22

industrial communications handbook 2016

With regard to wireless links, it is important to remember the following points:

• The wireless hardware is as vulnerable as the equivalent wired hardware and so needs to be protected by physical access control security wherever possible.

• Physical access to the radio signal itself now becomes a real threat. A user with a decent high-gain antenna and sniffer software can seriously affect the security of the site.

4.4 External devices

In any discussion on policies and third party users, an important question is: how are external devices handled? A USB flash drive is the easiest and most common way to transfer data physically, yet this type of external storage could be carrying a dangerous virus about to infect your network. A third party laptop may have some kind of sniffer software installed that captures any data travelling through the laptop’s network interface, waiting to send this on to unsavoury individuals, whether or not the owner of the laptop is aware of it. There is a wide variety of third party devices that could possibly threaten the network, and we need to be aware of, and protect against, all possibilities.

Policies are particularly significant in such circumstances, and informing outside users (and employees) as to the correct way to handle external storage devices is important; with some viruses, plugging in the USB can be too late. External storage can be handled in different ways, such as having a computer with no connection to the rest of the network (but with an internet connection) running up-to-date antivirus software. Any files needed can be loaded onto this computer, scanned for viruses or malware, and then copied to the relevant machine on the secure network using an authorised clean storage device.

Some advanced firewall manufacturers include similar protection in their hardware, which protects against files arriving from the Internet, such as downloads or email attachments. These files are quarantined and a copy sent to an online cloud server, which checks the file for malware, and opens or runs the file in a protected environment to see what actions are needed. If anything out of the ordinary is discovered, a message is sent back to the firewall, which deletes the file from quarantine before it and its attached devices can get to the network.

Even with good policies, one should assume that some sort of malware will find its way onto the network sooner or later. The Stuxnet virus, which shut down entire nuclear enrichment facilities in 2009/2010, was thought to have already infected a large portion of the world’s computers at the time it activated; however, it did not activate on those systems (as it was coded to look for a specific target) and was not discovered for a long time.

The number of viruses on the Internet is immeasurable. Viruses range from harmless snippets of code that may do nothing, to system-killers that could cause extensive damage to a site. For this reason all computers attached to the network should be running anti-virus software. Updating the anti-virus solution is critical and must happen regularly, in some cases multiple times a day. The best way to achieve this is to get a solution that has a single server with direct internet access. The server generally resides in a DMZ (Demilitarised Zone), which is essentially a different subnetwork, separated from the rest of the network by a router and firewall. This machine updates its anti-virus definitions from an online server as they become available. The other machines on the network then update their anti-virus definitions from this machine—through a firewall which stops any other type of traffic—and thus are kept up to date yet do not require direct internet access.
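The firewall arrangement just described, written out as an nftables forward-chain ruleset. This is an added example, not from the handbook: the LAN range 10.10.0.0/16, the DMZ server address 192.0.2.10 and the update port 8530 are assumed placeholder values to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the handbook): nftables rules for a DMZ anti-virus
# update server. Only the LAN -> DMZ update port and DMZ -> Internet HTTPS/DNS
# flows are permitted; everything else crossing the firewall is logged and dropped.
# Assumed values (placeholders): LAN 10.10.0.0/16, server 192.0.2.10, port 8530.
LAN_NET="${LAN_NET:-10.10.0.0/16}"
AV_SERVER="${AV_SERVER:-192.0.2.10}"
UPDATE_PORT="${UPDATE_PORT:-8530}"

# Print the ruleset to stdout; it is not loaded by this function.
gen_ruleset() {
cat <<EOF
table inet dmz_av {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # LAN hosts may fetch definitions from the DMZ server and nothing else
    ip saddr $LAN_NET ip daddr $AV_SERVER tcp dport $UPDATE_PORT accept
    # Only the DMZ server may reach the Internet: HTTPS for updates, DNS to resolve
    ip saddr $AV_SERVER ip daddr != $LAN_NET tcp dport 443 accept
    ip saddr $AV_SERVER ip daddr != $LAN_NET udp dport 53 accept
    # DMZ -> LAN connections, LAN -> Internet and every other port are refused
    log prefix "dmz_av-drop " counter drop
  }
}
EOF
}

# Count the accept rules so a reviewer can confirm the policy stays minimal
count_accepts() {
  gen_ruleset | grep -c ' accept$'
}
```

Check the syntax with `gen_ruleset | nft -c -f -` before loading it with `nft -f`; the log prefix makes any blocked DMZ-to-LAN attempt visible in the kernel log.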

4.5 Direct access devices

The next step is to protect against other devices that are able to connect directly to the network. Whilst physical access control and company policies are important, there are other, more automated methods that can be used to protect the network from unauthorised devices. Collectively known as AAA (Authentication, Authorisation and Accounting), this technology includes protocols such as RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System). AAA collectively refers to three general functionalities:

• Authentication—which is checking people are who they say they are.

• Authorisation—which is checking what those people are allowed to do on the network.

• Accounting—which is keeping a record of who logged in, when they logged in and what they did while logged in.