Aug  2019

Industrial Cybersecurity: Debunking the Myths and Adopting Best Practices

About 20 years ago, OT networks were isolated: production lines were air-gapped and unconnected. Things started to change around ten years ago, when industrial automation was being implemented in factories and factory managers began to interconnect production lines in order to tap into the benefits that factory automation could bring. When an OT system is connected to the Internet or other IT systems, it becomes a point of weakness for malicious attacks or accidental data loss. So why is cybersecurity so often overlooked by OT engineers? The answer can be traced to some common myths.

Common Industrial Cybersecurity Myths

Several common myths about industrial cybersecurity are doing the rounds. For instance, some people think that because their industrial networks are physically isolated and not connected to the Internet, their networks are secure. This may have been true ten years ago, but it is not true today. For example, industries such as smart manufacturing often require many devices to be interconnected. Even if your industrial control systems (ICS) or industrial networks are not connected to the Internet, the systems may still be vulnerable to unauthorized connections. Some people also believe that hackers do not understand ICS, PLCs, or SCADA systems, and that their networks should therefore be secure. In reality, several sophisticated cyberattacks that targeted ICS networks, such as Stuxnet (targeting PLCs) and Industroyer (targeting circuit breakers), have been reported since 2010. Furthermore, malware specifically designed to target industrial control devices has been unleashed, causing substantial damage to industries. This trend clearly indicates that hackers are changing their focus to target industrial sectors, such as oil and gas, energy, and manufacturing, which suggests that attacks on industrial sectors are likely to increase in the future.

The Differences Between Industrial Networks and IT Networks

Industrial networks and IT networks have different business priorities, focus areas, protection targets, and even environmental conditions. In fact, different priorities are often decided by different managers within the same organization. On the IT side, business analysts, CIOs, and IT architects are the primary decision-makers that plan and manage IT networks and cybersecurity. From their point of view, confidentiality is the top priority. On the OT side, plant managers, COOs, and control engineers are the main decision-makers. From their point of view, production or system availability is the top priority. Therefore, in order for IT/OT integration to succeed, it is important to understand the different business priorities and needs of both IT and industrial control systems. The following figure describes these differences in greater detail.

Different priorities for IT and OT networks.

Best Practices for Enhancing Your Industrial Network Cybersecurity

Despite the big differences in priorities and techniques used to protect industrial control systems compared to enterprise IT systems, several industrial associations have developed standards and security guidelines for connecting or converging ICS with IT systems. In particular, the Industrial Internet Consortium (IIC), National Institute of Standards and Technology (NIST), and International Electrotechnical Commission (IEC) focus on three major areas for improving ICS cybersecurity. These three pillars for securing industrial networks are:

  • Deploy defense-in-depth protection for industrial networks
  • Enable security settings on your industrial networks
  • Manage security through education, policies, and monitoring

Based on these three pillars, we recommend the following best practices as the first step to shoring up your ICS cybersecurity.

Best Practice I: Secure Network Infrastructure

  • Segment your ICS into several subsystems and define the data communication needs between each subsystem.
  • Install industrial firewalls between each segment and configure the data communication policy properly (for example, block unnecessary data communication with protected subsystems).
  • Install an intrusion prevention system (IPS) or intrusion detection system (IDS) to monitor whether any malicious activity is taking place on your industrial network.
  • Set up VPN connections for any remote monitoring or remote maintenance access.
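
The segmentation and firewall-policy steps above can be checked against recorded traffic. The following is an added example, not code from the original article: segment names, subnets, allowed flows and flow records are all constructed assumptions, and each flow record is taken to describe the side that initiated the connection.

```python
import ipaddress

# Constructed segment plan (assumption): names and subnets are illustrative.
SEGMENTS = {
    "enterprise": ipaddress.ip_network("10.0.0.0/24"),
    "scada": ipaddress.ip_network("10.10.1.0/24"),
    "cell_a": ipaddress.ip_network("10.10.2.0/24"),
}

# Documented communication needs: (src segment, dst segment, proto, dst port).
# Anything not listed here is denied, including traffic nobody planned for.
ALLOWED = {
    ("scada", "cell_a", "tcp", 502),      # SCADA polls PLCs over Modbus/TCP
    ("enterprise", "scada", "tcp", 443),  # enterprise users reach a SCADA web UI
}

def segment_of(ip):
    """Return the segment name owning ip, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(flow):
    """Classify one flow record as 'allow', 'deny' or 'unknown-host'."""
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    if src is None or dst is None:
        return "unknown-host"  # address not covered by any defined segment
    if src == dst:
        return "allow"  # intra-segment traffic does not cross a segment firewall
    key = (src, dst, flow["proto"], flow["dport"])
    return "allow" if key in ALLOWED else "deny"

# Constructed flow records (sample data, not real traffic).
FLOWS = [
    {"src": "10.10.1.5", "dst": "10.10.2.20", "proto": "tcp", "dport": 502},
    {"src": "10.0.0.40", "dst": "10.10.2.20", "proto": "tcp", "dport": 502},
    {"src": "10.10.2.20", "dst": "10.10.1.5", "proto": "tcp", "dport": 502},
    {"src": "192.168.7.9", "dst": "10.10.1.5", "proto": "tcp", "dport": 443},
]

def audit(flows):
    """Return (src, dst, dport, verdict) for every flow record."""
    return [(f["src"], f["dst"], f["dport"], evaluate(f)) for f in flows]

if __name__ == "__main__":
    for row in audit(FLOWS):
        print(row)
```

The second and third records are denied even though port 502 is in the policy: the rule is bound to a source segment and a direction, not just a port.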

Best Practice II: Hardened Device Security

  • Confirm that you are not using default passwords on your equipment, especially network devices such as industrial Ethernet switches, routers, wireless access points, or cellular routers.
  • Choose a strong password that has at least eight characters and is hard to guess.
  • Enable access control lists. This feature can preregister device IP or MAC addresses on the industrial network device and only allow the devices that match the access control rules to use the network.
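
The access control list described in the last item can be audited against the devices actually seen on the network. The following is an added example, not code from the original article: it assumes the list binds each preregistered IP to a MAC address (the article allows either), and the registered entries and observed devices are constructed sample data.

```python
import re

def normalize_mac(mac):
    """Canonicalise 00-1A-..., 001a.2b3c.4d5e or 00:1a:... to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed ACL (assumption): preregistered IP -> MAC, entered in mixed notations.
REGISTERED = {
    "10.10.2.20": "00:1A:2B:3C:4D:5E",
    "10.10.2.21": "00-1A-2B-3C-4D-5F",
}

def build_acl(entries):
    """Normalise every registered MAC so comparisons are notation-independent."""
    return {ip: normalize_mac(mac) for ip, mac in entries.items()}

def check(acl, ip, mac):
    """Return 'permit', 'mac-mismatch', 'ip-mismatch' or 'unregistered'."""
    mac = normalize_mac(mac)
    if ip in acl:
        # Registered IP: the hardware behind it must be the registered device.
        return "permit" if acl[ip] == mac else "mac-mismatch"
    if mac in acl.values():
        # Known device answering on an address it was not registered for.
        return "ip-mismatch"
    return "unregistered"

# Constructed observations, e.g. rows exported from a switch neighbour table.
OBSERVED = [
    ("10.10.2.20", "001a.2b3c.4d5e"),
    ("10.10.2.21", "00:1a:2b:aa:bb:cc"),
    ("10.10.2.99", "00:1a:2b:3c:4d:5f"),
    ("10.10.2.50", "de:ad:be:ef:00:01"),
]

def audit(acl, observed):
    """Return (ip, mac, verdict) for every observed device."""
    return [(ip, mac, check(acl, ip, mac)) for ip, mac in observed]

if __name__ == "__main__":
    for row in audit(build_acl(REGISTERED), OBSERVED):
        print(row)
```

Normalising before comparison matters because the same MAC is often written differently in the ACL and in device output; without it a legitimate device would be reported as a mismatch.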

Best Practice III: Security Management and Education

  • Develop security policies for the operators who design, operate, and maintain this system. Policies should also consider third-party contractors and equipment vendors.
  • Train and educate system engineers to understand the importance of cybersecurity and ensure they are familiar with new policies.
  • Develop security policies for endpoints, equipment, and network devices.
  • Invest in security monitoring tools to monitor and back up security settings on your equipment and network devices.

Conclusion: Industrial Cybersecurity Is Everyone’s Job

Manufacturers also need to understand and balance the different priorities of their IT and OT departments in order to effectively break down organizational silos and implement best practices for strengthening industrial network security, which include deploying defense-in-depth protection, enabling security settings on industrial networks, and managing security policies through education and monitoring. As these guidelines suggest, the responsibility of ensuring cybersecurity for industrial networks falls on more than just one person in your organization. In the end, everyone in your organization has a crucial role to play when it comes to industrial cybersecurity and the successful transformation of legacy OT systems to Industry 4.0 in a future where everything is connected to the Internet.

For more pragmatic solutions and best practices to protect your industrial networks, download the white paper, Industrial Network Cybersecurity: Debunking the Myths and Adopting Best Practices.

Copyright © 2019 Moxa Inc. All rights reserved.