3 things to consider when securing IIoT network devices

Most organisations know that a strong password policy is at the core of a good network security strategy, however, many manufacturer’s devices are configured as standard with default usernames and passwords, and since this data can often be repeated for all devices of the same make and model, taking time to modify configured manufacturer’s devices is crucial in securing your network of devices.

Utilising cyber-security standards like IEC 62443-4-2 level 2, prompts the use of complex passwords of four elements of numerical, mixed case and special characters for a more robust approach to password security. Additionally, if the hardware you are using supports ‘User Account Management’ this can be used as a method to restrict user access to read only.  Where hardware allows it, the use of RADIUS or TACACS servers can be used for a very granular and central authentication process. Logging events such as user logons, interface status changes, device restarts etc. can help when analysing security issues relating to access and other security breaches.

Furthermore, restricting access to only allow communication from predetermined and trusted IP addresses, as well as using encrypted protocols to pass data across the network, in even its most basic form could make any interception much more difficult to decipher.

Have you considered how easily accessible your devices are? In environments where multiple people have access to these devices, examining the physical security of each one could be beneficial.

The simplest form of denial of service could involve physically removing power cables, pressing the reset button or pulling communication cables out of the device. This type of attack doesn’t require skill or effort and relies merely on physical access to the devices, therefore it would be advisable to consider locking devices away in cabinets or secure rooms, reducing the risk of physical tampering.

In many IIoT applications, devices can be located in more isolated environments that are subject to the demands of extremes in weather, temperature, or where the network devices could be subject to shock and vibration. This places high importance on ensuring network switches are robust enough to withstand these conditions eliminating the chance of secure connections being disrupted.

Robust Port security and Access Control List (ACL) are other elements of your security strategy that may require consideration. Good practice could be to disable or shut down any ports that are not being used to stop the device passing any traffic from unauthorised devices plugged into unused ports. If the device supports it, a port can also be locked to a certain MAC address, which can go towards ensuring that only authorised devices are plugged into the network.
 
Similarly, as ACL’s consider data passed through a port, they can be used to permit or deny traffic based on source and destination, IP or MAC address. Depending on the device traffic, ALC’s can also be restricted by protocol and by VLAN. An ACL is configured and applied to one or more interfaces for incoming or outgoing traffic. ACL’s analyse traffic before passing it on, therefore having a direct effect on CPU usage.

The industrial environment is facing increasing complexities relating to the relationship between OT/IT. This relationship requires careful management since office and industrial protocol may operate under different security standards. However, before an effective security management strategy for industrial networks can be implemented, essential measures to ensure an in-depth and layered approach should be made.

Enterprise IT systems have been evolving for many years, whilst IIoT is merely in its infancy. To bridge the security gap between OT and IT, organisations need to act quickly in instigating a process to secure their IIoT networks. Hardening switches is simply the start of a much bigger, holistic approach to adopting the types of multi-layered strategies necessary for the IIoT explosion predicted between now and 2020.

Therefore, starting with device level security and examining how an entire network is made up of the various security layers, would be the pragmatic approach needed to better securing your devices and a valuable step in a much higher level approach to securing your organisations IIoT network.

Securing network data transmissions at device level is paramount to minimising the risk of network security breaches.

Things to consider:
 

• Think about your devices default passwords and whether your current password policy is complex enough
• Consider features like ‘User Account Management’
• Do you restrict or deny IP Addresses?
• Consider who has physical access to your network devices
• Examine your Port Security & Access Control Lists
• Do you have encrypted traffic management and configuration files?
• Think about whether your existing devices meet the challenges of an industrial or harsh environment

With the adoption of Industrial Ethernet Switches, organisations can address technical security requirements whilst also ensuring that devices are rugged and capable of operation in demanding industrial environments.

Impulse have been partnering with Moxa, experts in tailor made Industrial Ethernet solutions for a number of years, supplying high-quality industrial grade Ethernet switches for smart factories and other infrastructure’s throughout the UK market.

Currently, Moxa’s devices have connected around 30 million devices worldwide, and with their Industrial Network Management suite, organisations can now better manage their IIoT security.
Some of the more recent products from Moxa’s portfolio of Industrial switches demonstrate the drift towards better device level security with the inclusion of firmware like Turbo Pack 3 to meet the requirements of the IEC 62443-4-2 level 2 standard, whilst also supporting MAC Address and RADIUS authentication to further enhance the security of the industrial network.

Additionally, Moxa’s sophisticated MXStudio management software can be used in conjunction with their range of rugged Ethernet switches, and with the addition of their enhanced ‘Security View’ features, users can easily check the current security status of their network devices based on industrial security standards like IEC to further enhance network security as well as reducing the effort required from operators.

To find out how Impulse can support your next networking project, please contact us on +44 (0)1782 337 800 or email sales@impulse-corp.co.uk

Disclaimer: All recommendations here are for reference only and any features covered in this article are subject to availability and will differ depending on manufacturer and model.