Strategies To Safeguard Data -- Security Today

Strategies To Safeguard Data

Industrial networks see advances in security and surveillance

By Jim Krachenfels
Sep 01, 2011

Industrial security has always been a challenge, with often vast areas needing coverage that is effective—and efficient. As with many other technologies, advances in electronic security and surveillance, both physical and cyber, have created new challenges as they have addressed and conquered earlier problems.

IP networks fall into this pattern: They increase protection but also trigger new security challenges. The huge quantity of sensitive data moving across large network “pipes” provides a target for cyber attack, from inside or outside the facility, that adds an additional layer of complexity to surveillance and security strategies.

With the recent proliferation of such cyber threats, it has become increasingly clear that no business or industry is completely safe from attacks. The Ponemon Institute released a survey in June of almost 600 U.S. IT and IT security practitioners that provided some sobering statistics:

90 percent of organizations surveyed have had at least one breach.
59 percent say they have had two or more breaches in the past year.
48 percent of respondents identified complexity as one of their biggest challenges to improving network security, with the same percentage citing resource constraints.
75 percent believe their effectiveness would increase by developing end-to-end solutions.

Integrated Networks and Multiple Layers of Defense
Digital access control devices have dramatically increased the effectiveness of access control strategies. Today, sophisticated scanners of irises, fingerprints or other identifying biometrics can instantly authenticate a person by matching his or her information with data in a server running Radius or another type of authentication application. New data can be updated within seconds.

In the IP age, many organizations are finding it effective to allow security and surveillance data to coexist on the same network as other operational and nonoperational data. Fiber solutions offer high-bandwidth, low-cost sharing of data transport inside a single facility, throughout a campus or even across town to a corporate data processing center. Integrated data transport and management reduce both hardware and staff costs, but they also add challenges.

Distributed networks, where data is entered, acted upon and/or transported from various locations in the network, hold new potential for those looking to breach security perimeters, both the old-fashioned physical kind and the new cybersecurity perimeters. Defense-in-depth, as it applies to IP networks, is an adaptation of a military strategy: Use a layered defense that provides multiple and varied defense strategies against any attack vector rather than relying on a single line of defense.

A strategic defense of an industrial site will include measures designed to protect and support both physical security data and other data that coexist in the same physical network infrastructure.

General Industrial Network Topology
Here is a simplified look at a general-purpose industrial network, where the key network components include:

Main industrial campus and/or facility control center;
One or more remote locations;
Enterprise access portal;
Partners and remote access portal; and
Multiple public and private transit networks, including the intranet and Internet.

With multiple access points and multiple network hops—private and public— the following rundown illustrates a network that is wide-open to abuse from cyber or physical attacks.

Firewalls are a first line of defense, and they are usually an option on network routers. Typically located at the entry points to the core network and to all remote facilities, a firewall acts as a gate would, ensuring that nothing private goes out and nothing malicious comes in. Its value is in its ability to regulate the flow of traffic between computer networks of different trust levels, such as the Internet, an internal network and possibly a perimeter network. Thus, it inspects network traffic passing through and denies or permits passage based on a set of rules. Modern firewalls target packet information for Layers 3 and 4 (transport and link layer), providing an additional level of security by examining the state of the connection as well as the packet itself.

Virtual Private Networks (VPNs) make sure that the connections going outside of the firewall are protected. Non-secure VPNs are used to transport, prioritize and allocate bandwidth for various customers over a multi-purpose transport network, while secure VPNs should be used whenever control messaging, protection messaging, configuration sessions, SCADA traffic or other sensitive data will traverse networks where security could be compromised. VPN sessions are tunneled across the transport network in an encapsulated, typically encrypted and secure format, making them “invisible” for all practical purposes. This creates a secure path between two devices or applications or establishes a secure tunnel between two locations that can be used by many devices or end points.

Virtual LANs make it possible to segregate the different traffic flows—such as VoIP, video, management and control applications—into separate broadcast/multicast domains. If one of the applications is compromised, the VLANs keep the other applications isolated and safe.

Secure Access Management systems protect the network and sub-systems by enforcing “Triple-A” security (authentication, authorization and accounting). Only specifically authorized users are able to access the control system components or other network devices electronically. A SAM also logs all actions or changes that are made for later retrieval and analysis and circumvents “insider attacks” by enforcing security policies. While insider attacks can be malicious, they are often simply careless acts carried out by employees just trying to get their jobs done.

Any user trying to connect to a system is transparently connected to an access management system (AMS) server. An AMS server obtains credentials from the end user and then can interrogate other security systems—such as Microsoft’s Active Directory or twofactor authentication systems, such as RSA SecurID servers—as well as its own profile data base. It authenticates users for both system access and access to specific target devices.

Centralized Logging and Auditing require that all network components be able to enter comprehensive logging and reporting information into a common repository. Recording and tracking “when, where and what” in a central system supports real-time detection and correlation of security threats. When something looks wrong, the information is immediately transmitted as an alert for immediate action. The information is also useful for detecting incident trends. Protocols such as SNMP, SNTP for time synchronization and Syslog provide simple tools to support forensic research.

Secure Network Management is another aspect of securing the network. It will ensure that the networking components themselves are secure: Each network element must implement secure management interfaces requiring rigorous authentication/authorization, as well as both local logging and remote event notification. Many of the traditional access methods, such as HTTP and TELNET, have open security and passwords in plain text. These should be replaced by more-secure methods, such as SSH/SSL(HTTPS) for console access, SNMPv3, secure FTP and Syslog remote logging.

