Strategies to Safeguard Data

Strategies To Safeguard Data

Industrial networks see advances in security and surveillance

Industrial security has always been a challenge, with often vast areas needing coverage that is effective—and efficient. As with many other technologies, advances in electronic security and surveillance, both physical and cyber, have created new challenges as they have addressed and conquered earlier problems.

IP networks fall into this pattern: They increase protection but also trigger new security challenges. The huge quantity of sensitive data moving across large network “pipes” provides a target for cyber attack, from inside or outside the facility, that adds an additional layer of complexity to surveillance and security strategies.

With the recent proliferation of such cyber threats, it has become increasingly clear that no business or industry is completely safe from attacks. The Ponemon Institute released a survey in June of almost 600 U.S. IT and IT security practitioners that provided some sobering statistics:

  • 90 percent of organizations surveyed have had at least one breach.
  • 59 percent say they have had two or more breaches in the past year.
  • 48 percent of respondents identified complexity as one of their biggest challenges to improving network security, with the same percentage citing resource constraints.
  • 75 percent believe their effectiveness would increase by developing end-to-end solutions.

Integrated Networks and Multiple Layers of Defense
Digital access control devices have dramatically increased the effectiveness of access control strategies. Today, sophisticated scanners of irises, fingerprints or other identifying biometrics can instantly authenticate a person by matching his or her information with data in a server running Radius or another type of authentication application. New data can be updated within seconds.

In the IP age, many organizations are finding it effective to allow security and surveillance data to coexist on the same network as other operational and nonoperational data. Fiber solutions offer high-bandwidth, low-cost sharing of data transport inside a single facility, throughout a campus or even across town to a corporate data processing center. Integrated data transport and management reduce both hardware and staff costs, but they also add challenges.

Distributed networks, where data is entered, acted upon and/or transported from various locations in the network, hold new potential for those looking to breach security perimeters, both the old-fashioned physical kind and the new cybersecurity perimeters. Defense-in-depth, as it applies to IP networks, is an adaptation of a military strategy: Use a layered defense that provides multiple and varied defense strategies against any attack vector rather than relying on a single line of defense.

A strategic defense of an industrial site will include measures designed to protect and support both physical security data and other data that coexist in the same physical network infrastructure.

General Industrial Network Topology
Here is a simplified look at a general-purpose industrial network, where the key network components include:

  • Main industrial campus and/or facility control center;
  • One or more remote locations;
  • Enterprise access portal;
  • Partners and remote access portal; and
  • Multiple public and private transit networks, including the intranet and Internet.

With multiple access points and multiple network hops—private and public— the following rundown illustrates a network that is wide-open to abuse from cyber or physical attacks.

Firewalls are a first line of defense, and they are usually an option on network routers. Typically located at the entry points to the core network and to all remote facilities, a firewall acts as a gate would, ensuring that nothing private goes out and nothing malicious comes in. Its value is in its ability to regulate the flow of traffic between computer networks of different trust levels, such as the Internet, an internal network and possibly a perimeter network. Thus, it inspects network traffic passing through and denies or permits passage based on a set of rules. Modern firewalls target packet information for Layers 3 and 4 (transport and link layer), providing an additional level of security by examining the state of the connection as well as the packet itself.

Virtual Private Networks (VPNs) make sure that the connections going outside of the firewall are protected. Non-secure VPNs are used to transport, prioritize and allocate bandwidth for various customers over a multi-purpose transport network, while secure VPNs should be used whenever control messaging, protection messaging, configuration sessions, SCADA traffic or other sensitive data will traverse networks where security could be compromised. VPN sessions are tunneled across the transport network in an encapsulated, typically encrypted and secure format, making them “invisible” for all practical purposes. This creates a secure path between two devices or applications or establishes a secure tunnel between two locations that can be used by many devices or end points.

Virtual LANs make it possible to segregate the different traffic flows—such as VoIP, video, management and control applications—into separate broadcast/multicast domains. If one of the applications is compromised, the VLANs keep the other applications isolated and safe.

Secure Access Management systems protect the network and sub-systems by enforcing “Triple-A” security (authentication, authorization and accounting). Only specifically authorized users are able to access the control system components or other network devices electronically. A SAM also logs all actions or changes that are made for later retrieval and analysis and circumvents “insider attacks” by enforcing security policies. While insider attacks can be malicious, they are often simply careless acts carried out by employees just trying to get their jobs done.

Any user trying to connect to a system is transparently connected to an access management system (AMS) server. An AMS server obtains credentials from the end user and then can interrogate other security systems—such as Microsoft’s Active Directory or twofactor authentication systems, such as RSA SecurID servers—as well as its own profile data base. It authenticates users for both system access and access to specific target devices.

Centralized Logging and Auditing require that all network components be able to enter comprehensive logging and reporting information into a common repository. Recording and tracking “when, where and what” in a central system supports real-time detection and correlation of security threats. When something looks wrong, the information is immediately transmitted as an alert for immediate action. The information is also useful for detecting incident trends. Protocols such as SNMP, SNTP for time synchronization and Syslog provide simple tools to support forensic research.

