white paper on industrial automation security in fieldbus and

26filtering is another barrier for preventing simpleattacks. URL filtering may be applied in order toprevent persons inside the safe network zonesfrom accessing known, insecure content in theInternet. Application-level firewalls or onessupporting stateful packet inspection (SPI) canbe used to further increase the level of security.Firewalls shall be configured in such a way thatonly the required functionality is open andenabled. Firewalls shall be used where needed,e.g. as required by the network security zoneswhich are setup for an organization. Firewallsfrom different vendors may be used in order toprovide some security due to diversification.Appropriate encryptions need to be used e.g. forwireless connections. As an example, manyWireless LAN (WLAN) routers support WEP,WPA and WPA2 encryptions. Of thesealternatives, WEP should not be used, WPA canbe used but WPA2 provides the best level ofsecurity. Furthermore, in order to increase thelevel of security, WPA should be used in theenterprise mode (known as WPA-Enterprise orWPA-802.1X mode).Manufacturers’ recommendations regardingwhich equipment works well together should befollowed. This is especially true if therecommendation is based on securityfunctionality.3.4.6 Network topologyIt is important to consider how the Ethernetnetwork is constructed, in terms of topology.The bridging between networks of differentsecurity, e.g. between an Industrial Ethernetnetwork and an office- or IT-network, should becarefully considered and configured.There is also a risk regarding physical security ifthere are unused ports in Ethernet equipmentwhich can be used by an intruder to gain accessto the network. Sometimes, unused ports innetworking equipment are used for portforwarding, which means that the traffic throughe.g. a switch or similar piece of equipment isforwarded to a certain, unused port. This portcan be used for logging and traffic analysispurposes by e.g. connecting a computer withsuitable capture software.Because Ethernet has become more popular indifferent automation systems, there have alsoappeared a number of gateways and bridgeswhich allows connection of Ethernet totraditional fieldbuses. These devices present anaccess point from an Ethernet network to fieldbuses, which were originally designed to beclosed networks. The features of such gatewaysand bridges, such as integrated web interfacesfor configuration or monitoring with the purposeof allowing simple configuration possibly fromremote locations, may encourage the looseningof security configurations. As an example, thebrowsing of a web interface generally requiresthe port 80, which is reserved for HTTPcommunications, to be open. However, access tothe web server in a device from outside meansthat the HTTP port is also exposed to nonintendedusers, which may target attacks on it.Although this kind of web interface iscommonly protected by a username-passwordcombination, the default value is often listed inthe device manual which is available online.Although the password may be changed, it is notuncommon that the new password has poorstrength, due to user/operator ignorance and/orinadequate instructions to choose the passwordcleverly. It is worth mentioning, that if anintruder manages to determine the password fora gateway (or some other networking device) itmay be possible for the intruder to change thepassword, security settings or other functionalityrelated to the system.