Industrial security How secure is your company?

Malfunctions and viruses, e.g., from the office environment, can be transferred directly to the production area.

Solution: Network segmentation

By splitting large networks into small segments, data exchange between the various zones, such as between production and the office or between different system parts, can be controlled. The individual segments can be separated by using VLANs or firewalls. Routers or layer 3 switches then need to be used for communication between the individual network segments. These devices intercept typical network errors, preventing them from spreading further to the rest of the network.

Malware is generally designed to spread to neighboring systems and infect them as well. One example of this is the WannaCry malware that infected unpatched Windows systems.

Solution: Restricting communication

The spread of malware can be restricted or prevented by using firewalls. If you were to eliminate all of the communication options that are not technically necessary, many of these attacks would not even be possible. In addition, industrial integrity monitoring (e.g., CIM) helps you detect and halt the impact of changes and manipulations to Windows-based systems, such as controllers, operator interfaces, or PCs, in good time.

Criminals can copy data or make changes to the system via an open Internet connection.

Solution: Encrypted data transmission

It should not be possible to access automation systems from the Internet. This protection is achieved by using a firewall for Internet access, which restricts all incoming traffic as well as the outgoing traffic to the requisite, authorized connections. All wide area connections should be encrypted, for example by VPN with IPsec.

Infected hardware, such as USB sticks or laptops, can transfer malware to the network.

Solution: Protect ports

Using the port security function, you can make settings directly on your network components preventing unknown devices from exchanging data with the network. Furthermore, any available ports that are not required should be switched off. Some components also offer the option of sending alerts via SNMP and signal contact if unauthorized access to the network is registered.

Changes are inadvertently made to the wrong system from a remote location.

Solution: Secure remote access

Secure remote access to one or more machines can be implemented using different technological solutions. First, outbound communication can be encrypted, such as via IPsec or OpenVPN. Second, remote maintenance can be initiated via a key switch on the machine.

This ensures that only intended changes are made to the machine. At the same time, the key switch also enables the communication rules in the network to be blocked while remote maintenance is being carried out.

Unauthorized smart devices connect themselves via the WLAN interface.

Solution: Secure WLAN password assignment

If WLAN passwords are known and have not been changed in a long time, this also affords third parties uncontrolled access to the machine network. WLAN components from Phoenix Contact therefore enable automated key management by the machine control system. This means that secure WLAN machine access can be easily implemented in the form of one-time passwords.

In addition, WLAN communication can be protected and isolated from the rest of the network using a demilitarized zone (DMZ).