Cybersecurity is a very hot topic and is becoming increasingly important, not just from an economic perspective but also from a political and social perspective. The economic impact of cybersecurity is easy to understand: if information technology infrastructure is compromised in some way, it is logical to expect some kind of economic impact. What is not so apparent is the importance that cybersecurity has from a political and social perspective. The Cambridge Analytica scandal is representative of the importance of cybersecurity from a political perspective. In this case, the personal data of several million Facebook users was used, or at least an attempt was made to use it, to influence the US elections. At international airports, the battles being fought now have more to do with cyberwars than with traditional conflicts. Many companies manage...
You're reading from Hands-On Industrial Internet of Things
What is a DiD strategy?
Today, all companies have been effectively forced to consider the risks they face and evaluate the vulnerability of their assets with regard to their related potential economic impact. Once risks have been assessed, priorities can be established and a defense strategy can be arranged. This means that we need to adopt DiD logic, without being discouraged by the apparent difficulty of this approach. But what is DiD?
DiD is an approach to information security by which a security posture is achieved through the coordinated and combined use of multiple security countermeasures. It is based on the integration of three different categories of elements: people, technology, and operating methods. The redundancy and distribution of countermeasures is based on two main concepts: defense in multiple places and layered defenses.
These concepts are certainly not new...
Firewalls
One of the best practices of the DiD strategy is to isolate the Control Network (CN), which is also often called the Process Control Network (PCN), from the corporate and internet systems using firewalls. While firewalls are widely used in the traditional IT sector, their adoption in CN/PCN environments is quite recent. Most IT firewalls are generally unaware of industrial-control protocols and may introduce unacceptable latency into time-critical systems. They may also face operational constraints that are not typical in the IT world. The reality is that firewalls can be complex devices that need careful design, configuration, and management to be efficient and effective. In this section, we are going to look at some basic information about firewalls and how they are usually deployed in the factory to segregate the control network and protect industrial devices.
Basically...
Common control-network-segregation architectures
This section outlines the most common security practices currently used in industrial-control environments for the architecture, design, deployment, and management of the firewall that separates the PCN from the corporate network.
The solutions presented are related to two main scenarios:
- Two-zone firewall-based designs without a DMZ
- Three-zone firewall-based designs with a DMZ
There is also another scenario, which is often referred to as dual-homing. In this scenario, dual-network interface cards are installed either in a workstation or in a control device that requires access to both the corporate and process control networks.
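As an added illustration (not code from the book), the following check audits a ruleset against the three-zone design and flags dual-homed hosts. It assumes a policy in which corporate and PCN hosts exchange data only through DMZ hosts; the zone CIDRs, rule format, host names, and function names are constructed for the example, and rule ordering is not evaluated.

```python
import ipaddress

# Constructed zone map (assumption): one CIDR per zone of a three-zone design.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.50.0/24"),
    "pcn": ipaddress.ip_network("192.168.100.0/24"),
}
# Constructed sample ruleset in a simplified, vendor-neutral format.
RULES = [
    {"id": 1, "action": "permit", "src": "10.10.0.0/16", "dst": "172.16.50.10/32"},
    {"id": 2, "action": "permit", "src": "192.168.100.0/24", "dst": "172.16.50.10/32"},
    {"id": 3, "action": "permit", "src": "10.10.4.21/32", "dst": "192.168.100.5/32"},
    {"id": 4, "action": "permit", "src": "0.0.0.0/0", "dst": "192.168.100.0/24"},
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
]
# Constructed asset inventory: host name -> interface addresses.
INVENTORY = {
    "eng-ws-01": ["10.10.4.21", "192.168.100.40"],
    "historian": ["172.16.50.10"],
    "hmi-02": ["192.168.100.12"],
}

def zones_touched(cidr):
    """Zones that a host address or CIDR overlaps (an 'any' range touches all)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def direct_crossings(rules):
    """IDs of permit rules that let corporate and PCN talk without the DMZ."""
    bad = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        src, dst = zones_touched(rule["src"]), zones_touched(rule["dst"])
        if ("corporate" in src and "pcn" in dst) or ("pcn" in src and "corporate" in dst):
            bad.append(rule["id"])
    return bad

def dual_homed(inventory):
    """Hosts with interfaces in both the corporate network and the PCN."""
    out = []
    for host, addrs in inventory.items():
        touched = set().union(*(zones_touched(a) for a in addrs))
        if {"corporate", "pcn"} <= touched:
            out.append(host)
    return sorted(out)

if __name__ == "__main__":
    print(direct_crossings(RULES), dual_homed(INVENTORY))
```

Rule 4 is flagged because its "any" source includes the corporate range, a case that is easy to miss when rules are reviewed by eye.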
Securing the I-IoT data flow
In Chapter 4, Implementing the Industrial IoT Data Flow, we analyzed five different options for connecting the edge to industrial data sources, highlighting the strengths and weaknesses of each. The five options that we analyzed were the following:
- Edge on fieldbus
- Edge on OPC DCOM
- Edge on OPC Proxy
- Edge on OPC UA
- OPC UA on controller
We have not yet considered the cybersecurity requirements and constraints for each of these options. In this section, we will understand how to secure them from a networking perspective, according to the standards of the ICS and the related best practices. As we outlined in the previous Common control-network-segregation architectures section, securing the control network is just one of the recommendations of the DiD strategy that can be used to mitigate the cyber risks of the whole control system environment. There...
Summary
In this chapter, we outlined the DiD approach. You learned that the goal of a DiD strategy is the achievement of a security posture through the coordinated and combined use of multiple security countermeasures, and that it is based on two main concepts: defense in multiple places and layered defenses. We looked at how DiD is based on the integration of three different elements: people, technology, and operating methods. Since firewalls are an important part of securing the control network, we also provided a short description of the different classes of firewall. After that, we explored the most common architectures to secure the industrial devices linked to the control network.
Following this, we looked at how to segregate a control network by means of DMZ and VLAN. We examined the most common security practices currently used in the industrial control environment and analyzed...
Questions
- What are the three main elements that make up a DiD strategy?
  - People, technology, and operating methods
  - Firewall, antivirus, and people
  - Patching, physical barrier, and people
- Which is the main feature that differentiates a stateful firewall?
  - Packet filtering
  - TCP session modelling
  - Packet inspection at the application layer
- What is the main advantage of a DMZ?
  - Segregation of the control network
  - Being able to create and deploy devices that act as dual-homes in a specific network
  - Monitoring traffic crossing networks
- What is the main advantage of a VLAN?
  - Segregating the control network
  - Building up a DMZ
  - Building logical networks that share the same physical infrastructure
- What is the main security constraint of the edge in an OPC DCOM deployment setup?
  - Allowing DCOM traffic to cross the firewall
  - Using a DPI firewall for filtering OPC packets
  - Building...
Further reading
Additional resources can be found at the following links:
- Introduction to Recommended Practices: https://ics-cert.us-cert.gov/Introduction-Recommended-Practices
- Cyber Threats: https://ics-cert.us-cert.gov/content/cyber-threat-source-descriptions
- Control System Vulnerabilities and Attack Paths: https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities
- Secure Architecture Design: https://ics-cert.us-cert.gov/Secure-Architecture-Design
- Updating Antivirus Software in an Industrial Control System: https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Recommended%20Practice%20Updating%20Antivirus%20in%20an%20Industrial%20Control%20System_S508C.pdf
- Improving Industrial Control Systems' Cybersecurity with Defence-in-Depth Strategies: https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C...