vocational training courses

Industrial Training - The Best for Less

Industrial Networking Solutions Security - PLC, SCADA

  1. Home >
  2. articles >
  3. automation >
  4. industrial network security


...by Business Industrial Network training author. Industrial network security solutions essential to today's PLC - SCADA security.

 

Industrial Networking Solutions Security - PLC, SCADAIndustrial networks are considered the best solution for industrial applications and automation systems for their superior benefits like increasing response time, distance covered, and higher interoperability.
 
However, with such a complex system, security measurements become essential, and any dereliction of it could cause a serious threat to the whole system and some time, to the personnel involved in it, in fact, production machines networks without proper security can cause physical damage to man and machine, check the educational video here

 

Now let's discuss some practical advice on security recommendations within the following lines.

 

Security Recommendations:

 

1 - ANSI/ISA-99.02.01 security standard: Or the American National Standards Institute. The International Society of Automation has approved the second standard in the ISA99 series for the security of industrial automation. It guides users to establish a cybersecurity management system showing all details about policies, procedures, practices, and personnel. No step should be taken without a full understanding of this standard.


2 - Infrastructure: Access points, routers, switches, hubs, etc., are the frames that hold the whole system parts together. You must consider the harsh industrial conditions in which these devices will operate and the difference between them and their commercial counterparts as they may cost more money and convince some companies to purchase the commercial ones. The saying "You get what you pay" may apply here, as the industrial network components are environmentally tough equipment and well prepared for such conditions. Also, when choosing and installing some parts like for example the switches, experts should discuss some important technical details like applying the SNMP protocol and to determine whether they should be fully managed or just lightly managed or even web managed.


3 - Power Security: All industrial equipment should operate under a wide variety of power conditions to ensure minimizing the downtime and preventing power loss, automation Ethernet is not an exception. You must install sufficient power supplies with adequate fuses and breakers that can give a very short response time and with the prospect of providing a redundant system in case needed. Use an industrial UPS (Uninterruptible Power Systems). Using a UPS, allows operator stations to be closed and shut down in a controlled way if the power supply fails, thus reducing plant downtimes to a minimum.


4 - Firewalls and antivirus programs:  Like any other software system, your network requires protection against viruses, worms, hacking, and all other forms of software breaching and interfering, keep in mind to install some suitable programs for this task and update them continuously to ensure maximum protection for your system. Insight might be gained by reviewing this little research article about 'Hacking The Industrial Network' that show some statistics about security threats (click Industrial Network Security).
 
5 - Isolation: Sometimes, companies mix their Industrial Ethernet network with the office network or the BAS -Building Automation System- network and even make the industrial network connected to the internet. In fact, the office networks and internet data transfer consumes significant bandwidth which causes a negative effect on industrial network response time and efficiency, not to mention that exposing it to direct internet connection can present a serious security threat... That's why VLANS are the ultimate solution to divide this system into several parts, tagged VLANS can isolate and secure each network, accommodates with managed switches, and even manage the bandwidth traffic to prohibit delays inside the critical parts of the network. Wi-Fi and mobile applications increase security risk and small mobile SCADA screens increase the risk of operator error.


6 - Surveillance: The most important rule of any security system is to keep a watchful eye over every single part of it. Surveillance is more than just monitoring the network, but also, guarantees a fast intrusion to handle errors and malfunctions before they spread and cause damages and hazards to the whole operation process. Video surveillance or remote video monitoring is a very practical solution in this case as the revolutionary IP cameras can manage to send and receiving data with high traffic rate and many switches now on the market supports the expansion of this monitoring IP technology, this mechanism provides bigger flexibility to the surveillance process.


7 - Technical Support: It's much recommended to have a support provider to aid your system twenty-four seven. Having a professional, well-prepared team to back you up around the clock is a very cost-effective solution. You'll save time and money by providing such a service. Many bugs and problems in the system or the equipment can be handled by the technical support specialists and sometimes they can fix it remotely with no need to send a technician on site. But also keep in mind, someone working with a network system remotely can greatly increase the risk to man and machines as well as downtime.


Also within your industrial security procedures, including a corporate protocol for outside support. Ensure vendors and OEMs can only access your production equipment when the proper authority physically located in the plant, allows them access, on a case-by-case basis. Also remember to unplug modem phone lines connecting machines to OEM, after each remote support instance is done.


NOTE: With traditional computer networks, mistakes may result in communication failures and/or computer crashes. With an Industrial Network, the crash may be a live machine and could cause physical harm to humans working in a facility! Not to mention thousands in downtime cost.

