
Practical Approaches to Securely Integrating Business and Production

Date post: 13-Jan-2017
Upload: jim-gilsinn
Transcript
Page 1: Practical Approaches to Securely Integrating Business and Production

Standards

Certification

Education & Training

Publishing

Conferences & Exhibits

Practical Approaches to Securely Integrating Business and Production

Jim Gilsinn

Page 2: Practical Approaches to Securely Integrating Business and Production

Presenter

• Jim Gilsinn
  – Senior Investigator, Kenexis
  – ISA99, Co-Chair
  – ISA99-WG2, Co-Chair
  – CEH, CISSP
  – ISA/IEC 62443 Expert
  – 25 Years Eng. Experience
  – MSEE

Page 3: Practical Approaches to Securely Integrating Business and Production

Overview

• Why Integrate Business & Production?
• Things to Consider
• Potential Solutions
• Questions

Page 4: Practical Approaches to Securely Integrating Business and Production

Why Integrate Business & Production?

• Production to Business
  – Production Data
  – Historical Data
  – Regulatory Requirements
  – Network/Security Monitoring

• Business to Production
  – Remote Maintenance
  – Patch Management
  – File Exchange
  – Configuration Data

Complete isolation is rarely an option

Page 5: Practical Approaches to Securely Integrating Business and Production

THINGS TO CONSIDER

Page 6: Practical Approaches to Securely Integrating Business and Production

Things to Consider

• Isolated Zones
• Network Segmentation
• Wireless Integration
• Remote Connections
• Public Infrastructure Integration
• File/Data Transfer
• Monitoring

Page 7: Practical Approaches to Securely Integrating Business and Production

Isolated Zones

• Are there zones that require network isolation?
• Safety-related systems are a good example
• Set it & forget it!
• May require re-calibration over time
• Can be connected via signal wiring

Page 8: Practical Approaches to Securely Integrating Business and Production

Network Segmentation

• Firewall vs. Data Diode
  – Is bidirectional communication required?
  – Human interaction vs. automated bi-directional communication
  – “Air-gap” requirement
  – Mixed firewall & data diode

• Multi-legged vs. Dual Firewall
  – Establish DMZ
  – Product diversity
  – IT/OT

Page 9: Practical Approaches to Securely Integrating Business and Production

Wireless Integration

• Will wireless be used?
• What communication protocols?
• What frequency bands?
• Point-to-point vs. omnidirectional?
• Star vs. mesh topology?
• Bandwidth requirements?
• Tolerance for drop-outs?
• Where to integrate into architecture?

Page 10: Practical Approaches to Securely Integrating Business and Production

Remote Connections

• Personnel, vendors, contractors, MSSP?
• On-site vs. off-site access?
• Continuous vs. scheduled vs. sporadic connectivity?
• Method of connectivity?
• Single-factor vs. multi-factor authentication?
• Connection points within architecture?
• Types of communication allowed?

Page 11: Practical Approaches to Securely Integrating Business and Production

Public Infrastructure Integration

• More of an issue with SCADA
• Wired vs. terrestrial wireless vs. satellite
• Dedicated vs. leased-line connections
• Service level agreements for ISP
• Contingencies for backup/secondary communications

Page 12: Practical Approaches to Securely Integrating Business and Production

File/Data Transfer

• Restricting data flows through zone boundaries
• Direct communications vs. servers in DMZ
• File transfer server vs. removable media
• File transfer through remote management connections
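
An added example, not from the original slides: a small audit of observed flows against a zone-and-conduit policy in which business and production may only meet at servers in the DMZ and the isolated safety zone has no network conduit at all. The zone names, subnets, policy and flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): subnets are illustrative, not from the slides.
ZONES = {
    "business":   ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "production": ipaddress.ip_network("10.30.0.0/16"),
    "safety":     ipaddress.ip_network("10.40.0.0/24"),  # isolated zone
}

# Assumed conduit policy: the only zone pairs allowed to cross a boundary.
ALLOWED_CONDUITS = {("business", "dmz"), ("dmz", "business"),
                    ("production", "dmz"), ("dmz", "production")}

def zone_of(addr):
    """Map an IP address to its zone name, or 'unknown' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return (flow, reason) for each flow that violates the conduit policy."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # intra-zone traffic never crosses a boundary
        if "unknown" in (sz, dz):
            reason = "endpoint outside any defined zone"
        elif "safety" in (sz, dz):
            reason = "isolated zone must have no network conduit"
        elif (sz, dz) not in ALLOWED_CONDUITS:
            reason = f"direct {sz}->{dz} flow bypasses DMZ"
        else:
            continue  # crosses a boundary through an allowed conduit
        findings.append(((src, dst, port), reason))
    return findings

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.30.1.5", "10.20.0.10", 443),   # production -> DMZ server
    ("10.10.4.7", "10.20.0.10", 443),   # business -> DMZ server
    ("10.10.4.7", "10.30.1.5", 3389),   # business -> production, direct
    ("10.30.2.9", "10.40.0.3", 502),    # production -> safety zone
    ("10.30.1.5", "10.30.1.6", 44818),  # inside production
    ("192.0.2.8", "10.30.1.5", 22),     # source in no defined zone
]
```
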

Page 13: Practical Approaches to Securely Integrating Business and Production

Monitoring

• Malware checking
• Ingress/egress filtering
• Continuous monitoring vs. human interaction
• Push vs. pull of monitoring data
• Legacy equipment
• HIDS/NIDS
• Non-networked equipment

Page 14: Practical Approaches to Securely Integrating Business and Production

People Will Get Things Done

• One way or another, people will get their job done
• Security can’t be seen as an impediment to that
• Provide methods that work easily, but are more secure

Page 15: Practical Approaches to Securely Integrating Business and Production

POTENTIAL SOLUTIONS

Page 16: Practical Approaches to Securely Integrating Business and Production

Engineering User

Page 17: Practical Approaches to Securely Integrating Business and Production

File Transfer

Page 18: Practical Approaches to Securely Integrating Business and Production

Administrator User – Patch Management

Page 19: Practical Approaches to Securely Integrating Business and Production

Remote Maintenance

Page 20: Practical Approaches to Securely Integrating Business and Production

Historian Replication

Page 21: Practical Approaches to Securely Integrating Business and Production

Domain Controllers

Page 22: Practical Approaches to Securely Integrating Business and Production

Web Access – License Activation Server

Page 23: Practical Approaches to Securely Integrating Business and Production

SUMMARY

Page 24: Practical Approaches to Securely Integrating Business and Production

Summary

• There are benefits to connecting business and production networks
• There are a variety of things that need to be considered when connecting business and production networks
• There are practical solutions for security

Page 25: Practical Approaches to Securely Integrating Business and Production

Questions

Page 26: Practical Approaches to Securely Integrating Business and Production


Thank You for Attending!

Enjoy the rest of the conference.

