The need for network security only increases with time. As the Internet of Things becomes mainstream, new challenges are added to what was already a complex subject. It is necessary to understand potential security issues on both the physical and application sides. A security plan must address not only unauthorized access to a network, but also actions that could degrade performance or disable a network entirely, such as a maliciously induced broadcast storm.
Phase 1 – Assess security and performance needs and deploy equipment
The first step is to identify and rank possible issues and risks. This includes not only analyzing the physical infrastructure, but also the processes and company policies through which humans interact with that infrastructure. Assessment should also consider the value of the information assets involved. Typically, high-value assets are located in the core layer of a network, while assets of medium and low value are in the collection and access layers, respectively. Unused backbone connections and unattended equipment rooms are examples of risks to high-value assets. Controls to deploy against these risks include:
- Door sensors and locks
- Cable loop protection
- Port authentication (802.1X with RADIUS)
- Device management (TACACS+)
- MAC whitelist
- BPDU Guard
- Factory firewall between IT and OT
Phase 2 – Detection; identify and record attacks
Network logging and monitoring systems should allow the company to monitor unauthorized data transfers and unauthorized attempts to access the network. The detection system should include detailed alerts and scheduled reports. Events to log and alert on include:
- Switch login Fail/Success
- 802.1x Fail/Success
- TACACS+ Fail/Success
- Cable loops
- Broadcast storms
- Port abnormally down
Phase 3 – Recovery; Detect damage and bring the system to a safe state
The most important goal of recovery in instances of breaches or attacks is the protection of information assets. Measures taken should be effective in stopping the attack while delivering minimal interruption to IT/OT operations.
Common system actions implemented in response to intrusions and attacks include:
- Setting a wait period of X minutes after Y successive failed logins.
- Disabling the network for a few minutes when a cable loop is detected.
- Disabling the network for a few minutes when a port storm is detected.
- Setting broadcast/multicast/unknown-unicast thresholds so that a port is blocked when its threshold is reached.
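The detection events listed under Phase 2 and the automatic responses listed under Phase 3 can be exercised together on a small set of constructed switch log lines. The following is an added example, not code from the original article or from any switch vendor; the "<timestamp> <host> <FACILITY>: <message>" log layout, the facility names (LOGIN, DOT1X, TACACS+, LOOP, STORM, LINK) and the sample lines are all assumptions made for the illustration. It applies the "Y failed logins within a window locks the account for X minutes" rule, blocks a port when a loop is reported or when the broadcast rate crosses a threshold, and keeps per-event counts for a scheduled report. It also flags a successful login that arrives while a lockout should still be in force, which is the kind of discrepancy a monitoring system should surface.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from any real device). The layout
# "<timestamp> <host> <FACILITY>: <message>" is an assumption for this example.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 sw-core-1 LOGIN: user admin from 10.0.5.20 FAILED",
    "2024-03-01T10:00:07 sw-core-1 LOGIN: user admin from 10.0.5.20 FAILED",
    "2024-03-01T10:00:12 sw-core-1 LOGIN: user admin from 10.0.5.20 FAILED",
    "2024-03-01T10:00:20 sw-core-1 LOGIN: user admin from 10.0.5.20 SUCCESS",
    "2024-03-01T10:01:00 sw-acc-3 DOT1X: port 1/7 mac 00:11:22:33:44:55 FAILED",
    "2024-03-01T10:01:30 sw-acc-3 TACACS+: user tech from 10.0.9.4 SUCCESS",
    "2024-03-01T10:02:00 sw-acc-3 LOOP: loop detected on port 1/12",
    "2024-03-01T10:02:05 sw-acc-3 STORM: port 1/12 broadcast 15000 pps",
    "2024-03-01T10:02:06 sw-acc-3 STORM: port 1/2 broadcast 300 pps",
    "2024-03-01T10:03:00 sw-acc-3 LINK: port 1/5 down",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>[A-Z0-9+]+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"user (?P<user>\S+) from (?P<src>\S+) (?P<result>FAILED|SUCCESS)")
PORT_RE = re.compile(r"port (?P<port>\S+)")
STORM_RE = re.compile(r"port (?P<port>\S+) (?P<kind>broadcast|multicast|unknown-unicast) (?P<pps>\d+) pps")


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
          "facility": m["facility"], "msg": m["msg"]}
    if ev["facility"] in ("LOGIN", "TACACS+"):
        lm = LOGIN_RE.search(ev["msg"])
        if lm:
            ev.update(lm.groupdict())
    elif ev["facility"] == "STORM":
        sm = STORM_RE.search(ev["msg"])
        if sm:
            ev.update(sm.groupdict())
            ev["pps"] = int(ev["pps"])
    else:
        pm = PORT_RE.search(ev["msg"])
        if pm:
            ev["port"] = pm["port"]
        if ev["facility"] == "DOT1X":
            ev["result"] = "FAILED" if "FAILED" in ev["msg"] else "SUCCESS"
    return ev


def analyze(lines, max_fails=3, fail_window=timedelta(minutes=2),
            lockout=timedelta(minutes=10), storm_threshold_pps=1000):
    """Run the detection rules over log lines. max_fails is the article's Y and
    lockout is its X minutes. Returns alerts, the response state (lockouts and
    blocked ports) and per-facility counts for a scheduled report."""
    fails = defaultdict(deque)   # (host, user, src) -> timestamps of recent failures
    lockouts = {}                # (host, user, src) -> datetime at which the lockout ends
    blocked_ports = set()        # (host, port) pairs the response rules would disable
    counts = defaultdict(int)    # "<facility>/<result>" -> number of events seen
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        fac, ts, host = ev["facility"], ev["ts"], ev["host"]
        counts[f"{fac}/{ev.get('result', 'EVENT')}"] += 1
        if fac in ("LOGIN", "TACACS+") and "user" in ev:
            key = (host, ev["user"], ev["src"])
            if ev["result"] == "FAILED":
                q = fails[key]
                q.append(ts)
                while q and ts - q[0] > fail_window:   # drop failures outside the window
                    q.popleft()
                if len(q) >= max_fails:
                    lockouts[key] = ts + lockout
                    q.clear()
                    alerts.append(f"{ts} {host}: {max_fails} failed logins for {ev['user']} "
                                  f"from {ev['src']}; locked out until {lockouts[key]}")
            else:
                until = lockouts.get(key)
                if until and ts < until:   # the switch should have rejected this login
                    alerts.append(f"{ts} {host}: successful login for {ev['user']} from "
                                  f"{ev['src']} during lockout; verify lockout is enforced")
                fails[key].clear()
        elif fac == "DOT1X" and ev.get("result") == "FAILED":
            alerts.append(f"{ts} {host}: 802.1X authentication failed on port {ev['port']}")
        elif fac == "LOOP":
            blocked_ports.add((host, ev["port"]))
            alerts.append(f"{ts} {host}: cable loop on port {ev['port']}; port blocked")
        elif fac == "STORM" and ev.get("pps", 0) >= storm_threshold_pps:
            blocked_ports.add((host, ev["port"]))
            alerts.append(f"{ts} {host}: {ev['kind']} storm on port {ev['port']} "
                          f"({ev['pps']} pps >= {storm_threshold_pps}); port blocked")
        elif fac == "LINK" and "down" in ev["msg"]:
            alerts.append(f"{ts} {host}: port {ev['port']} went down")
    return {"alerts": alerts, "lockouts": lockouts,
            "blocked_ports": blocked_ports, "counts": dict(counts)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for a in result["alerts"]:
        print("ALERT", a)
    print("REPORT", result["counts"])
```

The window of recent failures is kept per (host, user, source) so that a burst of failures from one source does not lock out every operator, while the counts dictionary is what a daily or weekly report would be built from. A production version would read from a syslog collector rather than a list and would act on the switch through its management interface rather than only recording the port in a set.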
Phase 4 – Remediation; Repair the site and strengthen protection through updates
Firmware updates and patches are critical elements of network security. Both firmware updates and patches are designed to quickly address potential security concerns. It is important to keep an inventory of the devices on your network, including OS types and versions, IP addresses and physical locations. Network utilities such as eVue can simplify the firmware upgrade process on networks with a large number of devices. It can automatically check the firmware version on detected switches, and upgrades can be made through cloud services.
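An inventory of the kind the paragraph describes (OS type and version, IP address, physical location per device) can be checked against a per-OS firmware baseline to produce an upgrade work list. The following is an added example, not code from the article or from the eVue utility; the device records, the OS names and the baseline versions are constructed for the illustration. It parses version strings into numeric tuples, because comparing them as plain strings would rank "2.3.9" above "2.3.10", and groups the devices that need attention by location so that a site visit covers every outdated device in one trip.

```python
import re

# Constructed inventory records (not real devices); the fields follow the text:
# OS type and version, IP address, physical location.
INVENTORY = [
    {"name": "sw-core-1", "os": "ExampleOS", "version": "2.4.1",  "ip": "10.0.0.1", "location": "Server room A"},
    {"name": "sw-acc-3",  "os": "ExampleOS", "version": "2.3.10", "ip": "10.0.1.3", "location": "Line 2 cabinet"},
    {"name": "sw-acc-7",  "os": "ExampleOS", "version": "2.3.9",  "ip": "10.0.1.7", "location": "Line 2 cabinet"},
    {"name": "sw-dmz-1",  "os": "OtherOS",   "version": "5.1",    "ip": "10.0.2.1", "location": "Server room A"},
    {"name": "sw-lab-2",  "os": "LegacyOS",  "version": "1.0.3",  "ip": "10.0.3.2", "location": "Lab"},
]

# Constructed minimum acceptable version per OS (the assumed "patched" baseline).
BASELINE = {"ExampleOS": "2.4.1", "OtherOS": "5.1.2"}


def version_key(version):
    """Convert '2.3.10' into (2, 3, 10) so versions compare numerically, not lexically.
    Trailing suffixes such as '-rc1' are ignored for the comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def pad(key, length):
    """Pad a version tuple with zeros so '5.1' compares equal to '5.1.0'."""
    return key + (0,) * (length - len(key))


def outdated_devices(inventory, baseline):
    """Return devices whose firmware is below the baseline for their OS, or whose
    OS has no baseline at all (those need a decision, not just an upgrade)."""
    findings = []
    for dev in inventory:
        required = baseline.get(dev["os"])
        if required is None:
            findings.append({**dev, "required": None, "reason": "no baseline for OS"})
            continue
        have, want = version_key(dev["version"]), version_key(required)
        width = max(len(have), len(want))
        if pad(have, width) < pad(want, width):
            findings.append({**dev, "required": required, "reason": "below baseline"})
    return findings


def work_list_by_location(findings):
    """Group outdated devices by physical location for a site-by-site upgrade plan."""
    plan = {}
    for f in findings:
        plan.setdefault(f["location"], []).append(f["name"])
    return {loc: sorted(names) for loc, names in sorted(plan.items())}


if __name__ == "__main__":
    for loc, names in work_list_by_location(outdated_devices(INVENTORY, BASELINE)).items():
        print(f"{loc}: {', '.join(names)}")
```

Devices with an OS that has no baseline are reported separately rather than silently skipped, since an unmanaged platform on the network is itself an inventory gap worth closing.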