Securing the industrial network
By Diane Davis
Aug. 19, 2014 – As connectivity expands from machines on the factory floor to devices and corporate offices managing the supply chain, industrial networks require enhanced security to help ensure data is protected and flowing efficiently between network assets.
Network expansion into the field is most easily accomplished by using industrial routers to provide secure, reliable, high-speed communication. But before making investments in these industrial routers, there are some key factors to keep in mind.
One of the downsides to increasing connectivity is the potential for industrial networks to be more vulnerable to cyber threats, such as remote attacks and viruses. This is one of the reasons why it is important for decision-makers to evaluate security features before investing in networking equipment.
When deploying wired routers to monitor and control industrial assets, data security should be a top consideration. Best practices should be put in place to address communication across the network, the type of data being processed and the users who have access to both the data and hardware.
Some wired routers utilize Virtual Private Networks (VPNs) to securely extend the private (corporate) network to remote locations, like factory floors. Companies should look for products that allow the use of IPsec and OpenVPN, each of which offers unique VPN features for different network applications. IPsec uses robust encryption and shared parameters to secure data traffic from the head end to remote assets. OpenVPN utilizes shared certificates to ensure data security while providing secure data transmissions between routers.
The next layer of security is a firewall that uses Stateful Packet Inspection (SPI). The SPI process scans individual packets of data and approves or denies each packet based on known services that are currently running. For instance, a remote site may be allowed to transmit only Modbus data packets, to limit data usage. In this case, any non-Modbus data would be rejected by a firewall in the router.
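As an added illustration of the Modbus-only rule described above (not code from the original article or from any router vendor), the following Python sketch models a default-deny stateful filter. It assumes Modbus traffic is identified by its registered TCP port, 502, and that the remote site opens the connections; the subnet, addresses and simplified TCP flags are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

MODBUS_TCP_PORT = 502  # IANA-registered port for Modbus/TCP
SITE_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed remote-site subnet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # simplified TCP flags: "SYN", "SYN-ACK", "ACK", "RST"

class StatefulFilter:
    """Default-deny filter: only flows the site opens to Modbus/TCP may pass."""
    def __init__(self):
        self.flows = set()  # connection table of (src, sport, dst, dport)
    def check(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "SYN":  # a new connection must match the policy
            from_site = ipaddress.ip_address(p.src) in SITE_NET
            if from_site and p.dport == MODBUS_TCP_PORT:
                self.flows.add(key)
                return "ACCEPT"
            return "DROP"
        tracked = key if key in self.flows else reverse
        if tracked not in self.flows:
            return "DROP"  # no matching state: unsolicited packet
        if p.flags == "RST":
            self.flows.discard(tracked)  # connection torn down
        return "ACCEPT"

def run(packets):
    fw = StatefulFilter()
    return [fw.check(p) for p in packets]

# Constructed sample traffic (addresses are illustrative)
SAMPLE = [
    Packet("10.20.0.5", 40000, "10.1.0.10", 502, "SYN"),
    Packet("10.1.0.10", 502, "10.20.0.5", 40000, "SYN-ACK"),
    Packet("10.20.0.5", 40000, "10.1.0.10", 502, "ACK"),
    Packet("10.20.0.5", 40001, "10.1.0.10", 80, "SYN"),       # non-Modbus service
    Packet("10.1.0.10", 502, "10.20.0.5", 40002, "ACK"),      # no prior SYN
    Packet("203.0.113.9", 5555, "10.1.0.10", 502, "SYN"),     # not from the site
    Packet("10.20.0.5", 40000, "10.1.0.10", 502, "RST"),
    Packet("10.20.0.5", 40000, "10.1.0.10", 502, "ACK"),      # after teardown
]
```

Calling `run(SAMPLE)` returns one verdict per packet; connection timeouts and FIN handling are left out of this model.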
Similar to a firewall, which approves or denies data packets, routers and RTUs should also offer an Access Control List (ACL) — a list of approved or denied user credentials that allow or deny users access to the cellular device. Coupling an ACL with user-level authentication adds security by only allowing certain services to be accessed by specified users.
Devices should also offer the ability to meet varying environmental requirements, such as wide operating temperature ranges, fluctuating input power voltages and air with particulate matter that may cause failure in devices with moving parts. As a primary WAN connection or a backup to existing network links, the right wired routers should also be well-suited for harsh industrial environments, such as oil and gas, energy and water/wastewater applications where security and reliability are paramount.
Increasing industrial network connectivity on the factory floor is a sound investment to enhance communication among offices, plant locations and devices. Decision-makers should take the steps necessary to protect their infrastructure by evaluating security options alongside network performance.
Diane Davis is director of product management, networking, at Red Lion Controls.