Do You Need an Isolated Network for Building Automation Systems
Based on my experience, there are so many other security concerns being ignored that splitting your trunk onto a physically isolated network is a secondary thought. Quite honestly, the question of whether you need an isolated network for building automation systems is something you should think about only if you are in a regulated or DoD environment.
When everyone in your department is using the same password, your BAS front-end is still running on an old Commodore 2 with 5 1/4 inch floppies, and your "sequences and programs" are embedded in controllers that were invented shortly before manned space flight, you are one step away from a business continuity disaster. With that in mind, you may want to fix that before you create a whole new network for your BAS...
Ok, that was more than a little grandiose, and a BAS system on a Commodore 64 doesn't even have an RJ-45 jack, but you get my point. The message is in the message (that at least sounds wise). I remember a project I worked on in which the customer had me split their MS/TP trunk across two separate controllers (one for the common area and one for the manufacturing area).
Their fear was that someone would come into their building, crawl into the plenum and pick up sound waves that were resonating across their communications trunk (you can't make this stuff up!). Quite frankly, I think the building owner may have watched the movie Spy Kids one too many times (if you don't have young kids, then you will not have experienced the joy of suffering through the Spy Kids series). I've worked on high-security DoD facilities and I have yet to experience actually splitting trunks (not IP networks) due to security issues.
You have a newer system, and you are following all the guidelines I have put forth in my multiple BAS security articles (see here). Now, and only now, are we ready to discuss isolated networks. We need to decide three things.
- Physically or logically isolated
- Isolated via hardware or software
- Monitored isolation or set and forget
Physically or logically isolated
Do you want to have two networks? Some people do. You have a network for your business, and then you have a leased line (DSL, cable, T1, etc.) and that line is linked to your BAS system. This is actually less secure than having your systems linked, because now your IT group cannot deploy IDS (Intrusion Detection Systems) or network management (LDAP/SMTP trapping, etc.).
It's logical to do it logically!
When you isolate logically (my favorite methods are proxies, VLANs (virtual LANs) and ACLs (Access Control Lists)), you can get the same if not better results than with physical isolation. This analogy helps connect the dots.
Your cousin Joey from New Jersey is a big burly guy, and he screens each person who tries to come into your club. Except in this case Joey is an ACL, and he's watching packets that try to come into a specific VLAN.
Compare this to the stand-alone network methodology. This is where you have a separate club that's not part of the franchise. Anyone can come in, and while they can't access the main club, they can wreak havoc on your little stand-alone club.
In layman's terms, use logical separation (think software, code, OSI Layer 2 and above) to separate your networks; don't do it physically!
Isolated via hardware or software
That brings us to our next topic! You guessed it (or you just read the line above): do we want to isolate via hardware or software? What does this mean? Physical hardware can be used to isolate traffic, but be prepared, this is a blurry topic because even the physical devices use software to isolate traffic.
Typical physical devices are firewalls, proxy servers, IDSs, access switches and routers. These devices physically segment networks and enforce security policy. You should be using these devices to their highest potential because in most cases YOU'VE ALREADY PAID FOR THEM!
Software, on the other hand, is hit or miss. Things like ACLs, VLANs, and IDSs can be considered software. Technically, they run inside a piece of hardware (think switches and routers), but they use the software inside the device. I call these hybrids: you need the hardware to have the software.
In my continued journey towards confusing my readership, I'm now going to talk about software. Software resides in hardware but is not a part of that hardware by default. For example, if I buy a switch or router, I traditionally get software that can deploy ACLs and VLANs. On the flip side, if I buy a copy of Windows Server 2012, it has some network management tools, but there are others on the market that are equally if not more effective.
The balance is to utilize your hardware to its maximum potential and augment with software when needed.
Monitored isolation or set and forget
I grew up in the 80's and I am forever haunted by the Ronco Easy Bake Rotisserie Oven. I, for the life of me, cannot get the famous phrase out of my head (now work with me, you know it too....): You just set it and..... Forget it! Well, I think the infomercial was a plan to hack our subconscious and make us want to just set our security up and forget about it. I've yet to prove this and have no scientific backing, but it makes me feel better for the many times I was forced to watch that commercial before we had DVR and TiVo.
However, this philosophy seems to have penetrated our trade, and all too often we go into a building, add a network engine or field device, and wait until IT realizes that they have some new device on their network. IT then freaks out, we go through a multi-week dog and pony show (yes, my device supports SMTP; yes, it supports LDAP; ok, I promise to use your IP address, etc.), and then it's forgotten. Unless someone starts turning off the AC, no one is going to notice that a device has been hacked.
Think about it: does your IT staff know what excessive CPU or memory utilization looks like for your network device? Do they know what ports it should be using, or who is going to use it and when? Chances are (based on my experience with multiple vertical markets) that they don't have a clue!
This is not because your IT staff is dumb, uninformed, lazy, or any other adjective you may choose to use. It is because they don't deal with these devices!
Avoid set and forget: work with your IT group! Let them know what ports should be open. Port 23? 25? 80? YOU SHOULD KNOW THESE! Know your ports, know your traffic types, know your CPU rates/thresholds.
This information is vital. If you see multiple port 80 connections open and your CPU utilization spikes on Sunday night, are your technicians logging on to set up schedules for next week, or is someone trying to brute-force your BAS? Either one could be true, but if you aren't actively monitoring, you would never know!
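The Sunday-night question above can only be answered if someone compares what the BAS front-end actually sees against a declared baseline. As an added example (not code from the original post), the following Python script does that over a constructed connection log: it applies the cousin-Joey ACL from the logical-isolation section (right source VLAN plus a known port) and counts per-source hourly connections so a burst stands out. The front-end address, technician VLAN, port baseline and burst threshold are all assumptions.

```python
"""Baseline audit for a BAS front-end, built from the post's 'know your ports,
know your traffic' advice. Assumptions (constructed, not from the post): the
front-end is 10.10.30.5, technicians reach it from VLAN 10.10.20.0/24, only
ports 80 (web) and 23 (legacy telnet) are in the baseline, and a source that
opens 20+ connections in one hour is worth a phone call."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

TECH_VLAN = ip_network("10.10.20.0/24")  # the only VLAN allowed to reach the BAS
ALLOWED_PORTS = {23, 80}                  # baseline agreed with IT
BURST_THRESHOLD = 20                      # connections per source per hour

# Constructed sample of a firewall/switch connection log: date time src dst dport
SAMPLE_LOG = [
    "2024-06-10 07:15:02 10.10.20.14 10.10.30.5 80",  # technician, Monday morning
    "2024-06-10 07:16:10 10.10.20.14 10.10.30.5 23",  # legacy telnet, still baseline
    "2024-06-10 08:02:44 10.10.20.9 10.10.30.5 25",   # SMTP to the front-end: not baseline
] + [f"2024-06-09 23:{m:02d}:13 192.168.50.7 10.10.30.5 80"  # Sunday-night burst
     for m in range(25)]                                    # from outside the VLAN


def acl_permits(src: str, dport: int) -> bool:
    """Cousin Joey at the door: right VLAN and a baseline port, or you don't get in."""
    return ip_address(src) in TECH_VLAN and dport in ALLOWED_PORTS


def parse_line(line: str):
    date, time, src, dst, dport = line.split()
    return datetime.fromisoformat(f"{date} {time}"), src, dst, int(dport)


def audit(lines):
    """Return ACL violations plus per-source hourly bursts (denied hits still count:
    a source hammering a closed port is exactly what monitoring should surface)."""
    denied, per_hour = [], Counter()
    for line in lines:
        when, src, _dst, dport = parse_line(line)
        if not acl_permits(src, dport):
            denied.append(line)
        per_hour[(src, when.strftime("%Y-%m-%d %H:00"))] += 1
    bursts = {key: n for key, n in per_hour.items() if n >= BURST_THRESHOLD}
    return {"denied": denied, "bursts": bursts}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(f"{len(result['denied'])} connections outside the baseline")
    for (src, hour), n in result["bursts"].items():
        print(f"burst: {n} connections from {src} during {hour}")
```

Whether the burst is a technician working late or something else is still a question for a human, but now it is a question someone actually gets asked.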
Conclusion
There's a lot of good stuff here. Sometimes I surprise myself and actually write stuff I would want to read. However, no amount of knowledge can trump experience. So share your experience. Let me know what you think and what you have seen so far in your world.