Risk Mitigation Measures
The specific mitigation measures an organization implements will depend on its unique set of security risks and their potential impacts on safety. However, there are some key mitigation measures that most manufacturers and industrial operators should implement as a best practice:
• Segmentation into zones: This is a core security best practice. Every plant should do it as part of a holistic defense-in-depth security approach to help limit access to safety systems. An industrial demilitarized zone (IDMZ) with firewalls and data brokers can securely segment the plantwide network from the enterprise network. Also, using virtual LANs (VLAN) and a layer-2 or layer-3 switch hierarchy can create functional sub-zones to establish smaller domains of trust and simplify security policy enforcement.
• Physical access: Quite a few organizations use RFID cards to manage facility access control. But physical-access security should go further than that to protect safety systems. Lock-in, block-out devices should be used to prevent the unauthorized removal of cables and to close unused or unnecessary ports. And users should lock control cabinets to restrict walk-up and plug-in access to the industrial automation and control system devices. More advanced physical-access security is also emerging, such as IP video surveillance systems that can use analytics for facial recognition.
• Network-integrated safety and security: CIP Safety and CIP Security are extensions to the Common Industrial Protocol (CIP), which is the application-layer protocol for EtherNet/IP. CIP Safety allows safety devices to coexist on the same EtherNet/IP network as standard devices, and enables a safe shutdown in the event of a denial-of-service attack. CIP Security incorporates data integrity and confidentiality into EtherNet/IP communications. Working together, devices that incorporate CIP Safety and CIP Security can help protect against data corruption and malicious attacks on safety systems.
• Safety products with built-in security: Safety systems and other hardware should include built-in security features. For example, a safety controller that uses keyed software can ensure firmware only downloads from a trusted source, while an access door can restrict physical access to the controller. An industrial managed switch with access control lists (ACL) can also help ensure that only authorized devices, users and traffic access the network.
• Authentication and authorization: Security software features can restrict wired and wireless access to the network infrastructure. For example, authentication and authorization security is a key element in human-machine interface software and can limit safety-system access to only authorized individuals. This can help protect against malicious and accidental internal threats. Security personnel can define who can access the software, what specific actions they can perform and on which specific hardware, and from where they can perform those actions.
• Asset and change management: Asset-management software can automate the discovery of new assets and centrally track and manage configuration changes across an entire facility, including within safety systems. It can detect malicious changes in real time, log those activities and report them to key personnel. If unwanted changes occur, the software can access archived copies of a device program for fast recovery.
• Vulnerability management: Processes and procedures should ensure that action is taken promptly after safety and security advisories are released. This includes having processes in place to immediately review advisories and determine their potential impact. It also includes implementing patch-management procedures for affected products.
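As an added example (not code from the original article or from any vendor's product), the zone-segmentation and switch-ACL measures above can be checked mechanically: a small Python model of enterprise, IDMZ, plantwide and safety-cell zones, a first-match ACL evaluator, and an audit that flags any allow rule letting the enterprise network reach the plant directly instead of through the IDMZ. All CIDRs, ports, hosts and rules are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout; CIDRs are placeholders, not any real plant's.
ZONES = {
    "enterprise":  ipaddress.ip_network("10.0.0.0/16"),
    "idmz":        ipaddress.ip_network("10.10.0.0/24"),
    "plant":       ipaddress.ip_network("10.20.0.0/16"),
    "safety_cell": ipaddress.ip_network("10.20.5.0/24"),  # sub-zone inside plant
}
@dataclass(frozen=True)
class Rule:
    src: str      # source zone name
    dst: str      # destination zone name
    port: int     # destination TCP port; 0 means any
    action: str   # "allow" or "deny"
def zones_of(ip):
    """All zones containing ip, most specific (sub-zone) first."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return [name for _, name in sorted(hits, reverse=True)]

def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation with an implicit deny, as a firewall or switch ACL does."""
    src, dst = zones_of(src_ip), zones_of(dst_ip)
    for r in rules:
        if r.src in src and r.dst in dst and r.port in (0, port):
            return r.action
    return "deny"

def audit(rules):
    """Flag allow rules that break the segmentation intent, whatever evaluate() would say."""
    violations = []
    for r in (r for r in rules if r.action == "allow"):
        ends = {r.src, r.dst}
        # Invariant 1: enterprise and plant (or any plant sub-zone) never talk directly.
        if "enterprise" in ends and ends & {"plant", "safety_cell"}:
            violations.append(f"direct enterprise<->plant flow: {r}")
        # Invariant 2: only plant-side zones may initiate into the safety cell.
        if r.dst == "safety_cell" and r.src not in ("plant", "safety_cell"):
            violations.append(f"non-plant source into safety cell: {r}")
    return violations

# Constructed rules: enterprise -> IDMZ broker -> plant historian; plant -> safety cell (EtherNet/IP TCP 44818).
GOOD_RULES = [
    Rule("enterprise", "idmz", 443, "allow"),
    Rule("idmz", "plant", 1433, "allow"),
    Rule("plant", "safety_cell", 44818, "allow"),
]
BAD_RULES = GOOD_RULES + [Rule("enterprise", "plant", 44818, "allow")]  # bypasses the IDMZ
```

The point of `audit()` is that a rule set can pass individual flow checks and still violate the zone design; running it against exported firewall or switch ACLs at change time catches the bypass before traffic does.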