The second instalment on how to ensure your facility's industrial systems are not compromised.
A solution to protect your site is to adopt encrypted communications.
Encryption is the process of transforming plain text, using an algorithm, to make "the message" unreadable to anyone, except those possessing the encryption key.
It is a common method for protecting information in commercial systems and with wireless communication.
One of the questions is where to encrypt the data - at rest or in transmission.
Encryption, by itself, can protect the confidentiality of messages, but other techniques are needed to protect the integrity and authenticity of a message.
For process control, we recognise the need to protect against modification from sender and receiver end-points.
Today, with Internet Protocol security (IPsec), we can perform end-to-end authentication, allowing the protection of the message without encrypting the data. As an IPsec configuration option, data can be encrypted as well.
One point to be considered, however, is how some network intrusion detection features are implemented. For example, encrypting data can cripple network intrusion detection capabilities.
The security strategy for the control system environment must balance the benefits and select the appropriate set of options.
Incident detection and response
Intrusion Detection Systems (IDS) are applications that can include both hardware appliances and software solutions. The IDS resides on the network and is useful in detecting attempts to access the network.
An IDS will act to alert the network administrator of intrusion attempts and record all alert information, according to parameters set by the administrator.
There are network-based as well as host-based IDS'. Some control systems today are integrated with network-based IDS.
However, over time we expect to see a migration towards greater pervasiveness of this technology as well as the application of host-based IDS.
IDS' have the capability to inspect the network packets as they flow through the system.
Today very few control system protocols are understood by IDS' and we see that changing in the future as more of the protocols are defined and implemented making the IDS for control systems more effective.
In addition to intrusion detection, the idea of intrusion prevention is very attractive. Intrusion Prevention Systems (IPS) are relatively new to the world of incident detection, and offer the benefit of preventing the intrusion, not just detecting an intrusion and reporting on it after it has occurred.
Remote security operations centres
Remote centres for network and security management help to ensure optimal performance and administration of a process control network and security infrastructure via a set of remote services.
Many process control organisations today are challenged to address areas requiring specialised skills - skills that are more closely aligned with the IT organisation.
While these capabilities are both valuable and necessary, focusing on business results ranks higher with in-house resources.
For these reasons, many organisations will turn to a solution that provides the skills and services necessary to keep the process control network running in a secure environment. Over the coming years, we expect to see an increased utilisation of this type of remote service.
Future plant security
The Plant of the Future will be compliant with IEC 62443, plus we will see more individual accountability, which will be achieved through more role-based control and access-enforced end points instead of "in the middle" approaches.
Today, change points are detected and made on the server. In the future, these change points will move closer to where the impact of the change resides; closer to the controller.
For role-based access control, a way of increasing individual accountability, we will see encryption used as a step in the right direction.
We need to adopt a security mindset, based on the premise that all trust is limited.
One element of that mindset is compartmentalisation in order to minimise what must be defended, minimising the increment of potential loss.
Another aspect of a security mindset is Defence in Depth. Trust is an important element in our security mindset, but we must understand that unverified trust decays over time.
Verification testing then becomes an important aspect - we must re-verify the basis for trust and our verification testing should not be predictable.