According to the latest research from ARC Advisory Group, industry has really woken up to the issue of cyber security, not just from the point of view of protecting traditional IT networks, but also looking at the risk to the industrial control system (ICS). Bob Mick, author of the report ‘ICS Cyber Security Worldwide Outlook’ commented: “ICS cyber security is extremely dynamic, requiring constant attention and bringing today’s market practices into question.”
Clearly cyber security needs addressing. A key issue, though, as identified in the report, is that a cyber security solution is not a single product; instead it is a combination of architecture, practices, behaviour, security components – both hardware and software – and third party services. Some ‘best practices’ have surfaced, but actual solutions must take into account business situation and risk.
From a control network point of view, in the march to industrial Ethernet as the networking standard of choice, there’s no doubt that security considerations have been left somewhat behind. To date, security has focused largely on making layer 2 secure, but the very fact that industry is embracing Ethernet, and thereby opening up the plant floor to attach from the outside world, means that network security requirements are evolving, driving a need to look beyond Layer 2 Ethernet connectivity. Under the seven layer model, all it takes is for one layer to fall to an attack before the whole communications system is compromised – potentially without the other layers being aware that there is a problem. Security is only as strong as the weakest link, and Layer 2 can be very weak indeed.
Any secure system has to start with effective Layer 2 and port based security mechanisms and combined routers and managed switches that create enhanced integrated solutions for security for Ethernet networks, meeting the emerging demand for Layer 3 (IP) and Layer 4 (TCP and UDP) security networks. Then there has to be a binding software glue that delivers network-centric solutions for cyber security protection, while providing a framework for the overall control and information systems infrastructure, and further software to provide effective electronic perimeter protection.
Building all of that from scratch is a big ask of the personnel charged with protecting a company’s industrial control system. But there are vendors out there who can offer virtually the whole package off the shelf, while still delivering the flexibility to allow the control systems infrastructure to evolve over time in line with market and business development.