Industrial networks protection with MOXA

30 July 2019 Knowledge Base

While commercial companies apply the opportunities offered by the Internet of Things (IoT), digitalization has become a necessity for industrial enterprises as well, thus, creating a demand for the Industrial Internet of Things (IIoT). Over the recent years, digital technologies are being deeply integrated into the industrial control systems. The industrial control system networks were physically isolated and nearly immune to cyberattacks. However, the complexity of cyberattacks has evolved recently and now IT and OT (CAM) specialists have to integrate the solutions that enhance the level of industrial cybersecurity. Hence, understanding industrial cybersecurity requirements will help companies to lower the risks of cyberattacks.

Read on to find out more.

There exist two viewpoints on how the enterprise network should be arranged. As a rule, the OT engineers understand the work of industrial protocols quite well, however, they lack the informational security knowledge. On the contrary, the IT specialists possess the required competence, but do not deal with OT networks as they do not know how it works.

Accessing the problem and complying with the users’ requirements, MOXA has started to develop the cybersecurity line by actively integrating additional functions and releasing new devices that conform to industrial security requirements.

Differences between OT and IT


IT


0f21a8ae085f9743c62ba3fe1355bc97.png

OT


5d633e1412fd3b29058e7b911bdff4df.png

9d757b4d64dfbaed76e6b5d7ece73fda.png

[Expertise]

— Communication with OT vendors, little knowledge of industrial security

— Communication with IT vendors, expertise in industrial security



3adcd5212fe6d8b34c724f029738fdd5.png

[Position]

— ACS is protected

— Industrial security is within the responsibility of IT department

— IT department can disrupt the work of ACS, let them stay away fr om our systems

— Windows and Linux are the basic OSs in ACS

— ACS is untouched

— PLC can’t be touched as it may get broken



2a45baf62929c1c6a87bb063274f7b04.png

[Strong/
weak points]

- Large-scale systems and networks

+ Industrial devices

+ Industrial protocols

+ Large-scale systems and networks

- Industrial devices

- Industrial protocols



All cybersecurity solutions from MOXA can be divided into 3 large groups:

Device security solutions

To enhance the level of device security, MOXA has released a bunch of functions increasing cybersecurity based on the requirements of the IEC 62443 international standard. The complete set of security functions has been implemented within many devices, including Industrial Ethernet Switchesindustrial routers, rack mount managed switches, rack mount unmanaged switches, switches of EDS-500E series, selected NPort models of serial interface servers and protocol gateways.

Intrusions and attacks prevention

To prevent intrusions and attacks, it is important to have a good access control mechanism that can identify, authenticate and authorize users. Moxa’s network devices support functions of user account management, password policy and authentication interface that conform to technical security requirements of the IEC 62443 standard.

  • Operators can use these functions to create user accounts and assign roles, grant access rights and access control rights to devices within networks.
  • Authentication by means of IEEE 802.1x, RADIUS, TACACS + protocols and support of MAB (MAC Address Bypass) for devices that do not support IEEE 802.1x.
  • Port security is provided with Static Lock function or its MAC-address Sticky upd ated version that allows auto learning the MAC address of the connected device without its manual typing. ACL (Assess Control List) provides network security by controlling access to devices.
  • Providing protection against DoS attacks is possible by disabling unencrypted and unused interfaces (for example, HTTP and Telnet) and limiting maximum amount of login users, to prevent a device from overload with superfluous requests.
ec620664ba9f72e0c524fb38e8fc22b3.png

Confidential data protection

Moxa devices support the HTTPS/SSH protocol extended features that provide secure data transmission over insecure networks. In order to protect data from being stolen or corrupted, Moxa provides such functions as SNMP password encryption and network configuration encryption, that ensure the highest level of network device protection.

NPort 6000 secure interface converters use SSL for secure data transmission in Secure TCP Server, Secure TCP Client, Secure Pair Connection and Secure Real COM modes. NPort drivers conform to the SSL standards and automatically negotiate the encryption key. To prevent hacker attacks, NPort automatically switches from DES/3DES to AES encryption for highly protected data transmission.

465ba8b537af5d2f1e1a6b53ea621bb9.png

Tracking network events

Protection against cyberattacks does not end with the devices settings only. You should constantly track the network status and check network events for potential threats. Despite the fact that it is quite difficult to detect a breach in real time, security event logs can help you find the source of the problem. Information from these data logs can be implemented to track network activity, analyze potential treats or identify devices that are improperly configured and can be later used for disconnecting user access, deleting user accounts, or device restart.

13cf2b2e20569fd75043bc46c5763d42.png

MOXA solutions

EDS-500E managed switches

f4fe29332af921c1ad67686dbda0409c.jpg

See more

Rackmount switches of IKS/ICS series

18fe89b4db65cc2e5c9ad99d5e68efbe.jpg

See more

Secure serial interface servers NPort 6000

29742d3a782725be9fe36b57f0fb984a.jpg

See more



Network security solutions

Industrial control system networks used to be completely isolated from a corporate network and the Internet network. Despite the fact that more and more devices are getting connected to industrial networks, most OT operators do not comprehend the necessity of cybersecurity. Due to the amount of cyberattacks aimed at crucially important industrial sector, it is clear that the process control networks are under the high risk of attacks.

Network segmentation for zones and areas

Secure network architecture requires ACS network to be segmented into protected and isolated zones and areas. The communication between each zone and area is secured by firewalls, which additionally reduces possibility of a network to become a cyberattack victim.

