You can use the checklist below to make sure you do not forgot any of the defense-in-depth security measures and select solutions that fit your needs.
Strengthen industrial cybersecurity
without compromising production efficiency
While companies are tapping into the opportunities that the Industrial Internet of Things (IIoT) has to offer, digitalization has become a key initiative for industries. Digitalization has allowed the industrial control system (ICS) landscape to develop quickly in recent years. Originally, ICS networks were physically isolated and almost immune to cyberattacks. However, recently, there has been a rise in the sophistication of cyber attacks, which has prompted everyone from IT to OT personnel to produce solutions that enhance industrial cybersecurity. Thus, understanding industrial cybersecurity requirements will help companies mitigate cybersecurity risks. Read on to learn more.
There are some myths about industrial cybersecurity that may put your facilities and businesses at risk. Watch the video to learn how to debunk the myths and build defense-in-depth security for your industrial networks to ensure continuous operations and the safety of personnel.
IT  |
OT  |
|
|---|---|---|
No. 1 Priority |
Confidentiality |
Availability |
Focus |
Data integrity is key |
Control processes cannot tolerate downtime |
Protection Target |
Windows computers, servers |
Industrial legacy devices, barcode readers |
Environmental Conditions |
Air-conditioned |
Extreme temperatures, vibrations and shocks |
To enhance our Device Security, Moxa has identified a big set of cybersecurity features based on the component requirements of IEC 62443. The set of security features have been implemented in a wide portfolio of devices, including Secure Routers, Rackmount Switches, EDS-500E series DIN Rail Switches, select models of Device Sever, and Protocol Gateways.
To prevent network intrusions and attacks, it is essential to have a good access control mechanism in place that can identify, authenticate, and authorize users. Moxa’s network devices support user account management, password policy, and authentication interface management features that meet the technical security requirements of the IEC 62443 standard.
Moxa’s devices support advanced HTTPS/SSH features, which provide a secure channel for data transfer over unsecure networks ensuring reliable processing and retrieval of data. To protect data from being stolen or corrupted, Moxa provides functions such as SNMP password encryption and network configuration encryption, which ensure the highest level of protection for your network devices.
The NPort 6000 secure servers use SSL to implement secure data transmission for Secure TCP Server, Secure TCP Client, Secure Pair Connection, and Secure Real COM modes.. The NPort’s drivers follow the SSL standard and automatically negotiate the encryption key. To prevent hacker attacks, the NPort will automatically switch from DES/3DES to AES encryption for highly secure data transmissions.
Your cybersecurity journey does not end when your network security solution is up and running. You must constantly monitor your networks and audit network events for potential threats. Although it is quite difficult to detect breaches in real time, security event logs can help you identify the source of the issue. Information from these data logs can be used to track network activities, analyze potential threats, or identify devices that are incorrectly configured, which you can then use to disconnect user access, delete user accounts, or restart devices.
Industrial Control System (ICS) networks used to be isolated and used air-gap protection to keep secure networks separate from unsecured networks. Even though industrial networks are continuing to connect more devices, most OT operators still rarely take cybersecurity defense into consideration. Due to the number of cyberattacks targeting the critical manufacturing sector, it is clear that ICS networks are at high risk of attack.
Segment networks to secure communications between components in different automation zones and cells.
Click here to view the security architecure
The defense-in-depth security architecture divides the ICS network into protected individual zones and cells. The communication in each zone or cell is secured by firewalls, which further reduces the chance that the entire ICS network will fall victim to a cyberattack. Moxa's EDR Series consists of industrial secure routers that help operators provide zone and cell protection by using a transparent firewall that protects control networks and critical devices such as PLCs and RTUs against unauthorized access. By using this solution, there is no need to reconfigure network settings, which makes deployment faster and easier. The EDR-810 Series supports Moxa’s Turbo Ring redundancy technologies, which makes the deployment of network segmentation more flexible and economical. Moreover, Moxa’s Ethernet switches can create a virtual LAN (VLAN) to decompose each of the ICS domains into smaller networks that isolate traffic from other VLANs.
Learn How to Choose the Right Industrial Firewall: The Top 7 Considerations
Identify and scrutinize traffic between zones within the ICS network. View the security architecture here.
Traffic passing between zones in an ICS network must be scrutinized in order to enhance security. There are several ways to implement this. One method is to have data exchanged via a DMZ, where the data server is accessible between the secure ICS network and insecure networks without a direct connection. Moxa's EDR-G903 Series can help achieve secure traffic control by utilizing user-specific firewall rules. The second method is for the EDR routers to perform deep Modbus TCP inspection by using PacketGuard to control actions and enhance traffic control. This method simplifies administration tasks and can protect against unwanted traffic from one network to another. In addition to firewalls, an Access Control List can be used to filter switches’ ingress packets by IP address or local IP, which allows network administrators to secure networks by controlling access to devices or parts of the network.
There are currently two solutions available to deal with the main requirements for secure remote access to applications. For constant connections, standard VPN tunnels are recommended. Moxa's EDR Series can use IPsec, L2TP over IPsec, or OpenVPN to set up encrypted IPsec VPN tunnels or OpenVPN clients. These methods protect data from being manipulated when it is being transmitted and ensure secure remote access between industrial networks and remote applications. Alternatively, if remote access is only required to be accessible on demand to specific machines or sensitive areas, then a management platform for all remote connections is required.
As ICS networks keep expanding and more networks continue to converge, it is important to understand the benefits of the defense-in-depth approach when designing security architecture. However, having cybersecurity building blocks deployed in an ICS network is not sufficient to completely protect critical assets from unauthorized access. According to a report published by ICS-CERT, a sound security management model should include the following stages:
Those with malicious intent can still access the secure network if individuals who use the ICS network do not adhere to the security management model. In order to guarantee that the network has not been compromised, check if the ICS network is following the management principles and ensure that all users have read the guidelines to ensure a more secure ICS network.
MXconfig’s Security Wizard Saves You Time and Effort for Security-Related Parameter Setup
Customer: Oil & Gas Service Company
High-capacity oil and gas pipelines are very volatile and often span thousands of kilometers. The pump stations along the pipeline are equipped with analyzers and PLCs. The company found it challenging to maintain a secure and stable network connection between the stations and the remote SCADA system because the PLCs and I/O devices did not have any security features.
Customer: Automotive Parts Plant
An automotive parts plant manager planned to digitalize their production processes. The field devices run on the EtherNet/IP protocol for control unification and data acquisition. As the network infrastructure in this plant is on a large scale, it is very difficult for the plant manager to monitor all devices and visualize the network topologies. In addition, to realize digitization, all networks are interconnected from the field site all the way to the ERP and even to the cloud. It is essential to have good cybersecurity measures to allow this transformation to occur, without compromising production efficiency.
Customer: CNC Machine Builder
Maximizing network uptime enhances machine productivity. Therefore, a leading manufacturer of mechanical power presses needed to provide a timelier and more efficient after-sales service in order to ensure improved machine performance and effective troubleshooting. At first, the machine builder adopted Windows-based Remote Desktop Control (RDC) technology, but security risks and additional costs came at a high price. Furthermore, the Windows-based computer by itself is susceptible to security risks, and the possibility of attacks increases even more when the computer connects to the Internet.
To close the gap between the OT and IT worlds, Moxa offers coordinated solutions that are designed to completely protect your industrial networks.
Your local NZ Moxa distributor and partner for more than 20 years.
ECS is an Official NZ Moxa Distributor and part of the Moxa Technical College, with certified, in-house specialists. As an official NZ distributor, ECS has Moxa Certified Engineers who are fully trained and accredited to assist with network design and complete installation support for your project.
