Segmenting a Network for Increased Reliability and Security

9 December, 2020 | White paper

Paul Haughey

Paul Haughey, CET, PMP, GICSP

Industrial control systems cybersecurity specialist

icon linkedin

Abstract

We all have experienced browsing the internet at home when the connection speed has slowed to a crawl. This might be because your child has started a session of World of Warcraft or your spouse, or even the neighbor down the street, is streaming a movie. They have taken over all available bandwidth, leaving you waiting and wondering how long it will take to update your web page. Now imagine if this scenario were to happen on an industrial control system at a substation, a refinery or even a nuclear power plant. The results could be disastrous.

With the introduction of Ethernet to the plant floor, we should pay more attention to network design for industrial control systems. In the past, there were primarily vendor proprietary networks, so we did not commonly experience the same vulnerabilities and effects that multiple users or devices can have
with Ethernet. It was not possible for someone to easily access Modbus Plus, Data Highway or a Field Bus network directly. With Ethernet implementation, we have seen companies combine operational control system network traffic with email and web browsing. I have even witnessed an open wireless connection to a programmable logic controller on-site without even a login or password. There is a trend for plant owners and operators to implement additional connectivity to field devices using ethernet. Bring your own device creates new challenges to networks and system administrators.
Ethernet is more open than previous proprietary networks, which is great for interconnectivity and reduced cost, but can lead to real problems if not implemented and managed correctly.

There are numerous benefits to connected field devices with open architecture, such as the ability to monitor real time data, reduced equipment and cabling costs, access to machine data for advanced analytics, and troubleshooting. With the benefits of an interconnected plant come new operational
risks and vulnerabilities. System owners need to pay more attention to the network design and security aspects. In the past, these networks were air gapped with limited access methods available for online attacks. All this has changed with ethernet at the plant industrial equipment. Automation and security professionals must ensure that all connected field devices are properly password protected, patched and meet regulatory requirements or minimum-security baselines. It only takes a single misconfigured device to have a weak link in the chain. This can put the company at risk for a remote attack or failure. An innocent mistake made by an employee could have a huge negative impact to the reliability of the system. Without effective segmentation of industrial control system networks, ransomware or other, cyber threats can easily access operational systems, enabling potential disruptions or damage to operational assets or human life.

It is clear that cyber risk mitigation can directly impact the bottom line, not just in terms of potential business loss and penalties, but also in terms of future investment. Almost half (49%) of 600 global institutional investors identified cyberattacks as the number one risk expected to impact the investment
landscape over the next five years. A further 75% will be raising data privacy and cybersecurity as the number one risk topic with executive boards in 2020 according to Edelman’s annual Trust Barometer institutional investor special report.

This paper is about a recent project that BBA completed to re-design a facility’s electrical protection network from a flat network to a segmented network. The goal was to increase network reliability and security. The client was experiencing failures of network devices due to overwhelming broadcast
messages flooding the network. This introduced potential safety concerns because the network was used to sending trip commands to open breakers located in remote substations. The increased load also restricted operations from monitoring the facility in real time. This paper will review the project
requirements, design and process used to implement the changes.

To receive a copy, please visit: https://cigreconference.ca/papers/2020/D2/370/segregating-a-flat-network-for-increased-reliability-and-security-123-paper.pdf

SUBSCRIBE 
TO OUR NEWSLETTER!

Stay connected and find out how BBA can help you maximize the value of innovation.

NEWSLETTER - EN