Industrielle Cybersicherheit

Industrial Ethernet Switches verbessern die Cybersicherheit ohne Kosten

Mark Cooksley

Defense in Depth gilt als eines der bewährtesten Verfahren für die Sicherheit von industriellen Netzwerken. It involves using multiple types of defenses at different layers in the network in order to provide higher resistance to attacks than is possible with a single defense, such as a perimeter firewall.

 

Okay, great, we know this … but, what are the practical ways to put this concept into practice? Your first step should be to do a risk assessment and to prioritize your risks and their countermeasures.

 

In parallel, think about your current defenses, which likely include the perimeter firewall. Do they also include taking advantage of the security functions built in to other network devices?

 

As network hardware has become more powerful, it has expanded to include security capabilities. Most managed Ethernet switches include cyber security features to protect themselves and they are a way to enhance the security of your network at no extra cost.

 

To make sure you are not missing any easy to implement security enhancements, let’s take a look at some of the security features built into switches, such as those from our Hirschmann brand.

 

Great-Wall-of-China-Image-2

Singular defenses, such as a wall, will inevitably be breached. Similarly, a perimeter firewall needs to be supplemented with multiple layers of defense to truly protect industrial Ethernet network infrastructure.

 

Limit Communication Protocols

One type of straight-forward protection is to limit communication protocols to only those that are needed to manage a network infrastructure device. The table below shows recommended restrictions for common management protocols used by industrial control systems (ICS).

 

Protokoll

Restriction

SNMP

Disable v1 and v2

Telnet

Disable

HTTP

Disable

HTTPS

Change the certificate

 

Change the port number

SSH

Use RSA

Change the Key

Set an idle timeout


Table 1: Management protocols should be limited or changed as above to protect network infrastructure.

 

Restrict the IP Addresses that Can Access Devices

Another layer of defense is to restrict the IP addresses that can access devices. To do this, specify which IP addresses are allowed to access the device management interfaces. Specify, which protocols each IP address can use.

 

An attacker would then need to spoof the IP address of the management station to reach the devices, which would require greater knowledge and IT skills.

 

While these two techniques may seem basic, used together they are a very effective technique to prevent unwanted access to network infrastructure devices.

 

Control User Access

In terms of user access, take the time to provide individual logins to individual users. Assign an appropriate role to each user and give guests read-only access. Operators need read/write access, but should not have access to security parameters. Of course, the administrator needs full read/write access.

 

Users should have unique passwords that are robust. Implement a password policy that requires passwords to have:

  • A minimum length
  • At least one upper case character, lower case character, number and special character

Also set a maximum number of login attempts.

 

Authentifizierung

It is hard not to overstate the importance of this. Over the past few years, a number of ICS vulnerabilities have concerned devices with default passwords that could not be changed. The reasons for this may have been ease of maintenance, concerns about fast recovery or easy integration with other systems. Operationally it makes things simpler, but it is an insecure practice.

 

You should establish a login authentication list and then store the list either locally or remotely on a RADIUS server.

 

Authentication-List-Image-2 

Example of setting up device authentication to occur locally or on a RADIUS server.

 

Another aspect of device protection is to encrypt its configuration file when storing it on external memory. While this makes it more complex to replace a device, it does make unauthorized access to the configuration file more difficult.

 

Detect IP Address Conflicts

Duplicate IP addresses could indicate that an attacker is attempting to get around the IP address restriction. Alternatively, they could be executing a deliberate denial of service attack, which would prevent a network management station from seeing the device.

 

Or, IP address conflicts can be an indicator of human error, which is itself a security risk.

 

There are two ways to detect if the IP address of a network infrastructure device is also being used by an end device. One is to have the device actively check for whether an IP address is already in use. The other way is to have the device passively analyze network traffic and watch for its own address. 

 

If another IP address is detected, the switch tries to defend its IP address by forcing the other device to change the IP address it is using. If this does not work, the network device stops using the problematic IP address.

 

Security Status

In a perfect world, an engineer who configures the network never makes a mistake. In reality, when configuring security functionality on network infrastructure devices, it is all too easy to accidently overlook something. That one small oversight could provide the doorway an attacker needs.

 

The latest switches and network management software (such as Industrial HiVision) provide an overview of the security status of network infrastructure devices at a glance. Even if you are not a security expert, this will bring security weaknesses in the infrastructure to your attention, before a person with malicious intent can take advantage of the mistake.

 

Device Defenses Enhance Industrial Cyber Security

While security can be a complex topic, it really comes down to utilizing a few key guiding principles, of which Defense in Depth is one. When thinking about Defense in Depth in your own context, remember to include reviewing and implementing the security measures possible with network devices, such as managed switches.

 

This blog has looked at just a few of the security measures available in switches, including those from our Hirschmann product line. In future articles, we will look at how the security functionality built into network infrastructure devices can be used to enforce a network access policy for end devices, and to prevent malicious traffic spreading across a network.