Industrial Communications Handbook August 2016

For instance, RADIUS and the IEEE 802.1X (port-based network access control) standard work together to authorise any laptop plugged into a network switch. Until the user responds with the correct username and password, no networking data is allowed to travel between that laptop and the rest of the network. This authentication process sends authorisation information back to the switch, which states what devices the laptop can communicate with on the network.

This type of functionality can be taken a step further with the use of a Secure Access Management (SAM) system. This system can take over much of the AAA functionality, and provide extra security, logging and access control features. Some SAM systems are able to monitor devices attached to the network, and send an alert if the configuration of the unit changes (as compared with a verified, user-created configuration) or if the firmware becomes out of date. These systems generally provide an authentication management system, which allows users to keep a single username/password combination to log onto the SAM system, which then controls the user's access to end devices on the network. This means that users are not able to access irrelevant end devices at all, whether intentionally or accidentally. A misconfiguration of an end device can quickly and easily be identified by network engineers and rectified with minimal effort, as the SAM is able to keep track of any changes made. These systems not only protect the network against possible security threats, but can increase productivity and facilitate proper time management by removing or automating many of the steps required to maintain a network and the attached devices.

Access control technologies start to bridge the gap between physical and logical security. With physical security the concern is people accessing devices that make up the network and cables interconnecting the devices. With logical security the need is to secure the data itself.
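The authorisation information that the RADIUS server sends back to the switch travels in an Access-Accept packet, and the switch should act on it only after checking the Response Authenticator that ties the reply to its own request and the shared secret. The following is an added illustration (not code from the handbook or any vendor): a minimal RADIUS reply encoder and the switch-side check, using the RFC 2865 Filter-Id and RFC 2868 Tunnel-Private-Group-ID attributes that switches commonly use for ACL and VLAN assignment; the shared secret, identifier and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                 # RFC 2865 packet codes
FILTER_ID, TUNNEL_PRIVATE_GROUP_ID = 11, 81         # attribute types (RFC 2865 / RFC 2868)

def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: type, length incl. 2 header bytes, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_response(code, ident, request_auth, attrs, secret):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_reply(packet, ident, request_auth, secret):
    """Switch side: True only if the reply matches our outstanding request and the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet) or packet[1] != ident:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def authorise_port(packet, ident, request_auth, secret):
    """Return (authorised, vlan, acl_name) that the switch applies to the controlled port."""
    if not verify_reply(packet, ident, request_auth, secret):
        raise ValueError("reply failed authentication: ignore it, port stays unauthorised")
    if packet[0] != ACCESS_ACCEPT:
        return False, None, None          # only EAPOL frames pass until a later Accept
    vlan, acl = None, None
    for t, v in decode_attrs(packet[20:]):
        if t == TUNNEL_PRIVATE_GROUP_ID:  # VLAN assignment; a numeric VLAN ID is assumed
            if v and v[0] <= 0x1F:        # RFC 2868: strip the optional leading tag octet
                v = v[1:]
            vlan = int(v.decode())
        elif t == FILTER_ID:              # name of an ACL limiting which devices are reachable
            acl = v.decode()
    return True, vlan, acl
```

A reply with the wrong secret, a stale identifier or a modified body fails `verify_reply`, so the port keeps its unauthorised state instead of inheriting a VLAN or ACL from an unverified source.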
Ethernet and distributed networking offer a multitude of benefits to industrial communications systems; however, as they expand they become harder to secure, especially from a physical standpoint. At some point a secure network eventually connects to a less secure—or insecure—network, such as an uplink to a corporate office for performance monitoring or an internet connection for remote access and control. For this reason a combination of policies, physical security and logical security on a mission-critical control or production network is needed.
