Industrial security: How secure is your company?

In the age of digitalization, there is nothing more important than protecting data – not just your personal data, but your company data too. Worldwide, around 66% of small and medium-sized industrial companies have already been the target of cyber attacks. Many companies are aware that cyber crime poses a danger, but underestimate the costly consequences to their machinery and plant equipment. Industrial IT security can prevent failures, sabotage, or data loss, and thus protect your production operations against significant financial losses.

Comparison of ICS and IT security requirements

Combination of IT and OT

The security of your company is rooted in two different worlds: IT (information technology) and OT (operational technology). To properly protect your networks and systems in the age of Industry 4.0, both worlds need to be considered and a comprehensive security concept is required.

This is because the measures defined by IT need to be extended with additional OT security solutions and the different protection objectives must be taken into consideration.

Data protection affects every industry

Machine manufacturers
Cybersecurity increases the reliability and availability of your machines. A secure remote connection is also required to conduct remote maintenance at the customer’s site.
Automotive industry
Industrial security mechanisms ensure and in some cases even increase the availability of your production lines.
System operators
Industrial security not only ensures the availability and reliable running of your industrial systems and processes, but also safeguards your production know-how.
Energy
Companies in the energy industry play an important role in supplying people with basic services. This is why in many countries the operators of systems within this critical infrastructure are required by law to protect their systems against unauthorized access.
Water/wastewater
To guarantee a constant drinking water supply and wastewater treatment, you need to ensure your remote access to far-flung pumping stations and lifting stations, and therefore protect your automation systems from the increasing number of cyber attacks from the Internet.
Oil and gas
A hacked system can quickly result not only in a financial loss, but also in a safety risk to your employees. In explosive and highly flammable areas, industrial security is regarded as a safety requirement.

Networking offers significant opportunities, but also has some drawbacks

The benefits of expanding networks, such as increased productivity or flexibility, are obvious. But increased networking and the rapid fusion of IT and OT that it brings mean that corporate networks have more points that are vulnerable to attack. As a result, critical infrastructures are also increasingly targeted by all kinds of cyber attacks: Criminals repeatedly succeed in exploiting potential vulnerabilities in the IIoT (Industrial Internet of Things) and thus gain access to companies and infrastructures. This raises the question of how large-scale automation environments can be networked while simultaneously ensuring that industrial systems and critical infrastructure are protected from hacker attacks and malware.

The following points provide an overview of the biggest threats and possible precautionary measures.

Topology of a segmented network

Malfunctions from the office

Malfunctions and viruses, e.g., from the office environment, can be transferred directly to the production area.

Solution: Network segmentation

By splitting large networks into small segments, data exchange between the various zones, such as between production and the office or between different system parts, can be controlled. The individual segments can be separated by using VLANs or firewalls. Routers or layer 3 switches then need to be used for communication between the individual network segments. These devices intercept typical network errors, preventing them from spreading further to the rest of the network.

Topology: CIFS Integrity Monitoring detects changes to system controllers and halts them in good time

Malware attack

Malware is generally designed to spread to neighboring systems and infect them as well. One example of this is the WannaCry malware that infected unpatched Windows systems.

Solution: Restricting communication

The spread of malware can be restricted or prevented by using firewalls. If you were to eliminate all of the communication options that are not technically necessary, many of these attacks would not even be possible. In addition, industrial integrity monitoring (e.g., CIM) helps you detect and halt the impact of changes and manipulations to Windows-based systems, such as controllers, operator interfaces, or PCs, in good time.
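The segmentation and communication-restriction measures above can be checked against a firewall ruleset. The following is an added example, not code from Phoenix Contact: it audits a constructed ruleset for rules that cross the office/production boundary without being on a list of technically necessary flows. The zone addressing, rule names, and required flows are all assumptions made for illustration.

```python
import ipaddress

# Constructed zones (assumed addressing, not taken from the page).
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "production": ipaddress.ip_network("10.20.0.0/16"),
}

# Flows assumed to be technically necessary: (src zone, dst zone, proto, port).
REQUIRED = {
    ("office", "production", "tcp", 4840),  # OPC UA reads from an office system
    ("production", "office", "udp", 123),   # NTP time synchronization
}

# Constructed firewall rules: (name, src CIDR, dst CIDR, proto, port or None).
RULES = [
    ("opcua-read", "10.10.5.0/24", "10.20.1.0/24", "tcp", 4840),
    ("file-share", "10.10.0.0/16", "10.20.0.0/16", "tcp", 445),  # SMB, the service WannaCry spread over
    ("legacy-any", "10.10.0.0/16", "10.20.0.0/16", "any", None),
    ("ntp", "10.20.0.0/16", "10.10.0.10/32", "udp", 123),
    ("office-print", "10.10.0.0/16", "10.10.9.0/24", "tcp", 9100),
]

def zone_of(cidr):
    """Return the zone that fully contains the given network, or None."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None

def audit(rules, required=REQUIRED):
    """List (rule name, reason) for cross-zone rules that are not required."""
    findings = []
    for name, src, dst, proto, port in rules:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None or dst_zone is None:
            findings.append((name, "endpoint outside defined zones"))
        elif src_zone == dst_zone:
            continue  # intra-zone traffic does not cross the segment boundary
        elif proto == "any" or port is None:
            findings.append((name, "wildcard rule crosses zones"))
        elif (src_zone, dst_zone, proto, port) not in required:
            findings.append((name, f"{proto}/{port} {src_zone}->{dst_zone} not required"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(f"{rule}: {reason}")
```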

Topology: Secure remote maintenance with firewalls on the Internet access

Hacker attacks

Criminals can copy data or make changes to the system via an open Internet connection.

Solution: Encrypted data transmission

It should not be possible to access automation systems from the Internet. This protection is achieved by using a firewall for Internet access, which restricts all incoming traffic as well as the outgoing traffic to the requisite, authorized connections. All wide area connections should be encrypted, for example by VPN with IPsec.

Switch with ports switched off

Infected hardware

Infected hardware, such as USB sticks or laptops, can transfer malware to the network.

Solution: Protect ports

Using the port security function, you can configure your network components directly to prevent unknown devices from exchanging data with the network. Furthermore, any available ports that are not required should be switched off. Some components also offer the option of sending alerts via SNMP and signal contact if unauthorized access to the network is registered.

Topology: Control of remote maintenance using a key switch

Unauthorized access to systems

Changes are inadvertently made to the wrong system from a remote location.

Solution: Secure remote access

Secure remote access to one or more machines can be implemented using different technological solutions. First, outbound communication can be encrypted, such as via IPsec or OpenVPN. Second, remote maintenance can be initiated via a key switch on the machine.

This ensures that only intended changes are made to the machine. At the same time, the key switch also enables the communication rules in the network to be blocked while remote maintenance is being carried out.

Topology: Secure integration of mobile end devices with one-time passwords and DMZ

Mobile end devices

Unauthorized smart devices connect themselves via the WLAN interface.

Solution: Secure WLAN password assignment

If WLAN passwords are known and have not been changed in a long time, this also affords third parties uncontrolled access to the machine network. WLAN components from Phoenix Contact therefore enable automated key management by the machine control system. This means that secure WLAN machine access can be easily implemented in the form of one-time passwords.

In addition, WLAN communication can be protected and isolated from the rest of the network using a demilitarized zone (DMZ).

The 360° Security Circle, consisting of secure products, secure services, and secure solutions

Our comprehensive 360° security concept

360° security – our comprehensive range without compromises

Good protection against cyber attacks can only be achieved if coordinated technical and organizational measures are intermeshed. We therefore provide 360° security, which simplifies the protection of systems and secures them from all sides:

Secure services
Our trained and expert security specialists provide consultation on how to minimize individual security risks in your plant and will develop a security concept (certified in accordance with IEC 62443-2-4) on request. In addition, we can share our knowledge with you in training courses to bring your employees up to speed on cybersecurity.

Secure solutions
Our security concepts protect your critical processes, e.g., with the help of zone concepts, data flow control, and the use of hardened components. Secure processes are also established and documented.

Secure products
Security is rooted in the entire lifecycle of our products. It starts with a development process (certified in accordance with IEC 62443-4-1) and includes the integration of critical security functions and regular updates and security patches.