Secure Network Management is another aspect of securing the network. It will ensure that the networking components themselves are secure: Each network element must implement secure management interfaces requiring rigorous authentication/authorization, as well as both local logging and remote event notification. Many of the traditional access methods, such as HTTP and TELNET, have open security and passwords in plain text. These should be replaced by more-secure methods, such as SSH/SSL(HTTPS) for console access, SNMPv3, secure FTP and Syslog remote logging.

The Secure Data Network is a secure network topology that significantly reduces the risk of physical or cyber attacks, and looks much like this:

Defense-in-Depth in Action
Each industrial facility will address its own needs in its own way, and most agree that implementing a cybersecurity program with defense-in-depth is an incremental process.

In the following example, a rural electric power cooperative, “Ridgemont Utility,” underwent a security audit several years ago that convinced its administrators it was time to take security more seriously.

Ridgemont used outside security experts as well as internal teams to develop the solution. Dedicated experts provided a level of sophistication and expertise often not possible for internal employees, who often view security as only part of their job.

The utility chose to develop and maintain separate networks for corporate and SCADA, to limit the effect an incursion in one network would have on the other.

Firewalls, with hot-standby firewalls for failover protection, guard gateways between networks, and they are backed by redundant switching behind firewalls and redundant links. VLANs, which use VPNs between firewalls for double protection and use different logical and physical networks for different functionalities, make it difficult for intruders to penetrate the system. Authorized users, though, can move easily among networks to get what they need.

Ridgemont uses serial tunneling devices to run serial SCADA operations through the network, using routers designed to provide integrated support for serial and IP. The utility also defaults to blocked ports, unblocking a port only after it has been connected to a new piece of equipment. To foil intruders, Ridgemont also changes default port numbers to make it more difficult to gain unauthorized access.

Ridgemont has defined policies that determine which users will have access to which network, and to which specific resources on that network. When outside access to a network is necessary, it passes through a connection using SSL and both per-port and per-user authorization. The authentication process uses a local active directory rather than a central one. It also implements password protection with a different, randomly generated password for each piece of equipment that can be protected.

With thousands of pieces of equipment within the system, password management is difficult but deemed essential. IP addresses are removed from equipment to protect the network in case of physical breach.

A Syslog server and SNMP management allow Ridgemont to track not only who is logging into the IP-based equipment, but when the logon occurred and what was changed.

WiFi access is isolated on a separate network that links directly to the cable company and is offered only as a convenience for outside visitors. Internally, employees access the Internet through VPN appliances using SSL. Ridgemont also ensures that employees keep firmware and software up to date and have deployed the latest security patches.

Security Matters
The clock is ticking. It is practically a matter of when, not if, a physical or cyber attack will occur in any industrial facility.

Fortunately, there are off-the-shelf, industrial-strength networking equipment and cost-effective tools and systems available for deploying defensein- depth protection for any type of industrial network.

Industrial security is not a onetime goal but a continual process of assessing network vulnerabilities, updating security policies and adding emerging technologies in a continual cycle in order to protect valuable cyber and physical assets.

This article originally appeared in the September 2011 issue of Security Today.


  • Achieving Clear Communications

    Achieving Clear Communications

    Technology within the security industry has adapted to numerous changes through the years, from the early days of analog devices to today’s IP-based solutions, networked cameras, and access control solutions, in addition to analytics, cloud-based products, virtual security guards, and more. Read Now

  • Taking Flight

    Taking Flight

    Airport security is a complex system that incorporates multiple technologies to ensure the safety and security of travelers, employees and the facility itself. Sound-based technologies are integral pieces of this system, providing means of communication, notification and monitoring. Read Now

  • Live From ISC West 2023 Preview

    Live From ISC West 2023 Preview

    ISC West 2023 is right around the corner! This year’s trade show is scheduled from March 28–31 at the Venetian Expo in Las Vegas, Nevada. The Campus Security & Life Safety and Security Today staff will be on hand to provide live updates about the security industry’s latest innovations, trends, and products. Read Now

    • Industry Events
    • ISC West
  • A Break from Routine

    A Break from Routine

    It was three years ago right about now that COVID was bringing the world to its knees. In mid-March of 2020, the president put travel restrictions on all flights in and out of Europe, the NBA suspended its season, and Tom Hanks announced that he’d tested positive for the disease—all in the same night. It was officially a national emergency two days later. Read Now

    • Industry Events
    • ISC West

Featured Cybersecurity

New Products

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3

  • Kangaroo Home Security System

    Kangaroo Home Security System

    Kangaroo is the affordable, easy-to-install home security system designed for anyone who wants an added layer of peace of mind and protection. It has several products, ranging from the fan-favorite Doorbell Camera + Chime, to the more comprehensive Front Door Security Kit with Professional Monitoring. Regardless of the level of desired security, Kangaroo’s designed to move with consumers - wherever that next chapter may be. Motion sensors, keypads and additional features can be part of the package to any Kangaroo system in place, anytime. Additionally, Kangaroo offers scalable protection plans with a variety of benefits ranging from 24/7 professional monitoring to expanded cloud storage, coverage for damage and theft. 3

  • Dinkle DKU Barrier Terminal Blocks

    Dinkle DKU Barrier Terminal Blocks

    New DKU screw type terminal blocks use a spring-guided system where the screws are integrated and captive within the terminal enclosure. These screws can be backed out so that ring- or U-shaped cable lugs can be inserted, without the possibility of losing the screw. 3