June 2020 | Communications, Networking and Security | p. 38 | www.drivesncontrols.com

Cybersecurity: what to look for and where

Taking some simple steps can help to reduce the risk of your control networks falling victim to cyber-attacks. Consulting editor Andy Pye has been looking at advice* from the networking giant, Belden.

Advances in operational technologies and factory-floor networking are providing powerful tools to boost yields and cut waste, but they require an understanding of the cybersecurity risks they open up. Any change to a network – whether purposeful, accidental or malicious – leaves evidence. This evidence is often incomplete, isolated and hidden in device logs, or not even collected in the first place. Just as Scada will optimise and control an industrial process, a cyber-security plan (see below) is needed to optimise and control visibility of cyber-security events and to ensure that protective controls are in place.

Insider threats

Too often, cyber-security efforts focus on external threats. Yet insider threats and non-malicious events are often just as big a risk. Malicious actions by employees can be overlooked, and building a robust perimeter does little if the adversary is already inside. Reasons include disgruntlement, revenge, betrayal, blackmail, cheap thrills or boredom. If an alert is sent to the operator every time a change is made to a system, then every change can be verified against authorised work orders. Unexpected, unauthorised changes, whether malicious or not, can be reverted immediately to the expected operational configuration.

Not all cyber-events are malicious – unintentional mistakes play a role too. It is easy for a busy operator to type in, say, 60 instead of 6.0 for a parameter value. Another common, non-malicious scenario that can impact production networks stems from an imminent failure in the physical infrastructure, such as a cable, a switch or a device such as a PLC or HMI. These devices can generally communicate diagnostic data, but is anyone proactively looking at it?

Malware describes man-made code that can infect an OT network and impact production. Malware can change configurations, capture passwords or open connections to external devices. The impact can vary from trivial to shutting down production entirely. Malware can be introduced to the OT network in various ways. Infecting user PDF manuals and schematics is common, as are emails sent via Internet-connected devices. When a contractor opens such a file on the plant floor, the malware is launched and spreads throughout the entire OT network.

* Belden has published many White Papers and blogs on industrial cyber-security issues, including several written by Gary DiFazio, the strategic marketing director for industry cybersecurity at Tripwire, which Belden acquired in 2015. www.belden.com/resources/knowledge-center?type=white-paper and https://www.belden.com/blog

A three-step strategy for managing cybersecurity

To reduce risks and to detect and avoid the impacts of threats, you should consider implementing cyber-security measures that provide continuous real-time visibility into your network. Usually, these involve a three-part strategy.

Create an inventory: what do you have and what does it do?

- understand and document all communications between the control and IT networks
- keep track of all remote access into the control network, including vendor access with dial-up modems, VPNs and cellular connections
- create and update inventory information for both hardware and software, including vendor, make, model, serial number, firmware version, and versions of installed software
- create and maintain a network topology diagram
- understand what industrial protocols are communicating and between what assets, such as HMIs to PLCs
- understand how assets and devices are configured and whether those configurations are changing
- identify vulnerabilities in the environment
- implement centralised capturing of logs from automation devices such as switches, PLCs, routers, firewalls and HMIs

Implement protective controls

- ensure segmentation between IT and control networks to deny unauthorised communications or access
  - access control lists on networking devices
- disable services not needed to run industrial processes
- enable cybersecurity features, such as logging, SSH and SNMP v3
- check device/system configurations – change default passwords and enable password management

Continuous monitoring

This is not a "one-and-done" activity – it needs to be performed continuously, because automation systems evolve and the cyber-threat landscape changes constantly. Cybersecurity monitoring helps to answer questions such as how do I know:

- if my device/asset configurations are changing?
- if my operational baselines (the configuration of a device or system that is specific to the environment it is running in) are changing?
- if one of my devices is about to fail?
- if a rogue asset or protocol is present on my network?
- if my vulnerability risk profile has changed?
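The insider-threat section above describes alerting on every configuration change, checking each change against an authorised work order, reverting anything unauthorised to the operational baseline, and catching the "60 instead of 6.0" kind of operator slip. The following Python script is an added example written for this page; it is not Belden or Tripwire code and does not use either product's API. The device name PLC-07, the parameter names, the work order WO-1042 and the typo heuristic (a numeric value that moves by a factor of ten or more) are all constructed assumptions.

```python
"""Configuration-change monitor for an OT device (added example, not vendor code).

Compares a live device configuration against its operational baseline, raises one
alert per changed parameter, classifies each change against open work orders,
flags likely operator typos, and produces the configuration to restore.
All device names, parameters and work orders below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class WorkOrder:
    order_id: str
    device: str
    allowed_params: set  # parameters this order authorises changing


@dataclass
class Alert:
    device: str
    param: str
    old: object
    new: object
    status: str  # "authorised", "unauthorised" or "suspect-typo"


def config_hash(config: dict) -> str:
    """Stable fingerprint of a configuration: a changed hash means something drifted."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def looks_like_typo(old, new, ratio=10.0) -> bool:
    """Heuristic (an assumption): a numeric value that moves by a factor of
    `ratio` or more, e.g. 6.0 -> 60, is more likely a slip than a real change."""
    if isinstance(old, (int, float)) and isinstance(new, (int, float)) and old != 0:
        factor = abs(new / old)
        return factor >= ratio or factor <= 1 / ratio
    return False


def check_changes(device, baseline, live, work_orders):
    """Return one Alert per parameter that differs between baseline and live."""
    authorised = set()
    for wo in work_orders:
        if wo.device == device:
            authorised |= wo.allowed_params
    alerts = []
    for param in sorted(set(baseline) | set(live)):
        old, new = baseline.get(param), live.get(param)
        if old == new:
            continue
        if param in authorised:
            status = "authorised"
        elif looks_like_typo(old, new):
            status = "suspect-typo"
        else:
            status = "unauthorised"
        alerts.append(Alert(device, param, old, new, status))
    return alerts


def revert_unauthorised(baseline, live, alerts):
    """Build the configuration to push back: baseline values for every change
    that no work order covers, live values for the authorised ones."""
    restored = dict(live)
    for a in alerts:
        if a.status == "authorised":
            continue
        if a.old is None:            # parameter was added without authorisation
            restored.pop(a.param, None)
        else:                        # parameter was altered or removed
            restored[a.param] = a.old
    return restored


# Constructed sample data: the operator meant 6.0 bar but typed 60, a work order
# covers the alarm limit change, and telnet appeared with no work order at all.
BASELINE = {"setpoint_bar": 6.0, "alarm_high_bar": 8.0, "snmp_version": 3, "ssh": True}
LIVE = {"setpoint_bar": 60, "alarm_high_bar": 8.5, "snmp_version": 3, "ssh": True, "telnet": True}
WORK_ORDERS = [WorkOrder("WO-1042", "PLC-07", {"alarm_high_bar"})]


def run_demo(device="PLC-07"):
    alerts = check_changes(device, BASELINE, LIVE, WORK_ORDERS)
    restored = revert_unauthorised(BASELINE, LIVE, alerts)
    return alerts, restored


if __name__ == "__main__":
    found, to_push = run_demo()
    for a in found:
        print(f"{a.device} {a.param}: {a.old!r} -> {a.new!r} [{a.status}]")
    print("baseline hash:", config_hash(BASELINE)[:16])
    print("restored hash:", config_hash(to_push)[:16])
```

In practice the live configuration would be pulled from the device (or from the centralised log store the inventory step calls for) on a schedule, and the "suspect-typo" alert would go to the operator for confirmation rather than being reverted blindly, since a tenfold change is occasionally legitimate.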
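The inventory list asks you to know which industrial protocols talk between which assets, and the monitoring list asks how you would know that a rogue asset or protocol has appeared. The Python script below is an added example for this page, not Belden or Tripwire code: it parses a constructed connection log against a constructed inventory and a constructed set of documented flows, and reports anything outside them. The log line format, the IP addresses, the asset names and the role labels are all assumptions; a real deployment would feed it from the centralised log capture described above.

```python
"""Rogue asset and protocol check against the documented inventory
(added example, not vendor code). Log format, addresses and names are constructed."""
import re
from collections import Counter

# Constructed inventory: IP -> (asset name, role). A real inventory also carries
# vendor, model, serial number and firmware version, as the article's list requires.
INVENTORY = {
    "10.10.1.10": ("HMI-01", "hmi"),
    "10.10.1.20": ("PLC-07", "plc"),
    "10.10.1.21": ("PLC-08", "plc"),
    "10.10.1.1": ("SW-CORE", "switch"),
}

# Documented flows (source role, destination role, protocol) that are expected.
EXPECTED_FLOWS = {
    ("hmi", "plc", "modbus"),
    ("hmi", "switch", "snmpv3"),
}

# Constructed log format: "<timestamp> src=<ip> dst=<ip> proto=<name>"
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\S+)")

# Constructed sample log: an unknown host polls a PLC and the HMI opens telnet.
SAMPLE_LOG = """\
2020-06-01T08:00:01 src=10.10.1.10 dst=10.10.1.20 proto=modbus
2020-06-01T08:00:02 src=10.10.1.10 dst=10.10.1.21 proto=modbus
2020-06-01T08:00:03 src=10.10.1.10 dst=10.10.1.1 proto=snmpv3
2020-06-01T08:00:04 src=10.10.1.99 dst=10.10.1.20 proto=modbus
2020-06-01T08:00:05 src=10.10.1.10 dst=10.10.1.20 proto=telnet
"""


def parse_log(text):
    """Extract (src, dst, proto) triples; lines that do not match are ignored."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append(m.groups())
    return flows


def find_anomalies(flows, inventory=INVENTORY, expected=EXPECTED_FLOWS):
    """Return (rogue assets, unexpected flows).

    A rogue asset is any address not in the inventory. An unexpected flow is a
    conversation between two inventoried assets whose (role, role, protocol)
    combination is not among the documented flows."""
    rogue_assets = set()
    unexpected = []
    for src, dst, proto in flows:
        if src not in inventory:
            rogue_assets.add(src)
        if dst not in inventory:
            rogue_assets.add(dst)
        if src in inventory and dst in inventory:
            flow = (inventory[src][1], inventory[dst][1], proto)
            if flow not in expected:
                unexpected.append((inventory[src][0], inventory[dst][0], proto))
    return sorted(rogue_assets), unexpected


def protocol_summary(flows, inventory=INVENTORY):
    """Which protocols talk between which assets (names where known, else the IP)."""
    def name(ip):
        return inventory.get(ip, (ip, "unknown"))[0]
    return Counter((name(s), name(d), p) for s, d, p in flows)


if __name__ == "__main__":
    observed = parse_log(SAMPLE_LOG)
    rogue, odd = find_anomalies(observed)
    print("rogue assets:", rogue)
    print("unexpected flows:", odd)
    for (s, d, p), n in sorted(protocol_summary(observed).items()):
        print(f"{s} -> {d} via {p}: {n} connection(s)")
```

The summary table doubles as the first draft of the "which protocols between which assets" inventory item: run it over a quiet period to learn the baseline, review it against the topology diagram, and only then promote the observed flows into EXPECTED_FLOWS.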
