Thanks to high-profile cases like Stuxnet, Flame, Disttrack (aka Shamoon), and Batchwiper, security has become an increasingly hot topic within all industries. In addition to direct system attacks, various organizations are attempting attacks via memory sticks and massive DDoS attacks that cause communication shutdowns.
While it is theoretically possible to create a completely secure system by locking it down entirely, you would sacrifice the usefulness and usability of your system in the pursuit. Running a completely isolated system also leaves it vulnerable to new and improved viruses or hacks that the existing system may not even recognize as a running process. Outlined below are some critical steps to create a more secure environment.
Segregate Your Networks
You should never have your control and business networks, or any outside-the-facility connection, on the same network. The obvious security implication is that one malicious email attachment could bring down both networks. There are also various hacks against switches and routers that may leave the control system open to the underworld of computing.
Historically, plants have relied on DMZs (demilitarized zones) to isolate the control system from the outside business networks. In light of recent attacks, this approach is becoming less and less trusted. A section of a network that can be accessed by both your control network and business network has been shown to be a weakness in several of the attacks listed above. Allowing the control network to store data on a system from which it can be saved onto DVD, CD or memory stick provides a way for information to flow between the control and business networks without the two communicating directly.
Deny Access by Default
Configuring firewalls between networks is something that many companies fail to do adequately. Many configurations are rushed, leaving them incomplete. The best policy is to deny all traffic by default and only allow connections on an exception basis, a concept called 'whitelisting.'
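The following Python example is added here and is not from the original article. It models first-match firewall rules between a business and a control network, shows how one leftover broad rule defeats a deny-by-default policy, and audits a ruleset for such rules. The subnets, ports and rule names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: the business network is 10.10.0.0/16 and the
# control network is 192.168.50.0/24. Addresses, ports and rule names are
# assumptions for this example only.
STRICT = [
    {"name": "historian-push", "action": "allow", "src": "192.168.50.10/32",
     "dst": "10.10.5.20/32", "proto": "tcp", "port": 5432},
]
# A "rushed" ruleset: the same exception plus a leftover broad rule.
RUSHED = STRICT + [
    {"name": "temp-commissioning", "action": "allow", "src": "0.0.0.0/0",
     "dst": "192.168.50.0/24", "proto": "any", "port": None},
]

def matches(rule, src, dst, proto, port):
    """True when a flow falls inside every field of the rule."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and rule["proto"] in ("any", proto)
            and rule["port"] in (None, port))

def decide(rules, src, dst, proto, port, default="deny"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule["action"], rule["name"]
    return default, "default"

def audit(rules, default="deny"):
    """List rules that undermine an exception-only (whitelist) policy."""
    findings = []
    if default != "deny":
        findings.append("default action is not deny")
    for rule in rules:
        if rule["action"] != "allow":
            continue
        for side in ("src", "dst"):
            if ipaddress.ip_network(rule[side]).prefixlen == 0:
                findings.append(f"{rule['name']}: {side} is any address")
        if rule["proto"] == "any" or rule["port"] is None:
            findings.append(f"{rule['name']}: protocol or port is unrestricted")
    return findings

if __name__ == "__main__":
    flow = ("10.10.7.33", "192.168.50.21", "tcp", 502)  # business PC -> controller
    print(decide(STRICT, *flow))  # falls through to the default deny
    print(decide(RUSHED, *flow))  # matched by the leftover broad rule
    print(audit(RUSHED))
```

Running the audit against an exported ruleset before it goes live catches the broad "temporary" rules that rushed configurations tend to leave behind.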
Deny Execution by Default
In addition to denying access, new software monitoring systems, such as Bit9, whitelist all executable files on the system with the original install. These monitoring systems can also be configured to block anything that is not whitelisted from running, or to raise an alarm when something outside the whitelist runs on the system.
Restrict Physical Access
Simple solutions, such as locking control panels with access alarms and allowing only the DCS or PLC engineering nodes to program on the control network, can increase security and stop the infestation of harmful worms and viruses.
Securing control and business network systems should be every organization's top priority. The Avid team can help you maximize security for your system. We welcome an opportunity to meet with you and your team to discuss your system security needs.