Imagine waking up in the middle of the night wondering what would happen if someone, at that moment, was in your corporate network. Visions of some teenager in a hoodie crouched over a laptop posting your intellectual property on a forum somewhere or putting your employee data up for auction somewhere in the “Dark Net”. It is an uncomfortable thought and possibly a good reminder that network security risks need to be managed.
Network Security, from the start, is a misnomer. No network is truly ever completely “secure” as long as it is being used by people. Security exists along a continuum from a completely open network to a network that is tightly limited to allow ONLY certain tasks. There is friction within many companies when the IT department tries to clamp down on a type of activity within the corporate network. The general perception is that the IT department is inhibiting the network from being useable while the IT department feels responsible for the overall performance and security of the network. This conflict is generally manageable by segmenting the network into smaller pieces based on the function of each piece. But first, before discussing network technology, let’s look at the most basic types of networks and the risks that they present.
Network 1 – The Corporate Network
This is the classic network we always think of because just about every company has one. This type of network is populated primarily by PCs, Printers, and a variety of application and storage servers. All corporate finances, legal matters, intellectual property and personnel records are stored here. An intrusion here is a risk to company data – either stored data or data in transit.
Network 2 – The Industrial Network (including Security Systems Networks)
The industrial network is a network of static devices that keep a business running. Some examples would be a SCADA network for running a sewage treatment plant, a network of security cameras and access control devices, a building automation network that manages lighting and climate control, or an industrial network that manages conveyor belts and cooling systems for a plant. The risk in an industrial network is to the devices and processes that keep the business running.
The difference between these two types of networks is quite clear and is a good place to start thinking about what risk your company needs to manage and what type of planning will be required to manage that risk. Almost all companies have a Corporate Network which contains financial data, personal records of employees, intellectual property and company communications. All of this data exists in two forms – data “at rest” in a stored format and data that is “in transit”. The first simple steps are to break this data into blocks based on their function so that only HR has access to employee records, accountants have access to financial data and so on. This, on its own, is not enough to protect the data from an internal breach – either intentional or not. Security has to always be thought of in terms of assuming that a breach will occur and providing a second or third barrier and a warning that an intrusion has occurred. Secondly, since a file can be copied in a fraction of a second, a corporate network should include encryption for the stored data and, in some cases, encryption for the data in transit. A network security professional working in this environment will provide advice on limiting access to data, encryption techniques, backup policies and a variety of tools and training for limiting risky behavior by employees.
They will also, in some cases, advise the use of specialized network monitoring tools that are used to detect an intrusion and provide a log of any unauthorized activities on the network.
The industrial network is a completely different animal. This network has traditionally been protected by an “air gap”. As long as no one can physically reach the network there is no risk. For better or worse, our culture has shifted to assuming that access to data is a form of efficiency and this attitude has quickly diminished the possibility of an “air gap” in most systems. An example of this is the director of security that wants 24/7 access to the security system from his smart phone. If you DO believe that an air gap is a possibility in your network, keep in mind that any time a foreign device is plugged into the network, be it a USB stick or a technician’s laptop, the air gap is broken. The concept of an air gap is no longer considered to be, on its own, a legitimate form of network security.
The risk posed to an industrial network is to the devices on the network and the processes that those devices manage and monitor. The risk of cameras being compromised might seem relatively benign – you could lose recording of your video or someone could have access to viewing the cameras. But there have been recent cases of large scale hacking of cameras where the compromised cameras (25,000 of them) were used to mount distributed denial of service (DDoS) attacks on completely unrelated companies (1). The implications of an intrusion into other types of industrial networks can be even more disturbing – consider an attack on the power grid, a city traffic management system or a water supply. Suffice it to say, security needs to be built into the industrial and security network.
Like the corporate network, this type of security is also achieved by segmenting the system into distinct zones based on purpose. This segmenting is then augmented by “locking” devices to a port and creating restrictions on what data can be passed between ports within each segment of the network. The goal of this is to make it extremely difficult for an intrusion to occur without inside knowledge of the system or a great deal of expertise. Since the possibility of an intrusion has such drastic implications, there are also some combinations of additional steps to detect an intrusion, block certain activities and record all unusual activity on the network.
A network security professional who works in this environment will have experience with the network protocols used by industrial networks and will be focused on limiting the traffic on the network to what is required by those systems.
In closing, think for a moment about the coming “Internet of Things” (IoT). If you have not already had your sleepless night thinking about the security of your network, then the IoT, in which all devices are networked, may be a source of concern! The solution is to understand your risk and plan a mitigation strategy. Know where your corporate data and assets are located on the security continuum.
If you’d like more information on Network Security we would be happy to hear from you. We can be reached at 905-990-4845 or firstname.lastname@example.org
Fancom Communications Engineering is the first step in assessing, planning and implementing or changing your secure network structure before intrusions happen! Contact us today to discuss.
(1) IoT botnet: 25,513 CCTV cameras used in crushing DDoS attacks
Ms. Smith; Network World; Jun 28, 2016