Industrial Network Security Recommendations: Common & Advanced Strategies

Instructor: Euan Russano

Euan has a Phd degree in Engineering and offers private training and tutoring in Programming and Engineering.

In this lesson, you will learn the common practices used to secure industrial networks. You will learn the different types of threats that common industrial networks may encounter and also their vulnerabilities.

Industrial networks are widely used in today's industrial sector. With the ever-changing technology advancements, these networks have been implemented in most nationwide critical infrastructure like the electricity, power and gas industries. Since they are being used in such big scale projects, industrial networks need to be secured against threats which may lead to unprecedented losses and destruction.

Identifying Security Threats

In order to help identify and deal with threats, a methodology known as Secure Operations Technology (known as SEC-OT) is used. This methodology and its best practices represent a decade's collection of data from industrial sites which use secured industrial networks. SEC-OT defines control system security as the protection of safe and reliable physical operations by ensuring only correct and authorized control. SEC-OT has principles that help identify and counter security threats. These principles are:

  • All cyber-attacks are information, and every bit of information flowing in an industrial site is a potential threat carrier. Controlling this information flow helps to control the attacks.
  • All software is vulnerable to threats, so security measures should be hardware-enforced rather than applying these measures in the software itself.

Types of Attacks Encountered in Industrial Networks

Physical Attacks (Offline)

This type of attack is directed into the network through removable media, or when unauthorized users have direct access to hardware. This type of attack can be prevented by blocking and disabling unused removable media ports and network connections, and securing all computers by restricting unauthorized access.

In addition to video surveillance of the premises, regular background checks should be done on staff with full authorized access.

Remote Access Attacks (Online)

This type of attack occurs through network connections, serial connections, and wireless connections. SEC-OT requires hardware-based security controls to be put into place, rather than software-based security measures. Hardware and software encryption, two-factor authentication methods and firewalls are not enough to prevent remote attacks.

To secure a network from these attacks, one can use unidirectional gateways, which are hardware-enforced pieces used for industrial network connections. Such unidirectional gateways replace firewalls in industrial network environments, protecting systems and networks from attacks originating on external networks. This is a plug-and-play technology which can replace firewalls and remove vulnerabilities and maintenance issues from firewall deployments. They additionally ensure no direct connection between the internal network and an outside network like the internet.

Strategies Used to Secure Industrial Networks

Restricting Physical Access to the Network Devices

Physical access controls should be put into place to avoid serious disruption to the industrial network functionality. Physical access controls like guards and locks should be used.

Detecting Security Events and Incidents

A system should be able to detect security threats before they escalate and the attackers attain their objectives. It should have the capacity to detect failed network components and unavailable services that are important for the functioning of the industrial network.

Restricting Logical Access to the Network

Using unidirectional gateways in the network architecture, along with firewalls, helps to prevent traffic from passing directly through the corporate and industrial network.

Common Industrial Security Recommendations

Many of these security recommendations are required or recommended as they fit most of the industrial network systems. They are:

Identifying what systems need to be protected

All assets that have importance should be identified because of the following reasons: it tells security personnel how closely to monitor an individual asset, and enables system architects and others to logically segment the network into high-level security zones.

Separating the systems logically into functional groups

This allows specific services to be well controlled and tightly locked down. This is one of the easiest ways to reducing the attack surface that is exposed to potential threats.

Controlling access into and between each group

If each service group is separated, i.e., database service in one group, patch services in one group, etc., a firewall can be configured to disallow anything that is not required by a service or prevent an update server that uses HTTPS from being exposed to a threat that exploits a weakness in a SQL database.

Implementing a defense-in-depth strategy around each system or group

The philosophy of a layered or tiered defensive strategy is recommended to define the various defensive levels of security and the common security tools and techniques. An important component in such strategy is the data diode, a network device which allows data transmission in one direction.

The layered concept consists in dividing the defense into smaller parts:

Human layer - Awareness and training

Physical layer - Data diode

Network layer - Firewall and correlated

Application layer - Application monitoring

Data integrity - File integrity monitoring

Data - Data diode

To unlock this lesson you must be a Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use

Become a member and start learning now.
Become a Member  Back
What teachers are saying about
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create an account