Network security is currently a field of study in its own right. There is a great need for security measures at each level of your IT and OT environments. In the OT (Operational Technology) environment, it is imperative that we evaluate security risks with protection of our process operations in mind.
When thinking about layer 1 and 2 security, I want to think about the points of physical contact where intentional or unintentional acts can infect a system with unwanted malicious network traffic.
Locking it down
Starting with the front lines, control system servers and workstations should not be accessible to anyone who does not have ownership of them. This includes control rooms. Cabinets should be locked so that any access to HMI/SCADA clients, as well as network cables and jacks, is inhibited. Rack or server rooms also need to be locked, as well as the cabinets. Access prevention is the first line of defense. Operator accounts can be deployed that do not allow any PC interaction other than what is needed for HMI/SCADA operation.
The days of powering up a network switch with factory defaults and plugging it into your network are long gone; if that is still how you deploy switches, your system is at risk. With security in mind, the configuration of your network equipment must proactively protect your network. Any unused switch ports should be administratively disabled. Access ports should have BPDU guard enabled to prevent additional switching devices from being introduced into your network. In a high-level security situation, it is recommended to allow each port to see only the MAC address that is assigned to it; otherwise the network switch will shut the port down. These front-line measures will prevent intentional or unintentional network intrusion from occurring.
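The three port checks above can be run against a saved switch configuration. The following is an added example, not part of the original article: it assumes Cisco IOS-style configuration syntax (the article names no vendor), and the sample config, the `PORTS_IN_USE` inventory and the function names are constructed for illustration.

```python
# Constructed sample config; Cisco IOS-style syntax is an assumption.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security mac-address 0000.5e00.5301
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
 shutdown
!
"""
# Hypothetical inventory of ports that are meant to have a device attached.
PORTS_IN_USE = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"}

def parse_interfaces(config):
    """Map each interface name to the list of its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global line ends the interface block
    return interfaces

def audit(config, ports_in_use):
    """Return sorted (interface, finding) pairs for the three port checks."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name not in ports_in_use:
            if "shutdown" not in lines:
                findings.append((name, "unused port not administratively disabled"))
        elif "switchport mode access" in lines:  # trunks/uplinks not checked
            if "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "BPDU guard not enabled"))
            relaxed = any(l.startswith("switchport port-security violation ")
                          and not l.endswith(" shutdown") for l in lines)
            if "switchport port-security" not in lines or relaxed:
                findings.append((name, "port does not shut down on unknown MAC"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG, PORTS_IN_USE)` flags port 2 for both the missing BPDU guard and the relaxed violation mode, and port 3 for being unused but still enabled.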
As with the IT environment, the OT environment needs antivirus protection as well. Servers and workstations should be kept up to date with a reputable AV provider. There is one caveat to AV protection: it can also interfere with your control system software. Your control system support center can tell you which AV providers have been tested and approved, and there will likely be specific settings that need to be implemented during deployment. Before running out and buying, do your due diligence research on what AV protection your control system support center recommends and the settings they have tested and accepted.
I also recommend an AV Server for automatic updates of all machines in your OT environment. This makes the administration tasks of AV deployment and maintenance much more efficient and easier to maintain.
Keep in mind that AV is an insurance policy and is only aware of the types of malicious traffic that it has been taught to recognize. Keeping your network secure in the first place is the best form of protection for your OT network.
Networks in every environment face many attacks, both intentional and unintentional. As control and automation engineers, we must proactively secure our OT networks from both a physical and a configuration perspective to give our facility the protection it needs for its operations.
Written by Brandon Cooper
Senior Controls Engineer and Freelance Writer