Three Ways to Increase Security in Industrial Communications. (Part III)
To increase security in industrial communications, the incorporation of specific technologies that provide security to non-secure industrial protocols is essential.
The second way we propose to increase security in industrial communications is the incorporation of specific technologies that provide security to non-secure industrial protocols. To this end, the following best practices and/or technologies exist, among others:
- Network segregation using protocol whitelisting.
- The use of standards traditionally linked to IT environments to encrypt and authenticate industrial protocols (TLS, SSL, IPsec…)
- The incorporation of devices that allow the encryption of industrial traffic through algorithms such as AES256.
Protocol whitelisting is a segmentation technique: network devices are placed at segment boundaries to segregate the networks and to ensure that the protocol spoken between field devices, or between field devices and real-time systems, is a predetermined one for which a whitelist of the specific functions and objects of that protocol has been defined. In other words, it performs deep packet inspection (DPI) of the functions, objects and classes of a given industrial protocol in order to preserve the integrity of that protocol. As soon as a code injection occurs, or a communication is detected over a protocol that is not authorized, the segmentation device blocks the attempt, preventing any alteration of the communication in progress.
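As an added illustration of the DPI whitelist described above (example code written for this page, not a product or code from the original article), the filter below inspects Modbus/TCP frames, a protocol chosen here as an assumption since the text names none. The MBAP header layout and the function codes 0x03, 0x06, 0x10 and 0x08 are those of the public Modbus specification; the policy (an HMI may read registers 0..99 and write only setpoints 100..109) and the sample frames are constructed for the example. Anything the policy does not explicitly permit, including malformed frames and function codes the inspector cannot parse, is blocked.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// A Modbus/TCP frame is a 7-byte MBAP header (transaction id, protocol id,
// length, unit id) followed by the PDU: one function code byte plus data.
// The length field counts every byte after itself, unit id included.

// RegisterRange is an inclusive holding-register address range.
type RegisterRange struct{ Start, End uint16 }

// Policy is the whitelist for one segment: which function codes may cross
// the boundary, and which register ranges they may read or write.
type Policy struct {
	Functions map[byte]bool // allowed function codes
	Readable  []RegisterRange
	Writable  []RegisterRange
}

// Verdict is the filter decision and the reason for it (useful for logging).
type Verdict struct {
	Allowed bool
	Reason  string
}

func block(reason string) Verdict { return Verdict{false, reason} }

// inRanges reports whether [start, start+count-1] lies wholly inside one range.
func inRanges(rs []RegisterRange, start, count uint16) bool {
	last := uint32(start) + uint32(count) - 1
	for _, r := range rs {
		if uint32(start) >= uint32(r.Start) && last <= uint32(r.End) {
			return true
		}
	}
	return false
}

// Inspect applies the whitelist to one Modbus/TCP frame.
func Inspect(frame []byte, p Policy) Verdict {
	if len(frame) < 8 {
		return block("frame too short for MBAP header and function code")
	}
	if binary.BigEndian.Uint16(frame[2:4]) != 0 {
		return block("MBAP protocol id is not Modbus")
	}
	if int(binary.BigEndian.Uint16(frame[4:6])) != len(frame)-6 {
		return block("MBAP length does not match frame size")
	}
	fc, data := frame[7], frame[8:]
	if !p.Functions[fc] {
		return block(fmt.Sprintf("function code 0x%02x not whitelisted", fc))
	}
	switch fc {
	case 0x03: // Read Holding Registers: start address, quantity
		if len(data) != 4 {
			return block("malformed read request")
		}
		addr, qty := binary.BigEndian.Uint16(data[0:2]), binary.BigEndian.Uint16(data[2:4])
		if qty == 0 || qty > 125 {
			return block("read quantity outside the 1..125 allowed by the protocol")
		}
		if !inRanges(p.Readable, addr, qty) {
			return block(fmt.Sprintf("read of registers %d..%d not whitelisted", addr, int(addr)+int(qty)-1))
		}
	case 0x06: // Write Single Register: address, value
		if len(data) != 4 {
			return block("malformed write request")
		}
		addr := binary.BigEndian.Uint16(data[0:2])
		if !inRanges(p.Writable, addr, 1) {
			return block(fmt.Sprintf("write to register %d not whitelisted", addr))
		}
	case 0x10: // Write Multiple Registers: address, quantity, byte count, values
		if len(data) < 5 {
			return block("malformed multi-write request")
		}
		addr, qty, bc := binary.BigEndian.Uint16(data[0:2]), binary.BigEndian.Uint16(data[2:4]), int(data[4])
		if qty == 0 || qty > 123 || bc != 2*int(qty) || len(data) != 5+bc {
			return block("multi-write byte count inconsistent with quantity")
		}
		if !inRanges(p.Writable, addr, qty) {
			return block(fmt.Sprintf("write to registers %d..%d not whitelisted", addr, int(addr)+int(qty)-1))
		}
	default:
		// A whitelisted code this filter cannot parse is still blocked: the
		// policy must only list codes the inspector understands.
		return block(fmt.Sprintf("no parser for function code 0x%02x", fc))
	}
	return Verdict{true, "ok"}
}

// ExamplePolicy is the constructed policy: read 0..99, write setpoints 100..109.
func ExamplePolicy() Policy {
	return Policy{
		Functions: map[byte]bool{0x03: true, 0x06: true, 0x10: true},
		Readable:  []RegisterRange{{0, 99}},
		Writable:  []RegisterRange{{100, 109}},
	}
}

func main() {
	frames := map[string][]byte{ // constructed sample frames
		"read 0..9":          {0, 1, 0, 0, 0, 6, 1, 0x03, 0, 0, 0, 10},
		"write setpoint 100": {0, 2, 0, 0, 0, 6, 1, 0x06, 0, 100, 0, 1},
		"write register 5":   {0, 3, 0, 0, 0, 6, 1, 0x06, 0, 5, 0, 1},
		"diagnostics 0x08":   {0, 4, 0, 0, 0, 6, 1, 0x08, 0, 0, 0, 0},
	}
	for name, f := range frames {
		v := Inspect(f, ExamplePolicy())
		fmt.Printf("%-20s allowed=%-5v %s\n", name, v.Allowed, v.Reason)
	}
}
```

The default branch is the part practitioners most often get wrong: a whitelist that admits a function code without parsing its arguments lets the register-range policy be bypassed, so every permitted code needs a parser of its own.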
Regarding the use of standards traditionally linked to IT environments to encrypt and authenticate industrial protocols (TLS, SSL, IPsec…), the key point is to configure and/or include devices that incorporate this security layer easily, taking into account that industrial protocols have specific latency requirements and that degradation of system performance must be kept to a minimum. In other words, it is crucial to evaluate the delay added to communication latencies. Technologies currently exist that place hardware devices at the origin and destination of the communication, allowing virtual private networks (VPNs) to be configured between field devices and real-time systems so that the communication is not carried out in the clear.
Finally, the incorporation of devices that encrypt industrial traffic with algorithms such as AES256 is a practice closely related to the one described above. In this case, the most common scenario is the need to send data in encrypted form between several distributed operations networks and a given control center. To do this, a series of devices are incorporated that encrypt the information regardless of whether the endpoint is a network or a specific device, allowing N-to-N communications. Their configuration is normally very simple, which significantly reduces the cost of ownership of the solution: only the input and output channels need to be configured, so there is no need to create virtual networks and therefore no IP redirection.
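As an added example covering the last two points (the encrypting device at the origin and destination of the link, and the need to measure the latency it adds), the code below is written for this page and is not the article's or any vendor's implementation. It models a sending and a receiving gateway that wrap each industrial frame with AES-256 in GCM mode, so the traffic is both encrypted and authenticated, and it times a seal-and-open round trip so the overhead can be compared with the protocol's cycle time. The packet layout, the counter-based nonce, the per-sender replay check and the 32-byte placeholder key are all assumptions of the example; the sample frame is a constructed Modbus/TCP read request.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const nonceSize = 12 // standard AES-GCM nonce length

// Sender is the encrypting gateway at the origin of the link. The nonce is
// the gateway id followed by a strictly increasing counter, so no (key, nonce)
// pair is reused as long as the counter never wraps.
type Sender struct {
	aead    cipher.AEAD
	gateway uint32
	counter uint64
}

// Receiver is the decrypting gateway; it remembers the last counter seen from
// each sender so that a captured packet cannot be replayed.
type Receiver struct {
	aead cipher.AEAD
	last map[uint32]uint64
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewSender(key []byte, gateway uint32) (*Sender, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Sender{aead: a, gateway: gateway}, nil
}

func NewReceiver(key []byte) (*Receiver, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: a, last: map[uint32]uint64{}}, nil
}

// Seal wraps one frame as: channel(2) | gateway id(4) | counter(8) | ciphertext | tag(16).
// Channel and nonce travel in the clear but are authenticated as associated data.
func (s *Sender) Seal(channel uint16, frame []byte) ([]byte, error) {
	s.counter++
	if s.counter == 0 {
		return nil, errors.New("nonce counter exhausted: rekey before sending")
	}
	aad := make([]byte, 2)
	binary.BigEndian.PutUint16(aad, channel)
	nonce := make([]byte, nonceSize)
	binary.BigEndian.PutUint32(nonce[0:4], s.gateway)
	binary.BigEndian.PutUint64(nonce[4:12], s.counter)
	packet := append(append([]byte{}, aad...), nonce...) // fresh buffer, no aliasing
	return s.aead.Seal(packet, nonce, frame, aad), nil
}

// Open authenticates and decrypts a packet, then applies the replay check.
// The check runs after authentication so forged packets cannot move the window.
func (r *Receiver) Open(packet []byte) (channel uint16, frame []byte, err error) {
	if len(packet) < 2+nonceSize+r.aead.Overhead() {
		return 0, nil, errors.New("packet too short")
	}
	aad, nonce, ct := packet[:2], packet[2:2+nonceSize], packet[2+nonceSize:]
	gateway := binary.BigEndian.Uint32(nonce[0:4])
	counter := binary.BigEndian.Uint64(nonce[4:12])
	frame, err = r.aead.Open(nil, nonce, ct, aad)
	if err != nil {
		return 0, nil, errors.New("authentication failed: tampered, corrupted or wrong key")
	}
	if counter <= r.last[gateway] {
		return 0, nil, fmt.Errorf("replay: counter %d not above %d", counter, r.last[gateway])
	}
	r.last[gateway] = counter
	return binary.BigEndian.Uint16(aad), frame, nil
}

// MeasureOverhead seals and opens n copies of frame and returns the mean added
// latency per frame, the figure to compare with the protocol's cycle time.
func MeasureOverhead(key, frame []byte, n int) (time.Duration, error) {
	tx, err := NewSender(key, 1)
	if err != nil {
		return 0, err
	}
	rx, err := NewReceiver(key)
	if err != nil {
		return 0, err
	}
	start := time.Now()
	for i := 0; i < n; i++ {
		pkt, err := tx.Seal(1, frame)
		if err != nil {
			return 0, err
		}
		if _, _, err := rx.Open(pkt); err != nil {
			return 0, err
		}
	}
	return time.Since(start) / time.Duration(n), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                  // placeholder key; real gateways are provisioned out of band
	frame := []byte{0, 1, 0, 0, 0, 6, 1, 0x03, 0, 0, 0, 10} // constructed Modbus/TCP read request
	tx, _ := NewSender(key, 7)
	rx, _ := NewReceiver(key)
	pkt, _ := tx.Seal(5, frame)
	ch, got, err := rx.Open(pkt)
	fmt.Printf("channel %d frame %x err=%v intact=%v\n", ch, got, err, bytes.Equal(got, frame))
	_, _, err = rx.Open(pkt)
	fmt.Println("replayed packet:", err)
	pkt[len(pkt)-1] ^= 0x01
	_, _, err = rx.Open(pkt)
	fmt.Println("tampered packet:", err)
	d, _ := MeasureOverhead(key, frame, 10000)
	fmt.Println("mean seal+open latency per frame:", d)
}
```

The strictly increasing counter is the simplest replay defence and drops any packet that arrives out of order; a deployment on a lossy or multipath network would replace it with a sliding anti-replay window of the kind IPsec uses. The measured overhead is the per-frame cost of the cryptography alone; the serialization and network delay of the real gateway hardware comes on top and is what the latency evaluation in the text has to capture.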