Industrial Security

1. What is industrial security?

With increasing connectivity and digitalisation of industrial plants and equipment comes the challenge of greater demands on all the components involved. Industrial security deals with protecting plants and equipment against intentional or unintentional faults. The main aim is to ensure the availability and reliability of plants and equipment, as well as the confidentiality and integrity of machine data and processes.
The threats can be substantial and the effects far-reaching.
Therefore, a coordinated, holistic approach to security measures is needed that covers all relevant areas: Devices, systems, plants and equipment, processes, and employees.

Potential security gaps and vulnerabilities

A company's security chain is only as strong as its weakest link. Vulnerabilities can exist in many places, as shown in the list below.

Employees
Network infrastructure
Production plants and machines
IT equipment (PCs, HMI, laptops, printers, tablet PCs, smartphones)
Guidelines and regulations

Potential threats

Impairment of machine safety
Disruption to productivity and downtime due to malware
Sabotage of production plants
Manipulation of data or applications
Unauthorised use

Potential effects

Loss of production
Reduced quality
Loss of intellectual property
Danger to people
Economic or image damage

Trends impacting industrial security

Internet of Things (IoT) - Network compatibility of electronic devices and online communication
Remote access to plants and equipment
Use of wireless technology (WiFi, mobile radio)
Cloud computing

2. Security measures and recommendations

This chapter includes recommended security measures to protect your system from threats. The recommendations are divided into three parts: System security, network security and plant security, which then complement each other to form an overall concept.

2.1 System security, system hardening

System security refers to measures that focus on a part of the plant or a system. In addition to the said recommendations, you can find further system-specific hardening recommendations under the listed links.

System hardening describes techniques and practices to reduce potential points of attack in a system. This involves adjusting settings of the delivery state, deactivating services that are not required and implementing guidelines.
Due to their wide range of applications, Jetter products are not delivered with full system hardening.

Network services and ports

Activated services pose a risk. To minimise the risks, services that are not required (e.g. web server, telnet, remote maintenance, etc.) should be deactivated.

Software (not required for operation)

Software uses system resources. Unnecessary software should therefore be uninstalled or deactivated. Furthermore, the sources and installation media of new software must be free of viruses.

Encrypted data transmission

To protect data from unauthorised viewing and manipulation, cryptographic methods should be used for transmission, authentication and signature.

Asymmetric encryption via PKI
Hashing
Symmetric encryption

User accounts and passwords

Every activated user account enables system access and is, therefore, a potential risk. The following measures are thus recommended:

Reducing the number of activated user accounts to the minimum required
Using non-privileged accounts to execute processes
Using secure access data for existing accounts
Changing default passwords during commissioning
Changing passwords on a regular basis
Checking user accounts on a regular basis

Local firewall

A firewall controls incoming and outgoing system network traffic. It is recommended to activate the local firewall and only allow the necessary network traffic.

Virus scanner

The application of a virus scanner should not interfere with productive plant operation. The following requirements should therefore be met for its application on industrial plant components:

It must be possible to install the virus scanner without any further dependencies, such as a firewall
Virus scanner clients can be divided and configured in groups (product or task dependent)
Configuration option of messages without automatic actions (delete, quarantine, ...) in case a virus is detected
Option of deactivating the distribution of signatures and updates
It must be possible to carry out a system or file scan manually and in groups
Logging option on the server
Suppression of local messages so as not to mask system messages

Patching

It is recommended to keep the systems up to date. The system functionality WSUS (Windows Server Update Service) is offered by Microsoft and available for Windows-based systems. WSUS supports administrators in delivering Microsoft updates in large local networks.

Further hardening recommendations

German Federal Office for Information Security (BSI): Windows 10 Hardening Guideline
NIST Checklists
NIST Security Guidelines for Storage Infrastructure
Australian Cyber Security Center: OS Guidelines

2.2 Network security, network segmentation

Network security is at the core of the protective measures. This is where the plant network is divided into sub-areas and communication is limited comprehensively, thus creating protection zones. This can also be helpful to detect network traffic anomalies and then restrict the traffic accordingly.

Definition and configuration of network zones

A division into different network zones (segmentation) in a factory can be useful, as not every zone has the same protection needs. Critical plants and equipment should be separated from non-critical ones. Associated network zones should have similar communication characteristics. Moreover, it is important to define rules for comprehensive communication. Through sensible segmentation, potentially insecure systems (outdated operating systems, ...) can also continue to operate by being completely sealed off from other zones.

Separation via firewall systems

In the simplest case, separation is via a firewall system that controls and restricts communication between the networks.

Separation via DMZ network

Security is further enhanced by preventing direct communication between the production and corporate networks. In this case, coupling takes place via a separate DMZ network and communication occurs indirectly via (terminal) servers in the DMZ network.

Stateful Packet Inspection (SPI) and next generation firewalls

Firewalls can block unwanted network traffic by inspecting the data packets and including the connection status in the transmission decision. Virtual patching can also reduce vulnerabilities that are not yet known and block their exploitation. Intrusion prevention can be used to prevent intrusion attempts by attackers.

Use of VPN with IPSec for remote maintenance

Encryption and authentication can be used to create a secure tunnel to the system whose data cannot be intercepted or manipulated. This allows remote maintenance from a secure environment.

2.3 Plant security

Plant security represents the outer protective ring of defence. It includes physical protection measures, processes and guidelines.

Physical protection of critical areas

It is recommended to protect the company location as well as production and plant areas against access by unauthorised persons. Physical security can be increased through the following measures:

Guarding and monitoring the company premises
Security guards and entry control
Having external persons accompanied by company employees at all times
Access control in production areas
Installing critical components and control units in lockable control cabinets
Monitoring and alarming closed-off areas
Limiting radio ranges to defined areas
Implementing guidelines for the use of data carriers (USB flash drives) and IT devices on control components

Your contact person

Frank Gründig
Cyber Security Engineer
+49 (7141) 2550-436
frank.gruendig@bucherautomation.com

More information

Professional Services