Let us help you protect your industrial networks from unauthorized access and malware.
In the age of digitalization, there is nothing more important than protecting data – not just your personal data, but your company’s data too. Worldwide, around 66% of small and medium-sized industrial companies have already been the target of cyber attacks. While many companies are aware of the threat of cybercrime, they underestimate the costly consequences for their machines and systems. Industrial IT security can prevent failures, sabotage or data loss and thus protect your production operations against significant financial losses.
The security of your company is rooted in two different worlds: IT (information technology) and OT (operational technology). In order to properly protect your networks and systems in the age of Industry 4.0, both worlds need to be considered and a comprehensive security concept is required.
This is because the measures defined by IT need to be extended with additional OT security solutions, and the different protection objectives must be taken into account: in OT, availability and the safe operation of the process typically take priority, whereas IT security has traditionally centered on the confidentiality of data.
The advantages of the growing use of networking, such as increased productivity or greater flexibility, are obvious. However, with increasing networking and the resulting rapid fusion of IT and OT, company networks inevitably become more exposed to attack. As a result, critical infrastructures are also increasingly targeted by all kinds of cyber attacks: criminals repeatedly succeed in exploiting vulnerabilities in the IIoT (Industrial Internet of Things) and thus gain access to companies and infrastructures. This raises the question of how large-scale automation environments can be networked while simultaneously ensuring that industrial systems and critical infrastructure are protected from attackers and malware.
The following points provide an overview of the biggest threats and possible precautionary measures.
Malfunctions and viruses, e.g., from the office environment, can be transferred directly to the production area.
Solution: Network segmentation
By splitting large networks into small segments, data exchange between the various zones, e.g., between production and the office or between different system parts, can be controlled. The individual segments can be separated using VLANs or firewalls. Routers or layer 3 switches are then needed for communication between the individual network segments. Because each segment forms its own broadcast domain, typical layer 2 faults such as broadcast storms or address conflicts remain confined to the segment instead of spreading to the rest of the network. Note that a VLAN on its own only separates traffic; if the traffic routed between segments is to be filtered as well, a firewall or access control lists on the router are required.
Malware is generally designed to spread to neighboring systems and infect them as well. One example of this is the WannaCry malware, which spread on its own via the SMB file-sharing service (TCP port 445) of unpatched Windows systems.
Solution: Restricting communication
The spread of malware can be restricted or prevented by using firewalls. The guiding principle is to block everything by default and permit only the connections that are technically necessary; many of these attacks then simply have no path to take. In addition, industrial integrity monitoring (e.g., CIM) helps you detect changes and manipulations to Windows-based systems, such as controllers, operator interfaces or PCs, in good time and halt their impact.
Criminals can copy data or make changes to the system via an open Internet connection.
Solution: Encrypted data transmission
It should not be possible to access automation systems directly from the Internet. This is achieved by using a firewall at the Internet access point that restricts both incoming and outgoing traffic to the connections that are actually required and authorized. All wide area connections should be encrypted, e.g., by VPN with IPsec.
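The three measures above (segmentation, restriction of communication to what is technically necessary, and no direct Internet access to automation systems) share one rule set: deny by default, allow only defined conduits between defined zones. The following Python script is an added illustration and not Phoenix Contact code; the zone names, address ranges, conduit rules and sample flows are constructed for the example and would be replaced by the values of a real plant. It shows how such a policy is evaluated and why an office PC probing the production network on TCP 445, as WannaCry did, is dropped even though the SCADA servers can still reach the controllers.

```python
"""Zone-and-conduit firewall policy: deny by default, allow only what the plant needs.

Added example, not vendor code. All zones, addresses, rules and flows below are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed network segments. Each zone sits behind its own router/L3 switch or firewall.
ZONES = {
    "office":     ipaddress.ip_network("10.10.0.0/16"),
    "scada":      ipaddress.ip_network("10.20.1.0/24"),
    "production": ipaddress.ip_network("10.30.0.0/16"),   # PLCs, HMIs, I/O
    "vpn_gw":     ipaddress.ip_network("10.20.2.10/32"),  # inside address of the IPsec gateway
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


# Conduits: the only inter-zone flows that are technically necessary (constructed list).
ALLOW: List[Rule] = [
    Rule("scada", "production", "tcp", 502),   # Modbus/TCP from SCADA servers to PLCs
    Rule("scada", "production", "tcp", 102),   # ISO-on-TCP (S7 communication) to PLCs
    Rule("office", "scada", "tcp", 443),       # HTTPS to the SCADA web front end only
    Rule("vpn_gw", "production", "tcp", 502),  # remote maintenance enters via the VPN gateway
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; addresses outside every zone (e.g. Internet) get None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow under the deny-by-default policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        # Neither inbound from nor outbound to the Internet is permitted for any zone.
        return ("DROP", "address outside all zones (Internet or unknown)")
    if src == dst:
        # Traffic within one segment never crosses the firewall; the switch forwards it.
        return ("ALLOW", f"intra-zone traffic within {src} (not filtered by the firewall)")
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto.lower(), dport):
            return ("ALLOW", f"conduit {src}->{dst} {proto}/{dport}")
    return ("DROP", f"no conduit {src}->{dst} {proto}/{dport}")


# Constructed sample flows: (description, src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("SCADA polls PLC via Modbus/TCP",        "10.20.1.5",   "10.30.4.7",   "tcp", 502),
    ("office PC probes PLC on SMB (WannaCry)", "10.10.7.33",  "10.30.4.7",   "tcp", 445),
    ("office PC opens SCADA web front end",    "10.10.7.33",  "10.20.1.5",   "tcp", 443),
    ("Internet host reaches for PLC port 502", "203.0.113.9", "10.30.4.7",   "tcp", 502),
    ("PLC tries to reach the Internet",        "10.30.4.7",   "203.0.113.9", "tcp", 443),
    ("remote maintenance via IPsec gateway",   "10.20.2.10",  "10.30.4.7",   "tcp", 502),
]


def audit(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, str]]:
    """Evaluate a list of flows; returns (description, verdict, reason) per flow."""
    return [(desc, *evaluate(s, d, p, port)) for desc, s, d, p, port in flows]


if __name__ == "__main__":
    for desc, verdict, reason in audit():
        print(f"{verdict:5} {desc:42} {reason}")
```

The intra-zone case is deliberately left visible: the firewall never sees traffic between two hosts in the same segment, so lateral spread inside a segment is not stopped by segmentation at all. Keeping segments small and patching the Windows systems inside them, as the next point describes, is what closes that gap.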
Infected hardware, like USB sticks or laptops, can transfer malware to the network.
Solution: Protect ports
With the port security function of the network components, only known devices (typically identified by their MAC address) are permitted to exchange data via a switch port, so that an unknown laptop or similar device plugged into a free port cannot reach the network. Furthermore, any ports that are not required should be disabled. Some components can also raise an alert via SNMP trap or a signal contact when an unauthorized access attempt is registered on a port.
Changes are inadvertently made to the wrong system from a remote location.
Solution: Secure remote access
Secure remote access to one or more machines can be implemented using different technological solutions. First, the connection is established outbound from the machine and encrypted, e.g., via IPsec or OpenVPN. Second, remote maintenance is only enabled when the operator on site turns a key switch on the machine.
This ensures that changes are only made to the machine that is actually meant to be worked on, and only while someone on site has released it. The same key switch can also be used to block other communication rules in the network for the duration of the remote maintenance session.
Collective passwords are often used for user access. When employees leave the company, passwords are not changed or access is not blocked. The collective password is therefore known to many users and can be abused.
Solution: Central user management
This problem can be solved by central user management where each employee is assigned individual access rights. Many Phoenix Contact devices support integration into a central user management system.
Unauthorized smart devices connect themselves via the WLAN interface.
Solution: Secure WLAN password assignment
If WLAN passwords are known and have not been changed in a long time, this also affords third parties uncontrolled access to the machine network. WLAN components from Phoenix Contact therefore enable automated key management by the machine control system. This means that secure WLAN machine access can be easily implemented in the form of one-time passwords.
In addition, WLAN communication can be protected and isolated from the rest of the network using a demilitarized zone (DMZ).
The default configurations of devices are designed so that the components function correctly and can be easily started up. Security mechanisms are often a secondary consideration here.
Solution: Device and patch management
When it comes to managing multiple devices, intelligent and efficient device and patch management automates time-consuming processes and reduces the risk of incorrect configuration. It supports the configuration, rollout, and management of devices and reduces security and compliance risks through shorter patch and upgrade cycles. Device and patch management enables all security-related device settings to be created and managed centrally, and supports firmware upgrades, so that the insecure factory defaults described above are replaced by a hardened configuration before a device goes into operation.
Secure services
Our trained and knowledgeable security specialists will advise you on how to minimize the specific security risks in your system and will create a security concept (certified in accordance with IEC 62443-2-4) on request. In addition, we can share our knowledge with you in training courses to bring your employees up to speed on cybersecurity.
Secure solutions
Our security concepts protect your critical processes, e.g., with the help of zone concepts, data flow control, and the use of hardened components. Secure processes are also established and documented.
Secure products
Security is firmly rooted in the entire life cycle of our products – from the secure development process (certified in accordance with IEC 62443-4-1) through the integration of important security functions to regular updates and security patches.
Phoenix Contact is one of the first companies to have been certified by TÜV SÜD in accordance with the IEC 62443 series of standards for IT security, Part 4-1:2018 Edition 1.0 (application of the full process profile).
PSIRT is the central team for Phoenix Contact and its subsidiaries, and is ready to respond to potential security vulnerabilities, cyber incidents, and other cybersecurity issues related to Phoenix Contact products, solutions, and services.
This checklist is intended to help you get an initial overview of the state of cybersecurity in your system. If you have any queries or answered no to one or more of these questions, please get in touch with us. We will be happy to advise you and support you with the appropriate consulting services and products.