Network Management of ICS Environment
- control system network, network management, network security architecture
Networking Architecture and Configuration
This covers the whole ICS environment that requires networked interconnection, such as DCS (internally and externally), SIS (including its interconnection with DCS/SCADA), PLC, EMS, etc. Proper design and architecture make the operations and maintenance phase easier and help maintain a robust and secure framework.
The segregation between system entities should be engineered to suit each case. Examples are the use of an L2 switch to connect the DCS server environment with its field controllers, or the use of a separate router for interconnection with other L3 systems (such as DMC and EMS).
The interconnection between the Business and Control System networks is also part of this segment. It is important to ensure that secure communication and filtering are governed at this point. The protocol and port used for, e.g., production Historian data communication should be specifically managed. The MAC and IP addresses of source and destination, and the routing protocol (static routing is recommended for production data communication), should be assigned, locked and managed as well. If someone from the Business environment intends to access the Control System environment, the access should be routed to the Terminal Server at the L3 layer first, under strict rules: IP address and MAC address filtering, communication locked to specific protocols and ports, user authentication, and a defined set of application-specific allowable access. One gateway for the Business and Control System network interconnection is recommended, in order to focus management and avoid too many channel links between these two environments (less to manage and fewer vulnerabilities as well).
Management of networking devices across all system environments should include, at a minimum, a periodic review of device configurations and user access lists. Before this periodic review can take place, an asset inventory of these networking devices should exist and be valid. The communication entities can also be reviewed with the Business organization, in order to reach a synchronized perspective and agreement on the communication channels and their content.
For further reference on secure configuration of switches, routers, IDPS and firewalls, see the documents below:
NIST SP 800-41, “Guidelines on Firewall and Firewall Policy”
NIST SP 800-94, “Guide to Intrusion Detection and Prevention System”
“Router Security Configuration Guide” developed by Router Security Guidance Activity of the Systems and Network Attack Center – National Security Agency (SNAC-NSA)
“Cisco IOS Switch Security Configuration Guide” developed by Switch Security Guidance Activity of the Systems and Network Attack Center – National Security Agency (SNAC-NSA)
Network security and system enhancement
Some of the recommended best practices for enhancing the security of the ICT and ICS environment are:
Perimeter controlled access
Locked and controlled cabinet access
Properly secure unused ports (physical protection)
Access restriction
Custodian responsibility to manage and control access (with periodic review and approval by the Owner)
Logical controlled access
Disable unused ports logically
Change default passwords
Encrypt the network device admin password
Secure line communication (telnet, aux, etc.) or disable it
Disable the IP HTTP server on routers and switches
Periodic review of Access Control Lists and existing accounts (for the ICS environment and the Business and Control System network interconnection, the review includes existing system/user accounts, communication protocols and ports, IP and MAC addresses, and routing protocol)
Disable internet access (in any ICS environment)
Uninstall unintended applications, except those related to system functions and support
Clean up music, video and any other files that have no relation to ICT/ICS functions
Use dedicated removable media for ICT/ICS purposes (flash drive, portable hard disk, etc.)
Scan removable media before and after connecting it to the ICT/ICS environment
Do not continue the process if a virus or malware is found during the scan; follow the standard for secure action
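As an added example (not part of the original article), the Python sketch below shows how the periodic configuration review could check the device-level items in this list against a saved Cisco IOS-style running-config. The sample config is constructed. Two rules are assumptions rather than the article's: a port in use is expected to carry a description, and a vty line without an explicit "transport input" is flagged because the default differs between releases.

```python
# Constructed sample running-config (not taken from any real device).
SAMPLE = """\
hostname ics-sw01
enable password plant123
ip http server
interface GigabitEthernet0/1
 description DCS-server-A
interface GigabitEthernet0/2
interface GigabitEthernet0/3
 shutdown
line aux 0
line vty 0 4
 transport input telnet ssh
"""

def blocks(config, prefix):
    """Return [(header, [indented sub-commands])] for top-level lines starting with prefix."""
    found = []
    for line in config.splitlines():
        if not line.startswith(" "):
            found.append((line.strip(), []))
        elif found:
            found[-1][1].append(line.strip())
    return [(h, b) for h, b in found if h.startswith(prefix)]

def audit(config):
    """Return findings for the checklist items that a running-config can show."""
    top = [h for h, _ in blocks(config, "")]
    findings = []
    if "ip http server" in top:
        findings.append("ip http server is enabled")
    if "service password-encryption" not in top:
        findings.append("service password-encryption is missing")
    if any(l.startswith("enable password") for l in top):
        findings.append("enable password in use; prefer enable secret")
    for header, body in blocks(config, "interface "):
        # Assumed site convention: every port in use carries a description.
        if "shutdown" not in body and not any(b.startswith("description") for b in body):
            findings.append(f"{header}: no description and not shut down")
    for header, body in blocks(config, "line "):
        transport = next((b.split()[2:] for b in body if b.startswith("transport input")), None)
        if header.startswith("line vty") and (transport is None or set(transport) & {"telnet", "all"}):
            findings.append(f"{header}: telnet not explicitly excluded")
        if header.startswith("line aux") and "no exec" not in body:
            findings.append(f"{header}: exec not disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against each device's saved configuration from the asset inventory, the findings list gives the reviewer a starting point; items such as default passwords and physical port protection still need manual verification.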
A network assessment can be one of the best approaches for understanding the SWOT status of this environment. It can be combined with the Risk Assessment as one integrated part. Any gaps should be closed out (especially the critical ones) and stewarded with acknowledgement from Management. Good coordination is one of the success factors in network management.