The Secure Data Network is a secure network topology that significantly reduces the risk of physical or cyber attacks, and looks much like this:

Defense-in-Depth in Action
Each industrial facility will address its own needs in its own way, and most agree that implementing a cybersecurity program with defense-in-depth is an incremental process.

In the following example, a rural electric power cooperative, “Ridgemont Utility,” underwent a security audit several years ago that convinced its administrators it was time to take security more seriously.

Ridgemont used outside security experts as well as internal teams to develop the solution. Dedicated experts provided a level of sophistication and expertise often not possible for internal employees, who often view security as only part of their job.

The utility chose to develop and maintain separate networks for corporate and SCADA, to limit the effect an incursion in one network would have on the other.

Firewalls, with hot-standby firewalls for failover protection, guard gateways between networks, and they are backed by redundant switching behind firewalls and redundant links. VLANs, which use VPNs between firewalls for double protection and use different logical and physical networks for different functionalities, make it difficult for intruders to penetrate the system. Authorized users, though, can move easily among networks to get what they need.

Ridgemont uses serial tunneling devices to run serial SCADA operations through the network, using routers designed to provide integrated support for serial and IP. The utility also defaults to blocked ports, unblocking a port only after it has been connected to a new piece of equipment. To foil intruders, Ridgemont also changes default port numbers to make it more difficult to gain unauthorized access.

Ridgemont has defined policies that determine which users will have access to which network, and to which specific resources on that network. When outside access to a network is necessary, it passes through a connection using SSL and both per-port and per-user authorization. The authentication process uses a local active directory rather than a central one. It also implements password protection with a different, randomly generated password for each piece of equipment that can be protected.

With thousands of pieces of equipment within the system, password management is difficult but deemed essential. IP addresses are removed from equipment to protect the network in case of physical breach.

A Syslog server and SNMP management allow Ridgemont to track not only who is logging into the IP-based equipment, but when the logon occurred and what was changed.

WiFi access is isolated on a separate network that links directly to the cable company and is offered only as a convenience for outside visitors. Internally, employees access the Internet through VPN appliances using SSL. Ridgemont also ensures that employees keep firmware and software up to date and have deployed the latest security patches.

Security Matters
The clock is ticking. It is practically a matter of when, not if, a physical or cyber attack will occur in any industrial facility.

Fortunately, there are off-the-shelf, industrial-strength networking equipment and cost-effective tools and systems available for deploying defensein- depth protection for any type of industrial network.

Industrial security is not a onetime goal but a continual process of assessing network vulnerabilities, updating security policies and adding emerging technologies in a continual cycle in order to protect valuable cyber and physical assets.

This article originally appeared in the September 2011 issue of Security Today.

Genetec, SaferWatch Bring Real-Time Vehicle Intelligence to Public Safety Agencies
05/08/2025
ZBeta Strengthens Its Advisory Bench with New Appointment
05/05/2025
Security Trends Reshaping Enterprise Resilience Into 2027
05/05/2025
Amerant Bank Selects Omnilert AI Technology for Enhanced Video Surveillance Security
05/02/2025
Minnesota County Is Still Reaping Huge Benefits from ASAP Service
05/01/2025
Winsted Unveils Pinnacle Collection with Sliding Worksurface
04/30/2025
Everon Awarded Sourcewell Cooperative Purchasing Contract
04/30/2025
Honeywell Signs Global Distribution Agreement With Milestone Systems
04/28/2025

Featured

TSA Begins REAL ID Full Enforcement Today

Today, the Transportation Security Administration (TSA) announced the imminent implementation of its REAL ID enforcement measures at TSA checkpoints nationwide. Read Now
Body-Worn Cameras on the Rise

On the evening of Oct. 29, 2024, the owner of 300 Guard based in Houston, was shot while on duty at a convenience store. He returned fire. He was wearing a plated vest and thankfully recovered in the hospital. Read Now
- Government
Brazil Port Enhances Surveillance and Supports Wildlife Conservation with Sustainable Technology

Ferroport, which operates the iron ore terminal at the Port of Açu in São João da Barra, Rio de Janeiro, Brazil, has deployed state-of-the-art video surveillance cameras from Axis Communications to enhance nighttime security and visibility, while decreasing environmental impact and prioritizing sustainability. With cutting-edge technology, the port now has precise surveillance cameras that capture high-quality nighttime images, while reducing the amount of artificial lighting that negatively impacts the surrounding ecosystem. Read Now
- Government
Fast-Forward from 1,000 B.C.E. to Today

The lock and key have been around since time immemorial. In fact, the locksmith profession is one of the oldest in the world when you consider the earliest wooden tumbler lock debuted three-plus millennia ago. Read Now
- Access Control
Verizon’s 2025 Data Breach Investigations Report Notes Alarming Cyberattack Surge Through Third Parties

Verizon Business recently released its 2025 Data Breach Investigations Report (DBIR), which reveals a significant increase in cyberattacks. The report found that third-party involvement in breaches has doubled to 30%, and exploitation of vulnerabilities has surged by 34%, creating a concerning threat landscape for businesses globally. Read Now
- Cybersecurity

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

Mobile Safe Shield

SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.
AC Nio

Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.
Hanwha QNO-7012R

The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection.