Managing network security is more about risk avoidance than return on investment (ROI). Security must be of paramount concern to corporate IT departments and, increasingly, to manufacturing environments. Grantek seeks to educate our clients about the very real threat of manufacturing as a target: the threat landscape has grown exponentially in the last 10 years, with dangers ranging from run-of-the-mill hackers to corporate espionage to government-sponsored threats from unfriendly nation-states. The threats to the power grid, the food supply, and the water supply from malicious hacking are very real.
Your company has a large set of diverse users for whom security is not the focus of their daily operations. Some of these users are not even your employees, yet they need to access some of your most critical systems to perform their tasks. In response, corporate IT departments work to safeguard the corporate/enterprise side of the network, but corporate IT departments do not necessarily understand the security needs of the network within the manufacturing environment. Because your enterprise is connected from operations to corporate, protecting your operational network is equally critical. Grantek does understand these needs and is ready to help our customers lock down their manufacturing network to prevent intrusion, while maintaining the necessary access for support personnel, whether they are employees or vendors.
Grantek takes a Defense in Depth approach to network security. We seek to implement more than one method of security, such as segregating production lines on their own VLANs or cells, and implementing DMZs at the interface between the enterprise network and the controlled manufacturing network. We restrict access to the manufacturing network to only those users who truly need it to perform their jobs, and provide segregation within the manufacturing network based on the function and criticality of each subsystem.
We recognize that in data and network security, standardizing on some of the best practices in ISO 27001 and 27002 is critical. Identifying your assets, regular auditing, access control, managing mobile devices and even your hiring practices should be understood. A large percentage of security breaches are caused by insiders. Sensitive data that has merely been deleted still exists on the media and remains vulnerable if that media is disposed of improperly. Investing in secure wiping utilities or services, and properly destroying old equipment, are useful practices.
The flat networks of yesterday are neither scalable nor secure. They are unplanned and organically grown with a “plug and hope” mentality that everything stays functional. The manufacturing network today is an IACS (Industrial Automation and Control System): a network with definable subnetworks and components with specific functions and connectivity requirements. Designing a scalable network in this fashion also enhances security. Grantek is heavily involved in MESA, including its cybersecurity workgroup, and is committed to driving consistent methodologies for implementing network security in the manufacturing environment and for responding appropriately to threats or intrusions that do occur, to minimize damage.
Wi-Fi inherently provides more access points into the network. This increases the need for security while still allowing authorized users access via smartphones and other wireless devices. Frequently, corporate authentication is per-user, whereas manufacturing authentication is still per-device. This drives different considerations when implementing security protocols such as WPA2 Personal (a shared pre-shared key) or WPA2 Enterprise (per-user credentials via 802.1X). Grantek can help configure your system to increase security without placing undue burdens on authorized network users.
Security concerns include not only malicious intrusion or corporate espionage, but also adverse consequences in the manufacturing environment. Care must be exercised in designing and configuring network access to PLCs and PACs to help prevent dangerous situations from occurring as a result. For example, without the proper safeguards in place, a worker in a remote location could inadvertently turn on a machine while it is undergoing maintenance, risking injury to personnel and damage to equipment. To prevent this, a holistic approach, from Level 0 policy (lock-out/tag-out, LOTO) through the Enterprise/DMZ remote-access process, must be understood, and appropriate designs used at every step of design, implementation and verification.
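The following is an added illustration, not Grantek's own tooling, of the layered controls in the Defense in Depth paragraph and the remote-access hazard just described: a small policy check that models enterprise, DMZ and per-VLAN manufacturing cells, role-based least privilege, and a lock-out state that refuses writes to equipment under maintenance. The zone names, roles and the two sample cells are constructed assumptions.

```python
from dataclasses import dataclass

# Zones, outermost first. A flow may only cross one boundary, so enterprise
# traffic must terminate in the DMZ instead of reaching a cell directly.
ZONE_ORDER = ["internet", "enterprise", "dmz", "manufacturing"]

# Least privilege: only these roles reach the manufacturing network, with these operations.
ROLE_PERMS = {
    "operator": {"read", "write"},
    "controls_eng": {"read", "write"},
    "vendor": {"read"},   # vendor support may monitor, not command, equipment
}

@dataclass
class Cell:
    name: str
    vlan: int                         # each cell segregated on its own VLAN
    under_maintenance: bool = False   # LOTO (lock-out/tag-out) applied

@dataclass
class Request:
    role: str
    src_zone: str      # zone the traffic originates in
    cell: str
    operation: str     # "read" or "write"

# Constructed sample inventory, not a real plant.
CELLS = {c.name: c for c in (Cell("filler_line", 110),
                              Cell("boiler", 120, under_maintenance=True))}

def evaluate(req: Request, cells=CELLS):
    """Decide whether a request may reach a cell; returns (allowed, reason)."""
    cell = cells.get(req.cell)
    if cell is None or req.src_zone not in ZONE_ORDER:
        return False, "unknown cell or zone"
    ops = ROLE_PERMS.get(req.role)
    if ops is None:
        return False, f"role {req.role!r} has no manufacturing access"
    if req.operation not in ops:
        return False, f"role {req.role!r} may not {req.operation}"
    # Defense in depth: count zone boundaries crossed to reach the cell.
    hops = ZONE_ORDER.index("manufacturing") - ZONE_ORDER.index(req.src_zone)
    if hops > 1:
        return False, f"traffic from {req.src_zone!r} must terminate in the DMZ"
    # Safety: no write to equipment that is locked out, whatever the role.
    if req.operation == "write" and cell.under_maintenance:
        return False, f"{cell.name!r} is locked out for maintenance"
    return True, f"{req.operation} to {cell.name!r} on VLAN {cell.vlan}"
```

Each denial names the layer that stopped the request, which is what an auditor or incident responder needs when reviewing why a remote command did or did not reach a controller.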
Deployment of security updates is also very important in a manufacturing environment. Many manufacturers are lax when it comes to installing security upgrades and patches, resulting in vulnerabilities ripe for exploitation. Grantek can help develop and implement a proper update protocol to ensure that manufacturing devices get the latest software updates. However, there is always the risk that a patch may cause problems, so a roll-back process must also be in place. It is important that software patches and updates are verified in a limited area before deploying them throughout the manufacturing system, to avoid unplanned downtime.
Grantek has the expertise and experience to help maximize network security in your production environment.