Need to step-up control system security

Thread Starter

Fluoronator

Basic setup... A DCS, a few PLCs, two ABB robots, an IP camera and a database server all connected to an unmanaged switch. The database server has a second NIC connected to the plant LAN making process data available to the masses.

Security... Not much, database server has Windows firewall enabled, unused ports are closed and access is limited to IPs that fall within our domain.

Need for greater security... Just had an incident, no damage but it was an eye-opener. A maintenance guy ran fiber to his desk and plugged into the control network so he could do PLC work without having to walk across the plant. He was using his "general use" desktop PC which probably spent quite a few night shift hours surfing YouTube. I'm wondering if I need to replace the switch with a managed one so that unrecognized IPs would not be able to communicate on the network. I'm also starting to question the safety of the dual-NIC database machine. Any tips on how to tighten up this system?
 
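A managed switch with port security can block an unknown device from talking at all; what the incident above also shows is that nobody noticed the new node. The following is an added example (not code from anyone in this thread) of the detection side: a small audit that compares a control-network neighbour (ARP) table against an approved asset inventory and flags devices that are not in the inventory, or an inventory address that is suddenly answered by a different MAC. The inventory, the MAC addresses and the `ip neigh`-style table are all constructed sample data; on a real network you would export the table from the switch or a monitoring host on the control LAN.

```python
"""Audit a control-network ARP table against an approved asset inventory.

Added example, not from the thread. Assumes a switch or host on the control
LAN can export 'ip neigh'-style lines; the inventory and the sample table are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Approved asset inventory (constructed sample). Keyed by MAC so that a known
# IP address answered by a new MAC is caught as well as a brand-new address.
INVENTORY = {
    "00:11:22:33:44:01": ("192.168.10.10", "DCS controller"),
    "00:11:22:33:44:02": ("192.168.10.20", "PLC line 1"),
    "00:11:22:33:44:03": ("192.168.10.21", "PLC line 2"),
    "00:11:22:33:44:10": ("192.168.10.30", "ABB robot 1"),
    "00:11:22:33:44:11": ("192.168.10.31", "ABB robot 2"),
    "00:11:22:33:44:20": ("192.168.10.40", "IP camera"),
    "00:11:22:33:44:30": ("192.168.10.50", "Database server (control NIC)"),
}

# Constructed neighbour table in 'ip neigh' format. Two entries should be
# flagged: an unknown MAC at 192.168.10.77, and PLC line 2's address now
# answered by a different MAC. The FAILED entry has no MAC and is skipped.
SAMPLE_ARP_TABLE = """\
192.168.10.10 dev eth1 lladdr 00:11:22:33:44:01 REACHABLE
192.168.10.20 dev eth1 lladdr 00:11:22:33:44:02 STALE
192.168.10.21 dev eth1 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.10.30 dev eth1 lladdr 00:11:22:33:44:10 REACHABLE
192.168.10.40 dev eth1 lladdr 00:11:22:33:44:20 REACHABLE
192.168.10.77 dev eth1 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.10.99 dev eth1  FAILED
"""

ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\w+$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_arp_table(text):
    """Return (ip, mac) pairs; entries without a resolved MAC are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def audit(entries, inventory=INVENTORY):
    """Flag unknown devices and inventory addresses answered by the wrong MAC."""
    findings = []
    ip_to_expected_mac = {ip: mac for mac, (ip, _) in inventory.items()}
    for ip, mac in entries:
        if mac in inventory:
            expected_ip, name = inventory[mac]
            if ip != expected_ip:
                findings.append(Finding(
                    ip, mac,
                    f"{name} seen at unexpected address (inventory says {expected_ip})"))
            continue
        if ip in ip_to_expected_mac:
            findings.append(Finding(
                ip, mac,
                f"inventory address answered by unknown MAC (expected {ip_to_expected_mac[ip]})"))
        else:
            findings.append(Finding(ip, mac, "device not in inventory"))
    return findings


def missing_assets(entries, inventory=INVENTORY):
    """Inventory devices that did not appear in the table (offline or unplugged)."""
    seen = {mac for _, mac in entries}
    return sorted(name for mac, (_, name) in inventory.items() if mac not in seen)


if __name__ == "__main__":
    entries = parse_arp_table(SAMPLE_ARP_TABLE)
    for f in audit(entries):
        print(f"ALERT {f.ip} {f.mac}: {f.reason}")
    for name in missing_assets(entries):
        print(f"NOTE not seen: {name}")
```

Run on a schedule, a check like this turns "someone plugged in a desktop" from something you find out about by accident into an alert; the inventory is also the list you would load into the managed switch's port security once it is in place.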
R
How about simply providing the guy with a PC dedicated to the control system?
I think it's reasonable to be able to work at a desk instead of out in the middle of the plant, don't you?

Roy
 
F
The issue is not the guy wanting to work at his desk, the issue is that someone connected an unsecured PC to the control system network without our knowledge.
 
Michael Griffin

If he has physical access to the system, he can do pretty much anything he wants. You can put any gadgets you want in the network, but he can just go around them. This is a management problem, not a technical one.

Whether it is safety, security, or anything else, the way to get people to do things the "right" way is to make sure that the right way to do things is the easy way to do things. As Mr. Matson said, I would look into why he felt he needed to do it in the first place and see how you can accommodate his needs.

The first thing in fact that I would be looking into is why he needs to connect to the PLC all the time. If the real problem is that the PLC program is full of bugs which cause the machine to go down half a dozen times a night, then fix that and the whole problem will go away. You'll make a lot of other people happy too.

As for improving security in general, I would suggest that the biggest hole in the system is the PC with the MS Windows OS and the database. That is the most likely thing to get a virus, worm, or other malware, and it is also the device which is directly exposed on the network. If you want to protect that, then you need to put some sort of security box between it and the rest of the plant.
 
Ranjan Acharya

There are several steps involved in locking down a control system.

This link is old http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf but it is a good start.

Another place to look is the NIST who have a lot of booklets on locking down systems - all free.

Have a look here https://www.pcsforum.org/ too.

The ISA have ISA 99, but this is only free if you are an ISA member.

This one is another favourite of mine http://www.cpni.gov.uk/.

All these documents "age" quite quickly so you have to keep on your toes.

--

My first steps would be to think about some kind of outer defence ring in the form of a firewall and managed switch. If you need to have something accessible to the "rest of the world" or the office LAN, consider some sort of DMZ approach.

Once you get the great wall up, then you have to move to a defence in depth protocol as your ingress points for miscreants and people who should know better can be anywhere in your system.

Stop when you run out of money as the security settings and systems you can put in place will easily exceed the cost of damage, etc. that could be caused by an idiot.

Of course, make sure you have a disaster recovery plan in place AND that you have actually tested it.

Don't forget change management - for larger end users some sort of database system sitting on the control LAN might be a good idea. But such systems are too expensive for a couple of robots.

--

Set some reasonable targets every six months to a year and audit what you've done. Then aim a bit higher etc.

Don't forget a patching protocol for Linux, Windows, BSD, etc. or whatever else you've got.

Be prepared to castigate people who go around your back and plug in to the network through a back door.

--

When you are feeling brave you can always call in a penetration testing specialist, I've never done this....

--

Unless you're crazy, remove any and all links to the outside world - and make sure you have an audit programme in place for all the laptops etc. with regard to anti-virus, anti-spyware, patching etc.

I would suggest an enforced appropriate use policy with teeth for mission critical laptops. They shouldn't be going home for YouTube.

--

Finally, stay tuned! The ISA is about to bring out some new security protocols that will, in all likelihood, include some kind of penetration testing. Hopefully it is affordable and practical.
 