It’s 10:00 p.m. Do You Know Where Your Data Is?


January 16, 2020

What’s the most critical information in your control system network? If you’re like most life sciences OT/IT professionals I meet, you’ll be able to answer that question even before I finish asking it.

Identifying critical system data – and recognizing the need to protect it – in many ways is the easy part. But designing a network infrastructure that can both help mitigate cybersecurity risk and take advantage of the latest Internet of Things (IoT) technologies can be a sticking point.

Certainly, today’s life sciences companies recognize the advantages of connecting more information across their enterprise to enhance electronic batch records and reporting – and enable advanced analytics and other digital technologies.

However, in their quest for greater connectivity, they could be making network choices that inadvertently introduce risk.

Is your network infrastructure intentional or unintentional?

Think about it. How do you enable disparate systems to share data?

Of course, the easiest way to achieve that goal is to put everything on the same network. And that’s not an uncommon occurrence.

For convenience, an organization may decide to move forward with a flat, unsegmented network – where information is freely exchanged. More commonly, an unsegmented network is an unintentional result of a legacy infrastructure that has expanded over time without benefit of VLANs, firewalls and other boundaries.

The problem with unsegmented networks

Regardless of the cause, an unsegmented network may enable easy access and communication – but it does so with a hefty price.

First, a flat, unsegmented network infrastructure exposes both non-critical and critical data equally to cybersecurity risk. Without network boundaries or access limitations, attackers can exploit the most vulnerable points of entry and move deeper into the network or anything connected to it.

Content at risk could range from manufacturing and recipe information – to clinical trial data, pricing and marketing strategies.

Additionally, an unsegmented network is typically an inefficient network. Companies may not initially be aware of network performance issues simply because they can still run their operation. But as systems are updated and new capabilities are added, network traffic increases, network collisions and slowdowns occur more frequently – and production issues often surface.  

Have you or someone you know ever lost data…or system visibility? It happens.   

As part of a defense-in-depth approach, network segmentation – or splitting a network into smaller networks – can help mitigate unnecessary broadcast traffic and limit what is immediately available to an attacker.

Building segmentation into your system     

Did you consider network design and performance when you built your automation system? And how do you incorporate segmentation to help limit the reach of a potential breach and improve network performance?

In my experience, most life sciences companies are great at managing their production processes. But many just don’t realize how the options they’ve chosen impact the network infrastructure. As a result, they may be unaware of the content scope and traffic patterns in their existing infrastructure – and potential risks and performance limitations. 

A system audit can help you gain a better understanding of what content is included in your system, how devices communicate and how information travels. As a first step, a system audit will provide you with the foundational information you need to identify potential risks and evaluate performance improvements.

Once an audit is complete, conducting a risk assessment aligned with IEC 62443 guidance is an industry best practice that can lead you down the right path to better network design and segmentation.  

IEC 62443 is a series of international standards that provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS). Specifically, IEC 62443-3-2 provides risk assessment guidelines.

A risk assessment will provide a picture of your current security posture and what you need to do to achieve an acceptable risk state.

No doubt, you will find that different areas in your system have different security needs. The risk assessment will help you make reasonable decisions regarding the level of risk you’re willing to take to implement new technologies – and how to segment your network logically to achieve both security and productivity goals.  

Depending on your requirements, you may choose multiple segmentation methods including access control lists, firewalls, VLANs, industrial demilitarized zones (IDMZ), and other technologies.
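As an added illustration (not part of the original article or of Rockwell's material), the following Python script models the zone-and-conduit idea behind the audit, risk assessment and segmentation steps above. The asset inventory, zone names and conduit rules are constructed for the example; it compares how many critical assets a foothold in the least-trusted zone can reach on a flat network versus a segmented one with an IDMZ, and what a single "convenience" firewall rule does to that picture.

```python
from collections import deque

# Constructed asset inventory for illustration: name -> (zone, criticality).
ASSETS = {
    "office-printer": ("enterprise", "low"),
    "erp-server":     ("enterprise", "medium"),
    "mes-historian":  ("idmz",       "medium"),
    "batch-server":   ("control",    "high"),
    "bioreactor-plc": ("cell",       "high"),
}

# Constructed conduits: directed (src_zone, dst_zone) flows a firewall or ACL
# permits. The IDMZ brokers data: both sides talk to it, it initiates nothing.
SEGMENTED = {
    ("enterprise", "idmz"),
    ("control", "idmz"),
    ("control", "cell"),
}

def reachable_zones(start, conduits):
    """Zones a foothold in `start` can reach by following permitted conduits (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in conduits:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def exposed_assets(assets, conduits, entry_zone, min_level="high"):
    """Assets at or above `min_level` criticality that a foothold in `entry_zone` can reach."""
    rank = {"low": 0, "medium": 1, "high": 2}
    zones = reachable_zones(entry_zone, conduits)
    return sorted(name for name, (zone, level) in assets.items()
                  if zone in zones and rank[level] >= rank[min_level])

def flattened(assets):
    """Model an unsegmented network: every asset shares one zone, so no conduits are needed."""
    return {name: ("flat", level) for name, (_, level) in assets.items()}

if __name__ == "__main__":
    # Flat network: a foothold on the office printer reaches every critical asset.
    print("flat:     ", exposed_assets(flattened(ASSETS), set(), "flat"))
    # Segmented with an IDMZ: the same foothold reaches nothing above the IDMZ.
    print("segmented:", exposed_assets(ASSETS, SEGMENTED, "enterprise"))
    # One rule letting enterprise hosts talk straight into the control zone
    # re-exposes both critical assets; this is what the risk assessment should catch.
    print("exception:", exposed_assets(ASSETS, SEGMENTED | {("enterprise", "control")}, "enterprise"))
```

Feeding the script a real inventory and the rule set exported from your firewalls turns the audit step into a repeatable check rather than a one-off diagram review.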

Securing your connected facility

Keep in mind, network segmentation is just one of many practices recommended as part of a defense-in-depth approach to cybersecurity. An effective strategy includes multiple layers of protection ranging from physical security devices as simple as doors to sophisticated electronic and procedural safeguards.

And an effective strategy is an ongoing process that requires not only thoughtful design, but also active intervention – and maintenance.
