ICS Security Depends on Good Network Design
“Ethernet today is not the same as it was when it was invented 40 years ago,” said Jim Laurita, technical service manager in Belden’s Industrial IT group. His talk “Industrial Ethernet Infrastructure (IEI): Design Best Practices” opened the Belden Design Seminar, held last month near Chicago, IL. “There have been steady improvements.”
Poor organization and design of an industrial network lead to downtime and cybersecurity incidents.
The Evolution of Industrial Ethernet Infrastructure
Among the improvements are increased bandwidth, full-duplex communication, bi-directional communication, no collisions, switching, prioritization and segmentation via a VLAN, Laurita said.
The beauty of Ethernet is that it keeps developing with greater robustness. Bandwidth is increasing, cost is lower, and it is an open, non-proprietary technology.
The beauty is that the manufacturing sector can learn from how IT handled and used the technology.
“Automation is lagging behind IT by many years. It has taken longer for Ethernet to gain wider acceptance,” Laurita said. “Control and automation systems and applications are migrating from proprietary to open standards to enable seamless connectivity.”
What Laurita wanted to stress is that open and viable Ethernet is here to stay and, knowing that, people need to understand the basic design principles necessary for a secure and viable network.
“There is a common misconception about networking that ‘I have installed this at home, how hard can it be?’” Laurita said. “The home network is not plug-and-play, it is more like plug-and-pray. The practice of just installing industrial Ethernet equipment randomly for connectivity is no longer practical.”
Key Components of Good Industrial Network Design
Laurita showed a basic manufacturing network and went over the various key components to assess:
• Physical side of the network
• Equipment selection
• Logical design
• Multicast control
• Network security
• Other key aspects like Power over Ethernet (PoE), time synchronization, user interface, and ease of troubleshooting
• Network management
A properly segmented network utilizes subnets and industrial firewalls to ensure network security.
“Industrial Ethernet is more than just a physical ruggedization of IT equipment or block diagrams with lines,” Laurita said. “Users need to determine the applications now and in the future and focus on total lifecycle and cost of ownership.
“In addition, designing an industrial network requires knowledge and cross-collaboration from many disciplines. There is not one person who knows all the answers.”
In short, a secure network design works and ensures a smoothly running process.
“A well designed network will result in the highest level of availability and scalability for the future and enhance the total lifecycle manageability of the asset.”