Protect Your Industrial
Networks from Edge to Cloud
The widespread adoption of the IIoT is resulting in more and more devices being brought online. While industry operators are keen to reap the benefits of digitizing automation, they are also faced with the increased risks that accompany this trend. For example, the fact that the network is isolated does not always mean that it is secure. As more devices become connected, the attack surface also increases, which makes networks more vulnerable to cyberattacks and unauthorized access. This lack of awareness about security issues can have serious consequences. For example, it only takes a very small cybersecurity breach to corrupt or delete a large amount of data, which can lead to significant production losses. Moxa helps users address the challenges they may encounter and build cybersecurity solutions that bring value to all industrial automation players.
Cybersecurity Challenges for Industrial Networks
Lack of Guidelines for Deploying Hardened Network Devices
One of the most common misunderstandings is that all cybersecurity risks can be mitigated as long as firewalls are deployed; the security features in network devices also play a key role in building the defense-in-depth security architecture. In the past, OT operators did not deploy hardened networks and did not have any clear guidelines to follow, which further convoluted the implementation of cybersecurity solutions.
Lack of Cybersecurity Awareness when Designing Network Architecture
Industrial Control System (ICS) networks used to be isolated and used air-gap protection to keep secure networks separate from unsecured networks. Even though industrial networks are continuing to connect more devices, most OT operators still rarely take cybersecurity defense into consideration. Due to the number of cyberattacks targeting the critical manufacturing sector, it is clear that ICS networks are at high risk of attack.
Lack of Security Management Principles and Monitoring Tools
Human error is reported to be the leading cause of why networks are subjected to cyberattacks (37%); human error is a frequent cause because security management principles are often ignored. In order to adhere to the principles of security management, OT operators must constantly monitor the network. However, constant monitoring is considered by many in the industry to be troublesome, as it requires staff with specialized knowledge and and is time-consuming.
Defense-in-Depth Solutions for Industrial Networks
Defense-in-Depth Security Architecture
Segment networks to secure communications between components in different automation zones and cells.
Network Segmentation for Zone and Cell Protection
The defense-in-depth security architecture divides the ICS network into protected individual zones and cells. The communication in each zone or cell is secured by firewalls, which further reduces the chance that the entire ICS network will fall victim to a cyberattack. Moxa's EDR Series consists of industrial secure routers that help operators provide zone and cell protection by using a transparent firewall that protects control networks and critical devices such as PLCs and RTUs against unauthorized access. By using this solution, there is no need to reconfigure network settings, which makes deployment faster and easier. The EDR-810 Series supports Moxa’s Turbo Ring redundancy technologies, which makes the deployment of network segmentation more flexible and economical. Moreover, Moxa’s Ethernet switches can create a virtual LAN (VLAN) to decompose each of the ICS domains into smaller networks that isolate traffic from other VLANs.
Identify and scrutinize traffic between zones within the ICS network.
Traffic Control for Interaction Between Zones
Traffic passing between zones in an ICS network must be scrutinized in order to enhance security. There are several ways to implement this. One method is to have data exchanged via a DMZ, where the data server is accessible between the secure ICS network and insecure networks without a direct connection. Moxa's EDR-G903 Series can help achieve secure traffic control by utilizing user-specific firewall rules. The second method is for the EDR routers to perform deep Modbus TCP inspection by using PacketGuard to control actions and enhance traffic control. This method simplifies administration tasks and can protect against unwanted traffic from one network to another. In addition to firewalls, an Access Control List can be used to filter switches’ ingress packets by IP address or local IP, which allows network administrators to secure networks by controlling access to devices or parts of the network.
Secure remote access to the ICS Network.
Secure Remote Access to the ICS Network
There are currently two solutions available to deal with the main requirements for secure remote access to applications. For constant connections, standard VPN tunnels are recommended. Moxa's EDR Series can use IPsec, L2TP over IPsec, or OpenVPN to set up encrypted IPsec VPN tunnels or OpenVPN clients. These methods protect data from being manipulated when it is being transmitted and ensure secure remote access between industrial networks and remote applications. Alternatively, if remote access is only required to be accessible on demand to specific machines or sensitive areas, then a management platform for all remote connections is required.