Thursday, September 5, 2013

Cyber Security: Network Switch Security--Protecting Layer 2

Stephen Santee, consultant for Invensys Critical Infrastructure & Security Practice, discusses how to configure network switch security to eliminate the possibility of compromise.

Network Switch Security—Protecting Layer 2

Network switches in a Distributed Control System (DCS) network play a vital role in interconnecting the digital assets that make up the DCS. Network switches not only interconnect devices in redundant and mesh networks, but also select alternate communication paths and control much of the information flowing across the network. The DCS would not function properly, or would be at risk, if a network switch were compromised by an intruder.

Configuring network switch security not only helps eliminate the possibility of compromise; proper settings also help minimize the unwanted network traffic caused by a failing network device.

Network switch security should address the following:

Access Control
  1. Physical Access – Place switches in locked cabinets or controlled areas, and password-protect console access.
  2. Logical Access – Manage the switches from a separate management network rather than the DCS network.
  3. Role-Based Access – As on a DCS, not all users require administrative rights to the switch.

Patch Management
  1. Test Software Patches – Test patches to ensure security is not degraded by a software upgrade.
  2. Deploy Software Patches – Vendors provide software patches to address flaws in their software that could lead to a compromise.

Configuration Control
  1. Create a repeatable checklist to provide configuration continuity.
  2. Disable unused ports, use port security, and configure enhanced security features.

Monitoring
  1. Set up logging on the network switch to aid in detecting malicious activity.
  2. Ensure logging provides detailed information that can assist in after-the-fact investigations.
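The Configuration Control items above (a repeatable checklist, disabled unused ports, port security) are the kind of thing that can be checked mechanically against a switch's saved configuration. The following is an added example, not Invensys/CISP tooling and not code from the post: it audits a constructed Cisco IOS-style running-config against a small checklist. The config text, the host name and addresses, and the checklist items themselves (unused ports shut down, port security and BPDU guard on active access ports, a logging host, log timestamps, console login) are assumptions made for the example.

```python
"""Audit a switch running-config against a repeatable Layer 2 hardening checklist.

Added example, not Invensys/CISP tooling. The config text is constructed to
resemble Cisco IOS syntax, and the checklist items are assumptions drawn from
the post's list (unused ports shut down, port security on active access ports,
BPDU guard, logging host, log timestamps, console login)."""
import re
from typing import Dict, List

# Constructed sample running-config; host name, addresses and password are placeholders.
SAMPLE_CONFIG = """\
hostname DCS-SW-01
service timestamps log datetime msec
logging host 10.10.99.5
logging trap informational
!
interface GigabitEthernet1/0/1
 description DCS controller A
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description DCS controller B
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 10
!
interface Vlan99
 description management network, separate from the DCS VLANs
 ip address 10.10.99.2 255.255.255.0
!
line con 0
 password PLACEHOLDER-CHANGE-ME
 login
"""

# Global (non-interface) checklist items: label -> pattern that must be present.
GLOBAL_CHECKS = {
    "logging host configured": re.compile(r"^logging host \S+", re.M),
    "log timestamps enabled": re.compile(r"^service timestamps log", re.M),
    "console login required": re.compile(r"^line con 0\n(?: .*\n)*? login", re.M),
}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'interface X' stanza by interface name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # a '!' separator or a global line ends the stanza
    return interfaces


def audit_interface(name: str, lines: List[str]) -> List[str]:
    """Return checklist findings for one physical access port."""
    findings: List[str] = []
    if not name.startswith(("GigabitEthernet", "FastEthernet", "TenGigabitEthernet")):
        return findings  # SVIs and loopbacks carry no port-security semantics
    if "shutdown" in lines:
        return findings  # a disabled port is the desired state for an unused port
    if not any(entry.startswith("description") for entry in lines):
        findings.append(f"{name}: active port with no description (unused? shut it down)")
    if "switchport port-security" not in lines:
        findings.append(f"{name}: port security not enabled")
    if "spanning-tree bpduguard enable" not in lines:
        findings.append(f"{name}: BPDU guard not enabled")
    return findings


def audit_config(config: str) -> List[str]:
    """Run every checklist item over a running-config and return the findings."""
    findings: List[str] = []
    for label, pattern in GLOBAL_CHECKS.items():
        if not pattern.search(config):
            findings.append(f"global: {label} missing")
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit passes every global check and the fully hardened port, flags the two active ports that lack port security and BPDU guard, and calls out the port with no description as a candidate for shutdown; the same checklist can be re-run after every change, which is what configuration continuity means in practice.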

Protecting network switches from compromise will help ensure that the DCS is able to perform as expected. A secure network switch helps provide the high availability and self-healing network performance expected of DCS networks. In support of continuous cyber security, the Invensys Critical Infrastructure and Security Practice (CISP) team can perform assessments and configuration hardening on network switches.
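The Monitoring items in the list (switch logging that detects malicious activity and supports later investigation) and the point about failing devices generating unwanted traffic both come down to reading the switch's syslog output. The following is an added example, not code from the post or from any vendor product: it parses constructed Cisco IOS-style syslog lines, raises an alert on every port-security violation, and raises a separate alert when one port changes link state repeatedly within a short window, which is the signature of a failing device or cable. The host name, MAC address, timestamps, flap threshold and window are all assumptions made for the example.

```python
"""Detect Layer 2 security events and failing devices in switch syslog output.

Added example, not part of the original post or any vendor product. The log
lines are constructed in a Cisco IOS-like syslog format; the detector keys on
the PSECURE_VIOLATION (port security) and UPDOWN (link state) mnemonics, and the
flap threshold and window are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample syslog lines; host, MAC address and timestamps are placeholders.
SAMPLE_LOG = [
    "Sep  5 10:02:14.311 DCS-SW-01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/1.",
    "Sep  5 10:02:20.004 DCS-SW-01: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down",
    "Sep  5 10:02:21.120 DCS-SW-01: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to up",
    "Sep  5 10:02:30.877 DCS-SW-01: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.99.50)",
    "Sep  5 10:02:35.002 DCS-SW-01: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down",
    "Sep  5 10:02:36.418 DCS-SW-01: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to up",
    "Sep  5 10:05:01.000 DCS-SW-01: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to down",
    "this line is not syslog and must be ignored",
]

# "Mon  D HH:MM:SS.mmm host: %FACILITY-SEV-MNEMONIC: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)(?:\.\d+)? "
    r"(?P<host>\S+): %(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
VIOLATION_RE = re.compile(r"MAC address (\S+) on port (\S+?)\.?$")
LINK_RE = re.compile(r"Interface (\S+), changed state to (up|down)")


class Event(NamedTuple):
    t: int          # seconds as day*86400 + time of day (year ignored; enough for windowing)
    host: str
    facility: str
    severity: int
    mnemonic: str
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line into an Event, or return None for non-syslog text."""
    match = SYSLOG_RE.match(line)
    if not match:
        return None
    t = (int(match["day"]) * 86400 + int(match["h"]) * 3600
         + int(match["m"]) * 60 + int(match["s"]))
    return Event(t, match["host"], match["facility"], int(match["sev"]),
                 match["mnemonic"], match["msg"])


def detect(lines: List[str], flap_threshold: int = 4, window: int = 60) -> List[str]:
    """Return alerts for port-security violations and for ports that flap
    at least `flap_threshold` times within `window` seconds."""
    alerts: List[str] = []
    transitions: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.mnemonic == "PSECURE_VIOLATION":
            m = VIOLATION_RE.search(ev.msg)
            if m:
                alerts.append(f"{ev.host}: unauthorized MAC {m.group(1)} on {m.group(2)}")
        elif ev.mnemonic == "UPDOWN":
            m = LINK_RE.search(ev.msg)
            if m:
                transitions[(ev.host, m.group(1))].append(ev.t)
    for (host, port), times in transitions.items():
        times.sort()
        # Sliding window over the sorted transition times for this port.
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= flap_threshold:
                alerts.append(f"{host}: {port} flapped {j - i} times within {window}s "
                              f"(possible failing device or cable)")
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The violation alert is the malicious-activity case: port security was configured with a maximum MAC count, and a second device showed up on the port. The flap alert is the failing-device case from earlier in the post; a single link-down on another port is left alone, and the non-syslog line is skipped rather than crashing the parser, which matters when the same script is run over a log archive during an after-the-fact investigation.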
