An unusual, very personal letter from John S. Rinaldi to Plant Floor Engineers…
Discover the ONE and ONLY ONE Machine Security Architecture That Restricts Authorized Traffic to Authorized Requests, Preserves Lockdown and Uses the Ethernet Devices You Have On The Floor Today!
The threats and risks to your factory floor are enormous and increasing every day.
Management is worried. IT doesn’t know what to do.
And all you’re getting is overly complicated, horribly expensive and wholly impractical solutions from the so-called “leading” vendors.
I’VE LIVED THE LIFE OF A PLANT ENGINEER
My name is John S. Rinaldi and I started working on control systems when adding a connection meant pulling wires and terminating them at a rack-mounted PLC card. My hair, my 32-inch waistline and direct PLC connections are all gone forever.
For 30 years, I’ve been working alongside control engineers across the U.S. and Canada. Along the way, I managed to write 5 books, spoke at an unknown number of trade events and authored hundreds of articles on industrial automation.
WHAT THEY AREN’T TELLING YOU ABOUT CYBERSECURITY
I’m writing this because those “leading” vendors aren’t telling you that there is a security architecture where you can be absolutely certain that your subnet or machine is fully protected.
Protected from unauthorized staff access, from usually non-malicious vendors and contractors, from disgruntled employees and from the hackers who’ve compromised credentials on the plant network.
We’re talking about an architecture here, not a product. It’s an architecture those leading vendors would prefer you don’t know about. If you read the rest of this letter, you’ll learn three concepts absolutely critical to the cybersecurity of your factory floor:
UNFORTUNATELY, THE THREAT IS REAL
In my thirty years, I’ve never seen a time like today. And I don’t like a lot of what I see. Especially the ineffective mechanisms for securing a manufacturing control system.
Like it or not, the cybersecurity threat is real. Ask Chrysler, US Steel, that Florida water utility or the people at Colonial Pipeline – the list is long and growing. The list of companies that haven’t been attacked is far shorter. A lot of manufacturers think they’re on that list, but most don’t even know they’ve already been penetrated.
It’s a really hard problem for you plant floor guys to solve. You only have so much time and there’s a lot of IT jargon and lots of vendors blowing a lot of smoke and proposing a lot of complicated solutions.
I’m here to cut through all that bull****. If you’ll read on, I’ll explain.
CYBERSECURITY IS COMPLICATED – LET ME SIMPLIFY THINGS FOR YOU
I’ve looked at all the different architectures for securing control systems, devices, machines, networks and cells. I’ve classified them into four different types of architectures.
#1 Passive Network Monitoring – Monitor the traffic. Look for anomalies. Send an alert. It’s like finding this note from your neighbor: “Just wanted to let you know I think I saw somebody breaking into your garage last night while you were sleeping.”
In a word it’s INEFFECTIVE.
#2 Infrastructure Security – Build security right into the components of your network infrastructure. Add special devices to encrypt all your traffic.
It adds latency, overhead and cost. It’s UNWORKABLE.
#3 Device Security – Put a security chip or software into each and every device on your network. The Googles, Amazons and Intels all love the idea that you’ll be paying them for every sensor and actuator in your plant. Or you can use software. ODVA and Rockwell are pushing CIP Security™.
The biggest problem with device security is lockdown and management. With device security you lose the ability to do lockdowns because you’ll have to upgrade devices to the latest software all the time. And just who is operationally going to manage all the certificates, security configurations and security updates? And don’t ask about the device replacement nightmare.
I’ll be in trouble with the ODVA and Rockwell for saying this but CIP Security is IMPRACTICAL.
#4 PERIMETER SECURITY – THE APPROACH THAT REALLY WORKS
Perimeter security is conceptually pretty simple: you put a box around the resource you want to protect (subnet, machine, cell, etc.) and you restrict traffic to that protected resource through ONE AND ONLY ONE connection to your plant network and the internet.
You restrict traffic over that connection to authorized traffic making authorized requests. You block traffic from unauthorized devices. You even block traffic from authorized sources making unauthorized requests.
THE ADVANTAGE MANUFACTURING HAS OVER IT
Perimeter security is effective because unlike the plant network, you know every single authorized request that should be passed over that connection.
In the IT world, traffic changes minute by minute and hour by hour. IT has to secure its networks by constantly looking for messages that match a threat profile. Security in the IT world is difficult and problematic.
The advantage we have in manufacturing is that we know what traffic to expect. We know that the quality application monitors 17 tags in the Logix PLC, the maintenance app pulls motor cycle data from the ABB drives and the recipe manager sends recipe data to all the PLCs once per day.
With perimeter security, you can restrict those apps to those specific requests and only those specific requests. You can eliminate all other access to your protected resource.
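The three outcomes the letter describes (unauthorized source blocked, authorized source making an unauthorized request blocked, authorized request passed) can be made concrete as a per-source request allowlist. The following is an added illustration, not code from RTA or Dynics; the addresses, tag names and CIP service names are constructed, and the policy is modelled on the quality, maintenance and recipe apps mentioned above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str       # plant-network address of the requester
    dst: str       # protected PLC behind the perimeter device
    service: str   # CIP service as a deep-packet-inspection engine would decode it
    tag: str       # controller tag the service targets


# Constructed allowlist modelled on the letter's three apps. Each source may
# issue only the (service, tag) pairs listed for it; everything else is denied.
QUALITY_TAGS = tuple(f"Quality_{i:02d}" for i in range(1, 18))   # the "17 tags"
POLICY = {
    "10.1.0.10": {("Read_Tag", t) for t in QUALITY_TAGS},          # quality app
    "10.1.0.20": {("Read_Tag", "Drive_MotorCycles")},              # maintenance app
    "10.1.0.30": {("Write_Tag", "Recipe_Data")},                   # recipe manager
}
PROTECTED = {"192.168.50.5"}   # constructed PLC address behind the perimeter


def decide(req: Request) -> tuple[str, str]:
    """Return (verdict, reason) for one request crossing the perimeter."""
    if req.dst not in PROTECTED:
        return "DENY", "destination not behind this perimeter"
    allowed = POLICY.get(req.src)
    if allowed is None:
        return "DENY", "unauthorized source"            # unknown device, stolen creds or not
    if (req.service, req.tag) not in allowed:
        return "DENY", "authorized source, unauthorized request"
    return "ALLOW", "authorized source making an authorized request"


def filter_requests(reqs):
    """Evaluate a batch of requests and return the verdicts, in order."""
    return [decide(r)[0] for r in reqs]


# Constructed sample traffic: one of each case the letter describes.
SAMPLE = [
    Request("10.1.0.10", "192.168.50.5", "Read_Tag", "Quality_05"),     # allowed
    Request("10.1.0.10", "192.168.50.5", "Write_Tag", "Quality_05"),    # right app, wrong service
    Request("10.1.0.20", "192.168.50.5", "Read_Tag", "Recipe_Data"),    # right app, wrong tag
    Request("10.1.0.99", "192.168.50.5", "Read_Tag", "Quality_05"),     # unknown laptop
    Request("10.1.0.30", "192.168.50.5", "Write_Tag", "Recipe_Data"),   # allowed
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.src, r.service, r.tag, *decide(r))
```

Note that the policy never consults a login: a requester holding valid plant-network credentials but sitting at an unlisted address, or sending a service the list does not name, is still denied.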
MAKE LOCKDOWN GREAT AGAIN!
Perimeter security offers many advantages including no message latency, no overhead to the controls network and no impact on any control network device. But the biggest advantage of all is lockdown.
Lockdown means that once you check out a cell, machine or line, you can freeze the software and never be forced to upgrade software in any plant floor device. Plus:
There’s NO impact on your operations team.
There’s NO changes to any device you are using today.
There’s NO extra management resources required.
Lockdown is the gold standard for efficiently managing a production process. Perimeter security makes that viable again.
ELIMINATE YOUR RISK FROM NAT AND REMOTE ACCESS
Perimeter security can eliminate your risk from attacks using your Network Address Translation (NAT) and Remote Access (RA) connections. It’s little known among a lot of control engineers, but NAT and RA invite attackers into your control system. If you’re going to do unsecured NAT and RA, you might as well put out milk and cookies for the attackers like you do for Santa Claus.
With the proliferation of phishing scams, you have to assume that someone, somewhere in your organization has unwittingly and unknowingly provided an attacker with credentials to surf your company network (Yup – that’s paranoid but being paranoid is a good prerequisite for securing your manufacturing system).
That means that NAT and/or RA are threats. If hackers have the credentials for your plant network, it’s only a matter of time before they find an unsecured NAT address or get RA credentials and jump into your control network.
And then, there’s absolutely nothing they can’t see and nothing they can’t access. Perimeter security is the architecture you can use to mitigate this threat.
IMPLEMENTING PERIMETER SECURITY – THAT’S THE QUESTION
Forcing all the traffic in and out of a machine, device or cell, through one and only one connection guarded by a perimeter security device is the only way to protect yourself from today’s threats.
With perimeter security, you can stop not only outside attackers but the undertrained employee, the rogue employee, and the malicious vendor or contractor from accessing your critical production systems.
Over the last two years, I came to realize that RTA customers were facing these problems every day and were uninformed and sometimes misled about both the scope of the cybersecurity problem and the available solutions.
I decided that I needed to find the best perimeter security device in the industry and provide it to our customers. I studied a number of them. Some were from well-known, leading industrial vendors while others were from smaller, innovative firms.
My study made it clear that the absolute best of the bunch is the ICS-Defender from Dynics – a small cybersecurity company in Ann Arbor, Michigan.
WHY WE SELECTED THE ICS-DEFENDER
I decided to offer the ICS-Defender to my best customers for a long list of reasons and these three key ones:
Its Rich Set of Important Features – There’s virtually no security task that ICS-Defender can’t do. No other product can match the feature list of ICS-Defender. Its basic features include a stateful firewall, a simple NAT and client/server SSL VPN to support RA. On top of that, you get a Syslog interface, captive portal, DHCP server, authentication using your Active Directory server, a connection to the FactoryTalk™ AssetCentre, a full suite of debug utilities and a real time deep packet inspection engine capable of processing 10,000 packets per second.
It’s Built by Control Engineers for Control Engineers – The principal designers behind the product were long time control engineers who really understand the issues facing control engineers day in and day out.
It’s Proven Technology – U.S. Cyber Command and the Department of Energy invited over 20 cybersecurity product vendors to defend “Pemberton Mill,” a simulated production facility. They had two hours to prepare defenses, after which a team of military white-hat professional hackers attacked it from all over the world with everything they had. ICS-Defender was one of only a few products to successfully defend the mill and was recognized as an approved cybersecurity product.
IT’S NOT AN INSIGNIFICANT INVESTMENT
It does more than a router so it costs more than a router.
It does more than a switch so it costs more than a switch.
But hey, first you’ll replace your current NAT device with ICS-Defender. Then you’ll replace your Remote Access device with that ICS-Defender. You’ll probably eliminate a card or two from your Logix PLC and maybe some other equipment. And over time as you use more and more of that platform, you’ll realize that you’re saving money using it.
That’s exactly what Brian found when he started using ICS-Defender:
Like Brian, most users start with the secure NAT replacement using the simple NAT Wizard. Then they implement remote access or use it as a firewall between the local and plant IT networks. Eventually, they grow (with no hardware changes) into the more advanced platforms with Intrusion Protection, Deep Packet Inspection, the FactoryTalk™ AssetCentre connection, Captive Portal and all the rest.
A recent study by Frost & Sullivan of Asia-Pacific manufacturing organizations, commissioned by Microsoft, found an average estimated loss of $10.7 million per data breach in a manufacturing organization. Even if that’s just half that for lost production, overtime and mitigation expenses, you’d get almost a 1000x return on your investment.
Even if you’re never attacked, Defender pays for itself by replacing multiple other devices. If it prevents a single mistake by an undertrained employee, a single malicious change by a rogue employee or a non-malicious introduction of malware from a vendor, you’ll be way ahead if you consider the overtime, cleanup issues, lost production and lost customer confidence.
THE THREE ICS-DEFENDER SOFTWARE LICENSES
There are three versions of the platform that I’m making available to selected plant floor engineers on the RTA mailing list:
THE ICS-DEFENDER NAT/RA is the entry-level security appliance. It’s three products in one: a Network Address Translation server, a Remote Access Secure SSL VPN client/server, and a router with a stateful firewall that you can use to firewall a device, subnet, machine or manufacturing cell.
THE ICS-DEFENDER LITE/DPI includes all the features of the NAT/RA plus an additional layer of protection for your Allen-Bradley PLCs. With the Deep Packet Inspection engine, you can authorize only specific CIP commands and secure your PLC from unauthorized access and remote attackers.
THE ICS-DEFENDER PRO is the full featured version of the ICS-Defender product line. With its large assortment of additional features, it’s what every security professional needs to secure critical Allen-Bradley PLC-based infrastructure.
Click any of those links to get to the BUY NOW button but before you do:
GET A SPECIAL BONUS FROM MY FRIEND SHAWN TIERNEY
My good friend Shawn Tierney at www.theautomationschool.com has generously made available a limited set of credits for his ControlLogix and CompactLogix training. Purchase any ICS-Defender and you’ll get one of these two award-winning training courses free from Shawn’s PLC Training School. That’s a $500 bonus!
Just remember, Shawn has only given us a limited supply of these credits and when they’re gone, they’re gone.
OF COURSE, I’M GUARANTEEING IT
When you purchase an ICS-Defender from RTA, you’ll get a 30-day, unconditional, no-questions-asked guarantee and a three-year warranty. If the unit doesn’t work for you, if you don’t like the configuration screens, the dashboard…anything and everything, return it and get a full, 100% refund.
And you can keep the training school credits.
WHAT TO DO NEXT
I’ve done all the hard work for you.
I’ve found the architecture, perimeter security, that makes the most sense to secure a subnet, a machine or work cell.
I’ve evaluated a bunch of devices and found what I believe to be the very best device to implement perimeter security.
So right now… you have a decision to make. Are you going to fail to address the threats to your plant floor equipment or are you going to purchase and evaluate a security platform that can fully secure your controls equipment and grow with you in the future?
If you’re not prepared to fully secure your manufacturing system, I wish you Godspeed and hope we’ll remain friends.
However, if you ARE ready to fully secure your manufacturing system… and you want to make sure that you have only authorized users performing authorized tasks you should:
I’m looking forward to working with you!
Stay Cyber Secure,
John S. Rinaldi
P.S.: If you’re serious about preventing access by undertrained staff, rogue employees, malicious and non-malicious vendors and actual hackers… this is going to be a decision you won’t regret.