At first glance, keeping modern industrial networks secure is a daunting task. After all, they merge two systems that were traditionally kept separate into one shared ecosystem: the site's machine (OT) network and the information technology (IT) network.
When discussing industrial cybersecurity, the word 'architecture' often comes up. Like the factory buildings that house the machines, a secure network architecture must be structurally sound, with no parts missing. If you picture industrial cybersecurity as a warehouse, the firewall is the roof that keeps out the deluge of malware and junk traffic, the walls are the device-to-device connections, and the doors are the gateways to endpoints and remotely accessible devices. A roof is only useful if the doors are locked, which is why the steps below concern the doors as much as the roof.
You can think of industrial cybersecurity as layers of protection – known in the cybersecurity industry as defense in depth. Under this framework, a cybersecure network is one that has many built-in protections to defend against bad actors. Let’s look at the five steps on how to deepen your defenses.
By now, most industrial companies use Virtual Private Networks (VPNs). A VPN protects data in transit by sending all traffic through an encrypted, authenticated tunnel, so nobody on the open internet can read or tamper with it. Used properly, VPNs are an excellent shield between plant devices and the open internet, and unsurprisingly they are a staple of the modern industrial cybersecurity arsenal.
But any system is only as secure as the processes of the people using it. Most cyber-attacks begin with a human mistake: according to IBM, human error contributes to as many as 95% of incidents, an overwhelming share. For remote repairs, VPNs are often paired with device-to-device tunnelling software or remote desktop solutions, providing convenient access through a segregated, encrypted connection. A VPN, however, protects only the tunnel, not the credentials that open it. Attackers therefore routinely bypass it through social engineering, for example by impersonating a trusted user to obtain the credentials needed to log in to the network. Once they hold valid credentials, the encryption works for them just as well as for the legitimate technician.
A secure system reduces this human risk by giving IT a complete overview of who is authorized to access what. With a dedicated access management server, IT can manage all remote access users in one interface. Every user must be approved there before any access is granted, so the default is denial and weeding out unauthorized or stale accounts becomes simple.
Time management is great for productivity, right? It is also an excellent way to limit what a stolen credential can do. Attackers rarely know when a repair session has been scheduled, and restricting a user's access to selected time slots shrinks the window in which a compromised account is useful at all. Via a central device management server, companies can ensure that each device is reachable only by specific users at specific times, and that a session ends when its slot ends, so a neglected endpoint is never left permanently exposed as an exploitable hole in the network.
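The approval and scheduling rules above, as an added example of the decision logic an access management server would apply (this is illustrative code written for this page, not any vendor's product; the user names, device names and time slots are constructed placeholders). It checks approval before the schedule, so a revoked user gains nothing from a slot nobody cleaned up, returns the slot's end time so the server can cut the session, and refuses timezone-naive clock values instead of risking a fail-open comparison error:

```python
"""Central remote-access decision: a login must come from an approved user
AND fall inside a scheduled window for that device, otherwise deny.
Added example, not the page's own code; names are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Window:
    """One scheduled repair slot: who may reach which device, and when."""
    user: str
    device: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None  # when the server must tear the session down


class AccessPolicy:
    def __init__(self, approved_users, windows):
        self.approved_users = frozenset(approved_users)
        for w in windows:
            # Naive datetimes cannot be compared with an aware clock. Fail at
            # load time rather than at login time, where an exception handler
            # could quietly turn the error into an accidental fail-open.
            if w.start.tzinfo is None or w.end.tzinfo is None:
                raise ValueError(f"window for {w.user}/{w.device} is not timezone-aware")
            if w.end <= w.start:
                raise ValueError(f"window for {w.user}/{w.device} ends before it starts")
        self.windows = tuple(windows)

    def check(self, user: str, device: str, now: datetime) -> Decision:
        if now.tzinfo is None:
            return Decision(False, "clock value is not timezone-aware")
        # Approval first: a revoked user keeps no rights from a stale schedule entry.
        if user not in self.approved_users:
            return Decision(False, f"{user} is not an approved remote user")
        for w in self.windows:
            if w.user == user and w.device == device and w.start <= now < w.end:
                return Decision(True, f"scheduled slot on {device}", expires_at=w.end)
        return Decision(False, f"no scheduled slot for {user} on {device} at {now.isoformat()}")


UTC = timezone.utc
# Constructed sample policy. "carol" still has a slot, but her approval was
# revoked: the classic case of a schedule that outlived the account.
POLICY = AccessPolicy(
    approved_users={"alice", "bob"},
    windows=[
        Window("alice", "plc-line1", datetime(2024, 5, 6, 8, 0, tzinfo=UTC),
               datetime(2024, 5, 6, 10, 0, tzinfo=UTC)),
        Window("carol", "plc-line2", datetime(2024, 5, 6, 8, 0, tzinfo=UTC),
               datetime(2024, 5, 6, 10, 0, tzinfo=UTC)),
    ],
)


def decide(user: str, device: str, now_iso: str) -> Decision:
    """Evaluate the sample policy; `now_iso` is an ISO-8601 timestamp such as
    the access server would read from its own clock."""
    return POLICY.check(user, device, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for args in [("alice", "plc-line1", "2024-05-06T09:00:00+00:00"),
                 ("alice", "plc-line1", "2024-05-06T10:00:00+00:00"),
                 ("carol", "plc-line2", "2024-05-06T09:00:00+00:00"),
                 ("alice", "plc-line1", "2024-05-06T09:00:00")]:
        d = decide(*args)
        print(args, "ALLOW" if d.allowed else "DENY", "-", d.reason)
```

Note that the window end is half-open (`start <= now < end`): a request arriving exactly at 10:00 is refused, and a session granted at 09:59 carries `expires_at` so it is terminated at 10:00 rather than lingering.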
Another excellent defense-in-depth tool is two-factor authentication (2FA), which adds a second barrier against unauthorized logins and password theft. 2FA pairs the traditional password with an additional credential produced by a device the technician owns, typically a one-time code from an authenticator app or a hardware token. A stolen password alone is then not enough for an attacker to break into the network. As a bonus, a 2FA login requires little more effort than a conventional one. One caveat: a code the technician types into a login page can still be relayed in real time by the impersonation attacks described above, so factors bound to the genuine site, such as FIDO2 hardware keys, resist social engineering better than SMS or app-generated codes.
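How the common authenticator-app factor actually works, as an added example rather than code from the page or from any product: a time-based one-time password (RFC 6238 TOTP built on RFC 4226 HOTP) generated from a shared secret and the current 30-second step, plus the server-side checks a practitioner needs and that naive implementations omit: a small skew window for clock drift, a constant-time comparison, and rejection of a code that has already been used once. The secret is the RFC 6238 reference test secret, not a real key:

```python
"""TOTP second factor (RFC 6238 / RFC 4226) with replay protection.
Added example, not the page's own code; standard library only."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 reference secret (ASCII "12345678901234567890"), used here only so
# the results can be checked against the RFC's published test vectors.
SAMPLE_SECRET = b"12345678901234567890"


def provisioning_secret(secret: bytes) -> str:
    """Base32 form that authenticator apps expect when enrolling a user."""
    return base64.b32encode(secret).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic
    truncation to a 31-bit integer and reduction to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the wall clock."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check for one enrolled user.

    `window` = number of neighbouring 30-second steps accepted on either side of
    the current one, to tolerate clock drift between phone and server.
    `last_step` remembers the newest counter already accepted, so a code that
    was observed (shoulder-surfed, phished, logged) cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        submitted = submitted.strip()
        # Reject anything that is not exactly DIGITS ASCII digits before comparing.
        if len(submitted) != DIGITS or any(c not in "0123456789" for c in submitted):
            return False
        current = unix_time // STEP_SECONDS
        for drift in range(-self.window, self.window + 1):
            step = current + drift
            if step <= self.last_step:
                continue  # already consumed (or older than one that was): replay
            # compare_digest: timing does not reveal how many digits matched.
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    print("enrol with:", provisioning_secret(SAMPLE_SECRET))
    for t in (59, 1111111109, 1234567890):
        print(t, totp(SAMPLE_SECRET, t))
    v = TotpVerifier(SAMPLE_SECRET)
    print("first use:", v.verify("287082", 59), "replay:", v.verify("287082", 59))
```

The skew window is a deliberate trade-off: each extra step accepted roughly doubles the chance a guessed code is valid, so keep it at one step and rate-limit failed attempts per account on top.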
The diverse production machines of modern industries may not be all that modern. Since machinery can stay in service for more than a quarter of a century, standardized networking is vital. Differing communication protocols should ideally be consolidated before traffic leaves the remote site, and full visibility of that traffic is a must.
IIoT gateways kill both birds with one stone. The first I in IIoT stands for industrial, and the best industrial gateways can combine a range of industrial communication protocols into a single outbound connection. Because the gateway initiates that connection from inside the plant network, firewall management stays simple: companies avoid opening additional inbound ports in the firewall for routine repairs, and the firewall only has to permit one known outbound flow. The best IIoT gateways also let manufacturers manage whole fleets of devices as a group, bringing peace of mind and ease of configuration. Moreover, gateways protect PLCs by routing all traffic to and from the PLC through a dedicated encrypted network, sparing IT headaches, and their connectivity can be toggled with the flick of a switch so a machine is reachable only while a repair is under way.
When it comes to choosing a data and device management server, industries are spoilt for choice. But security and control go hand in hand, and not every hosting platform gives companies complete privacy over their data. When a data breach could mean embarrassment at best and a production stop at worst, leading manufacturers are understandably cautious about entrusting remote maintenance to third-party servers or clouds. The need only grows as companies scale: tier-one manufacturers are choice targets for data theft and consequently have every interest in keeping responsibility for their data in their own hands. Bringing in another company to host the service on their behalf adds one more party whose security posture they must watch.
One way around this problem is to cut it out entirely. The best machine data collection platforms on the market today let manufacturers take full control by hosting them on a private, in-house server. From an IT perspective, this cuts out the middleman, giving tier-one companies ownership of remote access management without exposing their network to a third party.
Cybersecurity is an evolving problem with ever-changing requirements. A system considered secure several years ago may not remain so. Attackers are always on the lookout for new vulnerabilities, including zero-days that rear their ugly head long after a software solution has been deployed. No matter how sophisticated or how layered your defense-in-depth model may be, the unexpected can never be fully planned for.
Complacency is a killer, and the best defense against emerging threats is vigilance. By choosing industrial internet-of-things platforms with current, independent cybersecurity audits, companies can keep their network in line with current international security standards. An audit is a snapshot, though: it tells you the platform was sound when it was tested, so it needs to be repeated, and the patches that follow each new finding need to be applied promptly, for the protection to hold.