Editor's Choice
Analytical Instrumentation & Environmental Monitoring
Data Acquisition & Telemetry
Electrical Power & Protection
Enclosures, Cabling & Connectors
Fieldbus & Industrial Networking
Flow Measurement & Control
Industrial Computer Hardware
Industrial Wireless
IS & Ex
IT in Manufacturing
Level Measurement & Control
Maintenance, Test & Measurement, Calibration
Mass Measurement
Motion Control & Drives
News
Operator Interfaces, Switches & Relays
PLCs, DCSs & Controllers
Pneumatics & Hydraulics
Pressure Measurement & Control
SAIMC
SCADA/HMI
Sensors & Transducers
Smart Home Automation
System Integration & Control Systems Design
Temperature Measurement
Training & Education
Valves, Actuators & Pump Control


Editor's Choice



Print this page printer friendly version

Mission-critical cybersecurity

August 2023 Editor's Choice

In our modern world, Ethernet and TCP/IP have become the de facto standards in most mission-critical control and monitoring applications, largely due to the design of these protocol suites around the Open System Interconnect (OSI) model. However the freedom and flexibility of being built around such an open system philosophy, while playing a large part in the success of Ethernet, also allows for many vulnerabilities which can be exploited by attackers.

Cybersecurity has become the greatest driving factor when designing and maintaining these networks, even more so than reliability and availability.

In planning and designing cybersecurity for a mission-critical network, a common mistake is to see the network as a single entity, and simply try and protect this entity holistically. While this view is not completely wrong, it is not the only perspective that should be taken when designing such a security system. Instead we should approach cybersecurity from a more granularly, and as the OSI model is already a well-developed and understood reference, we can use this to guide our approach.

We start at the base of the model by considering physical security. A mission-critical site should already be very familiar with physical security considerations such as access control to certain areas, and layered access control with areas like control rooms being extra secure. Networking hardware should be either contained in cabinets in the control room, or in locked cabinets out in the plant/field, with only certain engineers and technicians having access. Cables will generally already be run in to reach locations such as trenches, or along ceilings. Preventing access to cables was more important when backbones consisted of copper cabling, which is much easier to tap into without disrupting the network. Even fibre cable can potentially be cut and spliced into tapping equipment, but this requires more specialised hardware and longer periods of access to cabling, and is more detectable. At least the initial cut of the cable will definitely be more easily detected, and so is not as much of a security concern.

Next we look at layer 2, or our switching level. In most cases, our layer 2 network is considered ‘secure’, as it generally falls completely within the site’s physical and logical areas, and we normally focus on security at the edges/perimeter of a network. Historically we have not worried much about authentication or encryption at layer 2. However these days even this is being re-evaluated in most cases, especially with layer 2 fibre networks often now spanning public access locations. Layer 2 MAC authentication between ports is something being introduced by many vendors. Previously port security was more about protecting edge ports against unknown connections, but now this is expanding to make sure that links between two switches on the network are indeed between those two switches, and not going via some ‘man in the middle’ type attack. Links have to constantly ensure this authentication is real, otherwise they will be disabled until they can correctly authorise the switch.

However, a much more common functionality exists at layer 2 that is ubiquitous in industrial sites, and helps with not only security, but load balancing and determinism as well, namely Virtual Local Area Networks (VLANs). In corporate-type environments VLANs are generally not used, and IP subnetting is the primary way of segregating logical network segments. However, IP subnetting does not actually stop certain packets from one subnet from reaching a device in another subnet, and can be exploited to spread malware. VLANs, on the other hand, are defined and managed by the switches themselves, meaning that data in one VLAN that we do not want to reach a device in another VLAN, will not be able to do so unless we specifically allow it. This means that the end devices are much safer, and an attack or issue within one VLAN is not as easily transferred into another VLAN. This is why we also often implement guest or contractor VLANs to allow control over third-party access when working on the network.

We can look at layer 3 and 4 together, as these are generally secured using integrated firewalls, which look at the layer 3 and 4 headers of the traffic (and in some cases even more layers, especially with newer firewalls).

Firewalls generally exist in one of two fashions, or both in many cases. The first is a gateway or layer 3 switch between two logical network segments. Normally we consider one of these to be unsecure, or at least less secure than the local network we are in charge of. The second is a router-on-a-stick, where the router is connected just on the edge of a network, and handles routing between IP subnets and VLANs within that network specifically. However, in both cases the operation of the firewall is the same.

Although different vendors approach the operation of a firewall differently, the basic premise is the same. Firewalls will divide the network into logical portions or zones, and will then be able to control traffic attempting to move between these zones using the router. This control will generally be achieved by creating a list of rules that define how to treat packets of different types. For instance, it might define a source IP address or range, meaning packets from those devices are subject to this rule. At the end of the list of rules will be a catch-all rule, which should always be configured to drop all packets, except sometimes for testing. This means any packet that we have not specifically created a rule for in order to allow it through the firewall will be stopped and discarded. In this way we are able to control the traffic entering and leaving the network.

Virtual private networks (VPNs) are another buzzword these days, and for good reason. A VPN is a way of creating a secure tunnel through an unsecured network, meaning that even traffic that is not natively encrypted will be placed into the tunnel and encrypted at a higher level. To the end devices and processes this will be completely transparent, but it will stop any attacker from reading the traffic as it passes through the unsecure network portions. In mission-critical networks, especially in South Africa where many sites are running hardware more than ten years old, this functionality can become extremely important when hardware suppliers need to log in remotely to the devices for maintenance or troubleshooting. Many of these devices may not natively support encrypted protocols such as SSH, and instead may use an open protocol like Telnet to communicate. In these cases the unsecure Telnet traffic will at least be encrypted while travelling across unsecure network portions.

In recent years we have started to see the introduction of Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) and Next-Generation Firewalls (NGFWs). The full scope of these is beyond the time we have here, but suffice to say that these systems are starting to add more intelligence and decision-making capabilities to the hardware itself using AI. IDS systems will use pattern tracking to create baselines of the traffic on the network, and will then notify administrators on anomalies to these patterns, allowing the administrator to take manual action to prevent an attack, or deal with an issue before it becomes too serious. An IPS takes this one step further. While it will still notify the admin of anomalies, it will also be able to take active steps to prevent the anomaly, such as sending a command to a NGFW to add or edit a rule to disallow that traffic. At the same time the administrator will still be notified, so the changes can be confirmed or denied.

While we could go on for hundreds of pages on the intricacies of cybersecurity, it is important to note a couple of things. Firstly, while it is important to look at the overall system holistically, it is just as important to look at the smaller details when designing a cybersecurity approach, and consider each possible avenue of attack on the network. Secondly, security is a constantly changing field, and as such must be constantly re-evaluated and added to. However, at the same time, we must consider the third point, that security is not a way to completely block attacks, but rather a deterrent. Any system built by people is fallible, and generally can be exploited. As such we must constantly rethink our own security, and never get caught in the trap of thinking that our networks are ever truly 100% secure.


Credit(s)

Tel: +27 11 454 6025
Email: [email protected]
www: www.h3isquared.com
Articles: More information and articles about H3iSquared


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

STEMulator – a gift to the youth of the nation
Editor's Choice News
STEMulator is a groundbreaking virtual platform designed to ignite the spark of curiosity in young minds and stimulate their interest in STEM subjects.

Read more...
Innovate, accelerate, dominate
Festo South Africa Editor's Choice Pneumatics & Hydraulics
Festo’s latest innovations, revealed through the Ramp Up Campaign, offer a blueprint for performance excellence, using the anatomy of a race car as an analogy to simplify and powerfully communicate how their technologies address industry challenges.

Read more...
Case History 198: Cascade control overcomes valve problems.
Editor's Choice Flow Measurement & Control
There are many processes where it is undesirable for the load to suddenly change quickly, for example in the paper industry. Examples of level control have involved reasonably fast tuning. An example of a level loop tuned this way and responding to a step change in setpoint is given.

Read more...
Advanced telemetry solutions
Editor's Choice Industrial Wireless
Namibia is one of the driest countries in sub-Saharan Africa, with an average annual rainfall below 250 mm. To address this challenge, the Namibia Water Corporation has employed one of southern Africa’s most powerful and well-proven telemetry solutions, designed and manufactured by SSE/Interlynx-SA.

Read more...
Navigating the future of intralogistics
LAPP Southern Africa Editor's Choice
In the rapidly evolving landscape of global markets, the demand for agility, efficiency and scalability in intralogistics has never been more critical. At LAPP Southern Africa, we stand at the forefront of this transformation, offering cutting-edge connection solutions tailored to the dynamic needs of intralogistics.

Read more...
Cutting-edge robotics and smart manufacturing solutions
Yaskawa Southern Africa Editor's Choice
Yaskawa Southern Africa made a compelling impact at this year’s Africa Automation and Technology Fair.

Read more...
A cure for measurement headaches in contract manufacturing
VEGA Controls SA Editor's Choice
A contract manufacturing organisation provides support to pharmaceutical and biotechnology companies in the manufacturing of medications, formulations and substances. VEGA’s measurement solutions offer accuracy and reliability for monitoring levels and pressures during the manufacturing process.

Read more...
PC-based control for a food capsule and pod packaging machine
Beckhoff Automation Editor's Choice
For TME, a machine builder specialising in the packaging of powdered foods, Beckhoff’s PC-based control technology offers unlimited opportunities when it comes to performance and innovative capacity in terms of flexibility, scalability and openness.

Read more...
Simple and efficient level measurement in the mining, minerals and metals industries
Endress+Hauser South Africa Editor's Choice Level Measurement & Control
Measuring devices in the mining, minerals and metals industries face the challenge of varying material states and long distances in measurement height. Endress+Hauser’s answer to these challenges is the new Micropilot family.

Read more...
PC-based control for fertiliser
Beckhoff Automation Editor's Choice Fieldbus & Industrial Networking
On a farm in the USA, valuable ammonia is extracted from slurry and processed into ammonium sulphate. NSI Byosis has transformed this complex process into a flexible modular system. This modular approach requires an automation solution with flexible scalability in both hardware and software, which this Dutch company has found in PC-based control from Beckhoff.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  Hi-Tech Security Solutions
»  Hi-Tech Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd | All Rights Reserved