By Ted Grevers
The use of connected devices has raised the stakes for production environments.
Think about it for a moment: tablets, once thought of as toys, are now among the more useful tools of the trade for immediate access to production-related services.
Similarly, smartphones are a standard-issue tool for those who directly support production operations, allowing for immediate access to the machines in the production environment. Meanwhile, laptops, a long-time tool supporting production operations, now also support maintenance and management.
But as the number of mobile devices connecting to an industrial automation network continues to grow, each one introduces a new world of security concerns.
As the machines on the plant floor become connected, the rules of the security game have changed significantly.
Industrial automation infrastructure (the machines, their control systems, and their application needs) creates unique security demands not found within the enterprise, or carpeted, space, particularly as malware outbreaks find their way onto the production floor. To properly support a mobile device, operations teams must establish security models based upon industrial security and information technology best practices.
Under the direction of CXO-level executives, information technology best practices should steadily begin to extend from the IT-controlled enterprise space into production environments. Guidance from both the operations technology team and the IT team is required to manage security risk through products, architectures and technologies that create a mature defense-in-depth approach to risk at the plant floor.
Beyond Physical Security
With new threats arising, leaving all mobile devices at the door is no longer a suitable safety approach in production environments.
A centrally manageable defense-in-depth security approach is recommended instead, one that allows different levels of secure wireless access to the industrial automation environment to be created within a plant for plant personnel, contractors, integrators and partners, and their many mobile devices.
Additionally, a holistic defense-in-depth approach must be aligned with industrial security standards such as IEC-62443 (formerly ISA99) Industrial Automation and Control Systems (IACS) Security and NIST 800-82 Industrial Control System (ICS) Security, and tailored to each production environment.
Multiple layers of defense, including administrative, technical, and physical policies, must also be defined within the production environment to address different types of threats. No single product, technology, or methodology will ever fully secure a plant-wide architecture; protection must cover both internal and external security threats, and must continually evolve as threats do.
In the interest of production, the design and implementation of a comprehensive industrial automation network security framework should be an extension of the industrial automation environment. The access security framework should be persistent and a central part of any industrial automation network’s design process. What is acceptable in one production environment might be completely misaligned with another. Security within a production environment must also be scalable, and must take into consideration the vast array of mobile devices used within a plant.
Rules and access control policies become a critical factor for wireless access control.
Provisioning and posture policies must be applied across the industrial automation networks in real time, so a plant engineer experiences consistent access to their applications and devices from their wireless mobile device, as well as their wired connections in a holistic defense-in-depth model.
Fine-grained rather than broad policies should associate a user and their mobile device with a VLAN or with automated, dynamic downloadable access control lists. This allows an intelligent network to automatically adjust its security access policies based upon the user and the device connecting to the network. Just because a mobile device has gained access to the production network doesn’t mean the device should have access to the entire production network.
For example, IEEE 802.1X device-sensing capabilities are built into industrial Ethernet switches for wired connections and wireless LAN controllers for wireless connections in support of centralized network-wide profiling at a device’s point of network entry.
An identity service engine is used in conjunction with the plant’s industrial automation architecture to provide a dynamic layer of network access control security. It identifies all mobile devices, the industrial automation applications they request, and the logged-on user identity, and then dynamically implements security policies across the network infrastructure the mobile device will be accessing.
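An added illustration of the policy model described above, not code from the article or from any vendor product: a first-match rule table maps user role, profiled device type and posture result to a VLAN and a downloadable ACL, with quarantine as the default. Role names, VLAN numbers, the 192.0.2.0/24 addresses and the ACL lines are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Session:
    user_role: str    # role resolved from the logged-on user identity
    device_type: str  # result of device profiling at the point of entry
    medium: str       # "wired" (switch port) or "wireless" (WLAN controller)
    compliant: bool   # posture assessment result

@dataclass(frozen=True)
class Rule:
    name: str
    role: Optional[str]                 # None matches any role
    devices: Optional[Tuple[str, ...]]  # None matches any device type
    vlan: int
    dacl: Tuple[str, ...]               # downloadable ACL pushed with the VLAN

    def matches(self, s: Session) -> bool:
        return ((self.role is None or self.role == s.user_role) and
                (self.devices is None or s.device_type in self.devices))

# Constructed values: VLAN numbers, role names and 192.0.2.0/24 addresses.
QUARANTINE = Rule("quarantine", None, None, 999,
                  ("permit tcp any host 192.0.2.250 eq 443", "deny ip any any"))
RULES = (
    Rule("engineer-mobile", "plant_engineer", ("tablet", "smartphone", "laptop"),
         110, ("permit tcp any 192.0.2.0 0.0.0.127 eq 443", "deny ip any any")),
    Rule("contractor-laptop", "contractor", ("laptop",),
         120, ("permit tcp any host 192.0.2.10 eq 443", "deny ip any any")),
)

def authorize(s: Session) -> Rule:
    """First match wins; failed posture or no match lands in quarantine."""
    if not s.compliant:
        return QUARANTINE
    # The medium is deliberately not a match key: wired and wireless
    # sessions for the same user and device get the same policy.
    return next((r for r in RULES if r.matches(s)), QUARANTINE)

if __name__ == "__main__":
    for s in (Session("plant_engineer", "tablet", "wireless", True),
              Session("plant_engineer", "tablet", "wired", True),
              Session("contractor", "smartphone", "wireless", True),
              Session("contractor", "laptop", "wired", False),
              Session("guest", "laptop", "wireless", True)):
        r = authorize(s)
        print(f"{s.user_role}/{s.device_type}/{s.medium}: {r.name} vlan {r.vlan}")
```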
Centralized plant-wide flexibility in deciding how to implement guest policies becomes critical for environments that experience changes in on-site personnel and their multiple mobile devices. Together, these capabilities allow new device on-boarding to be streamlined according to business policies defined by IT and OT teams, reducing the need for continued IT mobile device support each time a new device requires access at the plant floor.
In short, the connected production environment is changing, and it’s changing fast. With a robust security plan in place, plants can continue to innovate while also mitigating a new breed of risk.
Ted Grevers is a solution manager at Cisco Systems, responsible for an array of industry solutions which integrate Cisco and third-party products into collaborative and marketable offerings. He holds 12 patents in the United States, Europe and Asia for categories including wireless, video, distributed compute, communications, advertising and network management.