
Article information

  • Title: Securing the network for industrial infrastructure.
  • Authors: Truican, Ion; Dan, Stefan; Kristaly, Dominic Mircea
  • Journal: Annals of DAAAM & Proceedings
  • Print ISSN: 1726-9679
  • Year: 2007
  • Issue: January
  • Language: English
  • Publisher: DAAAM International Vienna
  • Abstract: Key words: security, availability, confidentiality, network.
  • Keywords: Computer networking equipment; Computer networks; Corporate security; Data processing; Data security; Electronic data processing; Industry; Network administrators; Systems and data security software

Securing the network for industrial infrastructure.

Truican, Ion; Dan, Stefan; Kristaly, Dominic Mircea


Abstract: Nowadays, building and maintaining a secure network is a challenge for network technicians, regardless of the environment in which that network will be used. Confidentiality of the data transported and availability of the network are a must for industrial infrastructure, and they should be assured by the network devices that keep the network alive, by the software running on those devices, and by the technicians who set up the network, maintain it in operation and run it.

Key words: security, availability, confidentiality, network.

1. INTRODUCTION

The network is used to transport data from one entity to another, regardless of whether the end entity is a computer, a multiprocessor platform or any other form of hardware that has proper software installed and is able to interpret the received data and use it for the purpose for which it was designed. If the network is an intranet and data flows only internally, confidentiality of the data is ensured by whoever sends it. If the network is connected to the Internet, as is usual nowadays, ensuring the security of our network is a must.

To be able to transport data, a network should be available and should withstand known insecure conditions that could affect its normal operating state. For an industrial network, availability is a must, and downtime should be kept to very small numbers when it is considered as a risk factor. By choosing the right devices to implement the network, a technician should ensure that it is still possible to access key devices (router, switch, server) regardless of the kind of attack those devices are subjected to (flood of messages, viruses, unrecognized or disabled commands) (Bajenescu, 2000).

The responsibility for securing the network lies not only with the technicians responsible for the network infrastructure, but also with the people using the network. An expert in building and setting up a network that meets current requirements and the future challenges related to speed (transfer rate, throughput) and to the growing number of devices that populate the network to increase the productivity of the industrial sector will still not be able to prevent ordinary users from reading their e-mail and opening malicious attachments that spread a virus to every reachable computer in that network (Marghescu et al., 1999).

2. SECURING THE NETWORK TO FIT THE INDUSTRIAL INFRASTRUCTURE ENVIRONMENT

The need for confidentiality of the data passing through the network is a requirement that should be respected, and the network must be designed and implemented so that this requirement is met regardless of the kind of information transported through it. Securing the network assures that information is delivered to the end point and that a message issued by the source reaches its destination without being affected by any attempt of intruders or malicious devices to corrupt the data.

When data is interpreted by different processors that use the information to take decisions in an industrial network, trusting the content of what was received sometimes means double-checking what was sent against what reached the end point. Such verification could be done using proprietary algorithms, public keys, simple checks at the receiver of what is expected from the sender, or by checking the sequence of messages in a chain before the entire payload is delivered (Tannenbaum, 1997).

Availability of an industrial network is an important aspect, and actions like network maintenance should not affect the normal operation of the devices served by the information transported through the network. To ensure reliable transport of data and 99.999% availability of the network for industrial infrastructure, redundancy of the devices that keep the network up and running is taken into consideration from the beginning of the design phase, even though this increases the budget and the cost of implementing that network.

3. PROPOSED SOLUTION TO SECURE THE NETWORK

3.1 How to make a network secure

There are three different aspects to take into consideration when a network is designed and implemented:

* The hardware selected to implement the network should take into consideration present requirements, but also the future need for bandwidth and the increasing number of users and devices that must be able to access and use the network;

* The software that makes the network perform its job properly, respecting the initial requirements, usually comes with the hardware (router, switch, hub) and is most of the time a proprietary solution. On the software side there is room for improvement where the applications running on the servers can be developed and customized to specific needs;

* Last but not least, the users who access the network and stress its resources should be taken into consideration as an important factor when the performance of the network is measured. Through simple explanations and concrete examples, the persons accessing the network can understand their role regarding network security. By involving them in the responsibility for respecting the rules of a secure network and introducing them to the culture of securing the network, they will understand that in the future the network will be able to serve their needs by being protected against insecure material (Tesch & Abelar, 2007).

Having the industrial network infrastructure connected to the Internet will bring the network technician face to face with different situations. There will be users who want remote access to devices running in the field, to monitor the performance of those devices and send remote commands to adjust parameters of running systems. A solution must be available to distinguish a user who has the right to access the network from an intruder.

Hardware devices (routers, switches, servers) that keep the network alive should be able to face and survive unpleasant situations like a flood of messages from malicious persons. Resources of these devices such as memory and processor should not be driven to their limit, so that the network technician still has the chance to open a connection (telnet or console) to key devices and disable the link or restrict access for requests coming from untrusted sites (Davis, 2002).

Software is prone to bugs and there are always persons who want to exploit them. When we talk about a secure network, all the software running on it should be up to date with the latest patch releases, and the network technician should monitor the discussion groups for possible "open gates" related to the software on his devices.

3.2 Concrete proposals

When choosing the hardware used to implement the network, some factors should be taken into consideration regarding the specific environmental conditions of industrial infrastructure:

* Dust is an important topic, because industrial machines process different materials to obtain concrete objects;

* Different machines operate in the industrial environment, and cables run there should be protected properly so that they are not torn, which would bring segments of the network down and out of operation;

* People working in the industrial environment should be instructed what the network cables are used for and how they should be protected, regardless of their level of knowledge about how a network and its devices operate.

It is important to have hardware devices that can sustain the required level of network performance but also keep some resources in reserve for unpredicted situations, so that a device is never blocked because it can no longer process the information and messages arriving, e.g. during a flood of messages from a network attack. Devices that make a network operate also need to be administered, and there are specific protocols used for communication between network devices. For instance, SNMP (Simple Network Management Protocol) is used to report network status and to announce to other devices when one goes out of operation for some reason. Such messages should not be accepted by a router from any address, only from a known and trusted list of devices.

Restricting access for some devices and keeping a clear list of IP (Internet Protocol) addresses can prevent the unpleasant situation in which the network is flooded with unnecessary messages that only "keep the line busy". Access lists and routing tables are good instruments for administering routers and switches, granting or restricting access for different users, devices or IP addresses. Information on servers can be organized so that only a clearly defined list of users (those with read/write rights on that location) can access restricted information.
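The trusted-list rule for SNMP and the access-list idea above, as an added example that is not part of the paper: an ordered, first-match access list (the same model a router ACL uses) permits SNMP only from a trusted management list, drops SNMP from anyone else, and leaves production traffic untouched. The management addresses and the sample packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Ordered access list in the spirit of a router ACL: first matching rule wins,
# and anything that matches no rule is dropped (implicit deny).
# Addresses below are constructed (private and documentation ranges).
TRUSTED_MANAGEMENT = ["10.0.100.5/32", "10.0.100.6/32"]  # assumed NMS hosts
SNMP_PORTS = {161, 162}  # agent queries (161) and traps (162)

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst_ports: frozenset             # empty set means any port

def build_snmp_acl(trusted):
    """Permit SNMP only from the trusted list, deny SNMP from everywhere else,
    then permit the rest so production data keeps flowing."""
    rules = [Rule("permit", ipaddress.ip_network(t), frozenset(SNMP_PORTS)) for t in trusted]
    rules.append(Rule("deny", ipaddress.ip_network("0.0.0.0/0"), frozenset(SNMP_PORTS)))
    rules.append(Rule("permit", ipaddress.ip_network("0.0.0.0/0"), frozenset()))
    return rules

def evaluate(acl, src_ip, dst_port):
    """Return 'permit' or 'deny' for one packet; first match wins."""
    addr = ipaddress.ip_address(src_ip)
    for rule in acl:
        if addr in rule.src and (not rule.dst_ports or dst_port in rule.dst_ports):
            return rule.action
    return "deny"  # implicit deny, as on a router

def filter_packets(acl, packets):
    """Apply the ACL to (src, dst_port) tuples; returns (accepted, dropped)."""
    accepted, dropped = [], []
    for src, port in packets:
        (accepted if evaluate(acl, src, port) == "permit" else dropped).append((src, port))
    return accepted, dropped

# Constructed sample traffic: two NMS polls, a trap from an unknown plant host,
# an Internet-side SNMP probe, and ordinary Modbus/TCP traffic on port 502.
SAMPLE = [("10.0.100.5", 161), ("10.0.100.6", 162), ("10.0.20.44", 162),
          ("203.0.113.9", 161), ("10.0.20.44", 502)]

if __name__ == "__main__":
    ok, bad = filter_packets(build_snmp_acl(TRUSTED_MANAGEMENT), SAMPLE)
    for src, port in bad:
        print(f"dropped SNMP from untrusted source {src} -> port {port}")
```

The dropped list is what a technician would want logged, since repeated hits from one source are the first sign of the flooding the paper warns about.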

The simplest way of protecting the information transported within the network is to give passwords to users who have a valid account and the right to access the resources stored and served by the network infrastructure. A password alone is not enough to make a network secure, but it is the first step that should be taken. It should be recognized that it is unpleasant for some people working in a factory to have to remember a password at all times to access some devices. It is hard to convince them that this password should contain a minimal number of characters, should be updated at certain intervals and must not be written down on the piece of paper that sits all day long on their desk. This is the inconvenient truth; the agility and persuasive skills of the network administrator or technician are demonstrated by convincing people what is good and what is bad in networking when security and confidentiality of data are at stake.

3.3 Open points for improvement

Building a self-defending network is the next step of development when we talk about the security of an already implemented and operational network. The network should be able to identify where malicious messages are coming from and block those addresses, to avoid the blocking of its own resources and a flood of commands.

It is possible to speed up the delivery of messages to the end entity by implementing some of the decision criteria directly in hardware and skipping the possible delays introduced by header analysis implemented in software.

Users who do not respect the access rules and try to read information not addressed to them, or directories for which they did not get read access, could be informed about their actions as a first step in making them accountable, and put on a list of malicious persons that the network automatically recognizes as those trying to see what they have not yet received the rights for.

If the data travelling through the network is strictly confidential, these packets of information can be encrypted using an available encryption key, or by developing software that modifies the TCP/IP (Transmission Control Protocol/Internet Protocol) header in such a way that only partners who know the encryption algorithm are able to decode it. Another way could be to modify the data field of the TCP/IP packet by adding additional bits to the existing ones, so that the receiver can recognize that this packet is coming from a trusted source.
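The receiver-side checks described in section 2 (comparing what was sent with what arrived, and checking the sequence of messages in a chain) and the "additional bits" idea above, as an added example that is not part of the paper: a sequence number and a keyed tag (HMAC-SHA256) are appended to each payload, and the receiver rejects frames whose tag does not verify or whose sequence number is not newer than the last one accepted. The shared key and the messages are constructed; this gives authenticity and integrity only, not confidentiality, which would require a cipher such as an AEAD mode on top.

```python
import hmac
import hashlib
import struct

# Shared secret is a constructed example value; in a deployment it would be
# provisioned out of band to each pair of communicating controllers.
SHARED_KEY = b"example-plant-key-change-me"
TAG_LEN = 16  # truncated HMAC-SHA256 tag: the "additional bits" on the data field

def seal(key, seq, payload):
    """Build seq(4 bytes) || payload || tag. The tag covers seq and payload,
    so neither can be altered or re-ordered without detection."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Verifies the tag, then enforces strictly increasing sequence numbers
    so a replayed or re-ordered message in the chain is rejected."""
    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.rejected = []   # (reason, seq) for each frame that was dropped

    def open(self, frame):
        if len(frame) < 4 + TAG_LEN:
            self.rejected.append(("too short", None)); return None
        header, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            self.rejected.append(("bad tag", None)); return None
        seq = struct.unpack("!I", header)[0]
        if seq <= self.last_seq:
            self.rejected.append(("replay", seq)); return None
        self.last_seq = seq
        return body

def demo():
    """Constructed exchange: two good messages, one tampered, one replayed."""
    rx = Receiver(SHARED_KEY)
    m1 = seal(SHARED_KEY, 1, b"valve7=open")
    m2 = seal(SHARED_KEY, 2, b"setpoint=41.5")
    tampered = bytearray(m2); tampered[6] ^= 0x01   # flip one bit in the payload
    results = [rx.open(m1), rx.open(m2), rx.open(bytes(tampered)), rx.open(m1)]
    return results, rx.rejected
```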

4. CONCLUSION

To have a secure network that fits the requirements of an industrial infrastructure, one should take into consideration not only the rules that make the network secure, but also proper hardware devices, up-to-date software running on those devices, and people who understand and comply with the rules that ensure the confidentiality of data and make the availability of the network possible by protecting it against insecure content.

5. REFERENCES

Bajenescu, T. (2000). Sisteme personale de comunicatii (Communications personal systems), Ed. Teora, Bucuresti.

Davis, P.T. (2002). Securing and Controlling Cisco Routers, CRC Press LLC.

Marghescu, I.; Cotanis, N. & Nicolaescu, S. (1999). Mobile Communications, Ed. Tehnica, Bucuresti.

Tannenbaum, A.S. (1997). Computer Networks, Computer Press Agora, Bucharest.

Tesch, D. & Abelar, G. (2007). Security Threat Mitigation and Response: Understanding Cisco Security MARS, Cisco Press, Indianapolis, Indiana 46240 USA.