
Electricity + Control, September 2017, Control Systems + Automation, page 5

Using third party infrastructure can be accomplished in a dedicated manner, meaning that secure tunnels through the ISP's network are dedicated to a single customer. Once again, the cost for this sort of service can be restrictive. The third option is to use an existing network that covers the geographic location in question, which in most cases means using the Internet.

All options to be properly secure

Whilst using a dedicated company network is the most secure method and using the Internet is the least secure, all of these options must be properly secured to ensure that data and devices are properly protected from a variety of attacks, whether directly targeted or random, and whether they are maliciously intended or simply the result of human or machine error. For the purposes of talking about security on mission critical networks, an attack should be considered anything that could adversely affect the data on the network, the legitimate users of the network, and any device connected to the network.

Network security: Physical level

The first level to look at when considering network security is the physical level, which should already be in place as it applies to any type of security. We are of course talking about things like access security and physical disaster recovery. Making sure that unwanted users cannot access physical network devices is obviously a priority, and can be easily accomplished using standard security measures such as walls, fencing, locked buildings etc. Physical disaster recovery is quite straightforward, and includes things like automated or manual firefighting systems, back-up UPSs and similar. While this is definitely a highly critical part of network security, it is too obvious and general to warrant more than a quick mention.

Logical security

Next we need to look at the logical security of the network, which can be roughly broken down into local security (attackers who can get direct physical access to the network and logically access devices that way) and remote security (attackers who are physically connected outside of the local network, and are instead trying to logically breach the network). While the two are closely intertwined, in most cases it is sensible to approach security bottom-up, so we will address local security first.

One of the most prolific breakdowns in local security comes from the tendency of users to not change the default authentication details of networking devices and attached devices. This means anyone can find the login details with a model number, Google and about five minutes of searching. While it is convenient to not have to record and remember a number of passwords, it is important to remember that a certain level of convenience has to be forsaken in order to have a properly secure network.

Virtual Local Area Networks (VLANs)

This leads us to VLANs and their use on networks, as VLANs are probably among the greatest causes of confusion in any industrial or utility grade network, and as such are often only partially implemented, leading to messy and inefficient networks. A rough breakdown of the need for and operation of VLANs is required.

Broadcast

One of the fundamental communication types in TCP/IP networks is a broadcast, where a device sends a packet to every other device within its subnet. The problem is that switches, as layer 2 devices, will flood this packet out of every port besides the one on which it is received. This means that even devices that are not in the originating device's subnet will still receive this broadcast packet, even though they are not interested in it. These devices will simply discard the packet, however they first must receive, error check and inspect the packet, which takes up resources. The amount of resources consumed will be tiny, but in very large networks these small bits of wasted resources add up, and can seriously affect critical network traffic. For this reason a method of segregating devices into separate broadcast domains is needed.

Routers

Routers will separate broadcast domains, but are not feasible for this application for a myriad of reasons that are irrelevant to this discussion. Instead we require an option to segregate traffic based on a logical configuration of the switches, which can be adjusted as required and is not hardware based. The solution is VLANs. As the name implies, VLANs logically (virtually) separate the network into different LANs, even though at a physical level these VLANs are still connected. This means that broadcasts will not be sent to devices in a separate VLAN at all, as the switch will be configured to not send them, meaning the end devices do not have to assign any resources to inspecting unwanted traffic.
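The flooding behaviour described in the Broadcast and Routers sections above, as an added example that is not part of the article: a toy learning-switch model in which each port belongs to one VLAN, so a broadcast (or a frame to an unknown destination) is flooded to every other port in the ingress VLAN only. The port numbers, MAC addresses and the flat versus segmented configurations are constructed for illustration.

```python
"""Toy layer-2 switch model: flooding with and without VLANs (constructed example)."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch; each port belongs to exactly one (untagged) VLAN."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN id
        self.mac_table = {}                # (vlan, mac) -> port the MAC was learned on

    def forward(self, in_port, src, dst):
        """Return the egress ports for a frame from src to dst arriving on in_port."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port          # learn the source address
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            return [self.mac_table[(vlan, dst)]]       # known unicast: one port only
        # Broadcast or unknown destination: flood every port except the ingress
        # port, but never across a VLAN boundary.
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)


def broadcast_load(port_vlan, senders):
    """Count how many broadcast frames each port must receive and inspect."""
    sw = Switch(port_vlan)
    load = defaultdict(int)
    for port, mac in senders:
        for egress in sw.forward(port, mac, BROADCAST):
            load[egress] += 1
    return dict(load)


# Constructed topology: 8 access ports, one device per port, each sending one broadcast.
DEVICES = [(p, f"02:00:00:00:00:{p:02x}") for p in range(1, 9)]
FLAT = {p: 1 for p in range(1, 9)}                            # one broadcast domain
SEGMENTED = {p: (10 if p <= 4 else 20) for p in range(1, 9)}  # two VLANs, four ports each

if __name__ == "__main__":
    for name, cfg in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, broadcast_load(cfg, DEVICES))   # flat: 7 per port, segmented: 3 per port
    sw = Switch(SEGMENTED)
    sw.forward(1, DEVICES[0][1], BROADCAST)          # port 1's MAC is learned in VLAN 10
    print(sw.forward(3, DEVICES[2][1], DEVICES[0][1]))  # known unicast -> [1]
    print(sw.forward(5, DEVICES[4][1], DEVICES[0][1]))  # unknown in VLAN 20 -> [6, 7, 8]
```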

Will the cost and time saved by not implementing a certain level of security outweigh the potential loss if the security is breached?