Best Practices Cyber Security: Are You Managing Your Risks?
The defense-in-depth security is a five-layer approach focusing on physical, network, computer, application and device security. Physical Security covers guards, gates and other physical security mechanisms.
Network Security is the infrastructure framework, and it should be equipped with various hardware elements, such as firewalls, intrusion detection and prevention systems (IDS/IPS), and general networking equipment such as managed switches and routers configured with their security features enabled. Zones establish domains of trust for security access and smaller local area networks (LANs) to shape and manage network traffic.
Zones for Security: IT Systems and Barriesrs
Rockwell Automation recommends establishing an Industrial Demilitarized Zone (IDMZ), which is a barrier between the Industrial and Enterprise Zones that still allow data and services to be shared securely (see illustration).
All network traffic from either the Enterprise or Industrial Zones terminates in the IDMZ. Within this layer, asset owners should follow the ‘Principle of Least Route.’ Stemming from the IT Principle of Least Privilege, this concept was designed by Rockwell Automation to guide customers in giving access only to the information and resources necessary for each operator’s specific job. This limits the paths into a security system, making it harder to penetrate.
Know your Weaknesses
Well-known (and published) software vulnerabilities are the number one way that intruders gain access to automation systems. Examples of computer hardening include the use of antivirus software, application whitelisting, host intrusion-detection systems (HIDSs) and other endpoint security solutions, removal of unused applications, protocols and services, closing unnecessary ports, etc. Computers on the plant floor, such as a human-machine interface (HMI) or an industrial computer, are susceptible to malware cyber risks including viruses and Trojans.