In order to fully understand data passing through an industrial network, one needs to take a deep dive and analyze the data itself.
In other words, when we have data moving from controllers to I/O blocks, how do we actually know it’s the right data?
To understand what kind of data to look for, it is important to consider the following:
• Does the data command the correct motion control movement? Is it setting the value it is supposed to set?
• Have threats to this data reached the point where we need to reassess the data carried by our control networks across an entire plant?
• Are we examining this data with artificial intelligence to determine whether a threat is real?
For some time now, the focus of factory security has clearly been the perimeter of the network. We are now beginning to see attention shift to the identity of system services, and of the people behind those services, involved in protecting plant processes. While these are all necessary steps, they will not uncover malware inserted into a system, or even a simple, malicious change to a controller's program.
By examining the actual information traversing the network, we can determine whether something problematic or malicious is occurring and take the necessary steps to address it. But the reality of existing security methods, as good as they are, is that no one can guarantee that an attacker will be kept out.
Detecting An Intrusion
So what do you do when someone gets access to your plant? You cannot simply stop the line and interrupt the process. There needs to be a way to detect the intrusion and evaluate its intent. This is crucial because some intrusions are solely for observation, while others are there to do damage.
Observing your own network traffic has an impact on the network infrastructure. The network equipment needs to be able to copy traffic (for example by mirroring a port or inserting a tap) and send it to the applications that evaluate it and perform an intelligent analysis of the data. The next step is for a person to take that analysis and make a decision based on the facts. An automated reaction is an option to consider at this point, but it still requires thought and analysis about the intent of the intrusion.
The network then needs to respond to a signal, whether from an automated application or a human being, to mitigate the discovered anomaly. From here, applying an allow-list access control list (permit the known devices, deny everything else) rather than a block-list ACL can terminate communications from an unknown device that is not expected to be present on the network.
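The following is an added example, not code from the article or from Cisco, of the inspection described above: it decodes mirrored Modbus/TCP frames travelling from a controller to an I/O block, checks each write against a small allow-list policy (which devices may talk, which function codes are permitted, and which register values the process can tolerate), and produces the allow-list ACL that would cut off an unknown device. The policy, addresses, register meanings and sample frames are all constructed for the example; the ACL lines use an illustrative vendor-neutral syntax rather than any real device configuration.

```python
"""Inspect controller -> I/O Modbus/TCP writes against an allow-list policy.

Added example (not from the article). Frames would normally arrive from a
mirror port or tap; here they are constructed inline so the code runs offline.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Hypothetical policy for one cell (assumed values, not from the article).
ALLOWED_SOURCES: Dict[str, str] = {"10.0.1.10": "PLC-1"}
ALLOWED_FUNCTIONS = {READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}
# On-the-wire holding register address -> (min, max) the process can tolerate.
REGISTER_LIMITS: Dict[int, Tuple[int, int]] = {
    0: (0, 1500),  # conveyor speed setpoint, RPM
    1: (0, 100),   # valve position, percent
}
IO_BLOCK = "10.0.1.20"  # the I/O block the writes are destined for (assumed)


@dataclass
class RegisterWrite:
    src_ip: str
    unit_id: int
    function: int
    register: int  # -1 when the function carries no register write
    value: int


def parse_modbus_writes(src_ip: str, frame: bytes) -> List[RegisterWrite]:
    """Decode one Modbus/TCP ADU (7-byte MBAP header + PDU) into register writes."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto_id}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    function = pdu[0]
    if function == WRITE_SINGLE_REGISTER:
        if len(pdu) != 5:
            raise ValueError("bad write-single-register PDU size")
        register, value = struct.unpack(">HH", pdu[1:5])
        return [RegisterWrite(src_ip, unit_id, function, register, value)]
    if function == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 6:
            raise ValueError("bad write-multiple-registers PDU size")
        start, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != 2 * qty or len(pdu) != 6 + byte_count:
            raise ValueError("inconsistent write-multiple-registers PDU")
        values = struct.unpack(f">{qty}H", pdu[6:])
        return [RegisterWrite(src_ip, unit_id, function, start + i, v)
                for i, v in enumerate(values)]
    # Reads and other functions carry no setpoint to validate.
    return [RegisterWrite(src_ip, unit_id, function, -1, -1)]


def evaluate(write: RegisterWrite) -> List[str]:
    """Return the policy violations for one decoded write (empty list = clean)."""
    findings = []
    if write.src_ip not in ALLOWED_SOURCES:
        findings.append(f"unknown source {write.src_ip}")
    if write.function not in ALLOWED_FUNCTIONS:
        findings.append(f"function 0x{write.function:02x} not permitted")
    elif write.register in REGISTER_LIMITS:
        lo, hi = REGISTER_LIMITS[write.register]
        if not lo <= write.value <= hi:
            findings.append(f"register {write.register} value {write.value} outside [{lo}, {hi}]")
    elif write.register >= 0:
        findings.append(f"write to unexpected register {write.register}")
    return findings


def inspect_frames(frames: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, List[str]]]:
    """Run every mirrored frame through the parser and policy; malformed frames are alerts too."""
    alerts = []
    for src_ip, frame in frames:
        try:
            writes = parse_modbus_writes(src_ip, frame)
        except ValueError as exc:
            alerts.append((src_ip, [f"malformed frame: {exc}"]))
            continue
        for w in writes:
            findings = evaluate(w)
            if findings:
                alerts.append((src_ip, findings))
    return alerts


def unknown_sources(alerts: List[Tuple[str, List[str]]]) -> List[str]:
    """Devices seen talking to the I/O block that are not on the allow list."""
    return sorted({ip for ip, _ in alerts if ip not in ALLOWED_SOURCES})


def build_allow_acl() -> List[str]:
    """Allow-list ACL: permit the known controllers, deny everyone else (illustrative syntax)."""
    rules = [f"permit tcp {ip} -> {IO_BLOCK}:502  # {name}" for ip, name in ALLOWED_SOURCES.items()]
    rules.append(f"deny tcp any -> {IO_BLOCK}:502")
    return rules


def adu(unit_id: int, pdu: bytes, trans_id: int = 1) -> bytes:
    """Build a Modbus/TCP ADU for the constructed samples below."""
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic: (source IP, frame).
SAMPLE_FRAMES = [
    ("10.0.1.10", adu(1, struct.pack(">BHH", WRITE_SINGLE_REGISTER, 0, 1200))),  # normal speed setpoint
    ("10.0.1.10", adu(1, struct.pack(">BHH", WRITE_SINGLE_REGISTER, 0, 3000))),  # twice the rated speed
    ("10.0.9.77", adu(1, struct.pack(">BHHBH", WRITE_MULTIPLE_REGISTERS, 1, 1, 2, 50))),  # unknown device
    ("10.0.1.10", adu(1, struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 2))),  # routine read
]

if __name__ == "__main__":
    for src, findings in inspect_frames(SAMPLE_FRAMES):
        print(src, findings)
    print("unknown devices:", unknown_sources(inspect_frames(SAMPLE_FRAMES)))
    print("\n".join(build_allow_acl()))
```

The second frame is the case the article's first bullet asks about: a syntactically valid write from the legitimate controller that sets a value the process should never see, which no perimeter or identity control would catch. The third frame shows why an allow-list ACL is the right response to an unknown device: it is blocked by the final deny without anyone having to enumerate attackers.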
On The Network
At a practical level, the only place to do this is in the network itself.
The network is a platform that touches every device and system on the plant floor. Distributing the needed intelligence across the floor by way of the network makes it practical to analyze traffic on a smaller scale in each cell or zone. The network can then forward the accumulated behavior data to a central location, where it is evaluated and notifications are presented to people and systems as needed. This approach is already in use in the data center for ordinary business applications, so it is an extension of existing technology to accommodate the kinds of information we see in industrial applications.
Those overseeing data travelling through their network would benefit from advanced machine learning to identify behavioral anomalies. They also need access to a data set of common vulnerabilities, the ability to recognize deviations from normal behavior, and control over access for systems and applications.
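As an added example of the per-zone analysis and central roll-up described above (not code from the article or from Cisco), the block below learns a behavior baseline for each cell from an observation window of decoded controller writes, flags deviations locally (a device never seen in that zone, a register never written before, or a value far outside its usual spread), and summarizes the results per zone for a central console. A plain mean-and-standard-deviation baseline stands in for the machine learning the article mentions; the zones, devices, registers and events are constructed for the example.

```python
"""Per-zone behavior baseline for decoded controller -> I/O writes.

Added example (not from the article). A simple statistical baseline stands in
for the machine learning the article refers to; all events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass
class WriteEvent:
    zone: str      # cell or zone the traffic was observed in
    device: str    # source controller or host
    register: int  # holding register address on the wire
    value: float


@dataclass
class ZoneBaseline:
    devices: Set[str] = field(default_factory=set)
    # register -> (mean, population standard deviation) observed during the window
    stats: Dict[int, Tuple[float, float]] = field(default_factory=dict)


def learn_baseline(events: List[WriteEvent]) -> Dict[str, ZoneBaseline]:
    """Build one baseline per zone from an observation window assumed to be clean."""
    samples: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    baselines: Dict[str, ZoneBaseline] = defaultdict(ZoneBaseline)
    for e in events:
        baselines[e.zone].devices.add(e.device)
        samples[(e.zone, e.register)].append(e.value)
    for (zone, register), values in samples.items():
        baselines[zone].stats[register] = (mean(values), pstdev(values))
    return dict(baselines)


def score_event(e: WriteEvent, baselines: Dict[str, ZoneBaseline],
                k: float = 3.0, floor: float = 1.0) -> List[str]:
    """Return the deviations for one live event; k is the sigma threshold,
    floor stops a register that never varied from alerting on tiny jitter."""
    zb = baselines.get(e.zone)
    if zb is None:
        return [f"no baseline for zone {e.zone}"]
    findings = []
    if e.device not in zb.devices:
        findings.append(f"new device {e.device} in {e.zone}")
    if e.register not in zb.stats:
        findings.append(f"register {e.register} never written during baseline")
    else:
        mu, sigma = zb.stats[e.register]
        z = abs(e.value - mu) / max(sigma, floor)
        if z > k:
            findings.append(f"register {e.register} value {e.value:g} is {z:.1f} sigma from mean {mu:g}")
    return findings


def zone_summary(events: List[WriteEvent], baselines: Dict[str, ZoneBaseline]) -> Dict[str, Dict[str, int]]:
    """Roll local findings up into the per-zone counts a central console would receive."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"events": 0, "anomalies": 0})
    for e in events:
        summary[e.zone]["events"] += 1
        if score_event(e, baselines):
            summary[e.zone]["anomalies"] += 1
    return dict(summary)


# Constructed observation window: two cells, one controller each, steady setpoints.
BASELINE_EVENTS = (
    [WriteEvent("cell-A", "PLC-1", 0, v) for v in (1195, 1200, 1205, 1200, 1198, 1202)]
    + [WriteEvent("cell-A", "PLC-1", 1, v) for v in (38, 40, 42, 40)]
    + [WriteEvent("cell-B", "PLC-2", 0, v) for v in (798, 800, 802, 800)]
)

# Constructed live traffic to score against the baseline.
LIVE_EVENTS = [
    WriteEvent("cell-A", "PLC-1", 0, 1203),       # normal
    WriteEvent("cell-A", "PLC-1", 0, 1500),       # far outside the usual spread
    WriteEvent("cell-A", "ENG-LAPTOP", 1, 40),    # plausible value, unexpected device
    WriteEvent("cell-A", "PLC-1", 7, 1),          # register never written before
    WriteEvent("cell-B", "PLC-2", 0, 801),        # normal
]

if __name__ == "__main__":
    baselines = learn_baseline(BASELINE_EVENTS)
    for e in LIVE_EVENTS:
        print(e.zone, e.device, score_event(e, baselines))
    print(zone_summary(LIVE_EVENTS, baselines))
```

The third live event is the one worth noticing: the value written is entirely normal for that register, so a value-range check alone would pass it, and only the zone's knowledge of which devices normally speak there raises the alert. The baseline window has to be captured when the cell is known to be clean; a baseline learned while an intruder is already present simply teaches the detector that the intruder is normal.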
These capabilities combined with other security infrastructure settings can help the plant floor to detect and mitigate threats faster.
Dave Cronberger is a solutions architect for Internet of Things at Cisco.