
Cybersecurity Deployment Guide - Security Concepts

Recommended actions to secure the network

Last Updated: Feb 18, 2025

For each network component below, the recommended action is given first, followed by notes.

Type of connection

Decide how the host will connect to the network.

Network connectivity has trended in recent years away from wired "Ethernet" networks to wireless "Wi-Fi" networks for both business and industrial uses.

We recommend against using Wi-Fi for your ICS network. You do not have physical control over who or what might access the network. An intruder can intercept even a reasonably secure network and analyze network traffic and potentially discover a vulnerability.

If you decide to use Wi-Fi for your ICS network, enable all access control features on the WAP, including encryption (WPA/WPA2 or later methods), a strong password and a list of authorized MAC addresses. Do not try to "hide" the Wi-Fi network by disabling broadcast of the Service Set Identifier (SSID). Doing so requires users to perform additional operations to locate the network and then enter the SSID and security credentials. This extra network traffic offers opportunities for interception and analysis.

Network structure

Segment the ICS network. The network can be either physically or logically segmented from your other corporate networks. A physically segmented network is the most secure: the network hardware and all computers and devices connected to it form a single closed network with no physical connection to any other network.

A logically segmented network is physically connected to your other corporate networks or to the public internet. We strongly advise against connecting to the public internet other than through a trusted, secure ecosystem provided by your ICS software vendor.

See the diagram following this table for an example of a segmented network.

Methods to segment the network include:

  • Using a unidirectional gateway.

  • Implementing a Demilitarized Zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks.

  • Having different authentication mechanisms and credentials for users of the corporate and ICS networks.

  • Using a multi-layer network topology in the ICS, with the most critical communications occurring in the most secure and reliable layer.

Network services and ports

Use firewalls to control traffic through network services and ports. Identify services and ports on your network and configure firewalls. The topology diagram following this table provides an example of using firewalls to segment the network.

The documentation for your ICS software typically includes a list of network ports commonly used by the software. Given the nature of ICS, the list typically includes services like web, email, file transfer, external databases, device drivers, and the ICS software itself for server-client communications. Configure the firewalls to open only those network ports that are in use by your ICS. Disable all unused services and close all unused ports.
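The following is an added example, not part of the guide or any vendor's product: a small default-deny model of the DMZ topology described above (corporate to DMZ to ICS), with an audit that flags rules bypassing the DMZ or opening ports the ICS documentation does not list. The zone names, port numbers and rules are constructed values, not real product ports.

```python
# Added example (not from the guide): default-deny evaluation of a segmented
# corporate -> DMZ -> ICS firewall policy, plus an audit of the rule set.
# Zone names, ports and rules are constructed values for illustration only.
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule: src_zone may reach dst_zone on proto/dst_port."""
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"


# Constructed stand-in for the port list in the ICS software documentation
# (web, external database, ICS server-client service); not real product ports.
DOCUMENTED_ICS_PORTS: Set[int] = {443, 5432, 7000}

# Constructed allow list: corporate hosts reach only the DMZ (web relay on 443);
# only DMZ hosts reach the ICS zone, and only on documented ports.
RULES: List[Rule] = [
    Rule("corporate", "dmz", 443),
    Rule("dmz", "ics", 7000),
    Rule("dmz", "ics", 5432),
]


def is_allowed(rules: Iterable[Rule], src_zone: str, dst_zone: str,
               dst_port: int, proto: str = "tcp") -> bool:
    """Default deny: a flow passes only when an explicit rule matches it exactly."""
    return any(r.src_zone == src_zone and r.dst_zone == dst_zone
               and r.dst_port == dst_port and r.proto == proto for r in rules)


def audit_rules(rules: Iterable[Rule], documented_ports: Set[int]) -> List[str]:
    """Return findings for rules that break the segmentation or the port policy."""
    findings = []
    for r in rules:
        if r.src_zone == "corporate" and r.dst_zone == "ics":
            findings.append(f"corporate->ics {r.proto}/{r.dst_port} bypasses the DMZ")
        if r.dst_zone == "ics" and r.dst_port not in documented_ports:
            findings.append(f"{r.proto}/{r.dst_port} into ics is not a documented port")
    return findings


if __name__ == "__main__":
    print("corporate->ics 443 allowed:", is_allowed(RULES, "corporate", "ics", 443))
    bad = RULES + [Rule("corporate", "ics", 3389)]   # constructed bad rule
    print("findings:", audit_rules(bad, DOCUMENTED_ICS_PORTS))
```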

Client/Server communication

Encrypt client/server channels. Use the latest Transport Layer Security (TLS) standard. You can still use the Secure Sockets Layer (SSL) standard for older applications.

TLS and SSL use a system of certificates and keys to digitally sign the messages sent between the server and client. When you configure this sort of communication, you need to use one of the following:

  • Self-signed certificates:

    Issued and signed by the same application that presents them. Self-signed certificates are easy to create and manage, but are secure only if you control both the server and the client and control which certificates are installed on each.

  • Certificates signed by a Public Certificate Authority (CA):

    Somewhat more difficult and expensive to acquire, but more flexible than self-signed certificates because you do not need to control both the server and the client. If you configure the server to present a CA-signed certificate, the client accepts the certificate because it recognizes the Certificate Authority.

  • Domain-issued certificates or certificates signed by a Private Certificate Authority using systems like Microsoft Active Directory Certificate Services (AD CS):

    Internal certificates typically managed by your IT department. They are issued and validated by an Active Directory Certificate Authority. Domain-issued certificates are free and can be issued instantly.

    Notes: You need to renew CA-signed and domain-issued certificates at regular intervals. Encrypted and unencrypted communications typically use different network ports.
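The following is an added example, not code from the guide or from any ICS product: client-side TLS settings for a client/server channel. The weak function shows the common pattern of switching certificate checks off; the hardened one verifies the server against an explicit trust anchor (your private CA certificate, or the pinned self-signed server certificate for the "control which certificates are installed" case) and refuses anything older than TLS 1.2. The trust anchor file path is a hypothetical caller-supplied value.

```python
# Added example (not from the guide): weak versus hardened client TLS contexts
# for an ICS client/server channel, with an audit of the settings.
import ssl
from typing import List, Optional


def legacy_client_context() -> ssl.SSLContext:
    """Weak configuration: any certificate for any name is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(trust_anchor_pem: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server certificate and require TLS 1.2 or newer.

    trust_anchor_pem: hypothetical path to a PEM file holding either your
    private CA certificate or the server's self-signed certificate. When given,
    only that file is trusted (the OS public CA store is not loaded); None falls
    back to the OS store, which suits certificates from a public CA.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=trust_anchor_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSL and TLS 1.0/1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise about a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSL or TLS 1.0/1.1 can still be negotiated")
    return findings


if __name__ == "__main__":
    print("legacy:", audit_context(legacy_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Pass the hardened context to `ssl.SSLContext.wrap_socket(sock, server_hostname=...)` or to your client library so that the certificate and name checks actually run on every connection.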

The following diagram is an example of a segmented network topology:

[Diagram: Segmented network]

Note: In no case should your ICS network and devices be directly accessible from the public internet. If there is some part of your ICS that you want to be accessible (for example, if you want to view web-enabled HMI screens from a browser or smart phone), your ICS software should include features that securely pass the necessary traffic between your ICS network and a public-facing server. Such features can include separate public and private subnets, private IP addresses, security groups, authentication protocols, user identity managers, gateways, custom route tables, Access Control Lists (ACLs), and others.
