OT: Cyber Security Seminars

Good Grief.
.
I GUARANTEE YOU that if I were to include a generic 'security appliance' in every one of my quotes in the next 2 years, not a single one would be accepted.
I have also noticed questionable connections to PLC and HMI systems, and, when I've pointed them out to the plant's staff, they are universally met with "yeah, so what?"
So, while I think an industry-led approach would be the best, it's clear in my experience that this will need to be another of those terrible unfunded mandates from the big-bad government before anyone will act.
Until then, my universal answer to "gee, I wonder how that code changed//I wonder how that program got wiped out" questions will be 'it's the infrastructure, dummy'
.
The Sky Is Falling.
 
Ha ha - fair enough. In that case I'd defer to their IT department, who *should be responsible, have experience, and some budget to deal with securing the network.

Or maybe some bad incident will cause the evil government to overreact and mandate some security settings. Either way, higher security standards are bound to happen eventually.
 
The extent that I have seen security is only the things I have done thus far. Making sure the PLCs are on a separate and secure vlan with no internet access. Machines that are allowed on both networks are fully patched at all times and locked down. Layer 2 switches have the latest firmware and configuration backups. Never thought of running any Rockwell security software. I was of the mind that antivirus, anti-malware, and secure layer 2 management would be enough.
 
That's it, forget the IT guys and all their blather.
Well I have to think there is simply more to it than that. I am new to PLCs. Matter of fact I am just an IT manager for a company that has to use them. I don't know much at all about programming them but they are on the network so I have to make sure they are safe and able to operate. Nobody at my plant knows really how to program them either (they'll say they do but we still hire outsiders to do all the work). It is all done by outside vendors and contractors whom we see quite a bit. Our operations are too critical for me to pick up some things here and there and save the company some money on consulting fees.

Of course I feel I did them a world of good when I got there because they had their PLCs on the business network and the CEO could ping the PLC from his office laptop. No good. I fixed that good and quickly. They would have continued operating this way if no one had put their foot down.
 
The extent that I have seen security is only the things I have done thus far. Making sure the PLCs are on a separate and secure vlan with no internet access. Machines that are allowed on both networks are fully patched at all times and locked down. Layer 2 switches have the latest firmware and configuration backups. Never thought of running any Rockwell security software. I was of the mind that antivirus, anti-malware, and secure layer 2 management would be enough.

Rockwell security software is pretty good and is getting better with newer products, but you have to remember that it is geared more toward the inside threat than anything. Keeping the wrong people out of systems is the primary goal.

Your PLC network really should be on its own LAN, meaning physical, not just a VLAN, and there should be a clear point of physical demarcation to disconnect the automation LAN from the rest of the network.

Typically there is a DMZ where automation resources sit that need access from the business LAN and the automation LAN, or have the devices such as historians, Rockwell security servers, HMI servers, etc. sit on the automation LAN and pass traffic through designated ports through the DMZ.

If you use a lot of outside contractors I recommend making them use laptops/computers that you control so you know the machines are patched and exactly what's on them, both physical and virtual machines. This will also ensure that the contractors are using the same versions of PLC software that your in-house group is and will eliminate any possible problems in that arena.

A dual firewall DMZ is the best approach IMHO to join the 2 physical networks together for data sharing/recipes, etc.

The firewall on the automation LAN side of the DMZ should be a firewall of industrial automation grade such as a Tofino appliance http://www.tofinosecurity.com/products/tofino-security-appliance as it has the ability to work with specific industrial protocols and to spot anomalies in industrial protocol traffic.

If you do any outside remote access to your automation LAN for service/repair you should also strongly consider 2 factor authentication for that access.

CDC
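An added example, not part of the original posts: a small audit that checks flow records against the business LAN / DMZ / automation LAN model described above, flagging any traffic that bypasses the DMZ or uses a port that was not designated. The subnets, the port allow list and the sample flows are all constructed assumptions to be replaced with a site's real values.

```python
import ipaddress

# Constructed zone layout (assumption): replace with the site's real subnets.
ZONES = {
    "business":   ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "automation": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed allow list (assumption): (src zone, dst zone) -> permitted TCP ports.
# Any pair absent here, including business<->automation, has no permitted path.
ALLOWED = {
    ("business", "dmz"): {443},       # business users reading historian/HMI views
    ("dmz", "automation"): {44818},   # DMZ server polling PLCs over EtherNet/IP
    ("automation", "dmz"): {1433},    # automation-side data pushed to a DMZ database
}

def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit_flows(flows):
    """Return (src, dst, port, reason) for every flow that breaks the zone model."""
    findings = []
    for src, dst, port in flows:
        s, d = zone_of(src), zone_of(dst)
        if s == d:
            continue  # intra-zone traffic is out of scope for this check
        ports = ALLOWED.get((s, d))
        if ports is None:
            findings.append((src, dst, port, f"{s}->{d} has no permitted path"))
        elif port not in ports:
            findings.append((src, dst, port, f"port {port} not designated for {s}->{d}"))
    return findings

# Constructed sample flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.0.10", 443),    # business -> DMZ on a designated port
    ("10.20.0.10", "10.30.0.15", 44818),  # DMZ -> PLC on a designated port
    ("10.10.5.20", "10.30.0.15", 44818),  # office laptop straight to a PLC
    ("10.20.0.10", "10.30.0.15", 3389),   # DMZ -> automation, undesignated port
    ("10.30.0.15", "203.0.113.7", 443),   # PLC reaching an external address
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Fed with exported firewall or switch flow logs, the same check shows whether the "CEO can ping the PLC" path has really been closed.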
 
This is relevant information. Thank you for the firewall recommendation. I am currently using a heavily licensed Sonicwall system. You make some valid points about the 2 factor issues, Team Viewer was used for a while temporarily. Since my shop is 24/7 it took some real wrangling with upper management to get them to shut everything down so I could make the address changes on the PLCs. I had to convince them that this was in their best interest. I put it to one of them like this in an offline discussion: I think of these systems as if they are mine. Everyone else uses them to do their job. These things (network connected devices) ARE my job so please let me secure them so you can continue doing your job.
 
I use sonicwall for my edge firewall and a SRA VPN appliance for remote access http://www.sonicwall.com/us/en/products/SRA_4600.html#tab=Resources

This unit has 2 factor one time use passwords.

You can also do 2 factor with Duo Security https://www.duosecurity.com/

and Phone Factor https://www.phonefactor.com/

Both are free up to like 10 users I think and will run on any old x86 dual nic system or retired server.

I have setup all 3 of these solutions for several different people to give their engineers and contractors remote access and they all work well.
 
