While companies are tapping into the opportunities that the Industrial Internet of Things (IIoT) has to offer, digitalization has become a key initiative for industries. Digitalization has allowed the industrial control system (ICS) landscape to develop quickly in recent years. Originally, ICS networks were physically isolated and almost immune to cyberattacks. However, recently, there has been a rise in the sophistication of cyber attacks, which has prompted everyone from IT to OT personnel to produce solutions that enhance industrial cybersecurity. Thus, understanding industrial cybersecurity requirements will help companies mitigate cybersecurity risks. Read on to learn more.

Debunk Industrial Cybersecurity Myths



There are some myths about industrial cybersecurity that may put your facilities and businesses at risk. Watch the video to learn how to debunk the myths and build defense-in-depth security for your industrial networks to ensure continuous operations and the safety of personnel.






Vast Differences Between IT and OT

IT IT OT OT

No. 1 Priority

Confidentiality

Availability

Focus

Data integrity is key

Control processes cannot tolerate downtime

Protection Target

Windows computers, servers

Industrial legacy devices, barcode readers

Environmental Conditions

Air-conditioned

Extreme temperatures, vibrations and shocks

Checklist for Your Industrial Cybersecurity

You can use the checklist below to make sure you do not forgot any of the defense-in-depth security measures and select solutions that fit your needs.

  • Secure Devices

    Secure Devices


  • Secure Network Infrastructure

    Secure Network Infrastructure


  • Security Management

    Security Management


Device Security Solution

To enhance our Device Security, Moxa has identified a big set of cybersecurity features based on the component requirements of IEC 62443. The set of security features have been implemented in a wide portfolio of devices, including Secure Routers, Rackmount Switches, EDS-500E series DIN Rail Switches, select models of Device Sever, and Protocol Gateways.

Prevent Intrusions and Attacks

To prevent network intrusions and attacks, it is essential to have a good access control mechanism in place that can identify, authenticate, and authorize users. Moxa’s network devices support user account management, password policy, and authentication interface management features that meet the technical security requirements of the IEC 62443 standard.

  • Operators can use these features to create user accounts and roles, grant different access privileges, and manage access to devices across networks
  • Authentication with IEEE 802.1x, RADIUS, TACACS+ and MAB(MAC Address bypass) helps devices that do not support IEEE 802.1x for easy management.
  • Port security with Static Lock helps to block hackers and careless usage. MAC address sticky can auto learn the device MAC without manual typing. ACL(Assess Control List) Provide network security by controlling access to devices.
  • Provide DoS Defense Capability by disable unencrypted and unused interfaces (e.g. HTTP, Telnet) and Limits the maximum login users to prevent device overload with superfluous requests

Protect Sensitive Data

Moxa’s devices support advanced HTTPS/SSH features, which provide a secure channel for data transfer over unsecure networks ensuring reliable processing and retrieval of data. To protect data from being stolen or corrupted, Moxa provides functions such as SNMP password encryption and network configuration encryption, which ensure the highest level of protection for your network devices.

The NPort 6000 secure servers use SSL to implement secure data transmission for Secure TCP Server, Secure TCP Client, Secure Pair Connection, and Secure Real COM modes.. The NPort’s drivers follow the SSL standard and automatically negotiate the encryption key. To prevent hacker attacks, the NPort will automatically switch from DES/3DES to AES encryption for highly secure data transmissions.


Track Network Events

Your cybersecurity journey does not end when your network security solution is up and running. You must constantly monitor your networks and audit network events for potential threats. Although it is quite difficult to detect breaches in real time, security event logs can help you identify the source of the issue. Information from these data logs can be used to track network activities, analyze potential threats, or identify devices that are incorrectly configured, which you can then use to disconnect user access, delete user accounts, or restart devices.


Security Network Solution

Industrial Control System (ICS) networks used to be isolated and used air-gap protection to keep secure networks separate from unsecured networks. Even though industrial networks are continuing to connect more devices, most OT operators still rarely take cybersecurity defense into consideration. Due to the number of cyberattacks targeting the critical manufacturing sector, it is clear that ICS networks are at high risk of attack.


network-segmentation-for-zone-and-cell-protection

Segment networks to secure communications between components in different automation zones and cells.
Click here to view the security architecure

Network Segmentation for Zone and Cell Protection

The defense-in-depth security architecture divides the ICS network into protected individual zones and cells. The communication in each zone or cell is secured by firewalls, which further reduces the chance that the entire ICS network will fall victim to a cyberattack. Moxa's EDR Series consists of industrial secure routers that help operators provide zone and cell protection by using a transparent firewall that protects control networks and critical devices such as PLCs and RTUs against unauthorized access. By using this solution, there is no need to reconfigure network settings, which makes deployment faster and easier. The EDR-810 Series supports Moxa’s Turbo Ring redundancy technologies, which makes the deployment of network segmentation more flexible and economical. Moreover, Moxa’s Ethernet switches can create a virtual LAN (VLAN) to decompose each of the ICS domains into smaller networks that isolate traffic from other VLANs.

Learn How to Choose the Right Industrial Firewall: The Top 7 Considerations


traffic-control-for-zones-interacting

Identify and scrutinize traffic between zones within the ICS network. View the security architecture here.