 
SCADA Security Risks:


SCADA is considered to be an HMI (Human Machine Interface) - software system which is just a software program on a PC capable of accessing a PLC system to send and receive data, this is why it has security concerns like any other software system, it can be hacked, bugged or infected by software viruses. PLCs can be indirectly affected too if the SCADA system attached to it is not properly secured. 


One of the most intimidating security Breaches was the Stuxnet worm which targeted industrial software and equipment, it struck the Iranian uranium enrichment infrastructure in 2010, the Stuxnet hit Step-7 software application that is used to reprogram PLC devices. A more recent and equally intimidating example is the Department of Homeland Security report issued on 3/15/2018, persistant still today, Russian hackers made their way to machines with access to critical control systems at power plants and can shut down USA power now with a push of a button (or worse).


Nevertheless, Stuxnet is a Windows computer worm, not a PLC virus. That's why the most secured industrial system is one that only uses PLCs and local HMIs with no computer software involved.

 
Current Network Status:


These are some articles and surveys about the current industrial network status in different fields showing analysis and recommendations for the security systems. The major players for 2011 in industrial network protocols are Ethernet/IP, PROFInet, Modbus TCP, ISA SP-100.11a, and Wireless HART.


1 -  The following article is about security for critical infrastructures like power plants, substations, electric utility control centers, and water systems, and describes some positive and negative points. The article shows an overview of the latest cybersecurity in industrial networking. https://www.controlglobal.com/articles/2009/CyberSecurity0903.html?page=1


2 - If you'd like to make a full evaluation of your current network security status, you should take a look at this detailed article that shows how to assess your security level:
https://www.controlglobal.com/articles/2005/371.html


3 - Also as wireless technology applications are especially vulnerable to cybersecurity attacks, there is an article in Energy Tech Magazine "Wireless Internet plant security", I recommend you read.

 

4 - As the industry takes its first steps into the world of IIoT, becoming more networked also brings risks. Especially since the industrial sector much less mature than social media in the best approaches to mitigating those risks and achieving the benefit of connectivity without the vulnerability. CISCO and Microsoft have also been working with Rockwell Automation to ensure AB / FactoryTalk is secure, so be sure to read the material AB / Rockwell has put together.


Security Checklist:

network and scada security

 

[  ] Review ANSI/ISA-99.02.01 security standard to map all PLCs/Machines on the network.
[  ] Check and install all the infrastructure from network components to power equipment and make sure to test their configurations.
[  ] Ensure firewalls are in place and updated.
[  ] Ensure machine network is not connected to BAS network.
[  ] Ensure PCs with SCADA have antivirus software running on them.
[  ] Isolate PCs with SCADA from direct internet access.
[  ] Connect your system to an efficient surveillance and monitor system.
[  ] Provide your system with a qualified technical support provider vendor.
[  ] Ensure all personnel are trained to face emergency situations. (Including PLC Training)
[  ] Run several test operations before launching your system online.
[  ] Have current backup copies of PLC programs and HMI/SCADA programs.
[  ] Have industrial network policies and procedures in place and enforce them as the safety issue they are.

[  ] Have an all employee cybersecurity awareness program in place, updated and taken at least annually.
[  ] Unplug phone modems and vendor remote support connections attached to equipment, when remote support is finished.
[  ] Limit and keep a record of those who have Wi-Fi and mobile access to your industrial system.
[  ] Survey your system at regular intervals to maintain maximum security.


Going further with you Industrial Network Security ...

Industry 4.0 in USA: Risk (IIoT)

PLC network to SCADA HMI to HTML5 or smartphone

Deploying a resilient converged plant-wide ethernet architecture (PDF download)


Hope this helps.

You may also find our free on-line PLC Networking Basics course of interest.

Don Fitchett  - Business Industrial Network  (BIN) - BIN95.com

About the Author: DDon Fitchett founded the activity-based costing system called "True Downtime Cost™" (TDC), authored books and speaks at conventions on the topic, and is president of BIN. Don has been in the industrial training sector for over two decades, setting up training programs around the world, and still conducts training seminars to this day.

Business Industrial Network delivers instructor based industrial training as well as training software and on-line industrial training.

 

(YYou may copy and distribute this article as long as all credits, including this paragraph, are included and all links are active and distribution is not for profit. You may reference portions of this article as long as an active link back to the original article webpage at BIN95.com is present. Otherwise, this material is copyright protected.)

 

Linkedin Join 4600+ other professionals who follow us on LinkedIn.
Youtube Please subscribe while on Youtube. 35.3K+ subscribers learn from our hundreds of educational videos.
Twitter 3800+ followers keep up to date on our Twitter feed. Won't you join them?
Facebook Over 3000 friends like our Facebook feed, which you may want to follow also.
Pinterest Over 4000 followers find interesting pictures on our 74 Pinterest channels, you may too.