Secure-by-design Networks

Security by design refers to the integration of security and risk management into the structure of a network, achieved through the implementation of segmentation and Agile infrastructure design.

Essentially, security measures are incorporated from the outset to ensure the network is secure from the ground up. Creating a secure environment for sensitive information is essential, as such data often needs to be moved, stored and accessed, making it vulnerable to cyber-attacks. If these systems are breached, the consequences can be significant and costly.

The following is a collection of guidelines that can assist in developing a secure-by-design network and systems that are resistant to cyber-attacks while simultaneously being simple to manage and upgrade.

The aim of these principles is to guarantee that the networks and technologies which support modern enterprise and industrial systems are designed and built with a clear emphasis on security. The principles have been conceived to be applied to both digital and cyber-physical systems. They are divided into five categories that correspond to different stages at which a security breach can be mitigated:

  1. Determine the Context: Define all the elements which compose your system, so your defensive measures will have no blind spots.

  2. Make Compromise Difficult: An attacker can only target the parts of a system they can reach; this is called the attack surface. Make your system as difficult to access as possible.

  3. Make Disruption Difficult: Design a system that is resilient to denial-of-service attacks and usage spikes.

  4. Make Threat Detection Easy: Design your system so you can spot suspicious activity as it happens and take necessary action.

  5. Reduce the Impact: If an attacker eventually succeeds in gaining a foothold, they will then move to exploit your system. Make sure what they find is not easy to compromise and, if they do compromise it, that your assets and data are safeguarded with proper backups.

Secure-by-Design Principles

The design of a secure data network is based on the following assumptions about the business and its teams:

  1. There is a limited IT workforce and no dedicated security personnel.

  2. The OT team is not much involved in IT and security systems/decisions.

  3. The IT team primarily serves non-technical personnel.

  4. The budget for security, and IT in general, is restricted or non-existent.

  5. There is insufficient time to train numerous users on new procedures.

  6. However, there is a strong need for making the users, operations and business data secure.

The most significant challenge faced by small and medium-sized companies in terms of security is that their networks and systems cannot be secured by a single standard solution. Due to limited personnel and budget, these businesses cannot afford to hire a security team, and they may not be aware of all the potential threats they face. This awareness gap, coupled with the fear of malicious hackers and the understanding that there is no external assistance available, makes the attractive-sounding, "black box" solutions from vendors more appealing than many would care to admit.

Nevertheless, a simple security-by-design approach would help to prevent most threats. What is crucial is to establish grounded, achievable security and availability goals, in order to prevent threats and make risk manageable.

Key goals must include:

  • Protect high-value assets

  • Reduce the internal attack surface

  • Limit access to the unpatched/vulnerable devices

  • Few/no visible changes to end-users

The initial step for a secure-by-design network is to gain an understanding of the assets in your communications infrastructure. You can't secure what you don't see, so it is impossible to safeguard assets that have not been properly identified and characterised. As the objective is to secure the network, crucial information required will be:

  • Current Network Architecture and Integrations.

  • Servers: Applications or Server roles, OS Versions, Open Ports.

  • Clients: OS Versions, Number of Clients, Connection Locations.

  • Networking Equipment: Management IP Addresses, Software/Hardware/Firmware versions, licensing/warranty information.

  • OT Systems: PLCs, SCADA, MES and other Industrial Control Systems.

  • Connected (or to-be-Connected) Devices: Field Assets such as CNC Machinery, Robots, EAVs, Cranes, Conveyor Belts, Environmental Sensors, IP Cameras, CCTVs, Automated Access Systems, and Mobile Devices.

It is not surprising that numerous small and medium-sized companies adopt flat network architectures, as they facilitate plug-and-play operations. This means that any device connected to the network can communicate with other devices without any restrictions. While this approach benefits functionality, it poses security challenges. To address this risk, it is key to restrict open communication without disrupting network operations. With the right configuration of the network hardware and software, it is possible to:

  • Create Virtual Local Area Networks (VLANs) to segment the network.

  • Create Access Control Lists (ACLs) that will control what parts of the network can talk to what other parts of the network.

  • Reduce the attack surfaces of the network.

If a port is not designated as a trunk port, it can only transmit data for the VLAN it is assigned to. A trunk port encapsulates and tags VLAN traffic with the originating VLAN number so the connected device knows which VLAN the packet is for. VLANs are treated as distinct networks, as if they ran on separate hardware. Traffic from one VLAN will only ever reach another VLAN through a router.

An ACL is simply a rules-based firewall that checks outgoing or incoming packets. When a packet is being processed, the check begins with the first rule in the ACL and proceeds down the list, stopping at the first rule that matches the packet.
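The first-match behaviour described above, as an added example that is not part of the original page: a small evaluator showing that the same rules give different results in a different order, plus a check for rules that can never fire. The group names other than CLIENTS, the subnets, the port numbers and the final implicit deny are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address groups (illustrative subnets, not from the page).
GROUPS = {
    "CLIENTS": ["10.0.20.0/24"],
    "SERVERS": ["10.0.10.0/24"],
    "MGMT": ["10.0.99.0/24"],
}

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # group name
    dst: str              # group name
    port: Optional[int]   # None matches any destination port

def nets(group):
    return [ipaddress.ip_network(n) for n in GROUPS[group]]

def in_group(ip, group):
    return any(ipaddress.ip_address(ip) in n for n in nets(group))

def evaluate(acl, src_ip, dst_ip, port):
    """Walk the list top-down; the first matching rule decides."""
    for i, r in enumerate(acl):
        if in_group(src_ip, r.src) and in_group(dst_ip, r.dst) and r.port in (None, port):
            return r.action, i
    return "deny", None   # assumption: unmatched traffic is dropped

def covers(a, b):
    """True when rule a matches every packet that rule b matches."""
    def within(inner, outer):
        return all(any(i.subnet_of(o) for o in nets(outer)) for i in nets(inner))
    return within(b.src, a.src) and within(b.dst, a.dst) and a.port in (None, b.port)

def shadowed(acl):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, b in enumerate(acl) if any(covers(a, b) for a in acl[:j])]

# Constructed rule sets: the broad permit placed before, then after, the specific deny.
BROAD_FIRST = [Rule("permit", "CLIENTS", "SERVERS", None),
               Rule("deny", "CLIENTS", "SERVERS", 3389)]
SPECIFIC_FIRST = [Rule("deny", "CLIENTS", "SERVERS", 3389),
                  Rule("permit", "CLIENTS", "SERVERS", None),
                  Rule("deny", "CLIENTS", "MGMT", None)]
```

Running `shadowed()` over a rule set before deploying it catches a deny that was written but sits below a broader permit.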

Effective network segmentation is likely the most cost-effective security measure in any setting. Aggressive traffic control within your network restricts an attacker's ability to move around covertly and without interaction. If attackers are unaware of traffic restrictions, they may raise red flags while attempting to understand them.

The following phased deployment will have no impact on the function of the network:

  1. Segmentation of the network (no/minimal filtering). Segmenting the network enhances security for devices that are typically less secure, such as older or unpatched machines in the environment. Additionally, network segmentation can help prevent attackers from tampering with the network infrastructure. Managing wireless networks can be a challenging task, requiring careful planning and consideration of various factors. However, you can separate the Wi-Fi from the rest of the network as soon as possible. Both guests and employees will use the same wireless network, secured with standard measures such as WPA2-PSK, AES, and a 12-character password displayed prominently in the reception area.

  2. Monitoring and analysing traffic to high-value or vulnerable assets. By segmenting the network into VLANs, you have effectively created distinct networks. This setup creates a convenient traffic bottleneck at the router, which you can use to monitor network activity. If the switch supports port mirroring, which copies traffic from one interface to another for analysis, then you have optimal data flows. Alternatively, you can opt for a switch that can mirror traffic specific to a VLAN. However, if neither has any mirroring capability, you will need to place a monitoring device between the switch and the router to capture and analyze traffic.

  3. Implementing ACLs/firewalls to restrict unnecessary traffic. This phase covers designing and deploying the ACLs. Aliases stand in for a set of rules or addresses/protocols; you can use them as shorthand, so the same addresses do not have to be written out in different places. Additionally, ML-powered, cloud-based network security leverages inline deep learning to stop unknown zero-day attacks. NGFWs make network security intelligent and proactive, so it's always a good idea to find a vendor to implement them.

  4. Harden the network.

There is a long list of things that can be done in the interest of generally hardening the network infrastructure. We are going to focus on the things that align with what we have already done.

Most of our hardening is a matter of reducing the attack surface of the network components. Luckily, we've built a huge component of that into our CLIENTS ACL in the previous section. This protects the network infrastructure from some software vulnerabilities that it may have and that would allow an attacker to change the configuration of your infrastructure.
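Phases 2 and 3 of the deployment above, as an added example that is not part of the original page: flows observed at the router bottleneck are grouped by segment, so the ACLs can be written from what the network actually does and nothing legitimate breaks when filtering is switched on. The segment names, subnets, flow records and the threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed segment plan: VLAN name -> subnet (illustrative values).
SEGMENTS = {
    "CLIENTS": ipaddress.ip_network("10.0.20.0/24"),
    "SERVERS": ipaddress.ip_network("10.0.10.0/24"),
    "OT": ipaddress.ip_network("10.0.50.0/24"),
    "WIFI": ipaddress.ip_network("10.0.60.0/24"),
}

# Constructed flow records from the mirrored router port: (src, dst, dst_port).
FLOWS = (
    [("10.0.20.11", "10.0.10.5", 443)] * 4      # clients to web server
    + [("10.0.20.12", "10.0.10.5", 445)] * 3    # clients to file share
    + [("10.0.60.7", "10.0.50.20", 502)]        # Wi-Fi device to a PLC (Modbus/TCP)
    + [("10.0.20.11", "10.0.20.12", 445)]       # same VLAN, listed only for contrast
)

def segment_of(ip):
    """Name of the segment that contains ip, or UNKNOWN if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "UNKNOWN")

def flow_matrix(flows):
    """Count inter-VLAN flows per (source segment, destination segment, port)."""
    matrix = Counter()
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d:              # intra-VLAN traffic is not filtered by the router ACL
            matrix[(s, d, port)] += 1
    return matrix

def split_candidates(matrix, min_count=3):
    """Frequent flows become candidate permit rules; rare ones go to manual review."""
    permits = sorted(k for k, n in matrix.items() if n >= min_count)
    review = sorted(k for k, n in matrix.items() if n < min_count)
    return permits, review

def main():
    permits, review = split_candidates(flow_matrix(FLOWS))
    for src, dst, port in permits:
        print(f"candidate permit  {src} -> {dst} port {port}")
    for src, dst, port in review:
        print(f"review before ACL {src} -> {dst} port {port}")

if __name__ == "__main__":
    main()
```

Flows on the review list are the ones to question with the asset owner: each is either a rare but legitimate dependency that needs its own rule or traffic the segmentation is meant to stop.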

Business Resilience Creation

Security is much more than just malware prevention. Designing a comprehensive, resilient network with industrial-grade systems (long-range connectivity, routers, repeaters, and network configurations and topologies built for industrial purposes) and proper backup and recovery solutions will ensure the security of your data and assets in any case, anytime. Learn more about business resilience in the next video:

Guidelines for Manufacturers

The manufacturing industry is the second most targeted industry when you look at the number of reported cyber attacks. Cybercriminals target small and medium-sized manufacturers because many of these companies do not have adequate preventative measures in place.

These simple, low-cost steps (5 Functions of the Cybersecurity Framework) are based on the official NIST guidance from the Cybersecurity Framework and have been tailored to meet the needs of any industrial company so they can identify, assess and manage cybersecurity risks.

The “Manufacturing Profile” of the CSF is a guide that can help manufacturers reduce cybersecurity risk while adhering to sector goals and industry best practices. It presents a voluntary, risk-based framework for managing cybersecurity activities and mitigating cyber threats to manufacturing systems. While it is intended to supplement existing cybersecurity standards and industry guidelines, it does not serve as a replacement for them.

This guide outlines common cybersecurity practices for small and medium-sized manufacturers. The activities are grouped according to the 5 Functions of the Cybersecurity Framework.

The majority of manufacturers are obligated to comply with various standards, regulations, laws, or requirements pertaining to cybersecurity and privacy. These mandates may originate from federal, state, local, or tribal governments, industry mandates, or be voluntary. The following is a non-exhaustive list of some of the most prevalent cybersecurity and privacy laws and requirements:

  • Defense Federal Acquisition Regulation Supplement (DFARS): manufacturers in the defense supply chain may see one or more DFARS cybersecurity requirements in their contracts.

  • The International Traffic in Arms Regulations ("ITAR," 22 CFR 120-130): Governs the export and temporary import of defense articles and services.

  • Payment Card Industry Data Security Standard (PCI DSS): A security standard used to ensure the safe and secure transfer of credit card data.

  • Sarbanes-Oxley (Pub L. 107-204): Requires any publicly traded company to have formal data security policies and to communicate and enforce those policies.

  • State privacy laws: Many states have enacted privacy laws covering how businesses can collect and use information about consumers.

  • The Children's Online Privacy Protection Act (15 USC §6501 et seq.): Governs the collection of information about minors.

  • The Federal Trade Commission Act (15 USC § 41 et seq.): Gives the FTC broad authority to protect consumers against organizations that fail to follow basic cybersecurity and privacy best practices.

  • The General Data Protection Regulation (GDPR): Governs the collection, use, transmission, and security of data collected from residents of the European Union.

The ISA/IEC 62443 series of standards defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). These standards provide a comprehensive approach to cybersecurity, encompassing both operations and information technology as well as process safety and cybersecurity, and establish the best practices for security and performance assessment.

The ISA/IEC standards are designed to establish cybersecurity benchmarks for all industries that employ IACS, such as building automation, medical devices, electric power generation and distribution, transportation, and process industries including oil and gas and chemicals.

Furthermore, these standards establish requirements for key stakeholder groups involved in control system cybersecurity, such as asset owners, automation product suppliers, integrators, and service suppliers who support the operation of control systems and their components.

People, processes, and technology all play critical roles in securing automation and control systems. The ISA/IEC 62443 series addresses the security of industrial automation and control systems (IACS) throughout their lifecycle (which applies to all automation and control systems, not only industrial).

The ISA/IEC 62443 standards provide guidance that includes:

  • Defining common terms, concepts, and models that can be used by all stakeholders responsible for control systems cybersecurity

  • Helping asset owners determine the level of security required to meet their unique business and risk needs

  • Establishing a common set of requirements and a cybersecurity lifecycle methodology for product developers, including a mechanism to certify products and vendor development processes

  • Defining the risk assessment processes that are critical to protecting control systems

Polestar's background in computer networking is second to none in helping small, medium and corporate sized manufacturers and industrial companies to implement segmentation and security-by-design as a cost-effective method for better security controls and asset protection.

