Slide 1
Building Secure Networks for the Industrial World
Anders Felling
Vice President, International Sales, Westermo Group
Managing Director, Westermo Data Communication AB
Slide 2
Westermo – What do we do?
Robust data communication devices for harsh environments
We supply products that:
- provide the communication infrastructure for control and monitoring systems
- are used in mission-critical systems, where commercial-grade products are not sufficiently resilient
- are derived from proven commercial communication technology
The built-in safety, reliability and redundancy is of high value to customers
Slide 3
Westermo Group 2010
- Founded in 1975
- Turnover: 33 MEur
- Uninterrupted growth since 1994
- No. of employees: 160
- 14% R&D spend
- Extensive IPR portfolio for key technologies
- Production: 100 000 units
- Sales and support units in 10 countries, distributors in another 36
- Member of the Beijer Electronics Group
Slide 4
Westermo Group
Map of Westermo offices (legend: Westermo Head Office, Westermo Branch Offices):
- Sweden: Västerås
- Sweden: Stora Sundby
- United Kingdom: Southampton
- Germany: Waghäusel
- France: Paris
- Singapore: Singapore
- Taiwan: Taipei
- United States: Chicago
- Switzerland: Leimbach
- Austria: Wien
- Belgium: Chievres
+ 36 distributors worldwide
Slide 5
Critical Infrastructure Projects
Slide 6
Cyber Security and Physical Security
Slide 7
Security Awareness - Physical and Cyber
- Physical and cyber security is now a key issue
- The threat of terrorist attacks is real
- CCTV, intruder and chemical detectors are now part of every system
- Cyber attacks are an increasing problem
- One UK utility reported that they are dealing with 8000 attacks a day!
- There is now a worm virus actively seeking and attacking PLCs
- Most serious attacks or infections come from within, i.e. from employees
Slide 8
Security Issues and how these can be Addressed
- Creating secure connections over insecure networks like the Internet
- Security issues and vulnerabilities need to be addressed from the start
- It is too late once a vulnerability has been exposed and the system compromised
How can we address these vulnerabilities using:
- Firewall
- VLANs
- DMZ
- VPNs
Slide 9
Firewall
Slide 10
Firewall
- Effective means of stopping unwanted intrusions from insecure networks
- Block unauthorised traffic from the remote site
- Block IP ports
- Prevent unauthorised access to the management of the router
- Prevent the router from replying to probing traffic (ping, port scanning)
Slide 11
Firewalls in Industrial networks
Diagram elements: VLAN 1, VLAN 2, VLAN 3, VLAN 4, VLAN 5; networks 195.168.1.xxx, 10.10.10.xxx, 172.10.10.xxx and the host 192.168.245.159; a connection from the corporate LAN 192.168.10.xxx.
This would normally require 5 discrete firewalls
Slide 12
VLANs - (Virtual LANs)
Slide 13
How Would You Use VLANs?
- Automation network: VLAN ID 100
- Corporate network: VLAN ID 200
- Security network: VLAN ID 300
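The slide assigns the three networks to VLAN IDs 100, 200 and 300 but does not show what a switch port actually does with those IDs. The following Python is an added example, not code from the presentation or from Westermo: it parses the 802.1Q tag out of an Ethernet frame and models an access port on the automation VLAN that admits untagged frames into its own VLAN and drops frames tagged for any other VLAN. The VLAN numbers and names are the slide's; the port, the MAC addresses and the test frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# VLAN plan from the slide (IDs and names); nothing else here is from the deck.
VLAN_NAMES: Dict[int, str] = {100: "automation", 200: "corporate", 300: "security"}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    pcp: int                # 802.1p priority bits from the tag (0 if untagged)
    ethertype: int          # EtherType of the encapsulated payload
    payload: bytes


def parse_ethernet(raw: bytes) -> Frame:
    """Parse an Ethernet II frame and pull out a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, 0, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    vlan_id = tci & 0x0FFF          # low 12 bits of the TCI: VLAN identifier
    if vlan_id in (0, 4095):        # 0 = priority-only tag, 4095 = reserved
        raise ValueError(f"reserved VLAN ID {vlan_id}")
    return Frame(dst, src, vlan_id, tci >> 13, inner_type, raw[18:])


@dataclass
class AccessPort:
    """A switch access port that belongs to exactly one VLAN (its PVID)."""
    name: str
    pvid: int


def ingress_vlan(port: AccessPort, frame: Frame) -> Optional[int]:
    """Return the VLAN a frame is admitted into, or None if the port drops it.

    Untagged frames are classified into the port's VLAN. A frame tagged with a
    different VLAN is dropped, so a device on the automation VLAN cannot reach
    the corporate or security VLANs simply by tagging its own frames.
    """
    if frame.vlan_id is None or frame.vlan_id == port.pvid:
        return port.pvid
    return None


def build_frame(vlan_id: Optional[int], ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a test frame (locally administered MAC addresses, made up)."""
    dst = bytes.fromhex("02000000aaaa")
    src = bytes.fromhex("02000000bbbb")
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vlan_id  # PCP 0, DEI 0, so the TCI is just the VLAN ID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def demo() -> Dict[str, Optional[int]]:
    """Feed three frames into a PLC-facing access port on the automation VLAN."""
    plc_port = AccessPort("port 3 (PLC)", pvid=100)
    cases = {
        "untagged": build_frame(None),
        "tagged 100": build_frame(100),
        "tagged 200": build_frame(200),   # corporate VLAN: must be dropped
    }
    return {label: ingress_vlan(plc_port, parse_ethernet(raw))
            for label, raw in cases.items()}


if __name__ == "__main__":
    for label, vlan in demo().items():
        print(f"{label:>11}: {'dropped' if vlan is None else VLAN_NAMES[vlan]}")
```

Only trunk ports between switches should carry more than one tag, and on those ports the allowed VLAN list should be explicit rather than "all"; the access-port rule above is the piece that keeps an end device inside the VLAN it was assigned to.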
Slide 14
DMZ - (Demilitarized Zone)
Slide 15
DMZ (Demilitarized Zone)
- The DMZ acts as a buffer between the trusted and untrusted zones
- The DMZ prevents direct communication between the trusted and untrusted zones. All communications from the untrusted zone are terminated on an intermediate server or historian
- The DMZ can offer protection against cyber attacks such as the STUXNET worm or many of the other malicious worms and viruses present in cyberspace
- The servers in the DMZ still need to run strong, regularly updated antivirus software
Slide 16
DMZ
Diagram: Un-Trusted network | DMZ (Citrix Server, SCADA Server) | Trusted network; the direct path from the un-trusted to the trusted network is blocked (X).
- Typically incoming traffic will be HTTP, HTTPS from the un-trusted network
- Communications to the trusted network will typically be industrial protocols such as Ether IP, Profinet, CC Net, Modbus TCP
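Slides 10, 11, 15 and 16 describe the firewall behaviour in words: block unauthorised traffic, block ports, protect router management, stay silent to ping and port scans, and let the un-trusted side reach only the DMZ while only the DMZ talks industrial protocols into the trusted zone. The Python below is an added example written for this page, not Westermo code and not a product configuration: it expresses that zone policy as a small default-deny rule table and evaluates constructed flows against it. The addressing (trusted 10.10.10.0/24, DMZ 192.168.245.0/24, router addresses, the management host 10.10.10.5) and the port numbers for Modbus TCP (502) and EtherNet/IP (44818) are assumptions of the example; the slides only name the protocols.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed addressing for the example (the slides only show 10.10.10.xxx
# and the DMZ host 192.168.245.159; everything else here is made up).
ZONES = {
    "trusted": ipaddress.ip_network("10.10.10.0/24"),      # automation / SCADA LAN
    "dmz": ipaddress.ip_network("192.168.245.0/24"),       # Citrix, SCADA, historian servers
    "untrusted": ipaddress.ip_network("0.0.0.0/0"),        # everything else, corporate LAN included
}
# The router's own interface addresses, one per zone (constructed).
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("10.10.10.1", "192.168.245.1", "203.0.113.10")}
MGMT_HOSTS = {ipaddress.ip_address("10.10.10.5")}   # the only host allowed to manage the router
MGMT_PORTS = {22, 443}                               # SSH and HTTPS management


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: FrozenSet[int]     # empty set means any destination port
    action: str                # "accept" or "drop"
    comment: str


# Zone policy from the DMZ slides: the un-trusted side reaches only the DMZ over
# HTTP/HTTPS; only DMZ servers speak industrial protocols with the trusted zone.
RULES: List[Rule] = [
    Rule("untrusted", "dmz", "tcp", frozenset({80, 443}), "accept", "HTTP/HTTPS to DMZ servers"),
    Rule("dmz", "trusted", "tcp", frozenset({502, 44818}), "accept", "Modbus TCP / EtherNet/IP from DMZ"),
    Rule("trusted", "dmz", "tcp", frozenset({502, 44818}), "accept", "Modbus TCP / EtherNet/IP to DMZ"),
]


def zone_of(addr: str) -> str:
    """Longest-prefix match of an address against the zone table."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, zone) for zone, net in ZONES.items() if ip in net]
    return max(matches)[1]


def router_self_policy(flow: Flow) -> Tuple[str, str]:
    """Traffic addressed to the router itself: management only from the
    management host; no answers to ping or port scans from anywhere."""
    src = ipaddress.ip_address(flow.src)
    if flow.proto == "tcp" and flow.dport in MGMT_PORTS and src in MGMT_HOSTS:
        return "accept", "router management from management host"
    if flow.proto == "icmp":
        return "drop", "silently ignore ICMP probes"
    return "drop", "router does not answer unsolicited traffic"


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for a new flow; anything unmatched is denied."""
    if ipaddress.ip_address(flow.dst) in ROUTER_ADDRS:
        return router_self_policy(flow)
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "accept", f"intra-zone {src_zone} traffic is not filtered here"
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto) != (src_zone, dst_zone, flow.proto):
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return rule.action, rule.comment
    return "drop", f"default deny {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"


def audit(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Evaluate flows and return (flow, action, reason) log entries; the denied
    entries are the ones a monitoring system should alert on."""
    return [(f"{f.src}->{f.dst} {f.proto}/{f.dport}",) + decide(f) for f in flows]


def demo() -> List[Tuple[str, str, str]]:
    flows = [  # constructed sample traffic
        Flow("203.0.113.77", "192.168.245.159", "tcp", 443),   # remote user to DMZ web front end
        Flow("203.0.113.77", "10.10.10.20", "tcp", 502),       # remote user straight to a PLC
        Flow("192.168.245.159", "10.10.10.20", "tcp", 502),    # DMZ SCADA server polling the PLC
        Flow("203.0.113.77", "192.168.245.159", "tcp", 23),    # telnet attempt on the DMZ host
        Flow("203.0.113.77", "203.0.113.10", "icmp"),          # ping of the router's WAN address
        Flow("10.10.10.5", "10.10.10.1", "tcp", 22),           # admin SSH from the management host
        Flow("192.168.245.159", "10.10.10.1", "tcp", 22),      # SSH to the router from the DMZ
    ]
    return audit(flows)


if __name__ == "__main__":
    for flow, action, reason in demo():
        print(f"{action:6} {flow:40} {reason}")
```

The evaluator is stateless; a real firewall additionally tracks connection state so that replies to an accepted flow are let back through without a mirror-image rule. The rule order matters only within a zone pair here, because each rule names a single (source zone, destination zone, protocol) triple.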
Slide 17
VPNs - Virtual Private Networks
Slide 18
VPNs
Diagram labels: IPsec VPN via un-trusted network; Corporate network; Internet; MPLS Network; WAN.
- IPsec VPNs are key in allowing industrial networks on different sites to communicate
- VPNs are, in effect, tunnels linking the sites (like leased lines)
- All connections need to be authenticated before being accepted
- All data passing through the tunnel is encrypted
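The slide states that every connection is authenticated before it is accepted, but not what that means packet by packet once the tunnel is up. The Python below is an added example for this page, not Westermo code and not an IPsec implementation: it models the two receive-side checks that ESP (RFC 4303) applies to each tunnel packet, the integrity check value and the sliding anti-replay window, using the standard library's HMAC. The key, SPI and Modbus-flavoured payloads are constructed; encryption of the payload, which ESP also does, is left out because the standard library has no AES, so the example shows authentication and replay rejection only.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ICV_LEN = 16                  # HMAC-SHA-256-128: ESP truncates the HMAC to 128 bits (RFC 4868)
HDR = struct.Struct("!II")    # ESP header: SPI, sequence number


class ReplayWindow:
    """Sliding anti-replay window as in RFC 4303 section 3.4.3: bit 0 of the
    bitmap is the highest sequence number seen, bit k stands for top-k."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Would this sequence number be acceptable? No state is changed."""
        if seq == 0:                       # ESP sequence numbers start at 1
            return False
        if seq > self.top:
            return True
        if self.top - seq >= self.size:    # older than the window: reject
            return False
        return not self.bitmap & (1 << (self.top - seq))

    def update(self, seq: int) -> None:
        """Mark seq as received; call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class EspSender:
    def __init__(self, key: bytes, spi: int) -> None:
        self.key, self.spi, self.seq = key, spi, 0

    def protect(self, payload: bytes) -> bytes:
        """Prepend the ESP header and append the ICV over header + payload."""
        self.seq += 1
        if self.seq > 0xFFFFFFFF:
            raise RuntimeError("sequence number exhausted: the SA must be rekeyed")
        body = HDR.pack(self.spi, self.seq) + payload
        icv = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        return body + icv


class EspReceiver:
    def __init__(self, key: bytes, spi: int, window: int = 64) -> None:
        self.key, self.spi, self.window = key, spi, ReplayWindow(window)

    def receive(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        """Return (verdict, payload); the payload is None unless accepted."""
        if len(packet) < HDR.size + ICV_LEN:
            return "too-short", None
        spi, seq = HDR.unpack_from(packet)
        if spi != self.spi:
            return "unknown-spi", None
        if not self.window.check(seq):          # cheap replay check before the HMAC
            return "replay", None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return "bad-icv", None               # window untouched: a forgery cannot burn a slot
        self.window.update(seq)
        return "accepted", body[HDR.size:]


def demo() -> List[str]:
    key = bytes(range(32))   # constructed key; a real SA key is negotiated by IKE
    tx, rx = EspSender(key, spi=0x1001), EspReceiver(key, spi=0x1001)
    p1 = tx.protect(b"modbus: read holding registers")
    p2 = tx.protect(b"modbus: write single coil")
    p3 = tx.protect(b"modbus: read coils")
    tampered = bytearray(p3)
    tampered[HDR.size] ^= 0x01               # flip one payload bit in transit
    return [
        rx.receive(p1)[0],                   # fresh packet: accepted
        rx.receive(p1)[0],                   # the same packet again: replay
        rx.receive(p2)[0],                   # fresh packet: accepted
        rx.receive(bytes(tampered))[0],      # modified packet: bad ICV
        rx.receive(p3)[0],                   # the genuine copy still gets through
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the checks is deliberate: the window lookup is a few integer operations and rejects duplicates before any HMAC is computed, and the window is only advanced after the ICV verifies, so a packet with a forged sequence number cannot push genuine packets out of the window.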
Slide 19
Cyber Security Policy
- No matter how powerful the firewall, you also need good policies
- Large corporate or telemetry systems should look at IDS (Intrusion Detection Software)
- SCADA machines need regularly updated antivirus software
- Any machines likely to be connected to the industrial LAN should also have antivirus software
- Use a strong password policy, never words that can be looked up in a dictionary
- Servers should be located on trusted networks
- Pour glue in the USB ports so they can never be used!
- Have a recovery policy should the system become infected or compromised
Slide 20
Physical Security through
- Robustness
- Redundancy
- Monitoring
- Compatibility
Slide 21
Robust products = Secure products
Transient suppression
- Handles interference from high power cables, reactive loads and transients
Power supply
- DC-supplied units, redundant power supply
Mechanical performance
- Handles high mechanical strain, DIN-mounted
Extended temperature range
- -40 °C to +70 °C
Classifications and Approvals
- EMC, Rail, Isolation, Vibration, Shock, MTBF, DNV, ATEX
Galvanic isolation
- Galvanic isolation of the interfaces
Slide 22
Redundancy
Secure connectivity through redundancy
- FRNT
- RSTP/STP
- OSPF and VRRP
Slide 23
FRNT – Fast Recovery of Network Topology
L2 Ring Redundancy
FRNT is able to reconfigure a redundant ring network consisting of up to 200 switches within 20 ms of the initial failure, regardless of network load.
Diagram: a ring of one Focal Point switch and five Member switches with a media failure (X) on one ring link. Labels: "Media failure message" (twice), "Ports in blocking mode", "Re-learn MAC tables message".
Slide 24
RSTP – Rapid Spanning Tree Protocol
RSTP builds loop-free topologies by creating a logical tree of the connected nodes in the network.
This means that some ports need to be set in a blocking state, depending on how the nodes are connected together.
Diagram: a blocked link is marked X.
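Both redundancy slides come down to the same idea: a redundant physical topology is kept loop-free by putting one port per redundant path into blocking, and when a link fails a blocked port is released so that all switches stay reachable. The Python below is an added example for this page, not Westermo code and not an implementation of FRNT or RSTP: it computes a spanning tree in the way STP/RSTP does (lowest bridge ID becomes root, every other bridge takes the neighbour with the lowest root path cost and bridge ID as its root port, the worse end of every remaining link blocks), then runs it on the six-switch ring from the FRNT slide before and after one ring link is cut. The bridge IDs, link costs and the choice of which link fails are constructed; port IDs, the last tie-breaker of the real protocol, and the timing of the recovery are not modelled.

```python
import heapq
from typing import Dict, List, Set, Tuple

Link = Tuple[str, str, int]          # (bridge A, bridge B, path cost of the link)
Tree = Tuple[str, Set[frozenset], Set[Tuple[str, str]]]


def spanning_tree(bridge_ids: Dict[str, int], links: List[Link]) -> Tree:
    """Simplified STP/RSTP tree calculation.

    Returns (root, active links, blocked ports). A blocked port is given as
    the pair (bridge, neighbour) it faces; active links form the logical tree.
    """
    adjacency: Dict[str, List[Tuple[str, int]]] = {b: [] for b in bridge_ids}
    for a, b, cost in links:
        adjacency[a].append((b, cost))
        adjacency[b].append((a, cost))
    root = min(bridge_ids, key=lambda b: (bridge_ids[b], b))

    # best[bridge] = (root path cost, upstream bridge ID, upstream bridge name)
    best: Dict[str, Tuple[int, int, str]] = {root: (0, -1, root)}
    heap = [(0, bridge_ids[root], root)]
    while heap:
        cost, _, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue                      # stale queue entry
        for v, link_cost in adjacency[u]:
            candidate = (cost + link_cost, bridge_ids[u], u)
            if v not in best or candidate < best[v]:
                best[v] = candidate       # lower cost, or same cost via a lower bridge ID
                heapq.heappush(heap, (candidate[0], bridge_ids[v], v))

    active = {frozenset((v, best[v][2])) for v in best if v != root}

    def rank(bridge: str) -> Tuple[int, int]:
        return best[bridge][0], bridge_ids[bridge]

    blocked: Set[Tuple[str, str]] = set()
    for a, b, _ in links:
        if frozenset((a, b)) in active or a not in best or b not in best:
            continue                      # tree link, or a bridge cut off entirely
        loser = a if rank(a) > rank(b) else b
        blocked.add((loser, b if loser == a else a))
    return root, active, blocked


def connected_and_loop_free(bridges: List[str], active: Set[frozenset]) -> bool:
    """A set of n bridges is a tree iff every bridge is reachable and exactly
    n-1 links are in use."""
    adjacency = {b: set() for b in bridges}
    for link in active:
        a, b = tuple(link)
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen, stack = set(), [bridges[0]]
    while stack:
        u = stack.pop()
        if u in seen:
            continue
        seen.add(u)
        stack.extend(adjacency[u])
    return len(seen) == len(bridges) and len(active) == len(bridges) - 1


def ring_demo() -> Tuple[Tree, Tree]:
    """The ring from the FRNT slide: a focal point plus five members.

    Constructed bridge IDs: the focal point gets the lowest so that it is root.
    Returns the tree while the ring is healthy and after the M2-M3 link is cut.
    """
    ids = {"FP": 4096, "M1": 32769, "M2": 32770, "M3": 32771, "M4": 32772, "M5": 32773}
    ring: List[Link] = [("FP", "M1", 1), ("M1", "M2", 1), ("M2", "M3", 1),
                        ("M3", "M4", 1), ("M4", "M5", 1), ("M5", "FP", 1)]
    healthy = spanning_tree(ids, ring)
    broken = spanning_tree(ids, [l for l in ring if {l[0], l[1]} != {"M2", "M3"}])
    return healthy, broken


if __name__ == "__main__":
    for label, (root, active, blocked) in zip(("healthy", "link cut"), ring_demo()):
        print(f"{label}: root={root} active={len(active)} links, blocked ports={sorted(blocked)}")
```

With six switches in a ring there are six links but only five may forward at once; on the healthy ring the calculation blocks one port (here at M3 towards M4, the link furthest from the root by cost and ID), and once any ring link is cut the five remaining links are all needed and nothing is blocked. The slide's FRNT does the same for its ring with the blocking port kept at the focal point; that placement and the 20 ms figure are properties of the product, not of this generic calculation.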
Slide 25
OSPF and VRRP
Layer 3 redundancy with OSPF and VRRP
- OSPF keeps track of the active routers and calculates the best path to the connected networks
- VRRP creates redundant default gateways for the connected nodes on the LAN network
Diagram: three Layer 2 networks attached to a Layer 3 backbone.
Slide 26
Monitoring
Alarm handling and remote monitoring through
- SNMP
- Syslog
Configurable alarms
- Link alarm
- FRNT link alarm
- Power supply alarm
- Temperature alarm
- Digital In alarm
Digital I/O that can be used for intrusion detection
- Connect the I/O contact to the cabinet door and receive an SNMP trap or Syslog message at the central monitoring system if someone opens the door.
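An alarm is only useful if the central monitoring system recognises it among everything else the switches log. The Python below is an added example for this page, not Westermo code: it parses RFC 3164 style syslog lines as a central collector would receive them, classifies the alarm types listed on the slide (link, FRNT link, power supply, temperature, digital input) and escalates a door-contact alarm to critical regardless of the severity the device logged it with. The log lines, hostnames and the wording of the alarm messages are constructed for the example; a real device's message strings have to be mapped into the pattern table.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss hostname message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# (pattern, alarm kind, severity override). The wording is constructed for this
# example; the alarm kinds follow the slide. None keeps the device's severity.
ALARM_PATTERNS = [
    (re.compile(r"Digital In (?P<n>\d+) .*\bACTIVE\b"), "door-contact", "crit"),
    (re.compile(r"FRNT ring broken", re.I), "frnt-link", "err"),
    (re.compile(r"Link down on port (?P<port>\S+)", re.I), "link", None),
    (re.compile(r"Power supply (?P<n>\d+) (lost|failed)", re.I), "power", None),
    (re.compile(r"Temperature (?P<t>-?\d+) ?C above threshold", re.I), "temperature", None),
]


@dataclass
class Alert:
    host: str
    timestamp: str
    kind: str
    severity: str
    detail: str


def parse_syslog(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, host, severity name, message) or None if not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])                 # PRI = facility * 8 + severity
    return m["ts"], m["host"], SEVERITIES[pri & 7], m["msg"]


def triage(lines: List[str]) -> Tuple[List[Alert], List[str]]:
    """Classify switch syslog lines into alerts; unparsable lines are returned
    separately rather than dropped, so collector problems stay visible."""
    alerts: List[Alert] = []
    unparsed: List[str] = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            unparsed.append(line)
            continue
        ts, host, severity, msg = parsed
        for pattern, kind, escalate_to in ALARM_PATTERNS:
            if pattern.search(msg):
                alerts.append(Alert(host, ts, kind, escalate_to or severity, msg))
                break                   # first matching pattern decides the kind
    return alerts, unparsed


def by_host(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Which alarm kinds are open per switch (sorted, deduplicated)."""
    out: Dict[str, set] = {}
    for a in alerts:
        out.setdefault(a.host, set()).add(a.kind)
    return {host: sorted(kinds) for host, kinds in out.items()}


SAMPLE_LINES = [  # constructed sample log; the INACTIVE line is the door closing again
    "<29>Jun 14 09:15:02 sw-cab-07 alarm: Digital In 1 state changed to ACTIVE",
    "<27>Jun 14 09:15:03 sw-cab-07 frnt: FRNT ring broken, link failure on port 2",
    "<27>Jun 14 09:15:03 sw-cab-07 link: Link down on port 2",
    "<30>Jun 14 09:15:20 sw-cab-07 alarm: Digital In 1 state changed to INACTIVE",
    "<28>Jun 14 10:02:44 sw-cab-12 alarm: Power supply 2 lost",
    "<30>Jun 14 10:02:45 sw-cab-12 system: configuration saved",
    "garbage that is not syslog at all",
]


if __name__ == "__main__":
    alerts, unparsed = triage(SAMPLE_LINES)
    for a in alerts:
        print(f"{a.severity:8} {a.host:10} {a.kind:13} {a.detail}")
    print("unparsed:", unparsed)
```

The sample illustrates why the door contact deserves its own class: a cabinet door opening one second before a ring link goes down on the same switch reads very differently from a ring link failing on its own, and grouping the alerts per host with `by_host` is what lets an operator see the two together.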