As manufacturers continue to adopt Industry 4.0 and IIoT technology, cybersecurity is becoming more and more critical with each passing day. Successfully protecting a network requires not only constant vigilance but strategies for securing your organization at every level. However, even with the best preparation, there is always a chance of attack. Author Andrew Ginter summed it up with his 3 laws of SCADA security:
- Nothing is 100% secure.
- All software can be hacked.
- Every piece of information can be an attack.
Sounds scary, right? Well, driving a car would be scary too if you only focused on what could go wrong. That’s why we have seatbelts, airbags, and insurance. Similarly, the goal of network security is to mitigate risk, not eliminate it. With that in mind, we’ve put together a primer of best practices you can implement to better secure your network.
1. Enterprise Security
At the enterprise level, simplicity is the best policy: a small set of controls applied consistently across the whole organization beats an elaborate scheme that nobody maintains. What does pay off when applied this broadly is an accurate picture of your environment: which machines exist and who can reach them, what software and firmware versions they run, and what normal traffic between them looks like. With that baseline in hand you can quickly recognize abnormal activity, such as a device you have never seen before talking to a PLC, a PLC answering on a port it never used, or a host suddenly moving far more data than usual.
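As an added example (not code from the original article or from Ignition), here is what such a baseline can look like in practice: a constructed asset inventory with expected ports, a per-host traffic baseline, and a check that flags unknown talkers, unexpected ports and traffic spikes in a batch of constructed flow records. Addresses, models, thresholds and the flow records are all assumptions for illustration.

```python
"""Added example: flag abnormal OT activity against a known baseline.
Inventory, baseline figures and flow records below are constructed."""
from collections import defaultdict

# Constructed asset inventory: address -> model, firmware, ports it should serve.
INVENTORY = {
    "10.10.1.11": {"model": "PLC-A", "firmware": "2.3.1", "ports": {502}},     # Modbus/TCP
    "10.10.1.12": {"model": "PLC-B", "firmware": "4.0.0", "ports": {44818}},   # EtherNet/IP
    "10.10.2.5":  {"model": "SCADA gateway", "firmware": "8.1.0", "ports": {8043, 4840}},
}

# Constructed hourly baseline of bytes received per host, learned from normal operation.
BASELINE_BYTES = {"10.10.1.11": 120_000, "10.10.1.12": 80_000, "10.10.2.5": 900_000}
TOLERANCE = 3.0  # assumed: flag when an hour exceeds 3x the baseline

# Constructed flow records for one hour: (src, dst, dst_port, bytes).
FLOWS = [
    ("10.10.2.5", "10.10.1.11", 502, 110_000),
    ("10.10.2.5", "10.10.1.12", 44818, 75_000),
    ("10.10.2.5", "10.10.1.11", 22, 4_000),        # SSH to a PLC that should only speak Modbus
    ("10.10.9.77", "10.10.1.12", 44818, 2_000),    # a host that is not in the inventory
    ("10.10.2.5", "10.10.1.11", 502, 400_000),     # far more Modbus traffic than usual
]


def find_anomalies(flows, inventory=INVENTORY, baseline=BASELINE_BYTES, tolerance=TOLERANCE):
    """Return a list of (kind, host, detail) findings for one batch of flows."""
    findings = []
    unknown_seen = set()
    totals = defaultdict(int)

    for src, dst, port, nbytes in flows:
        # 1. Every talker must be a known asset.
        for host in (src, dst):
            if host not in inventory and host not in unknown_seen:
                unknown_seen.add(host)
                findings.append(("unknown_host", host, f"first seen in {src}->{dst}:{port}"))
        # 2. Known assets should only be contacted on the ports they are supposed to serve.
        if dst in inventory and port not in inventory[dst]["ports"]:
            findings.append(("unexpected_port", dst, f"port {port} from {src}"))
        totals[dst] += nbytes

    # 3. Volume per host must stay within tolerance of the learned baseline.
    for host, total in totals.items():
        base = baseline.get(host)
        if base is not None and total > tolerance * base:
            findings.append(("traffic_spike", host, f"{total} bytes vs baseline {base}"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in find_anomalies(FLOWS):
        print(f"{kind:16} {host:12} {detail}")
```

The three checks are deliberately simple; the value is in the inventory and the baseline, which have to be kept current or the check decays into noise. A real deployment would feed it from flow exports or a passive network monitor rather than a hard-coded list.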
2. SCADA Security
Within a SCADA network, secure every connection: PLC to server, database to server, client to database, cloud to client, and so on. Each one is a potential entry point, so each one needs protection. There are many ways to do this, but they all center on authentication and authorization. Authentication most commonly means usernames and passwords; requiring a second factor, such as a PKI certificate, a key card, a USB token or a biometric, adds another layer of protection. Once a user has verified who they are through authentication, authorization determines what they may do in the system. Authorization can be role-based (permissions follow the user's role), network-based (permissions depend on where the request comes from), or a hybrid of the two, for example allowing tag writes only to operators and only from the control network.
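The two halves of that decision, as an added example that is not part of the original article or of Ignition: password verification with a salted PBKDF2 hash, followed by a hybrid authorization check in which the user's role must grant the permission and the request must also arrive from a network where that permission is allowed. The users, roles, permission names and subnets are constructed for illustration.

```python
"""Added example: authentication (salted PBKDF2) plus hybrid role/network
authorization. Users, roles, permissions and subnets are constructed."""
import hashlib
import hmac
import ipaddress
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it as your hardware allows


def hash_password(password, salt=None):
    """Return (salt, digest) suitable for storing in a user store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not reveal how much of the hash matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store; in production this lives in a database or identity provider.
USERS = {
    "alice": {"roles": {"operator"}, "cred": hash_password("correct horse battery")},
    "bob":   {"roles": {"viewer"},   "cred": hash_password("bob-pass-1")},
    "carol": {"roles": {"admin"},    "cred": hash_password("c4r0l-adm1n")},
}

# Role-based part: what each role may do.
ROLE_PERMISSIONS = {
    "viewer":   {"tag:read"},
    "operator": {"tag:read", "tag:write"},
    "admin":    {"tag:read", "tag:write", "config:edit"},
}

# Network-based part: permissions that are only valid from certain networks.
# A permission missing from this table may be exercised from anywhere.
NETWORK_POLICY = {
    "tag:write":   [ipaddress.ip_network("10.10.0.0/16")],  # assumed control network
    "config:edit": [ipaddress.ip_network("10.10.2.0/24")],  # assumed engineering subnet
}


def authenticate(username, password):
    """Return the user's roles on success, None on failure."""
    user = USERS.get(username)
    if user is None:
        # Burn a hash anyway so an unknown username takes as long as a wrong password.
        hash_password(password, b"\x00" * 16)
        return None
    salt, digest = user["cred"]
    return set(user["roles"]) if verify_password(password, salt, digest) else None


def authorize(roles, permission, source_ip):
    """Hybrid check: some role must grant the permission AND the source
    address must fall inside a network where that permission is allowed."""
    if not any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles):
        return False
    allowed_nets = NETWORK_POLICY.get(permission)
    if allowed_nets is None:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowed_nets)


def access(username, password, permission, source_ip):
    """Full decision for one request: authenticate first, then authorize."""
    roles = authenticate(username, password)
    return roles is not None and authorize(roles, permission, source_ip)


if __name__ == "__main__":
    print(access("alice", "correct horse battery", "tag:write", "10.10.1.50"))   # operator on the control network
    print(access("alice", "correct horse battery", "tag:write", "203.0.113.7"))  # same user, wrong network
```

The point of the hybrid check is that a stolen operator password is not enough on its own: the attacker must also be on the control network, which is exactly what the segmentation in the Device Security section is there to prevent.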
3. Network Security
The best method for keeping a network protected is TLS, the successor to the now-deprecated SSL, which encrypts data in transit. Serving the Gateway over HTTPS (HTTP inside TLS) encrypts traffic between clients and the Gateway, so session cookies and credentials no longer cross the wire in the clear and session hijacking by a network eavesdropper is prevented; database connections can be protected the same way. MQTT can run over TLS, and OPC UA encrypts its secure channel when a security policy with message encryption is selected, so device and broker traffic stays private too. Auditing is another powerful tool for maintaining security. An audit log records who did what, from where and when; reviewing it regularly, and alerting on specific events, means that whatever happens on your network, you have it recorded.
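As an added example of reviewing such a trail (not the original article's code, and not Ignition's audit log format), the block below parses a constructed key/value audit log, builds the "who did what from where" view, and flags three patterns worth alerting on: repeated login failures from one address, writes or configuration changes from outside the trusted networks, and configuration changes outside working hours. The log lines, the trusted network, the threshold and the working hours are all assumptions.

```python
"""Added example: review a constructed audit log for who/what/where and
flag suspicious patterns. Log format, addresses and thresholds are assumed."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed audit log: one event per line, space-separated key=value fields.
AUDIT_LOG = """\
2024-05-01T08:02:11Z actor=alice src=10.10.2.9 action=login target=gateway result=ok
2024-05-01T08:03:40Z actor=alice src=10.10.2.9 action=tag_write target=Line1/Setpoint result=ok
2024-05-01T08:05:02Z actor=bob src=203.0.113.7 action=login target=gateway result=fail
2024-05-01T08:05:09Z actor=bob src=203.0.113.7 action=login target=gateway result=fail
2024-05-01T08:05:15Z actor=bob src=203.0.113.7 action=login target=gateway result=fail
2024-05-01T08:05:21Z actor=bob src=203.0.113.7 action=login target=gateway result=ok
2024-05-01T08:06:00Z actor=bob src=203.0.113.7 action=tag_write target=Line1/Setpoint result=ok
2024-05-01T23:40:13Z actor=carol src=10.10.2.30 action=config_change target=OPC-UA/Server result=ok
"""

TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed control network
FAIL_THRESHOLD = 3                                      # assumed: alert on the 3rd failure
WORK_HOURS = range(6, 20)                               # assumed: 06:00-19:59 UTC
WRITE_ACTIONS = {"tag_write", "config_change"}


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes an aware datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def who_did_what(records):
    """The basic audit view: actor -> list of (action, target, source address)."""
    trail = defaultdict(list)
    for r in records:
        trail[r["actor"]].append((r["action"], r["target"], r["src"]))
    return dict(trail)


def flag_events(records, trusted=TRUSTED_NETS):
    """Return (kind, actor, detail) findings in log order."""
    findings = []
    failures = Counter()
    for r in records:
        src = ipaddress.ip_address(r["src"])
        inside = any(src in net for net in trusted)

        if r["action"] == "login" and r["result"] == "fail":
            failures[r["src"]] += 1
            if failures[r["src"]] == FAIL_THRESHOLD:   # fire once per source
                findings.append(("repeated_login_failures", r["actor"], r["src"]))

        if r["action"] in WRITE_ACTIONS and not inside:
            findings.append(("write_from_untrusted_network", r["actor"], r["src"]))

        if r["action"] == "config_change" and r["ts"].hour not in WORK_HOURS:
            findings.append(("off_hours_config_change", r["actor"], r["target"]))
    return findings


if __name__ == "__main__":
    records = parse_log(AUDIT_LOG)
    for actor, events in who_did_what(records).items():
        print(actor, events)
    for finding in flag_events(records):
        print(*finding)
```

Note that the log only has value if writes from every path (client, scripting, OPC, API) land in it and if the log itself is write-protected from the accounts it records; otherwise the record an attacker leaves is the one they chose to leave.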
4. Device Security
Device security splits into two categories: protecting workstations and servers, and protecting PLCs. For computers and servers this means removing unnecessary programs, keeping software up to date, enabling the host firewall on every server (redundant and backup servers included, since they run the same services), exposing only the ports that are actually needed, and disabling remote access. If remote access is required, put it behind a VPN and require multi-factor authentication on that VPN. For PLCs, rely on network segmentation: keep OT traffic on a separate, private network, use VLANs to separate control traffic from everything else (a VLAN only separates traffic, it does not encrypt it, so still encrypt the protocols that support it), and place an edge-of-network gateway between the OT and IT sides as the single bridge. Another option is a unidirectional gateway (also called a data diode), which allows information to pass from the SCADA network to the IT network in only one direction, guaranteeing isolation while maintaining the flow of data.
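"Using only necessary ports" is easy to state and easy to drift away from, so here is an added example (not from the original article or from Ignition) of checking it: a parser for the output of `ss -tlnp` on a Linux server and a comparison against an allowlist of what the server is meant to expose. The `ss` output is constructed, and the allowlist is an assumption; 8043 and 8088 are the Ignition Gateway's default HTTPS and HTTP ports, while the OPC UA port and the loopback service are made up for the example.

```python
"""Added example: compare a server's listening TCP sockets against an
allowlist. The `ss -tlnp` output and the allowlist below are constructed."""
import re

# Constructed output of `ss -tlnp` on a gateway server.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   0.0.0.0:8043        0.0.0.0:*         users:(("java",pid=1337,fd=55))
LISTEN 0      4096   0.0.0.0:8088        0.0.0.0:*         users:(("java",pid=1337,fd=56))
LISTEN 0      4096   127.0.0.1:8000      0.0.0.0:*         users:(("java",pid=1337,fd=57))
LISTEN 0      128    0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=2201,fd=4))
LISTEN 0      4096   0.0.0.0:4840        0.0.0.0:*         users:(("java",pid=1337,fd=58))
"""

# Assumed allowlist: the only ports this server should expose to the network.
ALLOWED_PORTS = {8043: "gateway HTTPS", 4840: "OPC UA server (assumed port)"}

# Known-risky listeners get a more specific reason than "not on the allowlist".
RISK_NOTES = {
    8088: "plain HTTP gateway port: credentials and sessions in the clear; force HTTPS or disable",
    22:   "SSH remote access: disable, or reach it only through the VPN",
    5900: "VNC remote access: disable",
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(text):
    """Return (local_address, port, process_name) for each LISTEN line."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)    # rsplit so IPv6 addresses survive
        match = re.search(r'\("([^"]+)"', line)  # process name inside users:((...))
        listeners.append((addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit_listeners(listeners, allowed=ALLOWED_PORTS):
    """Return (port, process, address, reason) for every listener that is
    reachable from the network and not on the allowlist."""
    findings = []
    for addr, port, proc in listeners:
        if port in allowed:
            continue
        if addr in LOOPBACK:
            continue                            # bound to localhost only; not network-reachable
        reason = RISK_NOTES.get(port, "not on the allowlist")
        findings.append((port, proc, addr, reason))
    return findings


if __name__ == "__main__":
    for port, proc, addr, reason in audit_listeners(parse_ss(SS_OUTPUT)):
        print(f"{addr}:{port} ({proc}): {reason}")
```

Run it against real `ss -tlnp` output on each server and on a schedule, and treat any new finding as a change to investigate; the host firewall should then be configured to admit exactly the allowlisted ports and nothing else.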
5. Physical Security
It may sound counterintuitive, but physical security is an integral part of cybersecurity. Many attacks begin with physical access to a server or workstation: an unattended console that is still logged in, a USB drive plugged into an HMI, or a laptop that walks out the door. To combat this, you can implement company-wide measures like guards, badges, and video monitoring, as well as device control for laptops, phones, and USB keys. Beyond that, effective policies and training will go a long way towards keeping your network safe from bad actors and honest mistakes alike.
Start Protecting Your System Now
The tips listed above will benefit any SCADA system, but running them on a robust, security-focused platform like Ignition by Inductive Automation can offer incredible peace of mind (along with great support).