Editor’s Note: This article was created with expertise from Mark Cooksley, a product manager with Hirschmann Automation and Control and an expert on industrial cyber security.
Defense in Depth is recognized as one of the key best practices for securing industrial networks. It involves using multiple types of defenses at different layers in the network in order to provide higher resistance to attacks than is possible with a single defense, such as a perimeter firewall.
Okay, great, we know this … but what are the practical ways to put this concept into practice? Your first step should be to do a risk assessment and to prioritize your risks and their countermeasures.
In parallel, think about your current defenses, which likely include the perimeter firewall. Do they also include taking advantage of the security functions built in to other network devices?
As network hardware has become more powerful, it has expanded to include security capabilities. Most managed Ethernet switches include cyber security features to protect themselves and they are a way to enhance the security of your network at no extra cost.
To make sure you are not missing any easy-to-implement security enhancements, let’s take a look at some of the security features built into switches, such as those from our Hirschmann and GarrettCom brands.
Singular defenses, such as a wall, will inevitably be breached. Similarly, a perimeter firewall needs to be supplemented with multiple layers of defense to truly protect industrial Ethernet network infrastructure.
Limit Communication Protocols
One type of straightforward protection is to limit communication protocols to only those that are needed to manage a network infrastructure device. The table below shows recommended restrictions for common management protocols used by industrial control systems (ICS).
Table 1: Management protocols should be limited or changed as above to protect network infrastructure.
Restrict the IP Addresses that Can Access Devices
Another layer of defense is to restrict the IP addresses that can access devices. To do this, specify which IP addresses are allowed to access the device management interfaces, and then specify which protocols each IP address may use.
An attacker would then need to spoof the IP address of the management station to reach the devices, which would require greater knowledge and IT skills.
While these two techniques may seem basic, used together they are very effective at preventing unwanted access to network infrastructure devices.
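As an added example (not code from the article, and not the implementation in Hirschmann or GarrettCom devices), the following Python models how the two controls above, limiting management protocols and restricting which stations may use them, combine into one decision per connection attempt. The enabled-protocol set, the station addresses and the per-station protocol lists are constructed values; the actual recommendations of Table 1 are not reproduced here.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed management-plane policy for one switch. These are example values,
# not a real device configuration and not the recommendations of Table 1.

# Control 1 (Limit Communication Protocols): management protocols the device
# accepts at all. Anything absent from this set is treated as disabled, so an
# unencrypted protocol such as telnet or http never reaches the ACL check.
ENABLED_PROTOCOLS: Set[str] = {"ssh", "https", "snmpv3"}

# Control 2 (Restrict the IP Addresses that Can Access Devices): which
# management stations may use which of the enabled protocols.
MANAGEMENT_ACL: Dict[ipaddress.IPv4Network, Set[str]] = {
    ipaddress.ip_network("10.10.1.10/32"): {"ssh", "https", "snmpv3"},  # engineering station
    ipaddress.ip_network("10.10.2.0/24"): {"snmpv3"},                   # NMS segment: monitoring only
}


def is_management_access_allowed(src_ip: str, protocol: str) -> Tuple[bool, str]:
    """Decide one management connection attempt; returns (allowed, reason)."""
    protocol = protocol.lower()
    if protocol not in ENABLED_PROTOCOLS:
        return False, f"{protocol} is disabled on the device"
    ip = ipaddress.ip_address(src_ip)
    for network, protocols in MANAGEMENT_ACL.items():
        if ip in network:
            if protocol in protocols:
                return True, f"{src_ip} matched {network}"
            return False, f"{src_ip} matched {network} but {protocol} is not permitted from there"
    return False, f"{src_ip} is not an authorised management station"


def denied_attempts(attempts: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Filter a batch of (src_ip, protocol) attempts down to the denied ones.

    Denied attempts are what you would forward to syslog or a SIEM: a burst of
    them from one address is the signal that someone is probing the management plane.
    """
    result = []
    for src_ip, protocol in attempts:
        allowed, reason = is_management_access_allowed(src_ip, protocol)
        if not allowed:
            result.append((src_ip, protocol, reason))
    return result


if __name__ == "__main__":
    # Constructed connection attempts, as a device log would record them.
    sample = [
        ("10.10.1.10", "ssh"),
        ("10.10.1.10", "telnet"),
        ("10.10.2.55", "snmpv3"),
        ("10.10.2.55", "https"),
        ("192.168.0.7", "https"),
    ]
    for entry in denied_attempts(sample):
        print("DENY", *entry)
```

The order of the two checks matters: a disabled protocol is refused before the source address is even consulted, which is the point the article makes about the two techniques reinforcing each other. An attacker who spoofs the engineering station's address still gains nothing over telnet, because the device never listens for it.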
Control User Access
Users should have unique passwords that are robust. Implement a password policy that requires passwords to have:
- A minimum length
- At least one upper case character, lower case character, number and special character
Also set a maximum number of login attempts.
It is hard to overstate the importance of this. Over the past few years, a number of ICS vulnerabilities have concerned devices with default passwords that could not be changed. The reasons for this may have been ease of maintenance, concerns about fast recovery or easy integration with other systems. Operationally it makes things simpler, but it is an insecure practice.
You should establish a login authentication list and then store the list either locally or remotely on a RADIUS server.
Example of setting up device authentication to occur locally or on a RADIUS server.
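The password policy, the login-attempt limit and the authentication list described above can be modelled in a few dozen lines. The following Python is an added illustration, not the device's own implementation: the minimum length of 12, the attempt limit of 3, the local user database and the RADIUS stand-in are constructed, and the assumption that the list falls through to the next method only when a method is unreachable (not when it rejects) is stated in the comments.

```python
import string
from typing import Callable, Dict, List

# ---- Password policy: the rules the article lists ----
MIN_LENGTH = 12                      # assumed value; the article only says "a minimum length"
SPECIAL_CHARS = set(string.punctuation)


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case character")
    if not any(c.islower() for c in password):
        problems.append("no lower case character")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    return problems


# ---- Login authentication list with an attempt limit ----
# An authentication method returns "accept", "reject" or "unreachable".
AuthMethod = Callable[[str, str], str]
MAX_ATTEMPTS = 3                     # assumed value for "a maximum number of login attempts"

# Constructed local user database (a real device stores salted hashes, not plaintext).
LOCAL_USERS: Dict[str, str] = {"admin": "Sw1tch-Adm1n!2024"}


def local_auth(user: str, password: str) -> str:
    return "accept" if LOCAL_USERS.get(user) == password else "reject"


def radius_auth_factory(server_up: bool, users: Dict[str, str]) -> AuthMethod:
    """Stand-in for a RADIUS client so the list can be exercised offline.

    A real implementation sends Access-Request over UDP/1812 and maps
    Access-Accept / Access-Reject / timeout onto the same three results.
    """
    def radius_auth(user: str, password: str) -> str:
        if not server_up:
            return "unreachable"
        return "accept" if users.get(user) == password else "reject"
    return radius_auth


class LoginController:
    """Walks the authentication list in order and enforces the attempt limit.

    Assumed semantics: the next method is consulted only when the previous one
    is unreachable. A definitive reject ends the walk, so a wrong password is
    never retried against a second backend, and a RADIUS outage falls back to
    the local list instead of locking engineers out.
    """

    def __init__(self, methods: List[AuthMethod], max_attempts: int = MAX_ATTEMPTS):
        self.methods = methods
        self.max_attempts = max_attempts
        self.failures: Dict[str, int] = {}
        self.locked: set = set()

    def login(self, user: str, password: str) -> str:
        if user in self.locked:
            return "locked"
        for method in self.methods:
            result = method(user, password)
            if result == "unreachable":
                continue
            if result == "accept":
                self.failures.pop(user, None)
                return "accept"
            return self._record_failure(user)
        return "unavailable"          # no backend reachable; not counted against the user

    def _record_failure(self, user: str) -> str:
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "reject"
```

A list of `[radius, local]` gives the behaviour most sites want: central control when the RADIUS server is up, and a local emergency account when it is not. Failed attempts are counted per user across both backends, so the lockout cannot be dodged by waiting for a fallback.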
Another aspect of device protection is to encrypt its configuration file when storing it on external memory. While this makes it more complex to replace a device, it does make unauthorized access to the configuration file more difficult.
Detect IP Address Conflicts
Duplicate IP addresses could indicate that an attacker is attempting to get around the IP address restriction. Alternatively, they could be executing a deliberate denial of service attack, which would prevent a network management station from seeing the device.
Or, IP address conflicts can be an indicator of human error, which is itself a security risk.
There are two ways to detect if the IP address of a network infrastructure device is also being used by an end device. One is to have the device actively check whether an IP address is already in use. The other is to have the device passively analyze network traffic and watch for its own address.
If another device using the same IP address is detected, the switch tries to defend its IP address by forcing the other device to change the IP address it is using. If this does not work, the network device stops using the problematic IP address.
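The following Python is an added example, not Hirschmann code, that models both detection methods with the real ARP packet layout (RFC 826) and the defend-then-withdraw behaviour described above. The MAC and IP addresses are constructed; the choice to defend once with a gratuitous ARP before giving up the address is an assumption, and a real implementation would send and receive frames through a raw socket rather than the in-memory bytes used here.

```python
import struct
from collections import namedtuple
from typing import List, Optional, Tuple

# Ethernet/IPv4 ARP body as laid out in RFC 826: hardware type, protocol type,
# hardware length, protocol length, opcode, sender MAC, sender IP, target MAC, target IP.
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")
OP_REQUEST, OP_REPLY = 1, 2
ArpPacket = namedtuple("ArpPacket", "op sender_mac sender_ip target_mac target_ip")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    return ARP_BODY.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                         mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(data: bytes) -> ArpPacket:
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = ARP_BODY.unpack(data[:ARP_BODY.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip))


class IpConflictMonitor:
    """Detects another station using this device's IP address and reacts as described.

    Active check:  probe() builds an ARP probe (sender IP 0.0.0.0, target IP = own
                   address); any reply for that address is caught by observe().
    Passive check: observe() inspects every ARP frame seen on the wire and flags
                   a sender claiming our address from a different MAC.
    Reaction:      defend once with a gratuitous ARP (assumed policy), then stop
                   using the address if the conflict persists.
    """

    def __init__(self, own_mac: str, own_ip: str, max_defenses: int = 1):
        self.own_mac, self.own_ip = own_mac.lower(), own_ip
        self.max_defenses = max_defenses
        self.defenses_sent = 0
        self.address_in_use = True
        self.events: List[Tuple[str, str]] = []

    def probe(self) -> bytes:
        return build_arp(OP_REQUEST, self.own_mac, "0.0.0.0", "00:00:00:00:00:00", self.own_ip)

    def observe(self, frame: bytes) -> Optional[bytes]:
        """Feed one ARP frame; returns a frame to transmit (the defense) or None."""
        pkt = parse_arp(frame)
        if pkt.sender_ip == self.own_ip and pkt.sender_mac != self.own_mac:
            return self._on_conflict(pkt.sender_mac)
        return None

    def _on_conflict(self, other_mac: str) -> Optional[bytes]:
        self.events.append(("conflict", other_mac))
        if self.defenses_sent < self.max_defenses:
            self.defenses_sent += 1
            # Gratuitous ARP: announce our MAC for the address so the other
            # station's own conflict detection makes it back off.
            return build_arp(OP_REQUEST, self.own_mac, self.own_ip, "ff:ff:ff:ff:ff:ff", self.own_ip)
        # Defense failed: give up the address and record it for the management station.
        self.address_in_use = False
        self.events.append(("withdrawn", self.own_ip))
        return None
```

The `events` list is the part a network management station cares about: a single "conflict" entry is worth an alert on its own, and a "withdrawn" entry means the switch is now unreachable at its configured address, whether the cause was a typo in an end device's configuration or something deliberate.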
In a perfect world, an engineer who configures the network never makes a mistake. In reality, when configuring security functionality on network infrastructure devices, it is all too easy to accidentally overlook something. That one small oversight could provide the doorway an attacker needs.
The latest switches and network management software (such as Industrial HiVision) provide an overview of the security status of network infrastructure devices at a glance. Even if you are not a security expert, this will bring security weaknesses in the infrastructure to your attention, before a person with malicious intent can take advantage of the mistake.
Device Defenses Enhance Industrial Cyber Security
While security can be a complex topic, it really comes down to utilizing a few key guiding principles, of which Defense in Depth is one. When thinking about Defense in Depth in your own context, remember to include reviewing and implementing the security measures possible with network devices, such as managed switches.
This blog has looked at just a few of the security measures available in switches, including those from our Hirschmann and GarrettCom product lines. In future articles, we will look at how the security functionality built into network infrastructure devices can be used to enforce a network access policy for end devices, and to prevent malicious traffic spreading across a network.
How important are device level security measures in your Defense in Depth strategy?