Industrial network secure routers of EDR series provide protection of zones and areas by means of a firewall (Transparent Firewall) that protects control networks and critical devices such as PLC and RTU from unauthorized access. Thanks to this solution, there is no need in reconfiguring the network parameters, which makes deployment faster and easier. EDR-810 series supports Turbo Ring redundancy technology that makes network segmentation more flexible and economically efficient. Moreover, Ethernet switches from Moxa can create virtual subnets (VLAN) to divide each area into smaller networks that will isolate traffic form other VLANs.

a893e51204d3819fc5d1c979eb6e9d63.png

Decomposition of a network into subnets increases the security level.

Control over traffic transmitted between zones

Traffic that passes between zones within an industrial networks must be thoroughly studied, in order to enhance security. There are several ways to do that. One of the methods is exchanging data via DMZ, wh ere a data server is installed between the secure ICS network and insecure networks without a direct connection. EDR-G903 series from Moxa can help to provide secure traffic control by applying firewall user rules. The second method implies that EDR routers perform deep check of Modbus TCP packets (PacketGuard technology), to control actions and enhance traffic control. This method simplifies administration tasks and can protect from unwanted traffic passing from one network to another. In addition to firewall, it is possible to use an access control list to filter switch ingress packets by the IP address, allowing network administrators to secure networks by controlling access to devices or the network parts.

9bf84f97ec7aab385e2e159ff6bd64dd.png

Define, what traffic can pass between the network zones.

Secure remote access to the enterprise network

Today, there are two solutions for secure remote access available. For constant connection, standard VPN tunnels are recommended. EDR series from Moxa can utilize IPsec, L2TP over IPsec or OpenVPN to configure encrypted IPsec VPN tunnels or OpenVPN clients. These methods protect data from being altered during transmission and provide secure remote access between industrial networks and remote applications. Alternatively, providing the remote access is required to be available on demand to specific computers or sensitive areas only, then a management platform for all remote connections is necessary.

08804244d223cabf87648373156223d0.png

Remote access to the enterprise network.

MOXA solutions

Secure routers with switch functions EDR-810

610cd551f670d84ad549a53d3dc71f7a.jpg

See more

Secure routers EDR-902

025930d7dfb9b3d4655e0b4cc3f3a342.jpg

See more

Secure routers EDR-903

e6d5c168b161debadedc78c035a3b2d6.jpg

See more



Comfortable secure network management

The devices have protection features, but how to make sure that they are se t up correctly?

9037b560b1951a2da51320baa9cd4293.jpg

MXview network management system represents an integrated management platform that can manage network devices and monitor network condition directly from a web browser both locally, and remotely. Moreover, Security View function helps users visualize the security status of network devices. By using Security View, network administrators can view the security level of a device and check the security parameters such as the password policy status in real time for each network device. Users can apply built-in profiles that comply with the technical security requirements of the IEC 62443 standard. Security View also provides security experts the opportunity to create profiles. Network administrators can easily obtain a complete overview of the network security level and quickly respond to any vulnerability detected in their networks.

Save time on security management with MXconfig

82fcefe60af9540708cf28b179f16dce.jpg

There are several security settings for each network device that should be checked and activated, in order to conform to the IEC 62443 technical standard requirements. Without such tools as MXview and MXconfig, network administrators have to check network devices manually one by one, in order to set the parameter, which requires much time and increases the error probability. MXconfig security wizard reduces setup time significantly, thanks to the simultaneous setting of large number of devices, and helps when configuring each device separately.

Application examples

With over 30 years of expertise in the sphere of industrial networks, Moxa utilizes its experience to help clients build secure networks by offering protection for PLCs, SCADA systems, factory networks, and remote access. Download the subject studies to learn more.


9c9c2355d5c899e9242614ba5f85067f.jpg

PLC and SCADA protection

Customer: Oil and gas service company

Task

High-capacity oil and gas pipelines often span thousands of kilometers. The pump stations along the pipeline are equipped with analyzers and PLCs. The customer found it complicated to maintain a secure and stable network connection between the stations and the remote SCADA system because the PLCs and I/O devices did not have any security features.


4ac5ea922a49a299e53dbc0c1f926dd3.jpg

Factory networks protection

Customer: Automotive parts plant

Task

The manager of an automotive parts plant planned to digitalize all production processes. The field devices work on the EtherNet/IP protocol for control unification and data acquisition. As there is a large-scale network infrastructure in this plant, it is very complicated for the plant manager to monitor all devices and visualize the network topology. Moreover, in order to arrange the digitization, all networks must be interconnected from the field site to the ERP and to the cloud. It is crucial to have proper cybersecurity measures to allow the process of digitalization to occur without affecting production efficiency.


ab18ae2cc5e40b281946ca6b19c99e83.jpg

Remote access protection

Customer: CNC machine manufacturer

Task

Maximum network failure-free time increases the plant productivity. A leading manufacturer of mechanical power presses was to provide a prompt and more efficient after-sales service, in order to ensure enhanced machine performance and effective troubleshooting. At first, the manufacturer applied Windows-based Remote Desktop Control (RDC) technology, but, in this case, security risks and additional costs occurred. Moreover, a Windows-based computer is subject to security risks by itself, and the possibility of attacks becomes even greater when the computer gets connected to the Internet.

Why MOXA

a88dece454c8619f5f55737109425e75.png

In-depth approach to security

Moxa’s product portfolio is based on the in-depth defense concept that includes secure devices, secure network infrastructure, and security management.

e57413861a8778abfe31aca4ed5f6e37.png

Continuously enhancing security

Moxa follows a proactive approach to defend our products from vulnerabilities and help our customers manage security risks better.

60ba7baade740d7d57d51fc0fba68567.png

Development of security systems for IT and OT

Moxa has entered into a partnership agreement with Trend Micro, in order to meet to the growing security demands as well as the security requirements from IT personnel.



Fast Product Request