It has become one of the most important topics for discussion in today’s world. Cyber security is important because it is the most important cause of, data loss, loss of production and loss of capital when automation systems are concerned. The big question is, how will we know we are secure, but also able to use the comforts that modern computer system bring the process automation environment,
Having a secure system start with not connecting your process automation system to the internet. Obviously this limits a lot of the nice to heave, comfort features that we have come to expect, or we actually need. So connecting your process automation system to the internet will bring risk, but it will also bring advantages. Considering those advantages is very important, because defining the things you want to gain for having an internet connection, also allows us to define what we will not be using. With that information we can decide how to secure our internet connection. Securing an internet connection, or any external connection coming in to a process automation, can and should be done with a firewall.
To make sure a system can be open, and yet secure, it is important to always use a layered system approach to designing firewall security. This means that whenever an internet connection is connected to a process automation system, 2 firewalls should be put in, one to secure the internet connection to a switching unsecure layer, and then a second firewall the blocks most traffic accept the traffic coming from the switching layer. This means that we can separate and better secure the data flowing through the 2 firewalls and thus the data between the process automation system and the internet.
Usually the internet connection on a process automation system is connection because of maintenance actions, an so will have to route remote access. If this is properly setup, a two factor authentication can be setup to create a VPN connection to the main internet connection firewall (with a FortiGate for instance). On the connected network, a terminal server should then be used to authenticate and redirect the user to a remote access screen that they have been allow permission to use. This data will only then be allow through the second firewall. This means that most other data will be block by the firewall, and so any data or data locking mechanisms will not work.
This also helps when data needs to be transferred from the process automation environment to the “office” computer network. Because dat now only has to travel through the inside firewall, a lot more freedom can be given, and so some data tracks can be opened if the destination of the traffic is the office network. This way data or backups, or even web reporting tools can be used by the office network with data from the process automation network. This helps data stay safe, and gives the IT team the ability to back up the process data, or the Industrial IT team the ability to backup data to an office IT storage location.
Obviously it is not so easy to check whether you are safely connected to the internet. But the most important thing is always to make sure no suppliers use their own built in modem solution in your factory. Always manage the connections in a secure way, and create a VPN system with a user account for each supplier. Make sure VPN accounts have two factor authentication, this makes it less of a viable option for people to hack your system. Also make sure to layer the firewall system, and have an internal terminal server that authenticates the user, keeps track of their actions, and makes sure all sessions are watched over by an anti virus program that scans all data files that are being exchanged.
Also always look at the network plans of the systems in you process automation network, and make sure the internet is not connection directly to a switch. Even if it is internet coming from an office internal source, make sure to even secure that internet with a firewall. Office internet connections are often very open, and the outer firewall will allow most traffic. But whatever you do, make sure to install virus scanners that are compatible with the process automation software, and run the virus scanners periodically, update your windows systems and make sure to not allow people to connect USB devices. Cyber security becomes a lot more manageable if you use our tips.
iAUTOMATION is an automation specialist that focuses on industrial automation, IT and the links between these two fields. With many years of experience in the industrial automation and IT world, iAUTOMATION is a mature partner that will benefit you.
iAUTOMATION provides complete projects for the industrial automation world with a specialty in PCS 7 consultancy and engineering. But other systems are also known to us and can be implemented by iAUTOMATION.
With knowledge of virtualization, networks, domains and IT management, iAUTOMATION is also a very suitable partner for all your IT questions and projects. We will always assist you with great enthusiasm and knowledge in your projects, and try to relieve our customers by proactively and positively tackling your project.