Jeff Smith of American Axle & Manufacturing (AAM) is a guru in the world of industrial Ethernet networking and ICS Security. We were fortunate to have him speak again at the 2013 Belden Industrial Ethernet Infrastructure Design Seminar.
In a previous article I outlined the reasons AAM decided to move to Ethernet/IP communications and how they implemented best practices such as standardized segmented network configurations. Today I am going to write about Jeff's approach to ICS security.
Jeff opened his remarks by saying no one wants to spend money on security. However, he feels that that is the wrong question. What you should be asking is:
"How much do I need to spend to feel comfortable with the risk?"
To answer this he suggested you assess your current security posture and then define the objectives for improving that posture.
Determine Your ICS Security Priority Areas
In the case of AAM they decided on the following four priority areas:
- Protect the manufacturing (Ethernet/IP fieldbus) network from the enterprise (untrusted) network.
- Ensure secure, safe remote support capability from inside and outside the company.
- Control and track supplier access to manufacturing control systems – the biggest challenge!
- Protect the manufacturing systems from malware attacks from PCs by
- Removing PCs from the manufacturing network. Put them on the enterprise network where possible.
- Isolating PCs at the edge of the network and implement a firewall with Deep Packet Inspection and VPN capabilities to connect them to the manufacturing network.
Jeff's graphic above highlights his point of view on this topic. For AAM this strategy disallows dual homed machines, including removing the NIC that connected the PC to the fieldbus.
After establishing your priority objectives, you then need to implement solutions. At the presentation Jeff demo'ed the AAM remote access system and provided AAM standard network diagrams.
Jeff's Deep Thoughts on ICS Security
What I really liked about Jeff's talk was his emphasis on having the proper perspective on ICS security. He described it as "deep thoughts" spoofing the SNL "Deep Thoughts with Jack Handy" skits, and they are applicable to end users, suppliers and integrators alike. Here they are some of them:
- Many don't need a "10 Ton Security Model" which involves complex acronyms and lots of security "stuff." Vendors need to stop talking about security this way and end users need to stop being paralyzed by thinking of it this way. After assessing the needs of the user, talk to those needs.
- Shore up the foundation. Your first step to better security might be to "fix" your strategy for control system Ethernet, and then secure it. (If you need help, here is one program from Belden that might do the trick.)
- Address security from the perspective of the controls organization. For example, in the enterprise world, security is a mature discipline. But the Ethernet-based fieldbus world is just reaching the toddler stage in controls organizations. And, ICS security is in its infancy.
- Thus do not try to speak to controls engineers about the broad-range of Ethernet topics, narrow it down to what is relevant to them.
- Remember that many control engineers don't have experience with Ethernet based controls networks. At the same time, companies are tight with training dollars. This forces support staff to learn on-the-job, even though technology change is rampant. Help them.
- For Ethernet-challenged engineers, what is your engineering plan to "Convert Legacy Fieldbus X to Ethernet fieldbus" look like? You are going to have to address this.. so get moving!
- Remember "Controls Engineers can do Controls Stuff" and think about capitalizing on your skills for hardwiring safety/security solutions. It's the "cockpit door" of the controls realm.
- Don't forget about attacks from the inside, intentional or unintentional.
- Think about detection and fast recovery. It will be difficult to stop every attack, so have a plan for quickly recovering from them.
Hardware Deep Thoughts
- If you have money available, replace unmanaged switches with managed switches.
- ICS Security Appliances. They need to:
- Be easy to configure
- Be easy to replicate and deploy
- Be designed for the longer lifecycle of controls equipment
- Not require extensive knowledge of IT to support
- Not require an IT person to replace at 2am when the line is down
(here is information about one such device)
Keep It Practical
When you hear Jeff talk about security it seems to be straight forward and practical. That's something to keep in mind as you deal with the real-world challenges of learning new technology while still getting your day job done, changing how you do things, and influencing your organization to move in the right direction.
Just keep remembering that security does not have to be complicated. As Jeff says:
"Do something, a little today and more tomorrow. Eat that elephant one bite at a time."
How have you helped move your organization towards better cyber security practices? Let us know your keys to success.
Related Content to Download
- Case Study: Hirschmann® OpenRailRS20 Managed Switches Chosen to Network Automobile Parts Production Lines at American Axle & Manufacturing.