Carefully designed layers are a network’s best defense

Jan. 15, 2016
Start with the ISA 99 guidelines, then take advantage of new technologies to counter evolving threats

Without cybersecurity, the Industrial Internet of Things (IIoT) isn’t going anywhere. Manufacturers must be confident that their applications and data are protected before they'll adopt Internet protocol (IP) networking, virtualized computing, cloud-based services and other IIoT tools on their plant floors—and do it in numbers large enough to bring IIoT into the industrial mainstream.

Meanwhile, industrial companies continue to pursue business practices that further increase the need for cybersecurity, including unmanned operations and remote workforces, big-data infrastructures, integrated networking and data sharing with other companies, mobile applications and wireless. "All of them can be thresholds to greater vulnerability," said Jeff Melrose, senior principal technology strategist for cybersecurity at Yokogawa Corp. of America, in his session opening comments at Smart Industry 2015.

A moving target

Beyond basic risks and threats, Melrose noted that many cybersecurity problems and solutions are constantly evolving, and so users must continually update their responses, skills and knowledge about dealing with them.

"For instance, advanced persistent threats (APTs) are sets of stealthy and continuous computer hacking processes that target specific entities for business or political motives," explained Melrose. "APT attack cycle characteristics target specific organizations; gain footholds with common tactics like phishing emails; use compromised system access to move laterally; and cover their tracks to maintain access for future initiatives. Spear phishing is a hallmark of APTs, which ask recipients to click on links, so they can download malware."

"This makes the typical Internet-facing firewall a problem because it can't handle everything. What's really needed is defense in depth with additional inner walls, ICS network separations, and firewalls arranged as demilitarized zones (DMZs) to create physical or logical sub-networks," said Melrose. "Most importantly, DMZs can separate internal local area networks (LANs) from other untrusted networks like the Internet or business-level networks." He added that basic process control systems (BPCSs) also need to be separated from safety instrumented systems (SISs).

To achieve these separations, Melrose recommends following the International Society for Automation’s ISA 99 standard for Industrial Automation and Control System Security and its guidelines for establishing "zones and conduits" in ICS networks. For example, ISA 99 advises organizing security zones by logical groupings of physical, informational and application assets that share common security requirements. The standard further recommends that users establish a network communication policy that only allows required protocols through its network separations and firewalls and denies all other inter-zone communications.

"It's important to use ISA 99 to help prevent APTs because plants and their networks are often connected to their enterprise levels in many ways that aren't realized," added Melrose.

New security tools

Luckily, just as threats and malware evolve, many cybersecurity solutions are adapting to combat them. As a result, where there used to be just a few basic firewalls, Melrose reported there are now newer versions that can perform:

  • Deep packet inspections;
  • Intrusion detection systems (IDSs) to prevent zero-day attacks;
  • Secure socket layer/secure shell (SSL/SSH) functions to prevent hacker evasions;
  • Website filtering to prevent phishing;
  • Quality of service (QoS) and bandwidth management to prevent denial of service attacks;
  • Antivirus inspections to scan executable software files; and,
  • Active directory to police authorizations.  

"Users can also implement unidirectional architectures, such as data diodes, which are really the ultimate in network segregation because they only allow communication in one direction, and prevent all data from transiting to the protected zone. However, unidirectional gateways still aren't seamless, and not all protocols are supported yet."

Likewise, Melrose reported that air gaps can still be used to separate safety and critical control systems, but problems with that approach include no alerts from separate zones, no updates via the networks, and no visibility into disconnected systems. More recently, this method has adapted into a "paranoid air gap" strategy, which uses:

  • Dissimilar media, such as Cat 6 versus fiberoptic cabling;
  • Three feet of separation between cabinets containing network hardware;
  • Reinforced steel enclosures;
  • Separate cable runs, also with three feet of separation; and
  • Separate power, operator crews and authorization policies.

Despite the availability of these improved components and methods, Melrose concluded that the most essential and most overlooked cybersecurity tool is a network that is well thought out during its design phase. "Using ISA's zones and conduits, putting firewalls where they're most appropriate, and using a data diode between SIS and BPCS can get users a long way toward a good cybersecurity design with full cyber defenses," he said.
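
An added example, not from the article or from Melrose's talk: a small Python model of the zones-and-conduits policy described above, with default deny between zones, no conduit that bypasses the DMZ, and a one-way conduit standing in for the data diode between SIS and BPCS. Zone names, ports and flow records are constructed, and treating the SIS as the protected zone (traffic passes SIS to BPCS only) is an assumption.

```python
from dataclasses import dataclass

ZONES = {"enterprise", "dmz", "bpcs", "sis"}      # constructed zone names
UNTRUSTED, CONTROL = {"enterprise"}, {"bpcs", "sis"}

@dataclass(frozen=True)
class Conduit:
    src: str                 # zone allowed to initiate
    dst: str
    services: frozenset      # permitted (protocol, port) pairs
    one_way: bool = False    # True models a data diode

# Constructed policy; the ports are illustrative assumptions.
CONDUITS = [
    Conduit("enterprise", "dmz", frozenset({("tcp", 443)})),
    Conduit("bpcs", "dmz", frozenset({("tcp", 4840)})),
    Conduit("sis", "bpcs", frozenset({("udp", 5000)}), one_way=True),
]

# Constructed flow records: (source zone, destination zone, protocol, port).
OBSERVED = [("enterprise", "dmz", "tcp", 443), ("enterprise", "bpcs", "tcp", 502),
            ("bpcs", "sis", "udp", 5000), ("sis", "bpcs", "udp", 5000),
            ("bpcs", "dmz", "tcp", 445)]

def design_errors(conduits):
    """Return structural problems in the conduit list itself."""
    errors = []
    pairs = {(c.src, c.dst) for c in conduits}
    for c in conduits:
        if {c.src, c.dst} - ZONES:
            errors.append(f"unknown zone in {c.src}->{c.dst}")
        if {c.src, c.dst} & UNTRUSTED and {c.src, c.dst} & CONTROL:
            errors.append(f"{c.src}->{c.dst} bypasses the DMZ")
        if c.one_way and (c.dst, c.src) in pairs:
            errors.append(f"reverse path defeats diode {c.src}->{c.dst}")
    return errors

def decide(src, dst, proto, port, conduits=CONDUITS):
    """Default deny: an inter-zone flow passes only if a conduit lists it."""
    if src == dst:
        return "intra-zone"      # the inter-zone policy does not apply
    for c in conduits:
        if (c.src, c.dst) == (src, dst) and (proto, port) in c.services:
            return "allow"
    return "deny"

def violations(flows, conduits=CONDUITS):
    """Keep only the observed flows that the policy denies."""
    return [f for f in flows if decide(*f, conduits=conduits) == "deny"]
```

Running `design_errors` on a proposed conduit list before it becomes firewall rules catches a reverse path across the diode or a direct enterprise-to-control link at design time, while `violations` applies the same policy to recorded traffic.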