Strategies to Safeguard Data

Industrial networks see advances in security and surveillance

Industrial security has always been a challenge, with often vast areas needing coverage that is effective—and efficient. As with many other technologies, advances in electronic security and surveillance, both physical and cyber, have created new challenges as they have addressed and conquered earlier problems.

IP networks fall into this pattern: They increase protection but also trigger new security challenges. The huge quantity of sensitive data moving across large network “pipes” is a target for cyber attack, from inside or outside the facility, and that adds another layer of complexity to surveillance and security strategies.

With the recent proliferation of such cyber threats, it has become increasingly clear that no business or industry is completely safe from attacks. The Ponemon Institute released a survey in June of almost 600 U.S. IT and IT security practitioners that provided some sobering statistics:

  • 90 percent of organizations surveyed have had at least one breach.
  • 59 percent say they have had two or more breaches in the past year.
  • 48 percent of respondents identified complexity as one of their biggest challenges to improving network security, with the same percentage citing resource constraints.
  • 75 percent believe their effectiveness would increase by developing end-to-end solutions.

Integrated Networks and Multiple Layers of Defense
Digital access control devices have dramatically increased the effectiveness of access control strategies. Today, sophisticated scanners of irises, fingerprints or other identifying biometrics can instantly authenticate a person by matching his or her information with data in a server running RADIUS or another type of authentication application. New data can be updated within seconds.

In the IP age, many organizations are finding it effective to allow security and surveillance data to coexist on the same network as other operational and nonoperational data. Fiber solutions offer high-bandwidth, low-cost sharing of data transport inside a single facility, throughout a campus or even across town to a corporate data processing center. Integrated data transport and management reduce both hardware and staff costs, but they also add challenges.

Distributed networks, where data is entered, acted upon and/or transported from various locations in the network, hold new potential for those looking to breach security perimeters, both the old-fashioned physical kind and the new cybersecurity perimeters. Defense-in-depth, as it applies to IP networks, is an adaptation of a military strategy: Use a layered defense that provides multiple and varied defense strategies against any attack vector rather than relying on a single line of defense.

A strategic defense of an industrial site will include measures designed to protect and support both physical security data and other data that coexist in the same physical network infrastructure.

General Industrial Network Topology
Here is a simplified look at a general-purpose industrial network, where the key network components include:

  • Main industrial campus and/or facility control center;
  • One or more remote locations;
  • Enterprise access portal;
  • Partners and remote access portal; and
  • Multiple public and private transit networks, including the intranet and Internet.

With multiple access points and multiple network hops—private and public—such a network is wide open to abuse from cyber or physical attacks. The following rundown covers the layers of defense that close those gaps.

Firewalls are a first line of defense, and they are usually an option on network routers. Typically located at the entry points to the core network and to all remote facilities, a firewall acts as a gate would, ensuring that nothing private goes out and nothing malicious comes in. Its value is in its ability to regulate the flow of traffic between computer networks of different trust levels, such as the Internet, an internal network and possibly a perimeter network. Thus, it inspects network traffic passing through and denies or permits passage based on a set of rules. Modern firewalls target packet information for Layers 3 and 4 (network and transport layers), providing an additional level of security by examining the state of the connection as well as the packet itself.
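The rule-plus-state behaviour just described, as an added example that is not part of the original article and models no particular vendor's product: a first-match rule table between trust zones, a session table so that replies to a permitted connection pass without a second lookup, and a default deny. Zone names, addresses and the Modbus/TCP rule are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Zones of differing trust, as the article lists them: the Internet, a
# perimeter network and the internal (plant) network. Zone names, IPs and
# ports used below are constructed for this example.

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    syn: bool = False     # TCP SYN without ACK: a new connection attempt

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone == pkt.src_zone
                and self.dst_zone == pkt.dst_zone
                and self.proto == pkt.proto
                and self.dst_port in (None, pkt.dst_port))

class StatefulFirewall:
    """First-match rule table plus a session table for established flows."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # 5-tuples of flows a permit rule has opened

    def filter(self, pkt: Packet):
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Stateful part: traffic belonging to an already-permitted session,
        # in either direction, passes without another rule lookup.
        if fwd in self.sessions or rev in self.sessions:
            return ("permit", "established")
        # A TCP packet that is not a connection attempt and matches no
        # session is out of state (stray, spoofed or a scan probe): drop it.
        if pkt.proto == "tcp" and not pkt.syn:
            return ("deny", "no-session")
        # Stateless part: the first matching rule decides; a permit opens a session.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.sessions.add(fwd)
                return (rule.action, "rule")
        return ("deny", "default")

def build_example_firewall() -> StatefulFirewall:
    """Constructed policy for a gateway between plant, perimeter and Internet."""
    return StatefulFirewall([
        # "Nothing private goes out": Modbus/TCP (port 502) must never leave the plant.
        Rule("internal", "internet", "tcp", 502, "deny"),
        Rule("internal", "internet", "tcp", None, "permit"),
        # "Nothing malicious comes in": from the Internet only HTTPS to the
        # perimeter is reachable; everything else hits the default deny.
        Rule("internet", "perimeter", "tcp", 443, "permit"),
    ])

if __name__ == "__main__":
    fw = build_example_firewall()
    print(fw.filter(Packet("internet", "perimeter", "203.0.113.5", 50000,
                           "192.0.2.10", 443, "tcp", syn=True)))
    print(fw.filter(Packet("perimeter", "internet", "192.0.2.10", 443,
                           "203.0.113.5", 50000, "tcp")))
```

The session table is what makes the reply from the perimeter host pass even though no rule permits perimeter-to-Internet traffic, and it is also why a bare ACK from an unknown source is dropped rather than evaluated against the rules. Real firewalls additionally age sessions out and track TCP state transitions; both are omitted here.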

Virtual Private Networks (VPNs) make sure that the connections going outside of the firewall are protected. Non-secure VPNs are used to transport, prioritize and allocate bandwidth for various customers over a multi-purpose transport network, while secure VPNs should be used whenever control messaging, protection messaging, configuration sessions, SCADA traffic or other sensitive data will traverse networks where security could be compromised. VPN sessions are tunneled across the transport network in an encapsulated, typically encrypted and secure format, making them “invisible” for all practical purposes. This creates a secure path between two devices or applications or establishes a secure tunnel between two locations that can be used by many devices or end points.

Virtual LANs make it possible to segregate the different traffic flows—such as VoIP, video, management and control applications—into separate broadcast/multicast domains. If one of the applications is compromised, the VLANs keep the other applications isolated and safe.

Secure Access Management systems protect the network and sub-systems by enforcing “Triple-A” security (authentication, authorization and accounting). Only specifically authorized users are able to access the control system components or other network devices electronically. A SAM also logs all actions or changes that are made for later retrieval and analysis and counters “insider attacks” by enforcing security policies. While insider attacks can be malicious, they are often simply careless acts carried out by employees just trying to get their jobs done.

Any user trying to connect to a system is transparently connected to an access management system (AMS) server. An AMS server obtains credentials from the end user and then can interrogate other security systems—such as Microsoft’s Active Directory or two-factor authentication systems, such as RSA SecurID servers—as well as its own profile database. It authenticates users for both system access and access to specific target devices.
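A minimal model of the AMS server's three duties, added here as an example rather than taken from the article or any product: authentication against a local profile database of salted password hashes, per-target authorization by role, and an append-only accounting trail for every decision. User names, roles, device names and passwords are constructed; an external directory or two-factor server, which the article says a real AMS would query, is not modelled.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000   # constructed work factor for the example

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a verifier; only this and the salt are stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class AccessManager:
    """Authentication, authorization and accounting in front of target devices."""

    def __init__(self):
        self.users = {}       # username -> (salt, verifier, frozenset(roles))
        self.targets = {}     # device name -> frozenset(roles allowed to reach it)
        self.accounting = []  # append-only audit trail: who, what, when, outcome

    def add_user(self, name, password, roles):
        salt = os.urandom(16)
        self.users[name] = (salt, hash_password(password, salt), frozenset(roles))

    def add_target(self, device, allowed_roles):
        self.targets[device] = frozenset(allowed_roles)

    def _record(self, user, target, outcome):
        self.accounting.append({"ts": time.time(), "user": user,
                                "target": target, "outcome": outcome})

    def authenticate(self, name, password) -> bool:
        rec = self.users.get(name)
        if rec is None:
            # Do the same work for unknown users so response time does not
            # reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            self._record(name, None, "auth-fail")
            return False
        salt, verifier, _ = rec
        ok = hmac.compare_digest(verifier, hash_password(password, salt))
        self._record(name, None, "auth-ok" if ok else "auth-fail")
        return ok

    def authorize(self, name, target) -> bool:
        # Authentication alone grants nothing: the user's roles must intersect
        # the roles permitted on this specific device.
        roles = self.users.get(name, (None, None, frozenset()))[2]
        ok = bool(roles & self.targets.get(target, frozenset()))
        self._record(name, target, "authz-ok" if ok else "authz-denied")
        return ok

    def connect(self, name, password, target) -> bool:
        """The full AAA path taken for one device session request."""
        return self.authenticate(name, password) and self.authorize(name, target)

def build_demo() -> AccessManager:
    """Constructed profile database: two users, two devices, disjoint roles."""
    ams = AccessManager()
    ams.add_user("operator", "correct horse battery staple", ["scada-ops"])
    ams.add_user("netadmin", "another constructed secret", ["network-admin"])
    ams.add_target("rtu-01", ["scada-ops"])
    ams.add_target("core-sw1", ["network-admin"])
    return ams

if __name__ == "__main__":
    ams = build_demo()
    print(ams.connect("operator", "correct horse battery staple", "rtu-01"))    # True
    print(ams.connect("operator", "correct horse battery staple", "core-sw1"))  # False
    for entry in ams.accounting:
        print(entry["user"], entry["target"], entry["outcome"])
```

Because every decision, including failures, lands in `accounting`, the same structure feeds the centralized logging the article discusses next; an operator who can reach an RTU but is refused on the core switch leaves an `authz-denied` record that a reviewer can later trace.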

Centralized Logging and Auditing require that all network components be able to enter comprehensive logging and reporting information into a common repository. Recording and tracking “when, where and what” in a central system supports real-time detection and correlation of security threats. When something looks wrong, the information is transmitted as an alert for immediate action. The information is also useful for detecting incident trends. Protocols such as SNMP, SNTP for time synchronization and Syslog provide simple tools to support forensic research.
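What a collector can do with those records once they sit in one place, as an added example (not from the article, and not any particular SIEM's logic): parse BSD-style Syslog lines from several devices, correlate failed logins from one source across devices within a time window, flag a success that follows such failures, and keep the who/when/what trail of configuration changes. The log lines, host names and addresses are constructed; the year is supplied by the caller because this Syslog format carries none, which is exactly why the article pairs Syslog with SNTP time synchronization.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# BSD-style syslog line: <PRI>TIMESTAMP HOST APP[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")
CONFIG_RE = re.compile(r"CONFIG: user (?P<user>\S+) (?P<change>.+)")

# Constructed sample from three devices forwarding to one collector.
SAMPLE_LOG = [
    "<38>Sep 14 10:01:02 rtu-01 sshd[412]: Failed password for admin from 10.0.5.77 port 51012 ssh2",
    "<38>Sep 14 10:01:40 rtu-02 sshd[98]: Failed password for admin from 10.0.5.77 port 51020 ssh2",
    "<38>Sep 14 10:02:15 core-sw1 sshd[2210]: Failed password for root from 10.0.5.77 port 51031 ssh2",
    "<38>Sep 14 10:02:50 core-sw1 sshd[2211]: Accepted password for netops from 10.0.5.77 port 51044 ssh2",
    "<190>Sep 14 10:03:30 core-sw1 cli[2211]: CONFIG: user netops set vlan 30 name scada-mgmt",
    "<38>Sep 14 11:30:00 rtu-01 sshd[500]: Failed password for admin from 10.0.9.3 port 40000 ssh2",
    "not a syslog line",
]

def parse_line(line, year=2011):
    """Split one syslog line into fields; None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3, "severity": pri & 7,
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "app": m["app"], "msg": m["msg"],
    }

def correlate(lines, max_failures=3, window=timedelta(minutes=5)):
    """Return (alerts, changes).
    alerts: one source failing logins on two or more devices within the window
            (raised once per source), or a success right after such failures.
    changes: the who/when/what trail of configuration edits."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])          # devices may forward out of order
    failures = defaultdict(list)                # source IP -> [(ts, host, user)]
    alerted, alerts, changes = set(), [], []
    for e in events:
        if m := FAILED_RE.search(e["msg"]):
            failures[m["ip"]].append((e["ts"], e["host"], m["user"]))
            recent = [f for f in failures[m["ip"]] if e["ts"] - f[0] <= window]
            hosts = sorted({f[1] for f in recent})
            key = ("credential-guessing", m["ip"])
            if len(recent) >= max_failures and len(hosts) >= 2 and key not in alerted:
                alerted.add(key)
                alerts.append({"type": key[0], "src": m["ip"], "hosts": hosts, "ts": e["ts"]})
        elif m := ACCEPTED_RE.search(e["msg"]):
            recent = [f for f in failures[m["ip"]] if e["ts"] - f[0] <= window]
            if recent:
                alerts.append({"type": "success-after-failures", "src": m["ip"],
                               "host": e["host"], "user": m["user"], "ts": e["ts"]})
        elif m := CONFIG_RE.search(e["msg"]):
            changes.append({"ts": e["ts"], "host": e["host"],
                            "user": m["user"], "change": m["change"]})
    return alerts, changes

if __name__ == "__main__":
    found_alerts, found_changes = correlate(SAMPLE_LOG)
    for a in found_alerts:
        print("ALERT", a)
    for c in found_changes:
        print("CHANGE", c)
```

No single device in the sample sees more than one failure, so a per-device threshold would stay silent; only the central view links the three attempts to one source, and the later success from that same source is what turns the configuration change on `core-sw1` into something worth reviewing. The isolated failure from `10.0.9.3` produces nothing, as intended.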

Secure Network Management is another aspect of securing the network. It will ensure that the networking components themselves are secure: Each network element must implement secure management interfaces requiring rigorous authentication/authorization, as well as both local logging and remote event notification. Many of the traditional access methods, such as HTTP and TELNET, carry the whole session, including passwords, in plain text. These should be replaced by more-secure methods, such as SSH or HTTPS (SSL/TLS) for console access, SNMPv3, secure FTP and Syslog remote logging.

The Secure Data Network that results from combining these layers is a topology that significantly reduces the risk of physical or cyber attacks.

Defense-in-Depth in Action
Each industrial facility will address its own needs in its own way, and most agree that implementing a cybersecurity program with defense-in-depth is an incremental process.

In the following example, a rural electric power cooperative, “Ridgemont Utility,” underwent a security audit several years ago that convinced its administrators it was time to take security more seriously.

Ridgemont used outside security experts as well as internal teams to develop the solution. Dedicated experts provided a level of sophistication and expertise often not possible for internal employees, who often view security as only part of their job.

The utility chose to develop and maintain separate networks for corporate and SCADA, to limit the effect an incursion in one network would have on the other.

Firewalls, with hot-standby firewalls for failover protection, guard gateways between networks, and they are backed by redundant switching behind firewalls and redundant links. VLANs, which use VPNs between firewalls for double protection and use different logical and physical networks for different functionalities, make it difficult for intruders to penetrate the system. Authorized users, though, can move easily among networks to get what they need.

Ridgemont uses serial tunneling devices to run serial SCADA operations through the network, using routers designed to provide integrated support for serial and IP. The utility also defaults to blocked ports, unblocking a port only after it has been connected to a new piece of equipment. To foil intruders, Ridgemont also changes default port numbers to make it more difficult to gain unauthorized access.

Ridgemont has defined policies that determine which users will have access to which network, and to which specific resources on that network. When outside access to a network is necessary, it passes through a connection using SSL and both per-port and per-user authorization. The authentication process uses a local Active Directory rather than a central one. It also implements password protection with a different, randomly generated password for each piece of equipment that can be protected.

With thousands of pieces of equipment within the system, password management is difficult but deemed essential. IP addresses are removed from equipment to protect the network in case of physical breach.

A Syslog server and SNMP management allow Ridgemont to track not only who is logging into the IP-based equipment, but when the logon occurred and what was changed.

WiFi access is isolated on a separate network that links directly to the cable company and is offered only as a convenience for outside visitors. Internally, employees access the Internet through VPN appliances using SSL. Ridgemont also ensures that employees keep firmware and software up to date and have deployed the latest security patches.

Security Matters
The clock is ticking. It is practically a matter of when, not if, a physical or cyber attack will occur in any industrial facility.

Fortunately, off-the-shelf, industrial-strength networking equipment and cost-effective tools and systems are available for deploying defense-in-depth protection for any type of industrial network.

Industrial security is not a one-time goal but a continual process of assessing network vulnerabilities, updating security policies and adding emerging technologies in a continual cycle in order to protect valuable cyber and physical assets.

This article originally appeared in the September 2011 issue of Security Today.
