With the increasing connectivity and digitalisation of industrial plants and equipment come greater demands on all the components involved. Industrial security deals with protecting plants and equipment against intentional or unintentional faults. The main aim is to ensure the availability and reliability of plants and equipment, as well as the confidentiality and integrity of machine data and processes.
The threats can be substantial and the effects far-reaching.
Therefore, a coordinated, holistic approach to security measures is needed that covers all relevant areas: devices, systems, plants and equipment, processes, and employees.
Potential security gaps and vulnerabilities
A company's security chain is only as strong as its weakest link. Vulnerabilities can exist in many places, as shown in the list below.
Trends impacting industrial security
This chapter includes recommended security measures to protect your system from threats. The recommendations are divided into three parts: system security, network security and plant security, which complement one another to form an overall concept.
System security refers to measures that focus on a part of the plant or on a single system. In addition to these recommendations, you can find further system-specific hardening recommendations under the listed links.
System hardening describes techniques and practices that reduce the potential points of attack in a system. This involves changing the default settings of the delivered state, deactivating services that are not required and implementing guidelines.
Due to their wide range of applications, Jetter products are not delivered with full system hardening.
Network services and ports
Every activated service is a potential point of attack. To minimise the risk, services that are not required (e.g. web server, telnet or remote maintenance) should be deactivated.
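As an added example (not part of the Jetter guideline), the following Python script audits the listening services of a device against an allowlist of services that are actually required for operation, which is the first step before deactivating the rest. The input is a constructed sample in the style of `ss -tulnp` output, and the allowlist (SSH administration and a Modbus/TCP control port) is an assumption for illustration; on a real device both would come from the system itself and from the plant's requirements.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tulnp` output (not captured from a real controller).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=901,fd=4))
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("httpd",pid=955,fd=6))
tcp   LISTEN 0      128    [::]:502            [::]:*            users:(("modbusd",pid=1020,fd=5))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=1100,fd=7))
"""

# Assumed allowlist for this device: only SSH administration and the control protocol are required.
REQUIRED_SERVICES = {("tcp", 22), ("tcp", 502)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# Matches one `ss` row: protocol, state, queues, local socket, peer socket, optional process name.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(text):
    """Turn `ss`-style output into Listener records; non-matching lines (header) are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rsplit handles IPv6 sockets such as "[::]:502" as well as "0.0.0.0:22".
        addr, port = m.group("local").rsplit(":", 1)
        listeners.append(Listener(m.group("proto"), addr, int(port), m.group("proc") or "?"))
    return listeners


def audit(listeners, required):
    """Return every listener whose (protocol, port) is not on the allowlist."""
    return [l for l in listeners if (l.proto, l.port) not in required]


def format_report(findings):
    if not findings:
        return "no unnecessary services found"
    return "\n".join(
        f"{f.proto}/{f.port} ({f.process}) listening on {f.addr}: not on allowlist, deactivate"
        for f in findings
    )


if __name__ == "__main__":
    print(format_report(audit(parse_listeners(SAMPLE_SS_OUTPUT), REQUIRED_SERVICES)))
```

Run against the sample, the audit flags telnet, the web server and SNMP; each of these is then a candidate for deactivation or, where it is genuinely needed, for an explicit entry in the allowlist with a documented reason.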
Software (not required for operation)
Software uses system resources. Unnecessary software should therefore be uninstalled or deactivated. Furthermore, the sources and installation media of new software must be free of viruses.
Encrypted data transmission
To protect data from unauthorised viewing and manipulation, cryptographic methods should be used for transmission, authentication and signing.
User accounts and passwords
Every activated user account enables system access and is, therefore, a potential risk. The following measures are thus recommended:
A firewall controls the system's incoming and outgoing network traffic. It is recommended to activate the local firewall and to allow only the network traffic that is necessary.
The application of a virus scanner should not interfere with productive plant operation. The following requirements should therefore be met for its application on industrial plant components:
It is recommended to keep the systems up to date. For Windows-based systems, Microsoft offers Windows Server Update Services (WSUS), which supports administrators in distributing Microsoft updates in large local networks.
Further hardening recommendations
Network security is at the core of the protective measures. Here the plant network is divided into sub-areas and communication between them is restricted, thus creating protection zones. This also helps to detect anomalies in network traffic and then restrict the traffic accordingly.
Definition and configuration of network zones
Dividing a factory into different network zones (segmentation) can be useful, as not every zone has the same protection needs. Critical plants and equipment should be separated from non-critical ones. Systems grouped into one network zone should have similar communication characteristics. Moreover, it is important to define rules for communication across zones. Through sensible segmentation, potentially insecure systems (outdated operating systems, ...) can also continue to operate by being completely sealed off from other zones.
Separation via firewall systems
In the simplest case, separation is via a firewall system that controls and restricts communication between the networks.
Separation via DMZ network
Security is further enhanced by preventing direct communication between the production and corporate networks. In this case, coupling takes place via a separate DMZ network and communication occurs indirectly via (terminal) servers in the DMZ network.
Stateful Packet Inspection (SPI) and next-generation firewalls
Firewalls can block unwanted network traffic by inspecting data packets and taking the connection state into account when deciding whether to forward them. Virtual patching can also reduce exposure to vulnerabilities that are not yet known and block their exploitation. Intrusion prevention can be used to stop intrusion attempts by attackers.
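The three preceding points (zone segmentation with explicit cross-zone rules, indirect coupling via a DMZ, and stateful inspection) can be illustrated together. The following Python model is an added example, not code from the guideline or from Jetter: it implements a default-deny zone firewall with a connection table and runs a short constructed scenario through it. The zone names, addresses, ports and permitted flows are assumptions chosen for illustration (office clients may reach a terminal server in the DMZ, the terminal server may reach PLCs, but the office network may never reach production directly).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for a TCP connection-initiating packet


# Constructed zone policy (assumed zones, addresses and ports, not from the guideline):
# only these cross-zone connection initiations are permitted; everything else is dropped.
ALLOWED_FLOWS = {
    ("corporate", "dmz", "tcp", 3389),        # office clients reach the DMZ terminal server
    ("dmz", "production", "tcp", 502),        # terminal server reaches PLCs (Modbus/TCP)
    ("engineering", "production", "tcp", 502),
}


class StatefulZoneFirewall:
    """Default-deny zone firewall with a connection table (stateful packet inspection)."""

    def __init__(self, allowed_flows):
        self.allowed = set(allowed_flows)
        self.conntrack = set()   # 5-tuples of connections accepted in the forward direction

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)
        rev = (pkt.proto, pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport)
        if pkt.src_zone == pkt.dst_zone:
            return "ACCEPT intra-zone"          # traffic inside a zone does not cross the firewall
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT established"         # replies are allowed by state, not by a rule
        # A new connection needs an explicit rule, and for TCP it must start with a SYN;
        # a mid-stream packet without tracked state is dropped even if a rule would match.
        rule = (pkt.src_zone, pkt.dst_zone, pkt.proto, pkt.dport)
        if rule in self.allowed and (pkt.proto != "tcp" or pkt.syn):
            self.conntrack.add(fwd)
            return "ACCEPT new"
        return "DROP"


def run_scenario():
    """Constructed traffic sequence; returns the firewall's decision for each packet in order."""
    fw = StatefulZoneFirewall(ALLOWED_FLOWS)
    packets = [
        # 1. Office client opens RDP to the DMZ terminal server: rule matches, SYN -> tracked.
        Packet("corporate", "dmz", "10.1.0.20", 50001, "10.2.0.5", 3389, syn=True),
        # 2. Terminal server answers: no dmz->corporate rule, but the reverse tuple is tracked.
        Packet("dmz", "corporate", "10.2.0.5", 3389, "10.1.0.20", 50001),
        # 3. Office client tries to reach a PLC directly: no rule, must go via the DMZ.
        Packet("corporate", "production", "10.1.0.20", 50002, "10.3.0.10", 502, syn=True),
        # 4. Terminal server opens Modbus/TCP to the PLC: permitted flow.
        Packet("dmz", "production", "10.2.0.5", 40000, "10.3.0.10", 502, syn=True),
        # 5. PLC tries to initiate a connection into the DMZ: no rule in that direction.
        Packet("production", "dmz", "10.3.0.10", 40001, "10.2.0.5", 502, syn=True),
        # 6. Mid-stream packet with no tracked connection: rule matches but it is not a SYN.
        Packet("engineering", "production", "10.4.0.7", 40002, "10.3.0.10", 502),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for i, decision in enumerate(run_scenario(), 1):
        print(f"packet {i}: {decision}")
```

The scenario shows why the DMZ matters: the office network never holds a rule towards production, so even a correctly formed connection attempt from there is dropped, while the terminal server in the DMZ can reach the PLCs and its replies to the office flow back only because the connection table recorded the original request.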
Use of VPN with IPsec for remote maintenance
Encryption and authentication can be used to create a secure tunnel to the system through which data cannot be intercepted or manipulated. This allows remote maintenance from a secure environment.
Plant security represents the outer protective ring of defence. It includes physical protection measures, processes and guidelines.
Physical protection of critical areas
It is recommended to protect the company location as well as production and plant areas against access by unauthorised persons. Physical security can be increased through the following measures: