
industrial communications handbook 2016

Because IDSes look for symptoms rather than just causes, they can help identify problems that have not previously been encountered.

5.8 Monitoring

Now for the final point, which is always critical and not only from a security standpoint: monitoring of a network and attached devices. Networks are becoming highly complex entities and they need to be properly maintained. The first step to properly maintaining a network and its attached security features is having a full view of the network. Large security breaches are often preceded by smaller breaches as attackers test different components of the system. If the smaller breaches are identified early, they can be addressed, and the larger breach deferred or prevented completely. The IDS mentioned in 5.7 is one type of monitoring system; however, many more are available and should be considered. On a simpler level, users could implement a syslog collector: a central server that collects the system and event logs from devices on the network and consolidates them. Some of these systems can help flag concerning events, allowing an engineer to quickly identify possible problems.

Ethernet devices provide a protocol called SNMP (Simple Network Management Protocol), which is an open standard and should be supported by all Ethernet hardware, especially industrial-grade hardware. The SNMP standard works off dictionaries of OIDs (Object Identifiers) known as MIBs (Management Information Bases). These OIDs are simply numerical codes which translate to a certain query; for example, the OID 1.3.6.1.2.1.2.2.1.8 is for the query Interface Operational Status, or ifOperStatus. Further codes appended to this identify which interface is being queried. This OID is then sent to a switch, for instance, which responds with an OID stating whether the interface is up or down. A central NMS (Network Management System) receives all the responses from different queries to devices around the network. These are consolidated and presented to a network engineer, normally in a quick-to-understand visual format. The engineer is able to assess the status of the entire network, and identify problematic areas and devices instantly. While these systems are more important from an operational standpoint, they are another example of a monitoring system that should always be implemented.
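The query described above, as an added example in Python (not from the handbook): it BER-encodes an SNMPv2c GetRequest for ifOperStatus on one interface and decodes a device's reply into an up/down status. The community string `example-ro`, the helper names and the sample data are assumptions made for illustration.

```python
# Added example; helper names, community string and sample data are constructed.
IF_OPER_STATUS = (1, 3, 6, 1, 2, 1, 2, 2, 1, 8)   # OID quoted in the text
STATUS = {1: "up", 2: "down", 3: "testing", 4: "unknown",
          5: "dormant", 6: "notPresent", 7: "lowerLayerDown"}   # IF-MIB values

def tlv(tag, body):
    if len(body) > 127:
        raise ValueError("example handles short-form BER lengths only")
    return bytes([tag, len(body)]) + body

def enc_int(n):                       # non-negative INTEGER, minimal length
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def enc_oid(oid):                     # base-128 arcs, first two packed as 40*a+b
    body = bytearray([oid[0] * 40 + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def snmp_message(pdu_tag, if_index, value, community, request_id=1):
    varbind = tlv(0x30, enc_oid(IF_OPER_STATUS + (if_index,)) + value)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbind))
    return tlv(0x30, enc_int(1) + tlv(0x04, community) + pdu)   # version 1 = v2c

def build_get(if_index, community=b"example-ro"):
    return snmp_message(0xA0, if_index, tlv(0x05, b""), community)   # value = NULL

def children(buf):                    # split a constructed value into (tag, body) pairs
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
            raise ValueError("truncated or long-form TLV")
        end = pos + 2 + buf[pos + 1]
        out.append((buf[pos], buf[pos + 2:end]))
        pos = end
    return out

def parse_oper_status(msg, if_index):
    [(_, body)] = children(msg)                             # outer SEQUENCE
    _version, _community, (pdu_tag, pdu) = children(body)
    _req_id, (_, err), _err_index, (_, varbinds) = children(pdu)
    (_, oid), (val_tag, val) = children(children(varbinds)[0][1])
    want = enc_oid(IF_OPER_STATUS + (if_index,))[2:]        # instance we asked for
    if pdu_tag != 0xA2 or any(err) or val_tag != 0x02 or oid != want:
        raise ValueError("not a clean GetResponse for this ifOperStatus instance")
    return STATUS.get(int.from_bytes(val, "big"), "invalid")
```

SNMPv1 and v2c send the community string in cleartext, so polling of this kind belongs on a separated management network; SNMPv3 adds authentication and encryption.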

Since the OIDs and MIBs are part of an open standard, they are unfortunately sometimes carelessly put together by manufacturers, meaning that a LARGE database of such identifiers is necessary. Manufacturers do not always publish these (for various reasons) and, as a result, swapping out a network component for a different one with exactly the same functionality, but from a different manufacturer, may degrade the SNMP reports. On a wider front this is true for most mission-critical networks, which start off well planned and documented, but later start to suffer from small changes here and there that are not documented (people forget to document the changes, or think they are so insignificant that they need not be documented). After a period of time, this lack of updating of documents and maintenance of the network means that what remains is an insecure mess of a network that has vulnerabilities and flaws throughout.

Remember that one single security breach is all it takes …

It is clear that security on a modern communications network is extremely important and cannot be underestimated. Industrial Ethernet brings a host of benefits and improvements; however, if not secured properly it is more hindrance than help. In the best-case scenario, unauthorised individuals will be in the network and able to view confidential data; in the worst case, individuals could cause damage to company buildings and themselves. Securing a network properly leads to increased peace of mind whilst utilising the benefits that Ethernet networks provide.