As manufacturers continue to adopt Industry 4.0 and IIoT technology, cybersecurity is becoming more and more critical with each passing day. Successfully protecting a network requires not only constant vigilance but strategies for securing an organization at every level. However, even with the best preparation, there is always a chance of attack. Consider the three laws of supervisory control and data acquisition (SCADA) security:
- Nothing is 100% secure.
- All software can be hacked.
- Every piece of information can be an attack.
Sounds scary, right? Well, driving a car would be scary too if people only focused on what could go wrong. That’s why there are seatbelts, airbags and insurance. Similarly, the goal of network security is to mitigate risk, not eliminate it. With that in mind, here are five best practices users can implement to better secure their network.
1. Enterprise security
When considering cybersecurity at the enterprise level, simplicity is the best policy. Complex solutions will not improve security when applied this broadly. However, in-depth knowledge of the environment — machine models and access, their software versions, normal traffic levels on the network — will help someone gain a better understanding of their system and allow them to quickly recognize any abnormal activity.
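One concrete way to turn "know your normal traffic levels" into something that recognizes abnormal activity is a per-device baseline. The following is an added example, not code from the original article: it keeps a small asset inventory (machine model and software version), learns the mean and standard deviation of each host's traffic volume from a normal observation window, and flags hosts that are missing from the inventory or whose volume is far outside their own baseline. The inventory, byte counts, addresses and thresholds are constructed for illustration.

```python
# Added example (not from the original article): building a per-device
# baseline of "normal" traffic volume from an inventory of known machines, then
# flagging hosts that deviate from it or that are not in the inventory at all.
# Inventory, sample counts and thresholds below are constructed for illustration.
from statistics import mean, pstdev

# Constructed asset inventory: what the engineer is expected to know about each
# machine (model, software version) and which hosts are sanctioned at all.
INVENTORY = {
    "10.0.1.10": {"model": "PLC-A", "version": "2.4.1"},
    "10.0.1.11": {"model": "PLC-A", "version": "2.4.1"},
    "10.0.1.20": {"model": "HMI-WS", "version": "11.3"},
    "10.0.1.30": {"model": "Historian", "version": "8.1"},
}

# Constructed hourly byte counts per host over a "normal" observation window.
BASELINE_SAMPLES = {
    "10.0.1.10": [1200, 1250, 1180, 1220, 1210, 1190, 1240, 1230],
    "10.0.1.11": [1300, 1280, 1310, 1290, 1320, 1270, 1300, 1310],
    "10.0.1.20": [5000, 5200, 4800, 5100, 4900, 5050, 5150, 4950],
    "10.0.1.30": [20000, 21000, 19500, 20500, 19800, 20200, 20800, 19900],
}


def build_baseline(samples):
    """Return {host: (mean, stddev)} describing normal traffic for each host."""
    return {host: (mean(vals), pstdev(vals)) for host, vals in samples.items()}


def find_anomalies(baseline, inventory, observed, z_threshold=3.0, min_sigma=1.0):
    """Compare one observation window {host: bytes} against the baseline.

    Returns a list of (host, reason) tuples. A host is abnormal when it is not
    in the inventory, has no baseline, or its volume is more than z_threshold
    standard deviations from its mean. min_sigma stops a very flat baseline
    from turning tiny fluctuations into alerts.
    """
    findings = []
    for host, volume in observed.items():
        if host not in inventory:
            findings.append((host, "unknown host (not in inventory)"))
            continue
        if host not in baseline:
            findings.append((host, "no baseline for known host"))
            continue
        mu, sigma = baseline[host]
        sigma = max(sigma, min_sigma)
        z = (volume - mu) / sigma
        if abs(z) > z_threshold:
            direction = "above" if z > 0 else "below"
            findings.append((host, f"volume {volume} is {abs(z):.1f} sigma {direction} normal ({mu:.0f})"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SAMPLES)
    # Constructed observation: one PLC sending far more than usual (possible
    # misconfiguration or unwanted data flow) and an unsanctioned host appearing.
    observed = {"10.0.1.10": 9000, "10.0.1.11": 1295, "10.0.1.20": 5020,
                "10.0.1.30": 20100, "10.0.1.99": 400}
    for host, reason in find_anomalies(baseline, INVENTORY, observed):
        print(f"ALERT {host}: {reason}")
```

The inventory check matters as much as the statistics: a host that is not on the list is abnormal regardless of how little traffic it sends, which is exactly the kind of knowledge-of-the-environment signal the section describes.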
2. SCADA network security
Within the scope of a SCADA network, make sure to secure each connection, whether it’s a programmable logic controller (PLC) to server, database to server, client to database or cloud to client (the list goes on). It is vital that every connection is protected. This can be accomplished in a number of ways, but they all center around authentication and authorization. Most commonly, authentication comes in the form of usernames and passwords. Additional solutions, such as two-factor authentication, including biometrics, public key infrastructure (PKI), key cards and USB tokens, offer yet another layer of protection. Once a user has verified who they are through authentication, authorization determines the privileges they should have in a system. This can be role-based, network-based or a hybrid of both.
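The hybrid role-based plus network-based authorization the section ends on can be shown in a few lines. The following is an added example, not code from the original article: an authorize() function first checks what the user's role permits at all, then checks whether a sensitive action such as writing a setpoint may originate from the source network, and records every decision (who, what, from where, when, outcome) as a JSON audit entry. The roles, actions, subnet and user names are constructed for illustration.

```python
# Added example (not from the original article): a hybrid authorization check
# for SCADA connections that combines role-based and network-based rules, and
# records every decision as an audit entry (who, what, from where, when).
# Roles, subnets, actions and users here are constructed for illustration.
import ipaddress
import json
from datetime import datetime, timezone

# Constructed role-based policy: which actions each role may perform.
ROLE_PERMISSIONS = {
    "viewer": {"read_tags"},
    "operator": {"read_tags", "write_setpoint"},
    "engineer": {"read_tags", "write_setpoint", "download_logic"},
}

# Constructed network-based policy: actions that are only allowed from the
# control network, regardless of role. Writes from the corporate LAN are denied.
CONTROL_NET = ipaddress.ip_network("10.0.1.0/24")
CONTROL_NET_ONLY = {"write_setpoint", "download_logic"}

AUDIT_LOG = []  # in-memory trail; a real deployment would ship this to a log server


def record_decision(user, role, source_ip, action, allowed, reason):
    """Append one JSON audit record: who did what, from where, and the outcome."""
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "src": source_ip,
        "action": action, "allowed": allowed, "reason": reason,
    }))


def authorize(user, role, source_ip, action):
    """Return True if `role` may perform `action` from `source_ip`.

    Role check first (what the user is allowed to do at all), then the network
    check (whether this sensitive action may originate from this network).
    Every decision, allowed or denied, is written to the audit trail.
    """
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    reason = "permitted by role" if allowed else "role does not permit action"
    if allowed and action in CONTROL_NET_ONLY:
        if ipaddress.ip_address(source_ip) not in CONTROL_NET:
            allowed, reason = False, "action not permitted from this network"
    record_decision(user, role, source_ip, action, allowed, reason)
    return allowed


def denied_events(log=None):
    """Return the parsed audit records whose decision was a denial."""
    entries = [json.loads(line) for line in (AUDIT_LOG if log is None else log)]
    return [e for e in entries if not e["allowed"]]


if __name__ == "__main__":
    authorize("alice", "operator", "10.0.1.55", "write_setpoint")    # allowed
    authorize("alice", "operator", "192.168.5.7", "write_setpoint")  # denied: wrong network
    authorize("bob", "viewer", "10.0.1.55", "download_logic")        # denied: role
    for line in AUDIT_LOG:
        print(line)
```

Logging the denials, not just the successes, is what makes the trail useful later: a burst of "action not permitted from this network" entries for one account is an early sign of a misconfigured client or a credential being used from somewhere it should not be.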
3. Network security
The best method for keeping a network protected is TLS (sometimes still called SSL), which encrypts HTTP traffic between clients, the gateway and the databases so that sessions cannot be hijacked in transit. It also encrypts OPC UA and message queuing telemetry transport (MQTT) communication to ensure private data transfer. Auditing is another powerful tool for maintaining security. By running periodic audits, operators can track who did what from where; the resulting logs, trails and profiles make sure that whatever happens on the network is recorded.
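Whether TLS actually prevents hijacking depends on how the client is configured: encryption alone does nothing if the client accepts any certificate. The following is an added example, not code from the original article, using only Python's standard ssl module: a weak client context that skips certificate and hostname checks sits beside a hardened one that verifies the gateway's certificate and refuses anything older than TLS 1.2, and an audit_context() self-check reports which policy rules a context violates. The CA bundle path is a placeholder; the same context would be handed to an MQTT or HTTPS client library.

```python
# Added example (not from the original article): constructing a TLS client
# context for an MQTT or HTTPS gateway connection, contrasting a weak setup
# that accepts any certificate with a hardened one that verifies the server
# and refuses legacy protocol versions. The CA file path is a placeholder.
import ssl


def weak_context():
    """What NOT to do: no certificate verification, no protocol version floor.

    This still encrypts, but an attacker on the path can present any
    certificate and read or alter the traffic (a classic session hijack).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                              # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # accept whatever the library allows
    return ctx


def hardened_context(ca_file=None):
    """Client context that authenticates the gateway and pins a TLS 1.2 floor.

    ca_file is the path to the plant's private CA bundle (placeholder); when
    None the system trust store is used instead.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3 / TLS 1.0 / TLS 1.1 are rejected
    ctx.check_hostname = True                     # certificate must match the gateway name
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable certificate aborts the handshake
    return ctx


def audit_context(ctx):
    """Return a list of policy violations found in a context (empty if compliant).

    Useful as a startup self-check so that configuration drift toward the
    weak settings is caught before any connection is made.
    """
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy TLS/SSL versions allowed")
    return problems


if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

Running audit_context() against every context an application builds at startup, and refusing to start on a non-empty result, turns the "secure each connection" rule into something enforced rather than assumed.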
4. Device security
Device security can be split into two categories: protecting workstation computers and servers, and protecting PLCs. For computers and servers, this consists of removing unnecessary programs, keeping software up-to-date, setting up firewalls on redundant servers, using only necessary ports and disabling remote access. If remote access is required, route it through a virtual private network (VPN) protected by multi-factor authentication. As far as PLCs are concerned, it is best to use network segmentation — keeping operational technology (OT) data on a separate, private network — using a virtual local area network (VLAN) with encryption and setting up an edge-of-network gateway as a bridge. Another option is implementing unidirectional gateways (also known as data diodes), which allow information to pass from the SCADA network to the information technology (IT) network in only one direction, guaranteeing isolation while maintaining the flow of data.
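"Using only necessary ports and disabling remote access" is easy to state and easy to drift away from; a periodic listener audit catches the drift. The following is an added example, not code from the original article: it parses listener lines in the shape of Linux `ss -tlnp` output (the sample text is constructed), compares each listening port against an allowlist of the services a SCADA server needs, and reports exposed remote-access services, local-only services bound to every interface, and listeners nobody approved. The allowlist, port-to-service mapping and process names are illustrative assumptions, not any vendor's requirements.

```python
# Added example (not from the original article): auditing which TCP ports a
# SCADA server actually listens on against an allowlist of the ports it needs,
# and flagging remote-access services that policy says should be disabled.
# The listener lines below are constructed to mimic `ss -tlnp` output; the
# allowlist and policy are illustrative, not taken from any vendor.
import re

# Constructed output in the shape of `ss -tlnp` (Linux). On Windows the same
# check could be fed from `netstat -ano` with an adjusted regex.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("gateway",pid=1204,fd=5))
LISTEN 0      100    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=6))
LISTEN 0      128    0.0.0.0:4840        0.0.0.0:*         users:(("opcua-server",pid=1310,fd=4))
LISTEN 0      128    0.0.0.0:8883        0.0.0.0:*         users:(("mosquitto",pid=1350,fd=7))
LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=1500,fd=9))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=2044,fd=3))
"""

# Constructed policy: ports the server needs (HTTPS gateway, OPC UA, MQTT over
# TLS, a local-only database) and remote-access ports that must not be exposed
# outside the VPN-plus-MFA path described in the article.
ALLOWED_PORTS = {443, 4840, 8883}
LOCAL_ONLY_PORTS = {5432}                  # may listen, but only on loopback
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text):
    """Return [(address, port, process)] for each LISTEN line in ss-style output."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit_listeners(listeners):
    """Classify each listener; return a list of (port, process, finding) to act on."""
    findings = []
    for addr, port, proc in listeners:
        loopback = addr.startswith("127.") or addr == "[::1]"
        if port in REMOTE_ACCESS_PORTS and not loopback:
            findings.append((port, proc,
                             f"remote access ({REMOTE_ACCESS_PORTS[port]}) exposed; disable or route via VPN with MFA"))
        elif port in LOCAL_ONLY_PORTS and not loopback:
            findings.append((port, proc, "local-only service bound to all interfaces"))
        elif port not in ALLOWED_PORTS and port not in LOCAL_ONLY_PORTS and port not in REMOTE_ACCESS_PORTS:
            findings.append((port, proc, "unexpected listener; not in allowlist"))
    return findings


if __name__ == "__main__":
    for port, proc, finding in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"{port:>5}  {proc:<14} {finding}")
```

The useful output is the diff between what the allowlist says and what the box actually does; the unexpected python3 listener on 8080 in the sample is the kind of "unnecessary program" that accumulates on a server nobody audits.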
5. Physical security
It may sound counterintuitive, but physical security is an integral part of cybersecurity. One of the most common forms of attack is to physically hijack a server or workstation. To combat this, people can implement company-wide solutions like guards, badges and video monitoring as well as device control for laptops, phones and USB keys. Beyond that, having effective policies and training will go a long way towards keeping networks safe from bad actors and honest mistakes alike.