Presented @ 2016 ISA Process Control & Safety Symposium, November 10, 2016
The exchange of key information between business operations, suppliers, customers, production, and ultimately the production equipment itself can provide significant financial and productivity advantages. This presentation will discuss some practical approaches to utilizing the cyber security principles from ISA/IEC 62443 in order to integrate the business and production environments. It will also present some of the different solutions for meeting a variety of scenarios, such as data historians, patching/updating, and remote maintenance.
3. Overview
⢠Why Integrate Business & Production?
⢠Things to Consider
⢠Potential Solutions
⢠Questions
4. Why Integrate Business & Production?
⢠Production to Business
â Production Data
â Historical Data
â Regulatory Requirements
â Network/Security Monitoring
⢠Business to Production
â Remote Maintenance
â Patch Management
â File Exchange
â Configuration Data
Complete isolation is rarely an option
6. Things to Consider
⢠Isolated Zones
⢠Network Segmentation
⢠Wireless Integration
⢠Remote Connections
⢠Public Infrastructure Integration
⢠File/Data Transfer
⢠Monitoring
7. Isolated Zones
⢠Are there zones that require network isolation?
⢠Safety-related systems are a good example
⢠Set it & forget it!
⢠May require re-calibration over time
⢠Can be connected via signal wiring
8. Network Segmentation
⢠Firewall vs. Data Diode
â Is bidirectional communication required?
â Human interaction vs. automated bi-directional communication
â âAir-gapâ requirement
â Mixed firewall & data diode
⢠Multi-legged vs. Dual Firewall
â Establish DMZ
â Product diversity
â IT/OT
9. Wireless Integration
⢠Will wireless be used?
⢠What communication protocols?
⢠What frequency bands?
⢠Point-to-point vs. omnidirectional?
⢠Star vs. mesh topology?
⢠Bandwidth requirements?
⢠Tolerance for drop-outs?
⢠Where to integrate into architecture?
10. Remote Connections
⢠Personnel, vendors, contractors, MSSP?
⢠On-site vs. off-site access?
⢠Continuous vs. scheduled vs. sporadic connectivity?
⢠Method of connectivity?
⢠Single-factor vs. multi-factor authentication?
⢠Connection points within architecture?
⢠Types of communication allowed?
11. Public Infrastructure Integration
⢠More of an issue with SCADA
⢠Wired vs. terrestrial wireless vs. satellite
⢠Dedicated vs. leased-line connections
⢠Service level agreements for ISP
⢠Contingencies for backup/secondary communications
12. File/Data Transfer
⢠Restricting data flows through zone boundaries
⢠Direct communications vs. servers in DMZ
⢠File transfer server vs. removable media
⢠File transfer through remote management connections
13. Monitoring
⢠Malware checking
⢠Ingress/egress filtering
⢠Continuous monitoring vs. human interaction
⢠Push vs. pull of monitoring data
⢠Legacy equipment
⢠HIDS/NIDS
⢠Non-networked equipment
14. People Will Get Things Done
⢠One way or another, people will get their job done
⢠Security canât be seen as an impediment to that
⢠Provide methods that work easily, but are more secure
24. Summary
⢠There are benefits to connecting business and production networks
⢠There are a variety of things that need to be considered when
connecting business and production networks
⢠There are practical solutions for security