Industrial Security

1. What is industrial security?

With increasing connectivity and digitalisation of industrial plants and equipment comes the challenge of greater demands on all the components involved. Industrial security deals with protecting plants and equipment against intentional or unintentional faults. The main aim is to ensure the availability and reliability of plants and equipment, as well as the confidentiality and integrity of machine data and processes.
The threats can be substantial and the effects far-reaching.
Therefore, a coordinated, holistic approach to security measures is needed that covers all relevant areas: devices, systems, plants and equipment, processes, and employees.


Potential security gaps and vulnerabilities

A company's security chain is only as strong as its weakest link. Vulnerabilities can exist in many places, as shown in the list below.

  • Employees
  • Network infrastructure
  • Production plants and machines
  • IT equipment (PCs, HMI, laptops, printers, tablet PCs, smartphones)
  • Guidelines and regulations


Potential threats

  • Impairment of machine safety
  • Disruption to productivity and downtime due to malware
  • Sabotage of production plants
  • Manipulation of data or applications
  • Unauthorised use


Potential effects

  • Loss of production
  • Reduced quality
  • Loss of intellectual property
  • Danger to people
  • Economic or image damage


Trends impacting industrial security

  • Internet of Things (IoT) - Network compatibility of electronic devices and online communication
  • Remote access to plants and equipment
  • Use of wireless technology (WiFi, mobile radio)
  • Cloud computing

2. Security measures and recommendations

This chapter includes recommended security measures to protect your system from threats. The recommendations are divided into three parts: system security, network security and plant security. These complement each other to form an overall concept.

2.1 System security, system hardening

System security refers to measures that focus on a part of the plant or a system. In addition to the recommendations given here, you can find further system-specific hardening recommendations under the listed links.

System hardening describes techniques and practices to reduce potential points of attack in a system. This involves changing settings from their delivery state, deactivating services that are not required and implementing guidelines.
Due to their wide range of applications, Jetter products are not delivered with full system hardening.


Network services and ports

Activated services pose a risk. To minimise the risks, services that are not required (e.g. web server, telnet, remote maintenance, etc.) should be deactivated.
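One way to check for services that are not required, shown as an added example that is not part of the original page: the sketch below compares listening TCP sockets against a list of ports needed for operation. The `ss -H -tln` sample output and the `REQUIRED_PORTS` allowlist are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (listening TCP sockets, numeric).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
LISTEN 0      511                *:80              *:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
LISTEN 0      64      192.168.10.5:5900      0.0.0.0:*
"""

# Assumption: the only network service this system needs for operation.
REQUIRED_PORTS = {22: "ssh"}


def parse_listeners(ss_output):
    """Return a set of (host, port) pairs for every LISTEN line."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # service names appear only when -n was not used
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope
        listeners.add((host, int(port)))
    return listeners


def is_loopback(host):
    """True if the socket is bound to a loopback address only."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" means all addresses
        return False


def audit(ss_output, required=REQUIRED_PORTS):
    """List (port, host, exposure) for listeners not required for operation."""
    findings = []
    for host, port in sorted(parse_listeners(ss_output), key=lambda l: (l[1], l[0])):
        if port in required:
            continue
        exposure = "local-only" if is_loopback(host) else "network-exposed"
        findings.append((port, host, exposure))
    return findings


if __name__ == "__main__":
    for port, host, exposure in audit(SAMPLE_SS_OUTPUT):
        print(f"not required: tcp/{port} on {host} ({exposure})")
```

Network-exposed findings such as telnet on port 23 are the first candidates for deactivation; local-only listeners carry less risk but still count as unnecessary software.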


Software (not required for operation)

Software uses system resources. Unnecessary software should therefore be uninstalled or deactivated. Furthermore, the sources and installation media of new software must be free of viruses.


Encrypted data transmission

To protect data from unauthorised viewing and manipulation, cryptographic methods should be used for transmission, authentication and signature.

  • Asymmetric encryption via PKI
  • Hashing
  • Symmetric encryption


User accounts and passwords

Every activated user account enables system access and is, therefore, a potential risk. The following measures are thus recommended:

  • Reducing the number of activated user accounts to the minimum required
  • Using non-privileged accounts to execute processes
  • Using secure access data for existing accounts
  • Changing default passwords during commissioning
  • Changing passwords on a regular basis
  • Checking user accounts on a regular basis


Local firewall

A firewall controls incoming and outgoing system network traffic. It is recommended to activate the local firewall and only allow the necessary network traffic.


Virus scanner

The application of a virus scanner should not interfere with productive plant operation. The following requirements should therefore be met for its application on industrial plant components:

  • It must be possible to install the virus scanner without any further dependencies, such as a firewall
  • It must be possible to divide virus scanner clients into groups (product or task dependent) and configure them per group
  • It must be possible to configure messages without automatic actions (delete, quarantine, ...) in case a virus is detected
  • Option of deactivating the distribution of signatures and updates
  • It must be possible to carry out a system or file scan manually and in groups
  • Logging option on the server
  • Suppression of local messages so as not to mask system messages


Patching

It is recommended to keep the systems up to date. For Windows-based systems, Microsoft offers WSUS (Windows Server Update Services), which supports administrators in delivering Microsoft updates in large local networks.


Further hardening recommendations


2.2 Network security, network segmentation

Network security is at the core of the protective measures. Here the plant network is divided into sub-areas and communication between them is restricted, thus creating protection zones. This can also help to detect network traffic anomalies and then restrict the traffic accordingly.


Definition and configuration of network zones

A division into different network zones (segmentation) in a factory can be useful, as not every zone has the same protection needs. Critical plants and equipment should be separated from non-critical ones. Systems grouped in the same network zone should have similar communication characteristics. Moreover, it is important to define rules for communication across zones. Through sensible segmentation, potentially insecure systems (outdated operating systems, ...) can also continue to operate by being completely sealed off from other zones.


Separation via firewall systems

In the simplest case, separation is via a firewall system that controls and restricts communication between the networks.


Separation via DMZ network

Security is further enhanced by preventing direct communication between the production and corporate networks. In this case, coupling takes place via a separate DMZ network and communication occurs indirectly via (terminal) servers in the DMZ network.
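The zone rules and DMZ separation described above can be written down as a policy and checked against observed traffic. The following is an added example, not part of the original page; the subnets, ports and flow records are constructed assumptions.

```python
import ipaddress

# Assumption: constructed zone plan for illustration.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "production": ipaddress.ip_network("10.30.0.0/16"),
}

# Assumption: the only permitted cross-zone rules (src zone, dst zone, TCP port).
ALLOWED_CROSS_ZONE = {
    ("corporate", "dmz", 3389),   # office PC to terminal server in the DMZ
    ("dmz", "production", 443),   # terminal server to plant system
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.4.7", "10.20.0.10", 3389),
    ("10.20.0.10", "10.30.1.20", 443),
    ("10.10.4.7", "10.30.1.20", 443),
    ("10.30.1.20", "10.30.1.21", 502),
    ("10.30.1.20", "10.20.0.10", 3389),
    ("192.0.2.50", "10.30.1.20", 443),
]


def zone_of(addr):
    """Return the zone name containing addr, or None if it is unzoned."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)


def check_flow(src, dst, port):
    """Return (allowed, reason) for one flow under the zone policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False, "address outside any defined zone"
    if src_zone == dst_zone:
        return True, "intra-zone"
    if {src_zone, dst_zone} == {"corporate", "production"}:
        return False, "direct corporate/production traffic bypasses the DMZ"
    if (src_zone, dst_zone, port) in ALLOWED_CROSS_ZONE:
        return True, "permitted cross-zone rule"
    return False, "no cross-zone rule for this flow"


def violations(flows):
    """Return (src, dst, port, reason) for every flow the policy denies."""
    return [(s, d, p, check_flow(s, d, p)[1])
            for s, d, p in flows if not check_flow(s, d, p)[0]]


if __name__ == "__main__":
    for src, dst, port, reason in violations(FLOWS):
        print(f"DENY {src} -> {dst}:{port}  ({reason})")
```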


Stateful Packet Inspection (SPI) and next generation firewalls

Firewalls can block unwanted network traffic by inspecting the data packets and taking the connection state into account when deciding whether to forward them. Virtual patching can also reduce vulnerabilities that are not yet known and block their exploitation. Intrusion prevention can be used to prevent intrusion attempts by attackers.


Use of VPN with IPSec for remote maintenance

Encryption and authentication can be used to create a secure tunnel to the system, so that the data transmitted through it cannot be intercepted or manipulated. This allows remote maintenance from a secure environment.


2.3 Plant security

Plant security represents the outer protective ring of defence. It includes physical protection measures, processes and guidelines.


Physical protection of critical areas

It is recommended to protect the company location as well as production and plant areas against access by unauthorised persons. Physical security can be increased through the following measures:

  • Guarding and monitoring the company premises
  • Security guards and entry control
  • Having external persons accompanied by company employees at all times
  • Access control in production areas
  • Installing critical components and control units in lockable control cabinets
  • Monitoring and alarming closed-off areas
  • Limiting radio ranges to defined areas
  • Implementing guidelines for the use of data carriers (USB flash drives) and IT devices on control components

Your contact person

Frank Gründig
Cyber Security Engineer
  +49 (7141) 2550-436
  frank.gruendig@bucherautomation.com
