PI North America’s annual general assembly meeting is the spot to catch up on the latest news about Profibus, Profinet and industrial networking in general. At this year’s meeting, which marked the organization’s 20th anniversary, a session focused on specific steps manufacturers should be taking today to secure their industrial control systems (ICS).
Delivered by Mike Werning, field application engineer for Moxa Americas, the session focused on explaining industry best practices around ICS security as well as key security countermeasures recommended by ICS-CERT.
Though some of the security best practices Werning highlighted may seem a bit obvious, it never ceases to amaze me how many companies—of significant size and import—have still not taken many of these steps. Following are some of the key industrial control system security best practices highlighted by Werning;
- Secure all plant floor web consoles using https.
- Secure the console interface by disabling telnet and use SSH secure shell. If you use telnet, the administrator’s password can be retrieved from the console’s data stream, says Werning.
- All accounts with access to the ICS should be assigned a complex password with more than 8 characters using a mix of numbers and upper/lower case letters.
- Use a management VLAN, but be sure to change the default management VLAN to something other than 1. Werning also suggests using trunk links to carry multiple VLANs between switches and to limit access to management VLANs to management computers only. “Doing this limits the scope of where changes can be made,” he said.
- Disable any unused ports on switches. If you don't disable these ports, at least lock them so that they are open only to known MAC addresses. Once they’re locked, they cannot learn any additional addresses.
- Use authentication and authorization via security protocols such as RADIUS and TACACS+. If you're unfamiliar with these terms, check out the video at the bottom of this article, which explains both in basic networking terms.
- Be aware that versions 1 and 2 of SNMP cannot be secured against packet sniffing because those versions use clear text. “Use version3,” Werning advises, “because it has authentication and DES encryption.” One caveat to use of version 3 is that many legacy devices do not support it. If you cannot use version 3 due to legacy equipment issues, Werning suggests changing the read/write community settings to something obscure or unique.
After discussing these best practices in detail, Werning highlighted five key countermeasures for ICS cybersecurity, according to ICS-CERT. These high-level measures should form the first level of your ICS security outline:
1. Implement Specific Security Policies
- Develop a plan for your company/facility and review regularly for compliance;
- Make sure the points in this plan are aligned with security standards for your industry.
2. Block access to resources and services
- Use perimeter devices and VPNs;
- Implement firewalls with access control lists (ACLs).
3. Detect Malicious Activity
- Make monitoring of network configurations, event logs, and network performance a regular process.
4. Mitigate possible attacks
- Use filters, deep packet inspection, secure network services and ports to fend off basic network intrusion possibilities.
5. Fix Core Problems
- Though it’s never as simple for ICS as it is for IT, performing regular software/firmware upgrades are necessary to keep your ICS secure.
In a final note, Werning pointed out that it’s becoming a regular process for some companies to check several security-related sites to see where ICS breaches are occurring most. Some of those sites, such as SHODAN and Infracritical.org can “poke you back”, Werning cautioned. So make sure your basic security building blocks are in place before visiting such sites using networked computers.
The Networking 101 video below from Cisco explains RADIUS and TACACS+ use for network user authentication, authorization and accounting.
Leaders relevant to this article: