Industrial Communications Handbook August 2016

With regard to wireless links, it is important to remember the following points:
• The wireless hardware is as vulnerable as the equivalent wired hardware and so needs to be protected by physical access control security wherever possible.
• Physical access to the radio signal itself now becomes a real threat. A user with a decent high-gain antenna and sniffer software can seriously affect the security of the site.

4.4 External devices

In any discussion on policies and third party users, an important question is: how are external devices handled? A USB flash drive is the easiest and most common way to transfer data physically, yet this type of external storage could be carrying a dangerous virus about to infect your network. A third party laptop may have some kind of sniffer software installed that captures any data travelling through the laptop’s network interface, waiting to send this on to unsavoury individuals, whether or not the owner of the laptop is aware of it. There are a wide variety of third party devices that could possibly threaten the network, and we need to be aware of, and protect against, all possibilities.

Policies are particularly significant in such circumstances, and informing outside users (and employees) as to the correct way to handle external storage devices is important; with some viruses, plugging in the USB can already be too late. External storage can be handled in different ways, such as having a computer with no connection to the rest of the network (but with an internet connection) running up-to-date antivirus software. Any files needed can be loaded onto this computer, scanned for viruses or malware, and then copied to the relevant machine on the secure network using an authorised clean storage device.

Some advanced firewall manufacturers include similar protection in their hardware, which protects against files incoming from the Internet, such as downloads or email attachments. These files are quarantined and a copy sent to an online cloud server, which checks the file for malware, and opens or runs the file in a protected environment to see what actions are needed. If anything out of the ordinary is discovered, a message is sent back to the firewall, which deletes the file from quarantine before it and its attached devices can get to the network.

Even with good policies, one should assume that some sort of malware will find its way onto the network sooner or later. The Stuxnet virus, which shut down entire nuclear enrichment facilities in 2009/2010, was thought to have already infected a large portion of the world’s computers at the time it activated; however, it did not activate on those systems (as it was coded to look for a specific target) and was not discovered for a long time. The number of viruses on the Internet is immeasurable. Viruses range from harmless snippets of code that may do nothing, to system-killers that could cause expansive damage to a site. For this reason all computers attached to the network should be running anti-virus software. Updating the anti-virus solution is critical and must happen regularly, in some cases multiple times a day. The best way to achieve this is to get a solution that has a single server with direct internet access. The server generally resides in a DMZ (Demilitarised Zone), which is essentially a different subnetwork, separated from the rest of the network by a router and firewall. This machine updates its anti-virus definitions from an online server as they become available. The other machines on the network then update their anti-virus definitions from this machine—through a firewall which stops any other type of traffic—and thus are kept up to date yet do not require direct internet access.

4.5 Direct access devices

The next step is to protect against other devices that are able to connect directly to the network. Whilst physical access control and company policies are important, there are other, more automated methods that can be used to protect the network from unauthorised devices. Collectively known as AAA (Authentication, Authorisation and Accounting), this technology includes protocols such as RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System).

AAA collectively refers to three general functionalities:
• Authentication—checking that people are who they say they are.
• Authorisation—checking what those people are allowed to do on the network.
• Accounting—keeping a record of who logged in, when they logged in and what they did while logged in.
