Industrial Cyber Security

The Industrial Cyber Security Design Guide emphasizes the critical need for robust cybersecurity measures in IIoT-capable automated installations, addressing various vulnerabilities and attack types. It discusses the challenges posed by IT/OT convergence, including the risks associated with legacy systems and the importance of comprehensive security strategies. The guide also highlights the role of industrial demilitarized zones (IDMZ) and cybersecurity services in enhancing protection against cyber threats in industrial environments.


SPONSORED by:

www.honeywellforge.ai

INDUSTRIAL CYBER SECURITY Design Guide

brought to you by:

www.designworldonline.com
INDUSTRIAL CYBER SECURITY I DESIGN GUIDE

Core to the operation of IIoT-capable automated installations is industrial-grade cybersecurity. Most of these security elements take global views of data protection and machine access.

Determining the most suitable cybersecurity elements for a given machine depends on the likelihood and scale of consequence of an attack or breach. That’s why in this Design Guide, we’ll review vulnerability and attack types as well as leading solutions today.

TABLE OF CONTENTS

Cybersecurity threats specific to industrial automation ......... 3
IT/OT security challenges and opportunities .......................... 5
Ways to employ access control for industrial cybersecurity ..... 9
Types of end-to-end industrial cybersecurity protection ..... 13
CIP Security elements to prevent cyberattacks ..................... 16
Employing zero-trust architecture ........................................... 17
Basics of an IDMZ ..................................................................... 20

LISA EITEL, Executive editor
JODY MUELANER, Contributing writer

SPONSORED by:

www.honeywellforge.ai

© Copyright 2024 WTWH Media I March 2024


www.wtwhmedia.com I marketing.wtwhmedia.com I www.designworldonline.com I www.motioncontroltips.com
@designworld /DesignWorldNetwork @motion_control
CYBERSECURITY THREATS SPECIFIC TO INDUSTRIAL AUTOMATION

Industry 4.0 has lowered production and industrial-operation costs while boosting flexibility, output, and quality. Core to IIoT advancements are connectivity, data accessibility, and interoperability with network standardization — especially on Ethernet, enterprise, and cloud-based systems.

The caveat is that IIoT connectivity brings with it vulnerability to infiltration or attack — and the need for industrial-grade cybersecurity measures.

For years, manufacturing and industrial communities saw the need for protecting device and machine data exchanges as well as industries’ generally lacking protection against cyber losses. The average installation fell short of satisfying recommended levels of protection, especially those for top-level security and encryption to secure data transmission. Now, new standards have spurred machine builders, end users, governmental bodies, and international organizations to promote and embrace more comprehensive (and more easily upgradable) security measures.

In fact, recent developments in manufacturing and automation have created unique cybersecurity challenges. For example, globalization and the ubiquitous use of certain semiconductor products from a handful of extremely large manufacturers have created unique cybersecurity threats. After all, one ubiquitous technology can serve as the vehicle for a cyberattack with reach that’s tantalizingly large and dramatic. In addition, the supply-chain challenges caused by the COVID-19 pandemic spurred many OEMs to source parts via nontraditional channels, exposing some organizations to the vulnerabilities of new and less-proven suppliers.

Especially for manufacturing and machine-building operations, supply-chain attacks have become more common over the last decade. These typically introduce components with malicious or compromised code to allow disruptions or unauthorized access to sensitive information at a future date.

Perhaps more dramatic, the ballooning scale of certain automated operations (especially in the food and beverage industry) has rendered some organizations increasingly attractive targets for cyberterrorism through sabotage of product safety.

Yet another challenge is the vast proliferation of connected components and devices over the last 15 years (with still-in-service legacy hardware into the billions and counting) sporting various vulnerabilities, including rare instances of malware sitting dormant until activated. The democratization of automation and digital manufacturing (with modest cobot installations and low-volume 3D printing, just to give two examples) has also meant an ever-widening array of equipment is now being used to create end products. The systems and hardware to support such operations (no matter how disparate) must be secure to a degree commensurate with posed risks, should a workcell or produced product be compromised or fail.

The vast proliferation of connected components has also made command-and-control or C2 attacks potentially more lucrative for cybercriminals. These often leverage covert connections that can go undetected over long time periods to exact larger-scale damage to the targeted system or organization.

Unsecured IoT devices and mobile devices such as smartphones, tablets, and laptops are common targets. Here, scams increasingly complemented by artificial intelligence (AI) have come to dupe even the savviest organization personnel into granting attacker access to the latter.

A final challenge is the increased comfort with and reliance on automatic software updates for security patches. While the only practical way to maintain cybersecurity for many systems, automatic software updates (especially spoofed and counterfeit updates) have sometimes become the vehicles through which bad actors have sabotaged industrial systems.

Industrial organizations can mitigate cybersecurity threats with holistic security measures. These are complete with data encryption wherever practical; network segmentation; timely software updates and patches; personnel data-safety training; and continuous systems monitoring. Image: Dreamstime

SPECIFIC CYBERSECURITY-BREACH CONSEQUENCES

For many industrial operations, patented and proprietary technologies are among the organization’s most valuable assets. But because of the reliance on digital communications and other digital systems, IIoT operations can be vulnerable to intellectual property exfiltration and theft — especially when digital design documentation must be intermittently made more accessible for legitimate uses. Stolen trade secrets and details surrounding product designs and processes are difficult or impossible to retrieve from competitors or black-market sales.

In other cases, bad actors target sensitive customer and employee information to extract financial value or degrade an organization’s reputation. Regulatory penalties and legal consequences for such data breaches incur still more financial losses.

“If the cloud is hacked or breached, then personal content can be used to blackmail people,” said Saswata Basu, data security expert and the founder and CEO of Züs (formerly 0Chain) in a comment for Design World. “False information can be inserted into the content body without being noticeable, and no one will suspect a data breach … and this malcontent can be used to damage reputation.”

Basu continued: “Data should be ideally distributed and encrypted and then stored on the cloud. But encryption must be done on the client side, and the data must be in the user’s control rather than the cloud. That way, if the cloud is hacked, data can’t be decrypted by the hacker. What’s more, even if it’s not encrypted, distributed data would ensure that only a small fragment is revealed to the compromised server — and not the entire data.”

The regularity of data breaches has also made credential stuffing — attacks that try breached IDs and passwords from one organization on user accounts elsewhere — commonplace. A sizable percentage of the login attempts at any online portal are in fact credential-stuffing attempts.

In other cases, breached industrial systems can be remotely or locally loaded with computer viruses or ransomware designed to halt operations or damage equipment. Where such malware is deployed to extract a payoff from an organization, the payoff required to have systems decrypted and released can be significant. In fact, large-scale industrial operations are prime targets of ransomware deployments due to the public nature of their sizable financials.

MORE FROM DESIGN WORLD ON INDUSTRIAL CYBERSECURITY:

• Ewon and NVISO partner to bring IIoT cybersecurity to new levels
• A Cybersecurity System That Learns from the Hackers Themselves
• Digitalization and the importance of cybersecurity
• Eight Steps to a Stronger Cybersecurity Strategy
• FDA, DHS Partner to Speed Response to Medical Device Cybersecurity Threats
• Honeywell launches new industrial cybersecurity services to address customer skills gap
• Researchers Enable Realtime Forensic Analysis with New Cybersecurity Tool
• Eight Cybersecurity Tools Business Needs Today
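The credential-stuffing pattern just described is easy to tell apart from an ordinary user mistyping a password once the login log is grouped by client: one client cycling through many different usernames with a low success rate is a stuffing run, and any account that did succeed from that client should be treated as compromised. The script below is an added example written for this guide, not code from the Design Guide or from any vendor; the log format, the sample lines and the thresholds are constructed for illustration.

```python
"""Credential-stuffing detector over portal login events (added example).

Heuristic: within a short window, one client trying many distinct usernames
with mostly failures is a stuffing run; a single user failing a few times
against their own account is not. Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2024-03-01T08:00:01 203.0.113.7 alice FAIL
2024-03-01T08:00:02 203.0.113.7 bob FAIL
2024-03-01T08:00:02 203.0.113.7 carol FAIL
2024-03-01T08:00:03 203.0.113.7 dave OK
2024-03-01T08:00:03 203.0.113.7 erin FAIL
2024-03-01T08:00:04 203.0.113.7 frank FAIL
2024-03-01T08:00:04 203.0.113.7 grace FAIL
2024-03-01T08:00:05 203.0.113.7 heidi FAIL
2024-03-01T08:01:10 198.51.100.4 alice FAIL
2024-03-01T08:01:20 198.51.100.4 alice FAIL
2024-03-01T08:01:35 198.51.100.4 alice OK
"""


def parse_events(text):
    """Return a list of (timestamp, ip, username, success)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.3):
    """Return {ip: (distinct_users, success_rate)} for clients that look like stuffing.

    A sliding window per client keeps the check cheap on a long log; the
    largest qualifying window for each client is what gets reported.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            rate = sum(ok for _, _, ok in chunk) / len(chunk)
            if (len(users) >= min_users and rate <= max_success_rate
                    and len(users) > flagged.get(ip, (0, 0))[0]):
                flagged[ip] = (len(users), round(rate, 3))
    return flagged


def compromised_accounts(events, flagged):
    """Usernames that logged in successfully from a flagged client.

    These are the accounts whose password the attacker evidently holds:
    they need a forced reset, not just a blocked IP.
    """
    return {user for _, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = find_stuffing(evs)
    print("stuffing clients:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
```

Blocking the client address alone is the weaker response: the point of correlating the successful logins is that the one hit inside the run (here the constructed user `dave`) already has a valid password in the attacker's hands.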
IT/OT SECURITY CHALLENGES AND OPPORTUNITIES

IT/OT convergence is the integration of information technology (IT) and operational technology (OT). Traditionally, general-purpose IT for business administration, data processing, and communication operated separately from the specialized OT to monitor, control, and automate manufacturing machinery, power generation, and transport networks. Often OT and IT networks would’ve been physically airgapped with no data connections (wired to wireless) between them. While this afforded a relatively high level of OT network security, it limited interoperability and forced operators to physically transfer commands and data between systems.

Increased connectivity and standardized communication of IT/OT convergence arise from direct communications between digital systems and greater collaboration between IT and OT teams. IT-derived data analytics combined with OT-derived operational data yield valuable insights into processes, equipment performance, energy consumption, and operational efficiencies. The result is unprecedented forms of data-driven decision-making that have increased efficiency and productivity for organizations of all sizes.

Protecting an attack surface that encompasses inherently more vulnerable OT can be a major undertaking. Image: Dreamstime

CYBERSECURITY CHALLENGES IN INDUSTRIAL SETTINGS

Despite its advantages, IT/OT convergence can also challenge cybersecurity efforts. After all, IT and OT systems were separately developed and (historically at least) independently operated. Persistent differences in security capabilities are common, especially for OT encompassing industrial control systems or ICSs.

ICSs often include hardware several decades old running various operating systems and communication protocols. For older ICS hardware, firmware and software updates may no longer be available, or operators may elect to forgo updates if there’s a risk of fouling complex communications between different devices and interrupting critical operations. But many legacy ICS interfaces cannot authenticate and authorize communication requests, let alone monitor for behavior patterns that indicate a possible attack. Opening such vulnerable systems to IT networks and the internet is clearly a major security risk.

Historically, IT has been exposed to much more cybersecurity risk than OT. So, IT is geared towards resisting the implantation of malware, ransomware, and other code introduced by phishing attempts. IT hardware and software are also updated fairly frequently, so they have well-developed defenses against cyberthreats.

Heightening the importance of protecting OT is how it connects to machinery and physical equipment that (if compromised) can create physical-world problems quite different from those caused by attacks on IT networks. Infiltrated OT can cause major ecological disasters; costly manufacturing disruptions; damage to very expensive machinery; deadly malfunctions of medical equipment; and economically devastating power-distribution disruptions. Cyberattacks on OT used in nuclear power and chemical processing operations have the potential to cause mass fatalities.

Lacking cybersecurity awareness among OT operators is an additional challenge. Cybersecurity is much better understood by IT personnel, but IT staff may not understand the unique challenges of the OT environment. Therefore, increased security awareness across both domains is needed for sound understanding and holistic protection of IT/OT converged environments.

Still, another challenge is many OT systems’ need for continuous operation. While IT systems can often afford to shut down for a period in response to some threat detection (or for installation of updates), interrupting the functions of OT can be much more challenging. Shutdowns can incur results that range from exceptionally costly (in the case of manufacturing production systems) to deadly (in the case of municipal power and hospital life-support systems). Maintaining security for such systems without interrupting operations requires careful planning to accommodate viable update procedures, responses to security incidents that do occur, and necessary backup and recovery systems.
All these considerations must be resolved while maintaining compliance with regulations such as GDPR and HIPAA, as well as OT-specific standards such as NIST SP 800-82 and IEC 62443. Satisfaction of multiple standards presents its own challenges.

Leading the use of systems that integrate information technology (IT) and operational technology (OT) are healthcare, manufacturing, and utilities organizations. Leading cybersecurity for such operations can unify disparate technologies (often on different networks) while boosting efficiencies. Image: Dreamstime

IT/OT CYBERSECURITY OPPORTUNITIES

In addition to optimization benefits and cybersecurity challenges, converged IT and OT systems also provide opportunities for enhanced security. Exceptional activity monitoring across the entire converged environment gives visibility into OT functions, user activity, and threats that would otherwise go unseen. Increased visibility essentially renders threats possible to detect and address.

In addition, many mature security tools and approach frameworks developed for IT apply to OT environments. Case in point: The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework is a set of guidelines first established in 2014 to mitigate cybersecurity risks. Due to the rapidly evolving nature of cyberthreats, this Framework is continually refined with updates … including those applicable to OT. As we’ll explore in more detail later in this Design Guide, such methods include segmentation, zero-trust, authentication, and encryption.

One last cybersecurity benefit of converged systems is how they support centralizing security management for consistent approaches to gating, patching, and configuring. This reduces the risk of vulnerabilities going undetected. Centralization also allows for shared analysis of threats across OT and IT domains. This too can simplify malicious-act detection.

While converged environments are subject to heightened security challenges, the operational benefits and opportunities for improved security mean upgrading to a connected enterprise often ranges from worthwhile to necessary to stay competitive.

CREATING A SECURE IT/OT CONVERGED ENVIRONMENT

The inherent uniqueness of every OT installation demands an integrated and tailored approach to mitigating cybersecurity challenges with access control, segmentation, and threat monitoring. Complementing these approaches are vulnerability management and incident response planning, security awareness training, and regular security assessments to identify and find solutions to the changing threat landscape.

Because it’s often impossible to implement authentication and re-authentication protocols needed for a zero-trust architecture at the ICS level, mediation of external communication is often executed by an industrial demilitarized zone or IDMZ. Fundamentally, the OT’s ICS level cannot provide necessary security checks, so this must be separated from the rest of the network. Then only some OT elements are integrated into the enterprise environment on the IT side.

For example, factory-floor devices to monitor inventory and track material flows likely use internet protocols and do not need direct communication with ICS hardware. Such devices are better located on the IT network. That said, the ICS must be able to continue operating if the IDMZ stops all communication (as when a major attack is detected). Therefore, ICS networks must contain all systems needed for independent operation.
The IDMZ mediates all communication from the insecure IT network to vulnerable ICS devices. It authenticates and re-authenticates users plus monitors for threat signatures and anomalies. Users aren’t just authenticated and given full and perpetual access to the ICS. Instead, they’re authenticated for a specific request, and (if they then make a different request) re-authentication may be required. Requests for particularly sensitive data or actions should always need re-authentication and authorization.

If necessary, the IDMZ may sever all connections between the IT network and ICS system. This then leaves the ICS system intact to continue operating while the external threat is investigated and eliminated.

The IDMZ is generally implemented using a combination of firewalls, intrusion detection, load balancing, reverse proxies, application gateways, and intrusion-protection systems. It’s essentially a small network set between the IT and OT networks with firewalls fully isolating it. Firewalls from different manufacturers at each end can ensure the vulnerabilities of one are detected by the other. Next-generation firewalls go beyond protocol and port inspection to provide data analysis that detects malware transmission. A server within the IDMZ runs a broker service to provide authentication and authorization of requests.

Employing a well-designed IDMZ and other network-security elements can render a converged environment more secure than an airgapped industrial network.

INDUSTRIAL CYBERSECURITY SERVICES

Holistic digital transformations include well-integrated industrial cybersecurity — often procured via cybersecurity services. These services are subscription programs that give machine builders and end users up-to-date synergistic tools to keep machines and operations safe.

Services featuring security operations centers or SOCs can continuously protect operations with strategies specific to an industry or organization. These SOC services function as centralized defense systems for organizations that require cohesive programs or lack sufficient in-house cybersecurity personnel — a common issue in manufacturing and other industries employing automation. These SOC services can detect nefarious actions over far-reaching and disparate systems so that the organization’s security managers aren’t forced to assess impossibly numerous alerts and network warnings. SOC services also eliminate reliance on otherwise inefficiently disjointed conglomerates of systems having separate security features.
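The broker service described for the IDMZ can be reduced to a few rules: every request from the IT side is authorized on its own, a sensitive action needs a fresh re-authentication rather than an old session, and a kill switch drops every IT-side session without touching the ICS. The class below is an added example written for this guide, not the Design Guide's code or any vendor's product; the action names, the per-user permissions, the token format and the 60-second freshness limit are assumptions chosen for illustration.

```python
"""Per-request authorization broker of the kind an IDMZ server runs
(added example, not from the Design Guide or any vendor).

Each request is checked on its own; sensitive actions require that the
user re-authenticated within REAUTH_MAX_AGE_S; sever() cuts the IT side
off while ICS devices keep running. Actions and limits are assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Actions the broker will relay to the ICS side, and whether each is
# sensitive enough to demand a fresh re-authentication.
ACTIONS = {
    "read_tag": {"sensitive": False},
    "read_alarm_log": {"sensitive": False},
    "write_setpoint": {"sensitive": True},
    "download_program": {"sensitive": True},
}
REAUTH_MAX_AGE_S = 60  # an authentication older than this is not fresh enough


class Broker:
    def __init__(self, user_db):
        self._users = user_db      # user -> (salt, password_hash, allowed_actions)
        self._sessions = {}        # token -> {"user": ..., "last_auth": epoch seconds}
        self.severed = False

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _password_ok(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, pw_hash, _ = rec
        return hmac.compare_digest(self._hash(salt, password), pw_hash)

    def login(self, user, password):
        """Return a session token, or None if the password is wrong."""
        if self.severed or not self._password_ok(user, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "last_auth": time.time()}
        return token

    def reauthenticate(self, token, password):
        """Step-up check before a sensitive request; refreshes last_auth."""
        sess = self._sessions.get(token)
        if sess is None or not self._password_ok(sess["user"], password):
            return False
        sess["last_auth"] = time.time()
        return True

    def sever(self):
        """Drop every IT-side session; the ICS side is untouched."""
        self.severed = True
        self._sessions.clear()

    def request(self, token, action):
        """Authorize one request. Returns (allowed, reason)."""
        if self.severed:
            return False, "IDMZ severed: IT/ICS traffic blocked"
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unauthenticated"
        if action not in ACTIONS:
            return False, "unknown action"
        _, _, allowed = self._users[sess["user"]]
        if action not in allowed:
            return False, "not authorized for " + action
        if ACTIONS[action]["sensitive"] and time.time() - sess["last_auth"] > REAUTH_MAX_AGE_S:
            return False, "re-authentication required"
        return True, "relayed to ICS"


def make_user_db():
    """Constructed users: an operator who may only read, an engineer who may write."""
    def entry(password, actions):
        salt = secrets.token_bytes(16)
        return (salt, Broker._hash(salt, password), set(actions))
    return {
        "operator": entry("op-pass", ["read_tag", "read_alarm_log"]),
        "engineer": entry("eng-pass", ["read_tag", "read_alarm_log", "write_setpoint"]),
    }
```

A real IDMZ broker would hold the second factor and the ICS-side connection as well, but the shape is the same: the session proves who is asking, the action table decides whether a fresh proof is needed, and `sever()` is the response the text describes when a major attack is detected.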
Services featuring sandbox tools give programmers safe [read: isolated] spaces to write, install, run, and observe code (whether new or otherwise untrusted) before deployment on a working network. Such tools prevent host-machine malware infection. Blocking access to suspicious URLs and domain name system (DNS) names is another service to prevent ingress of operations via an attacking command and control server. Such servers command (via an under-monitored backdoor or DNS tunneling) equipment on the compromised network to transmit data and perform other detrimental actions. Some services work to protect against the initial intrusion and any pivot or spread of malware to other equipment should a breach occur, so as to prevent the establishment of botnets and other potentially catastrophic and overwhelming developments.

THE ROLE OF AI IN INDUSTRIAL CYBERSECURITY

The use of artificial intelligence’s computing power has seen exponential rise over the last two years. In fact, AI is employed by industrial cyberattackers and cybersecurity teams alike. “Cybersecurity positives stretch across industries,” said Quad9 chief security officer Danielle Deibler in a recent interview about AI with Design World. “Machine learning and AI can analyze network traffic to identify anomalies and suspicious activity … and potentially help predict future threats based on patterns it recognizes in the data.” AI can perform this function a lot faster than a human, she added.

For efforts to protect assets and operations, the latest AI cybersecurity offerings:

• Scan the internet and dark web for malicious code.
• Automate and speed data-intensive tasks previously done manually by analysts.
• Monitor networks for unfamiliar devices, workcells, servers, and software.
• Prioritize and allocate industrial security defenses against spyware.
• Incorporate the descriptions of emerging cybercriminal techniques for be-on-the-lookout directives and higher-level cyberthreat intelligence requirements.

AI can also determine whether a machine is merely malfunctioning on its own (due to a need for servicing, for example); incorrectly operated by inexperienced plant staff; or truly being attacked with nuanced systems for detecting saboteurs — especially those actively damaging or detrimentally changing machine settings.

MORE ON INDUSTRIAL CYBERSECURITY:

• What an end-to-end digital manufacturing approach might look like
• Retrofitting CNC systems to safeguard against cyberattacks
• Make the pitch for automation security with this updated tech note
• Securing the IIoT
• Keeping the bad guys out of industrial networks
• Army researcher minimizes the impact of cyber-attacks in cloud computing
• Why 50,000 ships are so vulnerable to cyberattacks
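Two of the services named above, monitoring for unfamiliar devices and blocking suspicious DNS names, can be run as plain checks over the plant's own records before any AI is involved. The script below is an added example written for this guide (not the Design Guide's or any vendor's code): it compares DHCP leases against an asset inventory, flags DNS queries that hit a blocklist or that have the long, high-entropy labels typical of DNS tunneling, and then ranks an unknown device that is also making suspicious queries to the top of the triage list. The inventory, lease lines, query log, blocklist and thresholds are all constructed for illustration.

```python
"""Unknown-device and suspicious-DNS checks for a plant network
(added example, not from the Design Guide or any vendor).
Inputs and thresholds below are constructed for illustration.
"""
import math
from collections import Counter

# Constructed asset inventory: MAC address -> description.
INVENTORY = {
    "00:1d:9c:aa:00:01": "PLC line 1",
    "00:1d:9c:aa:00:02": "HMI line 1",
    "3c:52:82:10:20:30": "engineering workstation",
}

# Constructed DHCP lease records: "<ip> <mac> <hostname>".
DHCP_LEASES = """\
10.10.1.10 00:1d:9c:aa:00:01 plc-l1
10.10.1.11 00:1d:9c:aa:00:02 hmi-l1
10.10.1.50 3c:52:82:10:20:30 eng-ws
10.10.1.77 b8:27:eb:12:34:56 raspberrypi
"""

# Constructed DNS query log: "<client ip> <query name>".
DNS_LOG = """\
10.10.1.50 updates.vendor.example
10.10.1.11 ntp.plant.example
10.10.1.77 evil-c2.example
10.10.1.77 a9f3k2j8x7q1m4n6b2v8c5z1l3p7r9t2.tun.example
10.10.1.77 q8w7e6r5t4y3u2i1o0p9a8s7d6f5g4h3.tun.example
"""

# Constructed blocklist of domains the resolver should refuse.
BLOCKLIST = {"evil-c2.example"}


def unknown_devices(leases, inventory):
    """Leases whose MAC is not in the inventory, as (ip, mac, hostname)."""
    found = []
    for line in leases.splitlines():
        if not line.strip():
            continue
        ip, mac, host = line.split()
        if mac.lower() not in inventory:
            found.append((ip, mac, host))
    return found


def shannon_entropy(label):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_dns(log, blocklist, max_label=30, min_entropy=3.5):
    """Return (client, qname, reason) for blocklisted or tunnel-like queries."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        labels = qname.split(".")
        parent = ".".join(labels[-2:])
        if qname in blocklist or parent in blocklist:
            hits.append((client, qname, "blocklisted"))
            continue
        # DNS tunnels carry data in the leftmost label: long and high-entropy.
        if len(labels[0]) > max_label and shannon_entropy(labels[0]) > min_entropy:
            hits.append((client, qname, "tunnel-like label"))
    return hits


def correlate(unknown, dns_hits):
    """Unknown devices that are also making suspicious queries: triage first."""
    unknown_ips = {ip for ip, _, _ in unknown}
    return {client for client, _, _ in dns_hits if client in unknown_ips}


if __name__ == "__main__":
    unk = unknown_devices(DHCP_LEASES, INVENTORY)
    dns = suspicious_dns(DNS_LOG, BLOCKLIST)
    print("unknown devices:", unk)
    print("suspicious DNS:", dns)
    print("triage first:", correlate(unk, dns))
```

The entropy threshold is deliberately simple; a production resolver would also look at query volume per parent domain and the ratio of TXT/NULL record types, but even this check separates a content-delivery hostname from a label that is carrying encoded data.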
WAYS TO EMPLOY ACCESS CONTROL FOR INDUSTRIAL CYBERSECURITY

Access control is about controlling who and what can see and use internal systems and data. Establishing good access-control rules starts with identifying who or what needs access and the conditions under which they need it. Then the industrial-network designer can define how the organization will identify users, devices, and systems.

The designer must consider the level of confidence appropriate for the systems and data being accessed and how identity will be determined at this confidence level. It’s better to start by considering to whom the organization wants to allow access and how it will identify these individuals. Such procedures make it difficult for attackers to gain access — a far better situation than waiting to identify attackers. Of course, confidence levels that only admit authorized users and systems should also make it as easy as possible for true users to access the automated machine elements and systems they need.

A good access-control system should include access management policies and procedures that consider who has access to what, how new accounts are created and deleted, and how access is given to external parties.

Access control should also include multifactor authentication that includes user-to-service, user-to-device, and device-to-service authentication while balancing usability with security. Not all accounts and access levels necessarily need multifactor authentication.

Thorough access control also includes increased security for privileged accounts, using a tiered system so that accounts with the highest level of privileges are only used when they’re really needed, and system administrators have ordinary user accounts for other activity. The most privileged accounts must use multifactor authentication.

Finally, access control should include monitoring to detect malicious behavior, such as log-in attempts that fail the second stage of multifactor authentication.

Mobile devices with connectivity to the enterprise pose special cybersecurity risks. Image: Dreamstime
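The tiered-account model and the monitoring rule above fit together in a small policy check: an administrator's everyday account cannot perform privileged actions at all, the privileged account can only do so with a verified second factor, and a password that passes followed by a one-time code that fails is logged as a signal that the password itself may already be in someone else's hands. This is an added example written for this guide, not the Design Guide's code; the tiers, action list, account directory and event format are assumptions made for illustration.

```python
"""Tiered accounts, MFA-gated privileged actions, and second-stage MFA
failure monitoring (added example, not from the Design Guide).
Tiers, actions, accounts and the event format are assumptions.
"""
from collections import Counter

# Constructed account directory. tier 0 = most privileged, tier 2 = ordinary.
# The administrator "jsmith" holds two accounts, as the text recommends.
ACCOUNTS = {
    "jsmith":       {"tier": 2, "mfa_enrolled": False},
    "jsmith-admin": {"tier": 0, "mfa_enrolled": True},
    "operator7":    {"tier": 2, "mfa_enrolled": False},
}

# Per action: the least-privileged tier allowed and whether a verified
# second factor is required in the current session.
ACTION_POLICY = {
    "view_dashboard":    {"max_tier": 2, "mfa": False},
    "acknowledge_alarm": {"max_tier": 2, "mfa": False},
    "change_firewall":   {"max_tier": 0, "mfa": True},
    "create_account":    {"max_tier": 0, "mfa": True},
}


def authorize(account, action, mfa_verified):
    """Return (allowed, reason) for an account attempting an action."""
    acct = ACCOUNTS.get(account)
    pol = ACTION_POLICY.get(action)
    if acct is None or pol is None:
        return False, "unknown account or action"
    if acct["tier"] > pol["max_tier"]:
        return False, "use the privileged account for " + action
    if pol["mfa"] and not (acct["mfa_enrolled"] and mfa_verified):
        return False, "second factor required"
    return True, "ok"


def privileged_accounts_without_mfa(accounts):
    """Policy audit: every tier-0 account must be enrolled in MFA."""
    return sorted(a for a, rec in accounts.items()
                  if rec["tier"] == 0 and not rec["mfa_enrolled"])


# Constructed authentication events: "<account> <stage> <OK|FAIL>",
# where stage 1 is the password and stage 2 is the one-time code.
AUTH_EVENTS = """\
jsmith-admin 1 OK
jsmith-admin 2 OK
operator7 1 FAIL
operator7 1 OK
jsmith-admin 1 OK
jsmith-admin 2 FAIL
jsmith-admin 1 OK
jsmith-admin 2 FAIL
jsmith-admin 1 OK
jsmith-admin 2 FAIL
"""


def second_stage_failures(events, threshold=2):
    """Accounts whose password passed but whose second factor failed
    at least `threshold` times: the password is likely compromised and
    should be reset, which is a different response from a lockout."""
    fails = Counter()
    for line in events.splitlines():
        if not line.strip():
            continue
        account, stage, result = line.split()
        if stage == "2" and result == "FAIL":
            fails[account] += 1
    return {a: n for a, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    print(authorize("jsmith", "change_firewall", mfa_verified=False))
    print(authorize("jsmith-admin", "change_firewall", mfa_verified=True))
    print(second_stage_failures(AUTH_EVENTS))
```

Counting only stage-2 failures is the point: a stage-1 failure is ordinary mistyping, while a correct password followed by a wrong code means the second factor did its job and the first one has leaked.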
ESTABLISHING GOOD IDENTITY AND ACCESS MANAGEMENT

The first step in developing appropriate identity and access management policies and processes is to consider the users and devices that need access to data, devices, and systems, as well as when they will need this access, why they need it, and under what conditions. Then the industrial network designer can define how the organization will identify users and devices. It’s important to cover as many possible types of users as possible at this initial planning stage, as making exceptions later can create vulnerabilities. Users may be full-time onsite personnel, part-time staff, home-working staff, contractors, design engineers, students, and volunteers. The policy should also include the details of what audit records will be stored and how they will be stored to ensure they’re not tampered with. This should include processes requiring more than one person to authorize sensitive actions that could compromise audit records.

User account management processes must include ways to deal with joiners, movers, and leavers, ensuring that access is changed or revoked appropriately. It can also be useful to allow for temporary accounts, for testing or guests, that automatically expire after a defined period. If anyone from outside the organization is given access that could include sensitive information, there must be processes to ensure they have nondisclosure agreements in place. It must also be possible to revoke accesses when required.

Policies should go beyond internal systems to consider how organizational identities may be externally used — for example, to create accounts for online services using company email addresses. For online services provided by the company, it may be appropriate to ensure that company emails are only used to create certain account types and that access can be easily removed when a person leaves the organization.

APPROPRIATE USE OF MULTIFACTOR AUTHENTICATION

Multifactor authentication demands at least two forms of verification to authenticate a user’s identity. These may include passwords, codes sent to SMS or email accounts, biometrics, codes generated by authentication apps on user devices, or physical tokens such as USB sticks or keys. It’s also known as two-factor authentication. Authentication factors can be conveniently categorized into four groups:

• A physical object the user possesses, such as a USB stick, bank card, or physical key.
• Knowledge known only by the user, such as a password, PIN, or other personal information.
• Biometrics — physical characteristics of the user such as fingerprints, eye iris, voice, facial structure, or typing speed and patterns of key presses.
• Location is primarily used to determine risk level and therefore the degree of other authentication required. For example, when physically located on a company network, a single password may be sufficient to grant access, while off-site users may need to use multiple factors. A user who moves a large distance around the world between log-in attempts within a short time could also indicate that one of the attempts isn’t genuine.
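The location factor in the last bullet is used in two ways: to decide up front how many factors a log-in must present, and afterwards to flag a pair of log-ins that are too far apart for the time between them. The script below is an added example written for this guide, not code from the Design Guide: it picks the required factors from the client's network and then runs an "impossible travel" check over a constructed log-in history using great-circle distance. The corporate address range, the speed limit, the distance floor and the coordinates are assumptions made for illustration.

```python
"""Location as an authentication factor (added example, not from the
Design Guide): factor selection by network, and impossible-travel
detection between consecutive log-ins. All inputs are constructed.
"""
import ipaddress
import math
from datetime import datetime

# Assumed corporate address space: on-network users need only a password.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_PLAUSIBLE_KMH = 1000   # faster than any airline trip door to door
MIN_DISTANCE_KM = 50       # ignore geolocation jitter inside one city


def required_factors(client_ip):
    """On the company network a password suffices; off-site adds a second factor."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in CORPORATE_NETS):
        return ["password"]
    return ["password", "otp"]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a spherical Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """logins: (user, iso_time, lat, lon). Returns (user, t1, t2, km, kmh) alerts.

    Consecutive log-ins by the same user are compared; a jump that would
    require travelling faster than max_kmh means one of them is not genuine.
    """
    by_user = {}
    for user, t, lat, lon in logins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(t), lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if km > min_km and speed > max_kmh:
                alerts.append((user, t1.isoformat(), t2.isoformat(), round(km), round(speed)))
    return alerts


# Constructed history: alice in Chicago, then in Frankfurt 90 minutes later;
# bob moves a few kilometres across Chicago over a working day.
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T09:00:00", 41.88, -87.63),
    ("alice", "2024-03-01T10:30:00", 50.11, 8.68),
    ("bob", "2024-03-01T09:00:00", 41.88, -87.63),
    ("bob", "2024-03-01T18:00:00", 41.90, -87.60),
]

if __name__ == "__main__":
    print(required_factors("10.20.30.40"), required_factors("203.0.113.5"))
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

The distance floor matters as much as the speed limit: geolocation of a mobile client can drift by tens of kilometres between two requests a minute apart, and without the floor that drift alone would produce alerts.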
INDUSTRIAL CYBER SECURITY I DESIGN GUIDE
(continued)
Ways to employ access control for industrial cybersecurity

Financial institutions extensively use multifactor authentication


and re-authentication for online banking offerings. For
example, a typical online banking interaction might need
three authentication factors to initially log in to the account: a
password, a second knowledge factor such as randomly selected
digits from a PIN, and a code sent to an SMS or email account.
To transfer money to an external account, re-authentication is
then also required, with additional factors combined by inserting
a bank card into a card reader and typing a PIN. The card reader
then generates a code which is entered into the online banking
app to authorize the payment. This is an example of a very
secure use of multifactor authentication.

Appropriate use of multifactor authentication may mean that it’s needed in some form for all users and types of accounts. However, for some users with few privileges and little security risk, this may be unnecessary and unjustifiably harm usability. The key is to use authentication methods that establish who users are at a level of confidence proportionate to the risk they pose. With careful consideration of the way people naturally work, it will be possible to ensure sufficient security with minimum inconvenience. As well as user-to-service and user-to-device access, it’s also important to consider how multifactor authentication can be applied to device-to-service authentication.

One way to minimize user inconvenience is to give choices about which factors are required. One common example is the option to receive a code by email or SMS. There is a wide range of authentication factors, as described previously, so offering choices that will suit a wide range of users should be possible. It’s especially important to use multifactor authentication where password-guessing or theft may occur, such as in online accounts.

Multifactor authentication demands at least two forms of verification to authenticate a user’s identity. Image: Dreamstime

As in consumer settings, password rules must strike the right balance between usability and security. Easily guessed passwords (such as those containing only common words or a few letters or numbers) must be forbidden. System users mustn’t reuse any password. However, if users need to remember many complex passwords, they may resort to writing them down, which is also highly insecure. This means that balancing usability and security doesn’t mean that one must be sacrificed for the other — they’re interlinked. Using single sign-on or password managers allows users to create unique and complex passwords for each account without remembering them all. Other measures to prevent brute-force password guessing include throttling and lockouts after multiple failed attempts.

While all sensitive data should be protected at rest and in transit, this is especially true of authentication credentials. These provide the key to all other data and critical systems and must be adequately protected by encryption.

SINGLE SIGN-ON AND PASSWORD MANAGERS

Single sign-on is an authentication policy that allows users to sign into multiple independent systems using a single set of authentication factors (for example, using the same username and password). When fully implemented, it lets users sign in once and then access the different services without re-entering any authentication factors. For networks using internet protocols, it’s often implemented using cookies. Eliminating the need for users to continually re-authenticate increases their convenience and productivity while making it less likely that they will write down passwords.
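The throttling and lockout measures named in the password discussion above, together with a check that rejects easily guessed passwords, as an added Python illustration (not code from the Design Guide). The thresholds, the tiny deny-list of common passwords and the account names are constructed assumptions; a real deployment would check a large breached-password corpus and persist the counters outside the process.

```python
"""Brute-force mitigations from the password discussion above: a check for
easily guessed passwords, per-account throttling (a delay that doubles after
each failure) and a lockout after repeated failures.

Added illustration, not code from the Design Guide. The thresholds, the
tiny deny-list and the account names are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Constructed deny-list; a real deployment would check a large
# breached-password corpus instead of five literals.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_is_acceptable(pw: str, min_len: int = 12) -> bool:
    """Reject passwords that are short, on the deny-list, or built from fewer
    than three character classes (lower, upper, digit, symbol)."""
    if len(pw) < min_len or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9\s]")
    return sum(bool(re.search(c, pw)) for c in classes) >= 3


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    next_allowed: float = 0.0  # throttling: earliest time another attempt is accepted
    locked_until: float = 0.0  # lockout: earliest time attempts are accepted again


@dataclass
class LoginGuard:
    """Per-account attempt tracking. Call check() before verifying a password
    and record() with the verification result afterwards. Times are seconds."""
    max_failures: int = 5           # consecutive failures that trigger a lockout
    lockout_seconds: float = 900.0  # assumed 15-minute lockout
    base_delay: float = 1.0         # first throttling delay; doubles per failure
    accounts: dict = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def check(self, user: str, now: float) -> str:
        """Return 'ok', 'throttled' or 'locked' for an attempt made at `now`."""
        s = self._state(user)
        if now < s.locked_until:
            return "locked"
        if now < s.next_allowed:
            return "throttled"
        return "ok"

    def record(self, user: str, success: bool, now: float) -> str:
        """Success clears the counters; each failure doubles the delay until
        the lockout threshold is reached."""
        if success:
            self.accounts[user] = AccountState()
            return "ok"
        s = self._state(user)
        s.failures += 1
        if s.failures >= self.max_failures:
            s.locked_until = now + self.lockout_seconds
            return "locked"
        s.next_allowed = now + self.base_delay * 2 ** (s.failures - 1)
        return "throttled"
```

`check()` runs before the password is verified and `record()` afterwards, so a throttled or locked-out attempt never reaches the verification step. The counters are keyed on the account rather than the source address, so guessing spread across many addresses still hits the lockout.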

11 I www.designworldonline.com
INDUSTRIAL CYBER SECURITY I DESIGN GUIDE
(continued)
Ways to employ access control for industrial cybersecurity

As in consumer settings, industrial systems should require unique passwords for each account on a network and each privilege. At the same time, each password should be especially strong — which ideally means a random string of letters, numbers, and special characters. Remembering all these different passwords becomes virtually impossible and inevitably leads to users writing them down without password managers. A password manager stores the passwords in a securely encrypted form, removing the need to remember them and the risk of them being stolen from where they’re written.

USE MULTIFACTOR AUTHENTICATION AND OTHER MITIGATIONS FOR PRIVILEGED ACCOUNTS

Accounts with higher levels of privileges need greater security and should not be used for ordinary tasks that don’t need increased access. Accounts that give privileges, such as domain admin or global admin, should only be used when absolutely necessary. Admin users need separate accounts for doing things such as checking email or accessing the internet. To ensure that the admin accounts are not exposed, there must be a strong separation between the accounts. This may mean using different physical devices or simply requiring email and browser software to be closed before the admin log-in occurs.

Privileged accounts should always be protected by multifactor authentication. The strongest methods, such as hardware security tokens, should be included among the required factors. Stricter rules around time and location may also be appropriate.

EMPLOY SECURITY MONITORING TO DETECT POTENTIALLY MALICIOUS BEHAVIOR

All authentication and authorization activity must be recorded and monitored for anything indicating a malicious access attempt. Suspicious behavior can include multiple password attempts, failing an additional multifactor authentication check, or access from an unexpected location. It’s important that when such activity is detected, it can be linked to the system, user, or account carrying it out.
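Detection logic for the three indicators named above, run over a constructed authentication log, as an added example that is not from the guide. The log format, user names, source addresses, expected countries and thresholds are assumptions; the point is that every alert carries the user and source it came from, so it can be tied back to the account concerned.

```python
"""Authentication-log monitoring for the indicators listed above: repeated
password failures, a failed multifactor step, and a login from an unexpected
location. Added example, not from the guide; the log format, user names,
countries, addresses and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. Fields: timestamp, event, user, country, source IP.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z PASSWORD_FAIL user=jdoe geo=DE src=10.1.1.7
2024-05-01T08:00:09Z PASSWORD_FAIL user=jdoe geo=DE src=10.1.1.7
2024-05-01T08:00:15Z PASSWORD_FAIL user=jdoe geo=DE src=10.1.1.7
2024-05-01T08:00:21Z PASSWORD_FAIL user=jdoe geo=DE src=10.1.1.7
2024-05-01T08:00:30Z PASSWORD_OK   user=jdoe geo=DE src=10.1.1.7
2024-05-01T08:00:32Z MFA_FAIL      user=jdoe geo=DE src=10.1.1.7
2024-05-01T09:10:00Z PASSWORD_OK   user=asmith geo=BR src=203.0.113.5
2024-05-01T09:10:03Z MFA_OK        user=asmith geo=BR src=203.0.113.5
2024-05-01T10:00:00Z PASSWORD_OK   user=plc_admin geo=DE src=10.1.2.9
2024-05-01T10:00:02Z MFA_OK        user=plc_admin geo=DE src=10.1.2.9
"""

# Assumed per-account baseline of the countries logins normally come from.
EXPECTED_GEO = {"jdoe": {"DE"}, "asmith": {"DE", "NL"}, "plc_admin": {"DE"}}


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; key=value fields become entries."""
    ts, event, *fields = line.split()
    rec = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event": event,
    }
    for f in fields:
        k, v = f.split("=", 1)
        rec[k] = v
    return rec


def analyze(log_text: str, fail_threshold: int = 3,
            window: timedelta = timedelta(minutes=5)) -> list:
    """Return alerts, each tied to the user and source that produced it."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of failures
    for rec in (parse_line(ln) for ln in log_text.splitlines() if ln.strip()):
        key = (rec["user"], rec["src"])
        if rec["event"] == "PASSWORD_FAIL":
            fails = recent_fails[key]
            fails.append(rec["ts"])
            # keep only failures inside the sliding window
            fails[:] = [t for t in fails if rec["ts"] - t <= window]
            if len(fails) == fail_threshold:  # fire once, when the threshold is reached
                alerts.append({"kind": "repeated_password_failures",
                               "user": rec["user"], "src": rec["src"],
                               "detail": f"{fail_threshold} failures within {window}"})
        elif rec["event"] == "MFA_FAIL":
            alerts.append({"kind": "mfa_failure", "user": rec["user"],
                           "src": rec["src"], "detail": "second factor rejected"})
        elif rec["event"] == "PASSWORD_OK":
            # Location is checked once per session, when the password is accepted.
            if rec["geo"] not in EXPECTED_GEO.get(rec["user"], set()):
                alerts.append({"kind": "unexpected_location", "user": rec["user"],
                               "src": rec["src"], "detail": f"login from {rec['geo']}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The failure counter is keyed on (user, source) and fires once when the threshold is reached inside the window, so a burst of guesses produces one alert rather than one per attempt; a threshold of 1 would be too noisy for a plant floor where mistyped passwords are routine.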

Good access control is a fundamental part of a strong cybersecurity system. By applying these principles, a key ingredient of a secure system will be properly implemented.

TYPES OF END-TO-END INDUSTRIAL CYBERSECURITY PROTECTION

Approaches to industrial cybersecurity include network segmentation, perimeter security, access control and authentication, endpoint protection, data encryption, intrusion detection and prevention, security monitoring and analytics, security training and awareness, supply chain security, and incident response.

Methods can be combined to provide an end-to-end defense.

End-to-end cybersecurity protection uses a mixture of these methods to provide a layered defense against all potential attack points.

NETWORK SEGMENTATION FOR CYBERSECURITY

Network segmentation is the division of a network into small parts to boost both security and performance. Also called network segregation or partitioning, segmentation allows control of the types of traffic flowing between different segments. The key is that sensitive network areas get more stringent access controls than commonly used and less sensitive parts of the network.

Segmentation may be implemented using firewalls and virtual local area networks (VLANs). A segmentation policy may control traffic by type, source, or destination. Microsegmentation gives even more control over access to different network areas, using things such as application-layer information to control access.

Besides protecting sensitive areas from cyberattacks, segmentation may also protect performance-critical operations from being slowed by heavy network traffic.

PERIMETER SECURITY IN INDUSTRIAL SETTINGS

Perimeter security in the form of walls, ditches, watch towers, and sentries has protected physical locations since the dawn of civilization. The aim is to make it difficult for intruders to get within the perimeter without first being checked and permitted entry. Then the space within the perimeter is considered safe, and anyone inside is allowed to move freely about.

In industrial networking, this basic perimeter concept is adapted to police all system connections.

Before the internet became an integral part of the way we work, only computers physically attached to a company network could access its systems. The network perimeter was clearly defined by physical hardware, often bound to a single building. Infiltrating that network typically meant a bad actor had to physically enter the building and log in on a company-managed computer connected to the local area network.

Even as networks slowly became connected to the internet for basic file transfers and email, connections with the outside world remained limited and clearly defined. It became possible for hackers to access sensitive data, but firewalls provided reasonable defense to maintain the network perimeter by blocking any external network traffic that looked suspicious.

Today, industrial networks include massive connectivity between devices and the expectation of user accessibility at all enterprise levels. So, it’s essentially impossible to achieve sufficient security by perimeter defenses alone. Cloud computing has rendered physical perimeters a quaint concept that’s rarely meaningful for today’s industrial networks. After all, OEMs, integrators providing technical support, and plant personnel especially have grown accustomed to accessing much of an operation’s internal data and services from any location, regardless of whether they’re physically attached to the company network. At the same time, they expect to have access to data and services anywhere in the world, using the internet unrestrictedly while they’re attached to the company network. Remote desktop software further weakens the network perimeter because users anywhere in the world can access devices that are physically connected to the network.

Achieving cybersecurity means having an end-to-end solution that integrates all reasonably applicable elements. These are not separate systems to be deployed in isolation. Instead, they’re parts of an overall strategy that must be carefully designed as one. Image: Dreamstime

AUTHENTICATION AND MACHINE ACCESS CONTROL

Authentication is a process that verifies a user’s identity. In contrast, access control (authorization) is a process that grants or revokes access to data or systems based on a user’s identity. Authentication and authorization go hand in hand.

First, a user requests access to a given resource, such as an item of data or a service, or even to an entire network. Then, via authentication, the system verifies the identity of the user. Finally, an authorization program determines whether the user should be given access and either grants or blocks it.

User authentication and authorization together may serve as an element of perimeter security (with the ability to grant access to an entire network) or guard access to each new request, as in a zero-trust approach. In either case, authentication and access control are key to any cybersecurity program.

All authentication involves credentials checks — whether via a simple user ID and password requirement (increasingly considered inadequate) or login information plus an additional element for multifactor authentication via some blend of password, biometric, security token, and mobile push-notification checks.

Authorization may be statically determined using an access-control list — simply checking a list to see whether a user has been granted access to the resource requested, for example. More sophisticated dynamic authorization processes may also consider the broader context of the requests, such as whether the user’s system has security updates, their physical and temporal location when making the request, and any suspicious behavior they may have exhibited. Such an approach may use sophisticated data analytics or artificial intelligence (AI) to check for anomalies.

Industry 4.0 presents unique cybersecurity opportunities and vulnerabilities. Image: Dreamstime

Endpoint security: Endpoint security fortifies user-access points against exploitation. Endpoints are devices such as computers and phones that serve as entry points into sensitive data and service systems. Malicious actors typically seek to remotely or automatically use devices’ access via malware, such as viruses and worms. In fact, endpoint security is most important for shielding systems against malware created by state actors, organized crime groups, hacktivists, and loosely affiliated criminal associations. The most basic form of endpoint security is antivirus software that detects and neutralizes threats. Regular software updates are critical, as vulnerabilities to known and newly crafted threats are constantly being identified. Software is expanded to eliminate these weaknesses and detect, analyze, block, and contain attacks in progress. The latter usually involves communications with other security technologies.

DATA ENCRYPTION IN INDUSTRIAL APPLICATIONS

Codes have been used throughout history to transmit secret messages and render them useless if intercepted. This is the basic concept of industrial data encryption, which encodes files and data into formats that are completely unintelligible without decoding.

Within cryptography, codes called ciphers are employed to convert readable messages into ciphertext via a process called encryption. Converting the data back into a readable format is known as decryption. Early codes substituted letters, words, or phrases for code words, and senders and recipients would use a codebook to obscure and decode messages. Such systems can be defeated relatively easily by tracking patterns such as word frequency. Brute-force methods, involving the use of all possible substitutions until an intelligible message is reconstructed, can also be effective.

In contrast, most modern cryptography uses mathematical algorithms to encode data in extremely complex patterns. Although theoretically breakable, data encrypted in this way could only be cracked by prohibitively expensive brute-force methods employing massive computational effort, essentially rendering it secure. However, the information needed to unlock the algorithm can be represented by a relatively concise passcode known as a key.


In industrial networking, this basic perimeter concept is adapted to control external connections. Image: Dreamstime

It’s now possible to encrypt messages that are uncrackable even via unlimited computational time and effort. However, such encryption is impractical and rarely used to protect data. This uncrackable one-time pad method was first described in the 19th century; it requires a single-use key at least as large as the message being encrypted. In fact, more recent mathematical proofs have confirmed that unbreakable ciphers must use a key at least as large as the data they encrypt.

INTRUSION DETECTION AND PREVENTION

Authentication and access control systems sometimes fail to prevent unauthorized users from accessing network resources. The next line of defense consists of intrusion detection systems (IDSs) that monitor network traffic for signs of possible intrusions. These can include exploit attempts or anything that may damage the network. Intrusion prevention systems (IPSs) go one step further by stopping intruders once they’re detected, dropping data packets and terminating sessions. These functions are typically carried out by a next-generation firewall.

Attackers often try to exploit known vulnerabilities within devices and software. IDS and IPS systems can detect these exploit attempts and block the attacker before they gain access to an endpoint or gather compromising information about network vulnerabilities.

• Signature-based IDS detection compares observed behavior against known threat patterns.

• Anomaly-based IDS detection looks for anything unusual, including new and unknown threats.

• IDS stateful protocol analysis also detects anomalies by comparing behavior with predetermined profiles for benign activity.

Security monitoring and analytics shift the focus from a perimeter-security mentality to a zero-trust approach so that all activity is monitored, not just access originating external to a network.

Security training and awareness: All security systems must be current and correctly working together. Ensuring they’re up to date requires thoroughly proficient network personnel whose knowledge is also current. Therefore, it’s key to regularly train staff responsible for cybersecurity and ensure everyone involved in running the network fully understands the cybersecurity measures in place at the organization.

Supply chain security: Extensive supply chains involving many suppliers have myriad vulnerabilities. Securing such commerce and distribution should begin with an understanding of the data sensitivity held by each supplier and what security arrangements each has in place. Control begins with communication and setting clear, appropriate, and achievable minimum-security requirements. Once set, such standards must be verified and continuously revised for improvement.

Incident response: A cyber incident response or CIR is a set of actions taken after a security incident is detected. These should quantify the impact of the incident on the organization’s systems, manage immediate impacts, remove specific vulnerabilities that allowed the incident to occur, and summarize lessons learned to boost security more generally across the network. A cyber incident report should be produced to detail all these items for internal use and distribution to impacted trade partners. For serious incidents, national cybersecurity agencies may need to be notified.
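The one-time pad from the encryption discussion above, as an added Python example that is not code from the guide: XOR of the message with a random, single-use key at least as long as the message. The last function shows why the pad must be single-use, which the text states without illustrating: if one key encrypts two messages, XOR of the two ciphertexts cancels the key and leaves only the XOR of the plaintexts. The messages and the fixed demonstration key are constructed.

```python
"""One-time pad as described in the encryption section: XOR with a random
single-use key at least as long as the message. Added example, not from the
guide; messages and the fixed demonstration key are constructed."""
import secrets


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """XOR each message byte with the corresponding key byte. A key shorter
    than the message is refused, matching the requirement in the text."""
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, key)


def new_pad(length: int) -> bytes:
    """Fresh key bytes from the OS cryptographic random source. Use once."""
    return secrets.token_bytes(length)


def rejects_short_key(message: bytes, key: bytes) -> bool:
    """True if encryption correctly refuses a key shorter than the message."""
    try:
        otp_encrypt(message, key)
    except ValueError:
        return True
    return False


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """For two ciphertexts made with the same pad, c1 XOR c2 equals
    m1 XOR m2: the key has dropped out. This is the failure that
    'single-use' exists to prevent."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def roundtrip(message: bytes) -> bool:
    """Encrypt and decrypt with a fresh pad; the message must come back intact."""
    key = new_pad(len(message))
    return otp_decrypt(otp_encrypt(message, key), key) == message
```

The key-length check and the fresh pad per message are the two operational burdens the text calls impractical: every message needs as many truly random bytes as it contains, delivered to the recipient ahead of time and never reused.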
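The two IDS detection styles listed above, run over constructed connection records from an industrial network, as an added example that is not from the guide: signature matching against fixed known-bad patterns, and anomaly detection against a per-host baseline of normal traffic volume. The hosts, ports, baseline figures, the write-allow list and the signatures are constructed assumptions.

```python
"""Signature-based and anomaly-based IDS detection over constructed flow
records. Added example, not from the guide; hosts, ports, the baseline
figures, the allow-list and the signatures are constructed assumptions."""
from statistics import mean, pstdev

# Assumed policy: only these hosts may issue Modbus write commands to PLCs.
WRITE_ALLOWED_HOSTS = {"10.0.1.11"}
# Modbus function codes that change controller state (write coil/register).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16}

# Constructed baseline: bytes per flow observed from each host during a
# training period of normal operation.
BASELINE = {
    "10.0.1.10": [120, 130, 125, 118, 135, 128, 122, 131],          # HMI
    "10.0.1.11": [2000, 2100, 1950, 2050, 2080, 1990, 2020, 2010],  # engineering PC
}

# Constructed Modbus/TCP frames: 7-byte MBAP header, then the function code.
MODBUS_READ = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"   # read 10 holding registers
MODBUS_WRITE = b"\x00\x01\x00\x00\x00\x06\x01\x05\x00\x10\xff\x00"  # write single coil ON

FLOWS = [  # constructed records: one dict per connection
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 502, "bytes": 126, "payload": MODBUS_READ},
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 23, "bytes": 90, "payload": b""},
    {"src": "10.0.1.11", "dst": "10.0.2.20", "dport": 502, "bytes": 2030, "payload": MODBUS_WRITE},
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 502, "bytes": 130, "payload": MODBUS_WRITE},
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 502, "bytes": 48000, "payload": MODBUS_READ},
    {"src": "10.0.1.99", "dst": "10.0.2.20", "dport": 502, "bytes": 100, "payload": MODBUS_READ},
]


def modbus_function(payload: bytes):
    """Function code follows the 7-byte MBAP header of a Modbus/TCP frame."""
    return payload[7] if len(payload) >= 8 else None


def signature_matches(flow: dict) -> list:
    """Signature-based: fixed patterns known to be bad in this plant."""
    hits = []
    if flow["dport"] == 23:
        hits.append("cleartext admin service (telnet)")
    if (flow["dport"] == 502
            and modbus_function(flow["payload"]) in MODBUS_WRITE_FUNCTIONS
            and flow["src"] not in WRITE_ALLOWED_HOSTS):
        hits.append("Modbus write from host not on the write-allow list")
    return hits


def anomaly_check(flow: dict, sigma: float = 3.0):
    """Anomaly-based: flag flows whose size is more than `sigma` standard
    deviations above the host's baseline, or hosts with no baseline at all."""
    history = BASELINE.get(flow["src"])
    if not history:
        return "no baseline for source host"
    limit = mean(history) + sigma * pstdev(history)
    return "byte count above baseline" if flow["bytes"] > limit else None


def detect(flows: list) -> list:
    """Return (flow index, detector, description) for every alert raised."""
    alerts = []
    for i, flow in enumerate(flows):
        for name in signature_matches(flow):
            alerts.append((i, "signature", name))
        reason = anomaly_check(flow)
        if reason:
            alerts.append((i, "anomaly", reason))
    return alerts
```

The two detectors are complementary in exactly the way the bullets describe: the telnet and unauthorized-write rules need prior knowledge of what is bad, while the size check catches the oversized transfer and the never-seen host without any such knowledge. An IPS would act on the same output by dropping the flow instead of only recording it.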


CIP Security elements to prevent cyberattacks

The CIP Security network extension from the Open DeviceNet Vendors Association (ODVA) network-standards body protects converged environments, system data, and individual devices from man-in-the-middle (MitM) attacks and much more. In fact, as the Common Industrial Protocol links EtherNet/IP, DeviceNet, and other communications in industrial automation, CIP Security is suitably positioned on networks to manage and execute device authentication, integrity, and keys; trust domains and user authentications; and data confidentiality for modest yet IoT-connected field devices. Policy enforcement via a proxy or gateway is also possible.

SOME SPECIFICS OF ODVA CIP SECURITY

As mentioned earlier in this Design Guide, much OT — including vast swaths of low-cost IIoT devices — doesn’t enjoy cybersecurity protections or Ethernet connectivity. Now, single-pair Ethernet has expanded EtherNet/IP connectivity to new IIoT devices to give even modest elements communications for diagnostics and parameterization capabilities as well as device-level security. A constrained CIP Security profile specifically for modest devices imparts data confidentiality and authenticity.

CIP Security makes devices mutually authenticate before communicating. Its device-level location in defense-in-depth (DiD) architectures (employing layered defensive methods) makes it particularly well suited to this function. Access policy information renders devices more capable so components such as gateways can serve as proxies for personnel authentication and device authorization.

“CIP Security protections in a lightweight version (with fewer mandatory features) give even the smallest and most cost-constrained devices secure EtherNet/IP communication and control.”

SIDE NOTE ON ANOTHER CIP INDUSTRIAL CYBERSECURITY STANDARD

Note that CIP in this context should not be confused with the mandatory Critical Infrastructure Protection (CIP) standards for certain electric utility owners and operators. Designed to protect bulk electric systems from physical and cyber threats, these are maintained by the international regulatory authority known as the North American Electric Reliability Corp. or NERC. Compliance with NERC CIP standards helps utilities maintain power continuity for the good of public safety. The standards require comprehensive programming that includes identification and protection measures for key infrastructure assets and defined responses to security incidents.

EMPLOYING ZERO-TRUST ARCHITECTURE

Never trust — always verify. The zero-trust security model is based on this general principle and treats all connections as hostile until verified. It’s also known as zero-trust architecture or ZTA and sometimes perimeterless security. That’s because users and devices aren’t trusted simply because they’re already inside — in other words, previously verified or already connected to a permissioned network. This contrasts with traditional security models, which protect a perimeter around sensitive data with devices such as firewalls.

Trust is never implicitly granted and must instead be continuously evaluated.

A zero-trust approach means the same level of security is available regardless of where a user accesses a network from. This is more secure than relying on perimeter defense, and it’s also a very scalable approach. It also gives greater convenience to users because they have the same access rights when off-site as when physically connected to a network.

Zero-trust architecture is increasingly being deployed across organizations in diverse sectors, including business, government, defense, cloud services, banking, and healthcare. Traditionally, airgapped networks were perceived as the most secure, with no wired or wireless connection to the outside world. However, even systems with the most hardened perimeters have vulnerabilities. Malicious infiltrators can attach portable devices to or directly enter code into airgapped networks. There have also been demonstrations of radio and acoustic-wave attacks bridging airgaps. Lack of an internet connection means software updates occur much less regularly, so the system will be more vulnerable to attack when the perimeter is breached. Furthermore, as humankind increasingly depends on the internet, airgapped networks are increasingly impractical. Both factors explain the rise of zero-trust architecture.

ZTA BACKGROUND AND STANDARDS

Zero-trust principles were first covered by Stephen March and Sun Microsystems in the early 1990s. Then, the Jericho Forum discussed de-perimeterization in 2004, which was progressively implemented by Google starting in about 2009.

The first serious implementation of a zero-trust architecture was BeyondCorp. Google created this open-source implementation in response to Operation Aurora — a series of advanced cyberattacks linked to the Chinese military in 2009. While Google was the first to openly acknowledge these attacks, Operation Aurora affected many American companies, including Northrop Grumman, Morgan Stanley, and Dow Chemical. It’s believed the attack was intended to access and possibly modify source code for advanced and defense-related technologies. After these attacks, it was realized that this source code was extremely valuable and poorly protected.

BeyondCorp uses a device database that allows device verification using a digital certificate. Every change to a device must be recorded in a device inventory database that then requires additional information to verify the device. BeyondCorp uses a trust inferrer that checks whether users and devices are authorized to access resources, such as files and applications, and whether they’re in an appropriate state to do so. For example, the trust inferrer can require that a device has software updates installed and security settings enabled. An access control engine then enables the appropriate access.

Critical operations benefit from the stringent measures of zero-trust cybersecurity. Image: Dreamstime

In 2018 NIST published the SP 800-207 standard for Zero Trust Architecture. It employs an approach much like that previously employed by Google, with new terminology to describe it. Access is granted through a policy decision point (PDP), such as Google’s trust inferrer, and a policy enforcement point (PEP), such as Google’s Access Control Engine. Each connection request must be assessed for authentication and authorization.

Authentication routines ask whether the entity making the request is authentic. In other words, are they who they say they are? What is the level of confidence in their identity? In contrast, authorization routines ask whether a user has the right to access the resource in the way requested. Authorization routines also ask whether the confidence level in the user’s identity is sufficient for this unique request. In other words, do they have the proper security posture, software updates, and security settings?

An implicit trust zone is an area where all entities are trusted to at least the level of the last PDP/PEP gateway.
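The PDP/PEP split and the two questions just described, as an added Python example that is neither the guide’s nor NIST’s code. The policy decision point scores a request from identity confidence and device posture, the enforcement point forwards only on an explicit allow, and a request that falls short only for lack of a second factor is sent back for step-up authentication rather than refused. The resource sensitivities, roles, posture fields and thresholds are constructed assumptions.

```python
"""Policy decision point (PDP) and policy enforcement point (PEP) for the
questions described above. Added example, not from the guide or NIST;
resources, roles, posture fields and thresholds are constructed."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    resource: str
    mfa_passed: bool
    device_in_inventory: bool
    patches_current: bool
    disk_encrypted: bool
    on_corporate_network: bool  # deliberately ignored by the score (see below)


# Assumed minimum confidence score per resource (maximum possible is 6).
RESOURCE_MIN_SCORE = {"wiki": 2, "historian": 5, "plc_program_download": 6}
# Assumed authorization table: which roles may touch which resources.
ROLE_ALLOWS = {
    "operator": {"wiki", "historian"},
    "engineer": {"wiki", "historian", "plc_program_download"},
}
USER_ROLES = {"jdoe": "operator", "asmith": "engineer"}


def confidence_score(req: Request) -> int:
    """Authentication question: how sure are we who this is, and is the
    device fit to be trusted? Network location adds nothing, so a request
    from inside the plant network scores the same as one from outside."""
    score = 1  # password already verified by the caller
    score += 2 if req.mfa_passed else 0
    score += 1 if req.device_in_inventory else 0
    score += 1 if req.patches_current else 0
    score += 1 if req.disk_encrypted else 0
    return score


def policy_decision(req: Request) -> tuple:
    """PDP: (decision, reason) with decision in {'allow', 'deny', 'step_up'}."""
    role = USER_ROLES.get(req.user)
    if role is None or req.resource not in ROLE_ALLOWS.get(role, set()):
        return "deny", "not authorized for resource"  # authorization question
    if not req.device_in_inventory:
        return "deny", "unknown device"  # no asset is trusted by default
    needed = RESOURCE_MIN_SCORE[req.resource]
    score = confidence_score(req)
    if score >= needed:
        return "allow", f"confidence {score} meets requirement {needed}"
    if not req.mfa_passed:
        return "step_up", "second factor required for this resource"
    return "deny", f"device posture too weak for resource ({score} < {needed})"


def enforce(req: Request) -> bool:
    """PEP: the only path to the resource; it forwards on 'allow' alone."""
    return policy_decision(req)[0] == "allow"
```

The scoring deliberately leaves `on_corporate_network` out, which is the tenet that a request from inside the legacy perimeter is validated exactly like an external one; the same engineer with the same device gets the same answer from the plant floor and from home.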

The SP 800-207 standard describes physical access like that at an airport. After passengers are screened by the airport security checkpoint (PDP/PEP), they can access the boarding gates. All passengers, airport staff, and aircraft crew can move freely around the departure lounge and are considered trusted to at least the level of the passengers. However, passenger identification is validated again before moving through the gate towards the aircraft. SP 800-207 notes that while ZTA stresses the importance of not relying on wide-area perimeter defenses, such as enterprise firewalls, most approaches continue to define security regarding perimeters.

While some industrial operations may render implicit trust zones necessary, the latter should be as small as possible — and users should be revalidated before being allowed to access more important resources.

Zero-trust cybersecurity systems go beyond traditional approaches that assume all entities within the organization’s network are trustworthy. This prevents saboteurs and outside agents from moving laterally and accessing sensitive data due to a lack of granular security controls. Image: Dreamstime

SP 800-207 defines seven basic tenets:

1. All data sources and computing services are considered resources. These can include personally owned devices that can access enterprise-owned resources.

2. All communications are secured, regardless of location. A request from an asset located on the network doesn’t imply trust. Therefore, an access request from within a legacy network perimeter should be validated in the same exact way as an external request.

3. Access to individual enterprise resources is granted on a per-session basis. Trust is evaluated with respect to a given request and should be granted with the minimum privileges needed to complete the task. Authentication with authorization for one resource doesn’t give access to a different resource.

4. Access to resources is determined by dynamic policy. So, the current states of resources (including software versions, network location, time and date of request, and previously observed behavior) are verified. Access rules can be defined by dynamic policies and acceptable levels of risk.

5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. The security posture of assets is always evaluated when a resource is requested, and no asset is inherently trusted.


6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. Authentication and authorization happen on a continuous cycle of identity, credential, and access management (ICAM) throughout user transactions — including the use of multifactor authentication (MFA) for at least the most important resources. The criteria for reauthentication and reauthorization may be based on time, new resource requests, resource modification, or suspicious behavior.

7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses this information to improve its security posture.

As data and services move into the cloud, zero-trust architecture is increasingly becoming a preferred approach to cybersecurity.

The UK National Cyber Security Centre defines ten principles for ZTA that are more vague than the NIST tenets. These principles come with some general directives: know the architecture, including users, devices, and services; create a single strong user identity and create a strong device identity; authenticate everywhere and know the health of devices and services.

There are other general directives: Focus monitoring on devices and services. Set policies according to the value of the service or data. Control access to services and data. Don’t trust the network, including the local network. Choose services designed for zero trust.

IMPLEMENTING A ZERO-TRUST ARCHITECTURE

A simple checklist for implementing ZTA in a company network could include:

1. List all network assets (devices, applications, and data) and categorize them based on their security sensitivity.

2. Define micro-perimeters around specific assets, where authentication and authorization are needed before access can be granted.

3. Identify role-based access control (RBAC) with access to specific resources needed to perform a task and ensure users are given the minimum permissions required.

4. Define strong multifactor authentication methods, which may include passwords, biometrics, security tokens, and mobile push notifications.

5. Implement continuous monitoring and analytics to track user behavior and network traffic. This will enable any anomalies to be identified, leading to real-time threat intelligence.

6. Ensure that data is encrypted both during transfer and storage.

7. Define an incident response plan for the event of a security breach.

8. Carry out regular audits to continuously improve the security system.

Zero-trust networks protect systems by prioritizing assets and how much shielding each requires. Leading options simplify this so-called granular access structure. Image: Dreamstime

“Zero trust isn’t something one can buy or implement; it’s a philosophy and a strategy,” said IBM chief information security officer Koos Lodewijkz. “To be frank, at IBM, we wouldn’t even characterize zero-trust as a security strategy. It’s an IT strategy done securely.”

ZTA is an approach to security that revolves around the cloud. Cloud-based computing isn’t just about users having consistent access to data and applications from any device and location. It’s also about protecting data because the internal network can be considered hostile. It’s also important that continuous re-authentication and re-authorization don’t become a massive inconvenience for users; ideally, it would work seamlessly in the background. Microsoft aims to create this seamless zero-trust environment using gate access based on real-time analytics combined with monitoring and control of user actions.

Following the principles set out in this article will give a good guide to defining a strategy for its implementation. When it comes to the nuts and bolts of setting up the IT systems for ZTA, expert guidance will be needed for specific systems.

BASICS OF AN IDMZ

An IDMZ is a cybersecurity network segment that serves as a middle-ground buffer between an exposed network segment and a protected sensitive segment. The acronym IDMZ can refer to an internet demilitarized zone or (in newer technical references including this one) an industrial demilitarized zone. An internet demilitarized zone is an older concept; here, it’s just called a DMZ.

More specifically, a DMZ protects a company network from vulnerable publicly accessible web services, while an IDMZ protects an industrial control system or ICS from the rest of the network.

Firewalls isolate DMZs and IDMZs.

The ICS is often critical to safety and high-value business operations — controlling things such as manufacturing machinery, medical equipment, power generation, and transportation networks. Although such systems need maximum security, they still need to communicate with quality, enterprise, supply chain, and energy management systems. All this connectivity employs various protocols for database and web connections as well as file transfers.

HOW A DMZ NETWORK SEGMENT WORKS

A DMZ sits between the rest of the internal network and the external world. This allows publicly accessible services such as web and email servers to operate from the DMZ while protecting the core network. The DMZ isolates the very vulnerable internet-accessible services from the rest of the network as a form of perimeter defense. Typical components of a DMZ are:

• Firewalls at the perimeter of the DMZ control traffic, enforce security policies, and restrict access to authorized services.

• Intrusion detection and prevention systems (IDPS) monitor network traffic to and from the DMZ to detect potential security threats.

• Load balancers distribute network traffic across multiple servers hosting the services in the DMZ. This improves performance, availability, and scalability of the publicly accessible services.

• Reverse proxies handle requests from the external network to the internal services in the DMZ, providing an additional layer of security by validating requests before forwarding them to relevant internal servers.

• Application gateways inspect and filter traffic at the application layer, protecting against attacks aimed at vulnerabilities in specific applications.

• Intrusion prevention systems (IPSs) monitor and analyze network traffic to identify patterns that indicate a potential threat and then take action to block or mitigate them.

Cloud computing now means there’s little need for a conventional DMZ, with web services hosted on the cloud. Enterprise IT networks are now more commonly protected through zero-trust architecture and segmentation.


HOW AN IDMZ NETWORK SEGMENT WORKS

An IDMZ can work essentially like a conventional DMZ. The key difference is that in traditionally arranged legacy networks, internet services were mostly separate from the core business activities of most system users. Risky activities could therefore stay separate from the main network. With an IDMZ, this situation is now reversed so that users on the enterprise network are continuously accessing the internet, such that the internet becomes the risky area, and the industrial network becomes the area needing protection.

Reliance solely on perimeter defense doesn’t satisfy modern standards for zero-trust cybersecurity. The latter requires all communications to be validated — even when coming from within the network segment. Zero-trust also requires every individual request to be evaluated using a dynamic policy that evaluates the threat level at hand based on various factors — not simply user credentials. However, the NIST standard for Zero Trust Architecture (SP 800-207) does concede that implicit trust zones may be necessary. It states that these zones should be as small as possible, requiring users to revalidate before moving closer to important resources. Within the implicit trust zone, users must have established trust to at least the level of the last gateway. The use of an IDMZ to protect critical equipment is entirely aligned with such an approach.

A zero-trust system also maintains skepticism of users even when they have access to the IDMZ. Requests for particularly sensitive data or actions are only granted after re-authentication and authorization. Furthermore, all activity is monitored to flag any anomalies or suspicious behavior. These additional layers of security are often lacking and difficult to implement in an ICS environment.

The Purdue Enterprise Reference Architecture (PERA) is a well-established model for digital systems in enterprises. It breaks down decision-making and control into five levels, from zero to four. Level zero contains the actual physical process. Level one contains the intelligent devices that sense and manipulate the physical processes — sensors, PLCs, and actuators. Level two involves control systems that humans might interact with: human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA). Level three contains the manufacturing operations systems that manage workflow, batch management, manufacturing execution, and data historians. Level four is for business logistics systems, such as enterprise resource planning or ERP systems, operating at the level of factory production schedules and inventory. Typically, levels three and four sit on the enterprise network, and everything at a lower level sits on the industrial ICS network.

CHALLENGES OF THE ICS ENVIRONMENT

A typical enterprise IT network has hardware of a similar age, a standard operating system that is updated regularly, a relatively small number of standard business applications that are also regularly updated, and standard security software.

In contrast, an ICS environment is often far more complex. It may contain hardware produced over several decades with many different operating systems and communication protocols.

Firmware and software may no longer be supported, and even when updates are available, managers often elect to leave machines un-updated for fear of disturbing the complex data ecosystem enabling critical operations to continue.

What’s more, legacy ICS devices usually have no built-in security. Rather, they completely trust any communication they receive, simply responding without any authentication or authorization process. They also have no way of detecting attack signatures or anomalies.

These challenges highlight the need for an IDMZ. ICS devices are often more critical than the ordinary IT network and far more vulnerable. For legacy systems, it’s impossible to implement a zero-trust architecture at the level of the ICS devices, so a strong perimeter defense is all the more vital.

CREATING A STRONG IDMZ

The IDMZ is a middle ground between the insecure enterprise network and the secure ICS network. If ICS devices can’t execute additional checks for suspicious behavior or highly sensitive requests, these security functions must be handled at the IDMZ level. This means authentication and authorization to the ICS shouldn’t simply grant perpetual and universal access. Users should be re-authenticated and authorized when they make different requests, and all traffic should be monitored for threat signatures and anomalies.

The key is correctly choosing what will be located on the enterprise network and what will be located on the protected industrial network. Some choices are obvious, but others need more thought. Clearly, computers used to run office applications, send emails, and access customer databases sit on the enterprise network. Similarly, machine controllers running legacy firmware sans built-in authentication will sit on the industrial network.

But what about a barcode scanner used for tracking inventory on the shop floor?

At first, it may seem that barcode scanners should be part of the industrial network. However, scanners use internet protocols to send information to a manufacturing execution system (MES) or ERP system. Therefore, these should sit on the enterprise network where this type of communication largely takes place.

How about an IIoT sensor used to monitor a machine tool?

IIoT sensors also use internet protocols, but because they must more directly interact with the machine controller, they’re most suitably connected to the industrial network. Here, the IDMZ is key to ensuring that internet connections established by the IIoT sensor won’t expose the entire ICS network to threats.

In fact, for continued operation in the event of a disruption of connectivity through the IDMZ, all resources needed to operate the ICS should be located on the ICS network.
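The per-request re-authentication, dynamic policy and anomaly monitoring that the zero-trust discussion and the CREATING A STRONG IDMZ section call for, modelled as an added Python example. This is not code from the guide or from any vendor's IDMZ product; the IdmzBroker class, the action sensitivity table, the source-zone names and the thresholds are assumptions chosen to illustrate the policy. Access is never granted permanently: every request is evaluated against the caller's roles, how recently they authenticated, and what the session has been doing in the last minute.

```python
from collections import deque
from dataclasses import dataclass, field

# Sensitivity of each ICS action the broker may relay (constructed table, not from the guide).
ACTION_SENSITIVITY = {
    "view_hmi": 1,          # read-only
    "read_historian": 1,
    "transfer_file": 2,     # changes state on the ICS side
    "write_setpoint": 3,    # directly affects the physical process
    "update_firmware": 3,
}

FRESH_AUTH_SECONDS = 300   # assumed: sensitivity >= 2 needs an authentication this recent
RATE_WINDOW_SECONDS = 60   # assumed: sliding window for behavioural checks
RATE_LIMIT = 20            # assumed: more requests than this per window is anomalous
TARGET_SWEEP_LIMIT = 5     # assumed: touching more distinct ICS hosts per window is anomalous


@dataclass
class Session:
    user: str
    roles: set
    source_zone: str                  # where the request enters from: "enterprise", "internet", ...
    last_auth_time: float             # when the user last proved their identity to the broker
    recent: deque = field(default_factory=deque)  # (time, action, target) seen in the window


@dataclass
class Decision:
    allowed: bool
    reason: str
    anomalies: list


class IdmzBroker:
    """Mediates every enterprise-to-ICS request; no decision is cached as permanent access."""

    def __init__(self, role_permissions):
        self.role_permissions = role_permissions   # role -> set of permitted actions
        self.audit_log = []                        # every decision, for monitoring and forensics

    def reauthenticate(self, session, now):
        # Stand-in for a real credential or MFA check; only the timestamp matters for the policy.
        session.last_auth_time = now

    def _window(self, session, now):
        # Discard entries older than the window; the deque is kept in chronological order.
        while session.recent and now - session.recent[0][0] > RATE_WINDOW_SECONDS:
            session.recent.popleft()
        return session.recent

    def _anomalies(self, session, now):
        window = self._window(session, now)
        found = []
        if len(window) > RATE_LIMIT:
            found.append("rate_limit")
        if len({target for _, _, target in window}) > TARGET_SWEEP_LIMIT:
            found.append("target_sweep")
        return found

    def evaluate(self, session, action, target, now):
        """Decide one request using credentials, freshness and observed behaviour together."""
        session.recent.append((now, action, target))
        anomalies = self._anomalies(session, now)
        decision = self._decide(session, action, now, anomalies)
        self.audit_log.append((now, session.user, action, target, decision))
        return decision

    def _decide(self, session, action, now, anomalies):
        sensitivity = ACTION_SENSITIVITY.get(action)
        if sensitivity is None:
            return Decision(False, "unknown_action", anomalies)
        if session.source_zone != "enterprise":
            return Decision(False, "untrusted_source_zone", anomalies)
        permitted = set().union(*(self.role_permissions.get(r, set()) for r in session.roles))
        if action not in permitted:
            return Decision(False, "not_authorized", anomalies)
        if sensitivity >= 2 and now - session.last_auth_time > FRESH_AUTH_SECONDS:
            return Decision(False, "reauth_required", anomalies)
        if sensitivity >= 2 and anomalies:
            return Decision(False, "anomalous_session", anomalies)
        return Decision(True, "ok", anomalies)


if __name__ == "__main__":
    perms = {"operator": {"view_hmi", "read_historian", "write_setpoint"}}
    broker = IdmzBroker(perms)
    alice = Session("alice", {"operator"}, "enterprise", last_auth_time=0.0)
    print(broker.evaluate(alice, "write_setpoint", "plc-1", 1000.0))   # denied: reauth_required
    broker.reauthenticate(alice, 1000.0)
    print(broker.evaluate(alice, "write_setpoint", "plc-1", 1001.0))   # allowed: ok
```

Read-only requests are still served while a session is behaving unusually, but the anomaly is recorded with the decision in the audit log, so a monitoring system can pick it up; sensitive writes are refused until the behaviour clears or the user re-authenticates. A real broker would replace the timestamp-only `reauthenticate` with an actual credential or MFA exchange and would feed `audit_log` to a SIEM rather than keep it in memory.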


Shown here are the Purdue Enterprise Reference Architecture (PERA) model levels.

An IDMZ typically involves a small network with servers that process the inter-network communication, connected to both networks via firewalls. Next-generation firewalls (NGFWs) help to secure an IDMZ. While conventional industrial firewalls provide protocol and port inspection, NGFWs also conduct data analyses at the application level. This lets them filter out malware from network-based communication. When a user attached to the enterprise network wants to establish a connection with a resource on the industrial network, the connection is made through a broker server within the IDMZ. Authentication and authorization are handled by this broker server.

Using two different brands of firewall can provide additional protection — one between the enterprise network and the IDMZ, and the other between the IDMZ and the industrial network. The broker server running in the IDMZ will run a dedicated IDMZ service, typically on VMware or a hypervisor. This enables file transfer and remote access.

Does the industrial design at hand need an IDMZ? If the design has mission- or safety-critical equipment that is networked to internet-connected devices, an IDMZ is advised. If this equipment runs basic control firmware with no authentication or malware detection, or if it has old firmware or software that isn’t regularly patched, then an IDMZ is of critical importance.
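The two-firewall IDMZ layout described above, the broker as the only crossing point, and the placement rules from the previous section (levels zero to two on the industrial network, ICS-critical resources never outside it), expressed as a design check in an added Python example. It is not code from the guide; the asset, firewall and rule names, the ports and the vendor labels are constructed placeholders, and the zone names are assumptions. The check walks a proposed rule set and asset inventory and reports every place the design departs from the pattern.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                      # "enterprise", "idmz" or "industrial"
    purdue_level: Optional[int]    # 0-4, or None for hosts the PERA levels don't describe
    ics_dependency: bool = False   # True if the ICS cannot keep operating without this asset


@dataclass(frozen=True)
class Firewall:
    name: str
    vendor: str
    joins: frozenset               # the two zones this firewall sits between


@dataclass(frozen=True)
class Rule:
    firewall: str                  # which firewall carries the rule
    src: str                       # source asset name
    dst: str                       # destination asset name
    port: int


def check_design(assets, firewalls, rules, broker):
    """Return a list of findings; an empty list means the design follows the IDMZ pattern."""
    findings = []
    by_name = {a.name: a for a in assets}
    fw_by_name = {f.name: f for f in firewalls}

    # Two different firewall brands, so one vendor's flaw cannot open both boundaries.
    if len({f.vendor for f in firewalls}) < len(firewalls):
        findings.append("both firewalls come from the same vendor")

    for r in rules:
        src, dst, fw = by_name[r.src], by_name[r.dst], fw_by_name[r.firewall]
        zones = frozenset({src.zone, dst.zone})
        flow = f"{r.firewall}: {r.src}->{r.dst}:{r.port}"
        if zones == frozenset({"enterprise", "industrial"}):
            findings.append(f"{flow} connects enterprise and industrial directly, bypassing the IDMZ")
        elif zones != fw.joins:
            findings.append(f"{flow} does not join the two zones this firewall separates")
        elif broker not in (r.src, r.dst):
            findings.append(f"{flow} crosses a boundary without terminating at the broker")

    for a in assets:
        if a.purdue_level is not None:
            # The guide's typical split: levels 0-2 industrial, levels 3-4 enterprise.
            expected = "industrial" if a.purdue_level <= 2 else "enterprise"
            if a.zone != expected:
                findings.append(f"{a.name}: Purdue level {a.purdue_level} belongs on the {expected} network, not {a.zone}")
        if a.ics_dependency and a.zone != "industrial":
            findings.append(f"{a.name}: the ICS depends on it, yet it sits in {a.zone}")
    return findings


# Constructed sample design (not from the guide): names, ports and vendors are placeholders.
ASSETS = [
    Asset("erp", "enterprise", 4),
    Asset("mes", "enterprise", 3),
    Asset("office-pc", "enterprise", None),
    Asset("barcode-scanner", "enterprise", None),     # talks only to the MES, so it stays enterprise-side
    Asset("broker", "idmz", None),
    Asset("hmi-1", "industrial", 2, ics_dependency=True),
    Asset("plc-1", "industrial", 1, ics_dependency=True),
    Asset("iiot-sensor", "industrial", 1),            # interacts with the controller, so industrial-side
]
FIREWALLS = [
    Firewall("fw-enterprise-idmz", "vendor-A", frozenset({"enterprise", "idmz"})),
    Firewall("fw-idmz-industrial", "vendor-B", frozenset({"idmz", "industrial"})),
]
RULES = [
    Rule("fw-enterprise-idmz", "office-pc", "broker", 443),     # remote-access request to the broker
    Rule("fw-idmz-industrial", "broker", "hmi-1", 3389),        # brokered session onward to the HMI
    Rule("fw-idmz-industrial", "iiot-sensor", "broker", 8883),  # sensor telemetry leaves via the broker
    Rule("fw-enterprise-idmz", "broker", "mes", 443),           # broker relays telemetry to the MES
]


def good_design():
    return check_design(ASSETS, FIREWALLS, RULES, "broker")


def bad_design():
    # Same design with four deliberate mistakes added for the check to catch.
    assets = ASSETS + [Asset("time-server", "idmz", None, ics_dependency=True), Asset("ftp-relay", "idmz", None)]
    firewalls = [FIREWALLS[0], Firewall("fw-idmz-industrial", "vendor-A", frozenset({"idmz", "industrial"}))]
    rules = RULES + [Rule("fw-enterprise-idmz", "office-pc", "plc-1", 502),
                     Rule("fw-enterprise-idmz", "office-pc", "ftp-relay", 21)]
    return check_design(assets, firewalls, rules, "broker")


if __name__ == "__main__":
    for finding in bad_design():
        print("-", finding)
```

The four findings the flawed variant produces are the ones the text warns about: a single firewall vendor on both boundaries, a rule that lets an enterprise host reach a PLC directly, a crossing that lands on an IDMZ host other than the broker, and an IDMZ-resident service the ICS cannot run without. In practice the inventory and rules would be exported from the firewall management system rather than typed in, but the checks stay the same.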
