Network infrastructure security concepts concern protecting the network infrastructure itself, including the protocols used to build and manage network functions. These key concepts apply at every level and area of the solution and help protect the IACS network and IACS applications against a broad range of attacks. The following elements are the key areas of the network security baseline:
● Infrastructure architecture - Managing and securing administrative access to the network infrastructure;
● Switching infrastructure - Network access control and Layer 2 design considerations;
● Routing infrastructure - Protecting the Layer 3 routing functions of the network from attack or misuse;
● Device resiliency and survivability - Protecting the resiliency and availability of the network devices;
● Network telemetry - Monitoring and analyzing network behavior and state in order to identify and react to problems and attacks.
These practices can be applied to different layers, zones, and related network architectures.
II. IACS Network Device Protection
This concept covers the practices for protecting the critical IACS endpoint devices themselves, especially controllers and computers. Because these devices play a central role in the IACS, their security receives special attention. The practices include the following:
● Physical security - Restricts physical access to zones, control panels, IACS devices, cabling, control rooms, and other locations to authorized people, and tracks visitors and partners;
● Computer hardening - Patch management and antivirus software, together with the removal of unused applications, protocols, and services;
● Application information security - Authentication, authorization, and auditing software, such as that used for IACS applications;
● Controller hardening - Change management and restriction of access to the controllers.
III. Cell/Area IACS Network Information Security
The key information security concepts applied to the Cell/Area zone include the following:
● Port security, password maintenance, and managed access to the Cell/Area network infrastructure;
● Redundancy and disabling of unneeded services;
● Network system event logging using Simple Network Management Protocol (SNMP), and network security monitoring;
● Restriction of broadcast domains, virtual local area networks (VLANs), and the types of network protocols allowed;
● Computer and controller hardening.
IV. Information Security for Manufacturing IACS Networks
Design considerations for the Manufacturing zone and its implementation are addressed early in the design, with special attention to critical cells/areas. Building on those considerations, the key information security considerations for the Manufacturing zone include the following:
● Best practices for the routing architecture, covering which devices may participate in the routing protocol, protection of routing information, and logging of routing state changes;
● Network and information security monitoring;
● Server information security, including endpoint security;
● FactoryTalk application information security.
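The logging and monitoring items above (SNMP and event logging in the Cell/Area zone, and the logging of routing state changes and network security monitoring in the Manufacturing zone) only pay off when someone turns the events into alerts. The following is an added example, not part of the original guide and not code from any Cisco or Rockwell Automation product: a small Python detector that runs over a few constructed Cisco IOS-style syslog lines and raises alerts for port-security violations, routing adjacency loss, and configuration changes. The hostnames, addresses, the collector line format, and the repeat threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample export from a syslog collector. Assumed line format:
# "<Mon dd hh:mm:ss> <hostname> <seq>: %FACILITY-SEV-MNEMONIC: <text>"
SAMPLE_LOG = """\
Jan 10 10:02:31 CELL1-SW1 1041: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
Jan 10 10:02:33 CELL1-SW1 1042: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/7.
Jan 10 10:02:40 CELL1-SW1 1043: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/7.
Jan 10 10:05:02 MFG-RTR1 2210: %OSPF-5-ADJCHG: Process 100, Nbr 10.13.1.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Jan 10 10:05:40 MFG-RTR1 2211: %OSPF-5-ADJCHG: Process 100, Nbr 10.13.1.2 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
Jan 10 10:07:15 MFG-RTR1 2212: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.13.48.55)
this line is deliberately malformed and must be counted, not silently dropped
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+\d+:\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)
# Detail extractors for the message types we alert on
PSECURE_RE = re.compile(r"MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>\S+?)\.?$")
OSPF_ADJ_RE = re.compile(r"Nbr (?P<nbr>\S+) on (?P<intf>\S+) from (?P<old>[A-Z]+) to (?P<new>[A-Z]+)")


def parse_line(line):
    """Split one syslog line into its fields; None if it is not IOS-style."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(ev):
    """Return an alert dict for a security-relevant event, else None."""
    fac, mnem, text = ev["facility"], ev["mnemonic"], ev["text"]
    if (fac, mnem) == ("PORT_SECURITY", "PSECURE_VIOLATION"):
        # Cell/Area zone: an unexpected MAC on a port-secured access port
        d = PSECURE_RE.search(text)
        return {"rule": "port-security-violation", "host": ev["host"],
                "port": d["port"] if d else "?", "mac": d["mac"] if d else "?"}
    if (fac, mnem) == ("OSPF", "ADJCHG"):
        # Manufacturing zone: routing state change; only the loss of a neighbor alerts
        d = OSPF_ADJ_RE.search(text)
        if d and d["new"] == "DOWN":
            return {"rule": "routing-adjacency-down", "host": ev["host"],
                    "neighbor": d["nbr"], "interface": d["intf"]}
    if (fac, mnem) == ("SYS", "CONFIG_I"):
        # Change management: every configuration change should match a change record
        return {"rule": "config-change", "host": ev["host"], "detail": text}
    return None


def analyze(log_text):
    """Run the rules over a syslog export; returns (alerts, unparsed_count)."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # a parser that drops lines silently also drops evidence
            continue
        alert = classify(ev)
        if alert:
            alerts.append(alert)
    return alerts, unparsed


def repeated_violations(alerts, threshold=2):
    """Ports with at least `threshold` port-security violations in the export."""
    counts = Counter((a["host"], a["port"]) for a in alerts
                     if a["rule"] == "port-security-violation")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG)
    for a in found:
        print(a)
    print("unparsed lines:", bad)
    print("repeated violations:", repeated_violations(found))
```

Running the block prints four alerts, one unparsed line, and the one port that tripped port security twice. In practice the repeat count would be kept over a sliding time window and the config-change alert would be correlated against the change-management system rather than raised unconditionally.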
V. DMZs and IACS Firewalls
DMZs and plant firewalls are a fundamental measure for protecting IACS networks and IACS applications. Combining a firewall with a DMZ is the key defense-in-depth approach for IACS network information security. Key features and functions of the DMZ and plant firewall design and implementation guidelines include the following:
● A plant firewall manages the flow of information between the Enterprise zone and the Manufacturing zone. It provides the following functions:
- Communication paths between network zones established according to a defined security policy, including the creation of a demilitarized zone (DMZ);
- Stateful inspection of all traffic between zones that the policy permits;
- Enforcement of user authentication when a resource in one zone is accessed from another zone, for example when services in the DMZ are accessed from the Enterprise zone;
- Intrusion Prevention System (IPS) inspection of traffic between zones, to recognize and block a wide range of potential attacks.
● Data and services placed in the DMZ can be shared securely between zones.
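To make the conduit model concrete, here is an added example, not code from the original guide or from any firewall vendor: a Python model of a plant firewall that applies a deny-by-default rule set between the Enterprise zone, the DMZ and the Manufacturing zone, refuses any connection initiated directly between enterprise and manufacturing in either direction, and keeps a flow table so that only genuine return traffic of a permitted flow is accepted. The zone address ranges, the rule set and the sample packets are hypothetical; port 44818 is the EtherNet/IP port used to illustrate an enterprise host reaching for a controller.

```python
from dataclasses import dataclass
import ipaddress

# Hypothetical zone addressing for the example (not the guide's reference design)
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.40.0/24"),
    "manufacturing": ipaddress.ip_network("10.13.0.0/16"),
}

# Permitted conduits as (source zone, destination zone, protocol, destination port).
# Anything not listed is denied. Note there is no enterprise<->manufacturing entry:
# everything crosses through a service hosted in the DMZ.
RULES = {
    ("enterprise", "dmz", "tcp", 443),      # e.g. mirrored historian / web portal in the DMZ
    ("enterprise", "dmz", "tcp", 3389),     # e.g. remote-access gateway in the DMZ
    ("manufacturing", "dmz", "tcp", 443),   # plant servers pushing data up to the DMZ
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    new: bool = True  # True for a connection-initiating packet (TCP SYN)


class PlantFirewall:
    def __init__(self, zones=ZONES, rules=RULES):
        self.zones = zones
        self.rules = rules
        self.flows = set()  # stateful table of permitted 5-tuples

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        return None

    def check(self, pkt):
        """Return (verdict, reason) for one packet and update the flow table."""
        sz, dz = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if sz is None or dz is None:
            return "DROP", "address outside any defined zone"
        if not pkt.new:
            # Stateful inspection: accept only replies to a flow we already permitted
            reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
            if reverse in self.flows:
                return "ACCEPT", "established flow"
            return "DROP", "no matching flow state"
        if {sz, dz} == {"enterprise", "manufacturing"}:
            return "DROP", "no direct conduit between enterprise and manufacturing"
        if sz == dz:
            return "ACCEPT", "intra-zone traffic does not cross the plant firewall"
        if (sz, dz, pkt.proto, pkt.dport) in self.rules:
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "ACCEPT", f"conduit {sz}->{dz} {pkt.proto}/{pkt.dport}"
        return "DROP", "default deny"


def run_scenarios():
    """Constructed traffic covering each verdict; returns the list of (verdict, reason)."""
    fw = PlantFirewall()
    packets = [
        Packet("10.1.5.20", "172.16.40.10", "tcp", 50001, 443),             # enterprise -> DMZ web
        Packet("172.16.40.10", "10.1.5.20", "tcp", 443, 50001, new=False),  # its legitimate reply
        Packet("10.1.5.20", "10.13.1.50", "tcp", 50002, 44818),             # enterprise -> controller
        Packet("10.13.1.50", "10.1.5.20", "tcp", 50003, 445),               # plant -> enterprise share
        Packet("10.13.1.50", "10.1.5.20", "tcp", 44818, 50002, new=False),  # forged "reply", no state
        Packet("10.13.2.7", "172.16.40.10", "tcp", 50004, 443),             # plant -> DMZ push
        Packet("10.1.5.20", "172.16.40.10", "tcp", 50005, 22),              # not a permitted conduit
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict, why in run_scenarios():
        print(f"{verdict:6} {why}")
```

The fifth packet is the case stateful inspection exists for: it looks like return traffic from a controller to an enterprise host, but no permitted flow ever opened in that direction, so it is dropped rather than matched against the rule table at all. A real plant firewall adds the user-authentication step for enterprise-to-DMZ access and IPS inspection on the accepted conduits; this model only shows the zone and state logic.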