3 things to consider when securing IIoT network devices

Info12 Jul 2018Networking
For many organisations, their cyber-security focus may be to formulate and apply security standards suitable to the network as a whole, however local device security may be less understood.
Securing industrial network devices is becoming ever more relevant within the growing Industrial Internet of Things (IIoT) eco-system, which sees industrial applications transferring mission critical or operational data via rugged computing devices located in challenging locations and harsh environments.

As IIoT expands, more devices are being connected to industrial networks, resulting in increased traffic between devices, servers, control rooms and the cloud. Therefore, securing network data transmissions at device level is paramount so that industrial organisations minimise the risk of a security breach or cyber-attack.

The impact of not thoroughly securing your IIoT network could have an enormous effect on data processing, management, and analytics. Additionally, having a fragmented approach to your IIoT security could result in real downtime for your organisation.

Whilst network security encompasses many different factors like wifi, anti-virus software and intrusion detection & prevention, Impulse Embedded’ in-house FAE and networking specialist, Matt Lundberg discusses 3 considerations for securing industrial networking devices such as Ethernet switches, and how these could go some way to benefiting your organisations IIoT network security as a whole.

1. Passwords and admin access

Most organisations know that a strong password policy is at the core of a good network security strategy, however, many manufacturer’s devices are configured as standard with default usernames and passwords, and since this data can often be repeated for all devices of the same make and model, taking time to modify configured manufacturer’s devices is crucial in securing your network of devices.

Utilising cyber-security standards like IEC 62443-4-2 level 2, prompts the use of complex passwords of four elements of numerical, mixed case and special characters for a more robust approach to password security. Additionally, if the hardware you are using supports ‘User Account Management’ this can be used as a method to restrict user access to read only.  Where hardware allows it, the use of RADIUS or TACACS servers can be used for a very granular and central authentication process. Logging events such as user logons, interface status changes, device restarts etc. can help when analysing security issues relating to access and other security breaches.

Furthermore, restricting access to only allow communication from predetermined and trusted IP addresses, as well as using encrypted protocols to pass data across the network, in even its most basic form could make any interception much more difficult to decipher.

2. Physical access to devices

Have you considered how easily accessible your devices are? In environments where multiple people have access to these devices, examining the physical security of each one could be beneficial.

The simplest form of denial of service could involve physically removing power cables, pressing the reset button or pulling communication cables out of the device. This type of attack doesn’t require skill or effort and relies merely on physical access to the devices, therefore it would be advisable to consider locking devices away in cabinets or secure rooms, reducing the risk of physical tampering.

In many IIoT applications, devices can be located in more isolated environments that are subject to the demands of extremes in weather, temperature, or where the network devices could be subject to shock and vibration. This places high importance on ensuring network switches are robust enough to withstand these conditions eliminating the chance of secure connections being disrupted.

3. Port security and Access Control Lists

Robust Port security and Access Control List (ACL) are other elements of your security strategy that may require consideration. Good practice could be to disable or shut down any ports that are not being used to stop the device passing any traffic from unauthorised devices plugged into unused ports. If the device supports it, a port can also be locked to a certain MAC address, which can go towards ensuring that only authorised devices are plugged into the network.
Similarly, as ACL’s consider data passed through a port, they can be used to permit or deny traffic based on source and destination, IP or MAC address. Depending on the device traffic, ALC’s can also be restricted by protocol and by VLAN. An ACL is configured and applied to one or more interfaces for incoming or outgoing traffic. ACL’s analyse traffic before passing it on, therefore having a direct effect on CPU usage.

The complexities of IIoT

The industrial environment is facing increasing complexities relating to the relationship between OT/IT. This relationship requires careful management since office and industrial protocol may operate under different security standards. However, before an effective security management strategy for industrial networks can be implemented, essential measures to ensure an in-depth and layered approach should be made.

Enterprise IT systems have been evolving for many years, whilst IIoT is merely in its infancy. To bridge the security gap between OT and IT, organisations need to act quickly in instigating a process to secure their IIoT networks. Hardening switches is simply the start of a much bigger, holistic approach to adopting the types of multi-layered strategies necessary for the IIoT explosion predicted between now and 2020.

Therefore, starting with device level security and examining how an entire network is made up of the various security layers, would be the pragmatic approach needed to better securing your devices and a valuable step in a much higher level approach to securing your organisations IIoT network.

Key takeaways

Securing network data transmissions at device level is paramount to minimising the risk of network security breaches.

Things to consider:
  • Think about your devices default passwords and whether your current password policy is complex enough
  • Consider features like ‘User Account Management’
  • Do you restrict or deny IP Addresses?
  • Consider who has physical access to your network devices
  • Examine your Port Security & Access Control Lists
  • Do you have encrypted traffic management and configuration files?
  • Think about whether your existing devices meet the challenges of an industrial or harsh environment

Impulse recommends

With the adoption of Industrial Ethernet Switches, organisations can address technical security requirements whilst also ensuring that devices are rugged and capable of operation in demanding industrial environments.

Impulse have been partnering with Moxa, experts in tailor made Industrial Ethernet solutions for a number of years, supplying high-quality industrial grade Ethernet switches for smart factories and other infrastructure’s throughout the UK market.

Currently, Moxa’s devices have connected around 30 million devices worldwide, and with their Industrial Network Management suite, organisations can now better manage their IIoT security.
Some of the more recent products from Moxa’s portfolio of Industrial switches demonstrate the drift towards better device level security with the inclusion of firmware like Turbo Pack 3 to meet the requirements of the IEC 62443-4-2 level 2 standard, whilst also supporting MAC Address and RADIUS authentication to further enhance the security of the industrial network.

Additionally, Moxa’s sophisticated MXStudio management software can be used in conjunction with their range of rugged Ethernet switches, and with the addition of their enhanced ‘Security View’ features, users can easily check the current security status of their network devices based on industrial security standards like IEC to further enhance network security as well as reducing the effort required from operators.

To find out how Impulse can support your next networking project, please contact us on +44 (0)1782 337 800 or email sales@impulse-corp.co.uk

Disclaimer: All recommendations here are for reference only and any features covered in this article are subject to availability and will differ depending on manufacturer and model.
Want more articles like this in your inbox?
Get in touch
Our technical sales team are ready to answer your questions.
T: +44 (0)1782 337 800 • E: SALES@IMPULSE-EMBEDDED.CO.UK
We want you to be the first to know about new products, technology solutions and exclusive industry news. To stay connected and receive marketing communications, select YES. (Remember, you are free to unsubscribe at any time.)

MediaInfo3 things to consider when securing IIoT network de...
Your Favourites
Wherever you see this heart symbol around the site, you can click to add things like products, articles and more to your favourites.