Design patterns for increased security in industrial networks
Wednesday, 01 August, 2018
Gone are the days when industrial networks could be physically separated from all other networks. The same applies to the myth of security through incompatibility, which has long given industrial plants a feeling of security.
Times have changed, and not solely because of developments such as the Industrial Internet of Things and Industry 4.0, which have resulted in greater interconnectedness and homogenisation of industrial plant network structures. Industrial component manufacturers have already started designing their connectable components based on standard industrial PC systems.
They are also increasingly replacing proprietary communication protocols with the network protocols Ethernet and TCP/IP, which are widely used and accepted worldwide. However, this enhanced networking means that industrial plants have a larger attack surface.
What’s more, many monitoring and control systems are used for years — sometimes decades at a time — without receiving or being able to receive security updates in a timely manner. Either such patches are unavailable or a change in software is not without risks or may invalidate existing certifications.
This leaves numerous soft targets in industrial control system applications. It is evident, therefore, that these important but vulnerable systems must be protected. Many companies set up perimeter firewalls at the edge of their industrial networks to protect the soft targets in their industrial applications against threats from the internet or from office networks. Although this is a necessary step, modern network security demands far more than just perimeter security.
Comprehensive network security concepts need to take into account both different methods of attack and different kinds of attackers. This includes scenarios where the first line of defence, i.e., the firewall at the edge between the production network and the office network or the internet, has already been compromised. Once an attacker has penetrated a network, they can quickly cause major damage if the architecture and configuration of the network were selected with no regard for security. The good news: implementing a network capable of withstanding an invading attacker is not as complicated as it may first appear, provided security is taken into account as early as the network planning stage.
Taking security into account during the initial phase of network design is an important step towards creating a more secure industrial control system. However, issues such as exposed services must also be addressed as a matter of principle, for example by enforcing best practices such as firewalls and the zones-and-conduits concept. Rejecting the ‘flat network’ and ‘screened host’ designs in favour of the ‘screened subnet’ architecture limits an attacker’s freedom of movement within a network and better protects critical or vulnerable devices against compromised services. When it comes to restricting device access to the network and allocating devices to individual zones, IEEE 802.1X represents an effective way to increase security and reduce the administrative burden.
Finally, there are other ways of strongly limiting the influence an attacker can have within a zone. Using these methods and architectures helps to create secure and robust networks. Consequently, the network can no longer be used by the attacker as a dangerous weapon but instead acts as a serious barrier to attacks in industrial environments.
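The following reachability model makes the difference between the three designs concrete. It is an added example, not code from the original article or from Hirschmann: the zone layout, host names, listening ports and permitted conduits are constructed assumptions chosen to resemble a small plant with an office workstation, a historian database and a handful of controllers. The model treats hosts on the same segment as mutually reachable (no firewall in the path) and cross-zone traffic as reachable only where a conduit rule permits it, then counts which listening services a compromised historian could still connect to under each design.

```python
"""Reachability model for flat, screened-host and screened-subnet designs.

Added example with constructed data; not the article's or the vendor's code.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# A conduit is a firewall rule permitting traffic from one zone to another
# on one destination TCP port: (source zone, destination zone, port).
Conduit = Tuple[str, str, int]


@dataclass
class Topology:
    name: str
    zones: Dict[str, FrozenSet[str]]  # zone name -> hosts attached to that segment
    conduits: FrozenSet[Conduit]      # cross-zone flows the firewall(s) permit

    def zone_of(self, host: str) -> str:
        for zone, hosts in self.zones.items():
            if host in hosts:
                return zone
        raise KeyError(f"unknown host {host!r}")

    def can_reach(self, src: str, dst: str, port: int) -> bool:
        """True if src can open a TCP connection to dst:port under this design."""
        src_zone, dst_zone = self.zone_of(src), self.zone_of(dst)
        if src_zone == dst_zone:
            return True  # same segment: no firewall sits in the path
        return (src_zone, dst_zone, port) in self.conduits


# Constructed inventory: host -> listening TCP ports.
SERVICES: Dict[str, FrozenSet[int]] = {
    "ws1": frozenset({3389}),         # office workstation, RDP
    "historian": frozenset({1433}),   # historian DB that the office must query
    "collector": frozenset({1433}),   # control-zone collector feeding the historian
    "hmi": frozenset({3389}),         # operator station
    "plc1": frozenset({502}),         # Modbus/TCP
    "plc2": frozenset({502, 44818}),  # Modbus/TCP and EtherNet/IP
}

# Design 1: everything on one segment, no firewall between any two hosts.
FLAT = Topology(
    name="flat network",
    zones={"plant": frozenset(SERVICES)},
    conduits=frozenset(),
)

# Design 2: one firewall; the historian (the exposed service) sits on the
# same segment as the controllers it is supposed to shield.
SCREENED_HOST = Topology(
    name="screened host",
    zones={
        "office": frozenset({"ws1"}),
        "plant": frozenset({"historian", "collector", "hmi", "plc1", "plc2"}),
    },
    conduits=frozenset({("office", "plant", 1433)}),
)

# Design 3: the historian lives in its own screened subnet (DMZ). The office
# reaches the DMZ, and the control zone pushes data into the DMZ; nothing is
# permitted from the DMZ into the control zone.
SCREENED_SUBNET = Topology(
    name="screened subnet",
    zones={
        "office": frozenset({"ws1"}),
        "dmz": frozenset({"historian"}),
        "control": frozenset({"collector", "hmi", "plc1", "plc2"}),
    },
    conduits=frozenset({("office", "dmz", 1433), ("control", "dmz", 1433)}),
)


def exposure(topo: Topology, compromised: str) -> Set[Tuple[str, int]]:
    """Listening services (host, port) a compromised host can still connect to."""
    return {
        (host, port)
        for host, ports in SERVICES.items()
        if host != compromised
        for port in ports
        if topo.can_reach(compromised, host, port)
    }


def inbound_conduits(topo: Topology, zone: str) -> Set[Conduit]:
    """Firewall rules that allow traffic into the given zone (policy review aid)."""
    return {c for c in topo.conduits if c[1] == zone}


if __name__ == "__main__":
    for topo in (FLAT, SCREENED_HOST, SCREENED_SUBNET):
        reach = exposure(topo, "historian")
        print(f"{topo.name:16s}: compromised historian reaches "
              f"{len(reach)} services {sorted(reach)}")
    print("conduits into control zone:", inbound_conduits(SCREENED_SUBNET, "control"))
```

Running the script shows the point of the screened subnet: a compromised historian on the flat network reaches every listening service, on the screened-host design it still reaches every controller on its own segment, and on the screened-subnet design it reaches nothing in the control zone because no conduit points into that zone. The `inbound_conduits` helper is the check to repeat whenever a rule is added: any new conduit whose destination is the control zone widens that exposure again.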
Hirschmann’s latest range of HiOS switches, for example, incorporates comprehensive security mechanisms that regulate network access and protect against attacks. These include port security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard, ingress/egress ACL, sFlow, Storm Control, automatic denial-of-service prevention and port access control via 802.1X including multiclient authentication, RADIUS VLAN/policy assignment and guest/unauthenticated VLAN. Hardware redundancy methods such as PRP (Parallel Redundancy Protocol) and HSR (High Availability Seamless Redundancy) also ensure uninterrupted data communication. As a result, the Hirschmann switches offer maximum performance for your network without compromising on security.
Additionally, the EAGLE One is an industrial security router offering all-round protection for data communication in practically any environment, at an optimal price-performance ratio. Comprehensive Layer 2 and Layer 3 redundancy functions ensure switchover to a hot standby device in the event of a fault or failure. Moreover, networks can be protected with the security router or segmented into security zones in accordance with the defence-in-depth concept. The innovative Firewall Learning Mode allows simple and smooth start-up using a rule configuration based on recognised network traffic patterns.