Traffic Control for Interaction Between Zones

Traffic passing between zones in an ICS network must be scrutinized in order to enhance security. There are several ways to implement this. One method is to have data exchanged via a DMZ, where the data server is accessible between the secure ICS network and insecure networks without a direct connection. Moxa's EDR-G903 Series can help achieve secure traffic control by utilizing user-specific firewall rules. The second method is for the EDR routers to perform deep Modbus TCP inspection by using PacketGuard to control actions and enhance traffic control. This method simplifies administration tasks and can protect against unwanted traffic from one network to another. In addition to firewalls, an Access Control List can be used to filter switches’ ingress packets by IP address or local IP, which allows network administrators to secure networks by controlling access to devices or parts of the network.


secure-remote-access-to-the-ics-network

Secure remote access to the ICS Network.
View the security architecture here.

Secure Remote Access to the ICS Network

There are currently two solutions available to deal with the main requirements for secure remote access to applications. For constant connections, standard VPN tunnels are recommended. Moxa's EDR Series can use IPsec, L2TP over IPsec, or OpenVPN to set up encrypted IPsec VPN tunnels or OpenVPN clients. These methods protect data from being manipulated when it is being transmitted and ensure secure remote access between industrial networks and remote applications. Alternatively, if remote access is only required to be accessible on demand to specific machines or sensitive areas, then a management platform for all remote connections is required.


Security Management Solution

As ICS networks keep expanding and more networks continue to converge, it is important to understand the benefits of the defense-in-depth approach when designing security architecture. However, having cybersecurity building blocks deployed in an ICS network is not sufficient to completely protect critical assets from unauthorized access. According to a report published by ICS-CERT, a sound security management model should include the following stages:


  • Identify and secure network connections in the ICS
  • Harden network devices
  • Manage the human factor
  • Continually monitor and assess the network's security status
  • Respond to incidents and get networks back to normal operation quickly

Those with malicious intent can still access the secure network if individuals who use the ICS network do not adhere to the security management model. In order to guarantee that the network has not been compromised, check if the ICS network is following the management principles and ensure that all users have read the guidelines to ensure a more secure ICS network.

MXconfig’s Security Wizard Saves You Time and Effort for Security-Related Parameter Setup



User-Friendly Security Management

  • Security Status at a Glance

    MXview's Security View visualizes the security parameters of your network devices and shows their status on a single page.


  • Security Setup in 3 Steps

    MXconfig helps you configure your network to meet established industrial standards in just three steps.


  • Fast Security Monitoring


    MXview and MXconfig tools help both general industrial users and security experts efficiently manage device security levels on their networks.

Case Studies

With over 30 years of experience in industrial networking, Moxa draws on this expertise to help customers build secure networks by offering protection for PLCs, SCADA systems, factory networks, and remote access. Download the case studies to learn more.

  • Protect PLCs and SCADA
  • Protect Factory Networks
  • Secure Remote Access

Customer: Oil & Gas Service Company

Challenges

High-capacity oil and gas pipelines are very volatile and often span thousands of kilometers. The pump stations along the pipeline are equipped with analyzers and PLCs. The company found it challenging to maintain a secure and stable network connection between the stations and the remote SCADA system because the PLCs and I/O devices did not have any security features.

Customer: Automotive Parts Plant

Challenges

An automotive parts plant manager planned to digitalize their production processes. The field devices run on the EtherNet/IP protocol for control unification and data acquisition. As the network infrastructure in this plant is on a large scale, it is very difficult for the plant manager to monitor all devices and visualize the network topologies. In addition, to realize digitization, all networks are interconnected from the field site all the way to the ERP and even to the cloud. It is essential to have good cybersecurity measures to allow this transformation to occur, without compromising production efficiency.

Customer: CNC Machine Builder

Challenges

Maximizing network uptime enhances machine productivity. Therefore, a leading manufacturer of mechanical power presses needed to provide a timelier and more efficient after-sales service in order to ensure improved machine performance and effective troubleshooting. At first, the machine builder adopted Windows-based Remote Desktop Control (RDC) technology, but security risks and additional costs came at a high price. Furthermore, the Windows-based computer by itself is susceptible to security risks, and the possibility of attacks increases even more when the computer connects to the Internet.

Why Moxa

To close the gap between the OT and IT worlds, Moxa offers coordinated solutions that are designed to completely protect your industrial networks.

  • Defense-in-Depth Cybersecurity

    Moxa’s product portfolio is based on the defense-in-depth concept that includes secure devices, secure network infrastructure, and security management.

  • Continuously Enhancing Security

    Moxa takes a proactive approach to protect our products from security vulnerabilities and help our customers better manage security risks.

  • Development for IT/OT Security

    Moxa has partnered with Trend Micro to respond to the growing security needs of industries as well as the security demands from IT/OT personnel.

Contact ECS

Your local NZ Moxa distributor and partner for more than 20 years.

ECS is an Official NZ Moxa Distributor and part of the Moxa Technical College, with certified, in-house specialists. As an official NZ distributor, ECS has Moxa Certified Engineers who are fully trained and accredited to assist with network design and complete installation support for your project.

Please fill out our online form.