Viewing a System with NMS

Tuesday, September 22, 2015 @ 02:09 PM gHale

By Heather MacKenzie and Mark Cooksley
Do you have a visual map of your Ethernet communications infrastructure? Can you quickly tell which links are up and which are down on your network? Do you know when a rogue device is added? Do you know which devices and protocols are locked down from a security perspective?

If not, it’s time to find out about network management software (NMS). Not only can it save you time with tasks like configuring multiple devices, it is a very important cyber security tool.

How to Start Up ICS Security
IT, OT Must Adapt for IoT: Experts Share How
Duqu 2.0: Defend Against APTs
Industrial Security: A CEO’s Perspective

In many industrial facilities Ethernet networks are growing and changing quickly and it is increasingly difficult to manage and secure them. A NMS designed for automation environments will likely make your engineering team more efficient. It will also improve the security of your network. What’s not to like about that?

Easy Network Monitoring
Some of the core capabilities NMS provides:
• A visual map of the industrial Ethernet network
• The ability to configure multiple devices at once

Leading industrial NMS products are able to detect and diagram all SNMP-enabled devices. The network topology is automatically recognized and accurately visualized, including unmanaged switches and hubs. Furthermore, whenever a new device adds in, an alert can end up generated.

Knowing what you have on your network and knowing when something changes is a basic security control. However, with networks that have grown quickly or where people are used to using local workstations to manage production cells, this capability is often missing.

NMS also provides the ability to configure devices simultaneously across a network, even when they’re in operation. This not only saves time but ensures consistency. A large industrial network of greater than 1,000 nodes was able to dramatically reduce configuration time and network audit time by using NMS.

Assigning Roles
To prevent unauthorized or inappropriate access to devices and their settings, good NMS should have user roles and individual user logins. This improves overall network security.

Having the logins work with single sign-on technology, such as Active Directory or RADIUS adds to ease-of-use and is administratively efficient.

Once users are identifiable, the next step is to track what they do on the network. The resulting audit trail can be written to third party programs such as the Windows event log or the Linux syslog for overall logging cohesiveness.

Security Hardening
Industrial networks are often poor at detecting cyber incidents. Stabilizing configurations and generating alerts when configurations change or when rogue devices are added to the network improves security and availability.

NMS directly improves security if they include security lockdown features. For example, making it easy to “lockdown” settings such as disabling unused slots and restricting management access to multiple devices at a time.

A security status screen that provides a quick and clear overview of areas of “security concern” helps you be proactive about possible security issues. This includes things such as default passwords, unsecure protocols available, open and unused active ports etc.

Another area of hardening is to monitor MAC/IP address pairs. In TCP/IP communications, each device must have a unique source MAC address and source IP address. Many firewall rules are based on a source IP address.

A typical technique used to circumvent firewall rules is to use the source IP address of a permitted device to communicate with other devices (“address spoofing”). This can be detected by the NMS regularly checking MAC/IP address pairs. If a source IP address is seen together with a different source MAC address, an alarm is generated.

Mobile Access
Nowadays everyone wants the flexibility to check in on key aspects of work while moving around a facility or offsite. Thus, when evaluating NMS products, be sure to find one that includes mobile access. Being able to refer to a graphical map of the network on your smartphone or tablet is handy.

It’s also useful to be able to check the connection status of links, including speed, duplex, medium and VLANs. If you are in the pipeline industry or part of a SCADA operation you might also want to see the GPS coordinates of devices.

Keep in mind security features for mobile devices. Access should be password protected and the status of devices should be viewable but not changeable from the mobile application.

Network management software improves network availability and engineering productivity plus it enhances system security. As your network continues to expand and become more complex, review your cyber security risk assessment and think about how a NMS could improve your defenses.

Heather MacKenzie is with Tofino Security, a Belden company. Mark Cooksley is a product manager with Hirschmann Automation and Control and an expert on industrial cyber security. Click here to view Heather’s blog.