1. What is industrial security?
The main aim of industrial security is to ensure the availability and reliability of plants and equipment, as well as the confidentiality and integrity of machine data and processes. The threats can be substantial and the effects far-reaching. A coordinated, holistic approach to security measures is therefore needed, one that covers all relevant areas: devices, systems, plants and equipment, processes, and employees.
Potential security gaps and vulnerabilities
A company's security chain is only as strong as its weakest link. Vulnerabilities can exist in many places, as shown in the list below.
- Employees
- Network infrastructure
- Production plants and machines
- IT equipment (PCs, HMI, laptops, printers, tablet PCs, smartphones)
- Guidelines and regulations
Potential threats
- Impairment of machine safety
- Disruption to productivity and downtime due to malware
- Sabotage of production plants
- Manipulation of data or applications
- Unauthorised use
Potential effects
- Loss of production
- Reduced quality
- Loss of intellectual property
- Danger to people
- Economic or image damage
Trends impacting industrial security
- Internet of Things (IoT) - network connectivity of electronic devices and online communication
- Remote access to plants and equipment
- Use of wireless technology (WiFi, mobile radio)
- Cloud computing
2. Security measures and recommendations
This chapter contains recommended security measures to protect your system from threats. The recommendations are divided into three parts: system security, network security and plant security, which complement each other to form an overall concept.
2.1 System security, system hardening
System security refers to measures that focus on a part of the plant or on an individual system. In addition to the recommendations given here, further system-specific hardening recommendations can be found under the links listed at the end of this section.
System hardening describes techniques and practices that reduce the potential points of attack on a system. This involves adjusting the default (delivery-state) settings, deactivating services that are not required and implementing guidelines. Due to their wide range of applications, Bucher Automation products are not delivered with full system hardening.
Network services and ports
Every activated service poses a risk. To minimise the risk, services that are not required for operation (e.g. web server, telnet, remote maintenance) should be deactivated.
Software (not required for operation)
Software uses system resources. Software that is not required should therefore be uninstalled or deactivated. Furthermore, the sources and installation media of new software must be verified to be free of viruses.
Encrypted data transmission
To protect data from unauthorised viewing and manipulation, cryptographic methods should be used for transmission, authentication and signature.
- Asymmetric encryption via PKI
- Hashing
- Symmetric encryption
User accounts and passwords
Every activated user account enables system access and is therefore a potential risk. The following measures are recommended:
- Reducing the number of activated user accounts to the minimum required
- Using non-privileged accounts to execute processes
- Using secure access data for existing accounts
- Changing default passwords during commissioning
- Changing passwords on a regular basis
- Checking user accounts on a regular basis
Local firewall
A firewall controls incoming and outgoing system network traffic. It is recommended to activate the local firewall and only allow the necessary network traffic.
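The two measures above (deactivating services that are not required and allowing only necessary network traffic) can be checked against a minimal allowlist of services. The following is an added example, not Bucher Automation code: it parses `ss -tulnp`-style output from a Linux-based component and reports every listening service that is not on the allowlist. The sample output, the process names and the allowlist (SSH for maintenance, Modbus/TCP for the process) are constructed for the example.

```python
import re
from typing import NamedTuple

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str

# Constructed sample of `ss -tulnp` output (not captured from a real controller).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=901,fd=4))
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("lighttpd",pid=950,fd=5))
tcp   LISTEN 0      128    0.0.0.0:502        0.0.0.0:*         users:(("modbusd",pid=1002,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5900     0.0.0.0:*         users:(("vncserver",pid=1100,fd=7))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=870,fd=8))
"""

# Hypothetical allowlist for one controller: (protocol, port) pairs needed for operation.
REQUIRED_SERVICES = {("tcp", 22), ("tcp", 502)}

PROC_RE = re.compile(r'\(\("([^"]+)"')  # first process name inside users:((...))

def parse_ss(output: str) -> list[Listener]:
    """Turn ss output into Listener records; the header line is skipped."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # rpartition keeps IPv6 "[::]" intact
        if not port.isdigit():
            continue
        m = PROC_RE.search(line)
        listeners.append(Listener(fields[0], addr, int(port), m.group(1) if m else "?"))
    return listeners

def audit(listeners: list[Listener], required: set) -> dict:
    """Split listeners into those exposed on the network unexpectedly and loopback-only ones."""
    findings = {"unexpected": [], "loopback_only": []}
    for lst in listeners:
        if (lst.proto, lst.port) in required:
            continue
        bucket = "loopback_only" if lst.addr in ("127.0.0.1", "[::1]") else "unexpected"
        findings[bucket].append(lst)
    return findings
```

Services reported as unexpected are candidates for deactivation or for a local firewall rule; loopback-only listeners are not reachable from the network but still worth reviewing.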
Virus scanner
The application of a virus scanner should not interfere with productive plant operation. The following requirements should therefore be met for its application on industrial plant components:
- It must be possible to install the virus scanner without any further dependencies (such as a firewall)
- Virus scanner clients can be divided into groups and configured per group (by product or task)
- Option to configure notification only, without automatic actions (delete, quarantine, ...), when a virus is detected
- Option to deactivate the distribution of signatures and updates
- It must be possible to carry out a system or file scan manually and per group
- Logging option on the server
- Suppression of local messages so that system messages are not masked
Patching
It is recommended to keep the systems up to date. For Windows-based systems, Microsoft offers WSUS (Windows Server Update Services), which supports administrators in distributing Microsoft updates in large local networks.
Further hardening recommendations
- German Federal Office for Information Security (BSI): Windows 10 Hardening Guideline
- NIST Checklists
- NIST Security Guidelines for Storage Infrastructure
- Australian Cyber Security Centre: OS Guidelines
2.2 Network security, network segmentation
Network security is at the core of the protective measures. Here the plant network is divided into sub-areas and communication between them is restricted, thus creating protection zones. This also helps to detect anomalies in network traffic and then restrict the traffic accordingly.
Definition and configuration of network zones
Dividing a factory network into different zones (segmentation) is useful because not every zone has the same protection needs. Critical plants and equipment should be separated from non-critical ones. Systems placed in the same network zone should have similar communication characteristics. Moreover, it is important to define rules for communication between zones. Through sensible segmentation, potentially insecure systems (e.g. those with outdated operating systems) can continue to operate by being completely sealed off from other zones.
Separation via firewall systems
In the simplest case, separation is via a firewall system that controls and restricts communication between the networks.
Separation via DMZ network
Security is further enhanced by preventing direct communication between the production and corporate networks. In this case, coupling takes place via a separate DMZ network and communication occurs indirectly via (terminal) servers in the DMZ network.
Stateful Packet Inspection (SPI) and next-generation firewalls
Firewalls can block unwanted network traffic by inspecting the data packets and taking the connection state into account in the forwarding decision. Virtual patching can also mitigate vulnerabilities that have not yet been closed by a patch on the affected system and block attempts to exploit them. Intrusion prevention can be used to stop intrusion attempts by attackers.
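The zone model described above (separate zones, rules for communication between them, and a DMZ so that the corporate and production networks never talk directly) can be written down as a policy and used to check connection records exported from the zone firewall. This is an added example, not part of the original guideline; the zone address ranges, the permitted flows (corporate users reach only the DMZ terminal server, only the DMZ reaches production) and the log lines are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone plan (constructed for this example, not a reference design).
ZONES = {
    "corporate":  ipaddress.ip_network("10.1.0.0/16"),
    "dmz":        ipaddress.ip_network("10.2.0.0/24"),
    "production": ipaddress.ip_network("10.3.0.0/16"),
}

# Permitted cross-zone flows as (source zone, destination zone, destination port).
# Corporate clients may reach only the terminal server in the DMZ (RDP); only the DMZ
# may talk into production, and only on the control protocol. Everything else is denied.
ALLOWED_FLOWS = {
    ("corporate", "dmz", 3389),
    ("dmz", "production", 502),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one connection according to the zone model."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d and s != "unknown":
        return "allow"  # traffic inside one zone is not governed by the zone firewall
    return "allow" if (s, d, flow.dport) in ALLOWED_FLOWS else "deny"

# Constructed connection records in "src dst dport" form, as exported from a zone firewall.
SAMPLE_LOG = """\
10.1.20.5 10.2.0.10 3389
10.2.0.10 10.3.4.7 502
10.1.20.5 10.3.4.7 502
10.1.20.5 10.2.0.10 22
10.3.4.7 10.1.20.5 445
"""

def parse_log(text: str) -> list[Flow]:
    return [Flow(s, d, int(p)) for s, d, p in (line.split() for line in text.splitlines())]

def violations(flows: list[Flow]) -> list[Flow]:
    """Flows the zone model denies; each one is a candidate for a firewall rule review."""
    return [f for f in flows if evaluate(f) == "deny"]
```

The third record, a direct connection from the corporate zone into production, is exactly the path that coupling via the DMZ is meant to rule out; if it appears in the firewall's accepted-connection log, the rule set does not match the zone plan.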
Use of VPN with IPSec for remote maintenance
Encryption and authentication are used to create a secure tunnel to the system so that the data in transit cannot be intercepted or manipulated. This allows remote maintenance to be carried out from a secure environment.
2.3 Plant security
Plant security represents the outer protective ring of defence. It includes physical protection measures, processes and guidelines.
Physical protection of critical areas
It is recommended to protect the company location as well as production and plant areas against access by unauthorised persons. Physical security can be increased through the following measures:
- Guarding and monitoring the company premises
- Security guards and entry control
- Having external persons accompanied by company employees at all times
- Access control in production areas
- Installing critical components and control units in lockable control cabinets
- Monitoring and alarm systems for closed-off areas
- Limiting radio ranges to defined areas
- Implementing guidelines for the use of data carriers (USB flash drives) and IT devices on control components