Scalable Security for OT Networks

May 15, 2023
The Defense in Depth approach to securing industrial networks considers the network holistically to build in multiple layers of security.

What is the #1 concern about vertical integration in industrial automation? You guessed it: security. And even in the context of OT (operations technology) networks in industrial automation, it makes sense to work with your IT department because these folks have a lot to offer. They have experience with security and integrating security into networks, and we can draw from this experience as we integrate IT and OT networks.

But we need to have an understanding on priorities, because in the IT world, confidentiality is paramount followed by integrity and availability. In the OT world, these priorities are flipped. In OT, availability is paramount because we need to ensure controllers can perform real-time data exchange to keep the factory operating. Then we are concerned with integrity and finally confidentiality.

Defense in Depth

Even if there is disagreement with this shift in priorities, the one thing we can all agree on, no matter what side of the aisle you are on, is the concept of Defense in Depth. This is a concept where we look at the network holistically and build layers of security—like the layers of an onion—so if a malicious actor gets through one layer, there is another layer to provide the next level of protection. And then another layer, and another layer and so on.

It all starts at the outer layer with policies and procedures where we establish who has access to what, and we control how maintenance and updates are performed. Then, we have physical security where we can have something as simple as putting locks on critical areas or something more proactive like logging events or actions. Next is network security where we can use things like network segmentation and key management to ensure devices are authorized to be on the network. We can add firewalls that allow access based on a configured set of rules or make use of DMZs or data diodes.

For those unfamiliar with DMZs, these prevent direct data access. Data must first be put in a neutral location and then it can be retrieved by the other side. There also are industrial firewalls and DMZs available today that are intended for OT networks, meaning they are ruggedized, have a graphical user interface and provide simplified administration tools that can be used by control engineers. As we move down into computer, application, and device security, we find security tailored more toward OT networks where availability is the priority. And this is where Profinet comes in.

Netload test

Up until now, our current approach at PI has been to recommend a Defense-in-Depth strategy and, on top of that, we require that every device passing through the test lab for certification to undergo a so called “netload test.” This is where we subject the device to a flood of network traffic to simulate a denial-of-service attack and make sure that the device not only degrades gracefully but recovers automatically.

Security classes

Today, the market is calling for additional levels of security, so we are looking beyond netload tests and have come up with three scalable security classes:
  • Class 1 is where we tighten up security for the DCP and SNMP protocols, and we protect GSD files.
  • Class 2 is where we use authentication between a controller and a device to ensure a device is allowed to be on the network. This helps prevent man-in-the-middle attacks.
  • Class 3 is where we encrypt the real-time I/O data, which is helpful if the data contain sensitive information like recipes, formulas or other trade secrets.

These scalable security classes, starting with Class 1, will become available in the next year or so, with Classes 2 and 3 following. If you are interested in additional details regarding security and PI’s security classes starting with Security Class 1, please visit the Profinet Security Guideline at https://www.profibus.com/download/profinet-security-guideline and , of course, contact us any time here at PI North America.

Tom Weingartner is technical marketing director at PI North America.

Sponsored Recommendations

Understanding and Using E-Stops

E-stops, or emergency stop switches, are used to ensure machine as well as personnel safety. They are used to provide a consistent and predictable failsafe response on a wide ...

Demystifying motor disconnect switches: What are they and how are they used?

From conveyor belts to drum mixers, motors are used in virtually every industrial application to drive machinery. Equipment downtime is the main motivation behind monitoring and...

Full Line of DIN Rail Terminal Blocks Video

Altech offers an extensive line of DIN Rail Terminal Blocks including all major Connection Technologies available in the industry to meet requirements for a vast variety of applications...

The Value of Integrating DIN Rail Cylindrical Fuse Holders Into Your Designs

What short circuit currents do I have to consider when purchasing a DIN rail cylindrical fuse holder? That data is available from the manufacturer. For example, Altech cylindrical...