We all know that it's important to keep our systems up to date with the latest software upgrades and antivirus updates. However, many networks contain controlled systems: for example, equipment that is part of a manufacturing process or is connected to patient care. These systems cannot be changed without going through a rigorous change control and software validation process, so your upgrade strategy cannot keep pace with operating system updates.
In a previous role, I was responsible for a network at a manufacturing facility which produced medical devices. I once considered moving all of the manufacturing equipment to a separate VLAN which had no access to the outside world.
However, this turned out to be a nightmare to implement, as the facility was part of a multinational and these systems needed to be accessible from other sites.
I ended up implementing a deep packet inspection system at the network core which looked at all network traffic going to and from the manufacturing systems. I was on the look-out for any suspicious downloading or network scanning which could have been a sign that a worm was trying to spread around the network.
At the time when the Nimda virus was making the headlines, I was watching out for any scans coming into the network on TCP port 445. That was 10 years ago, but the recent outbreak of the Morto worm shows that this sort of problem has not gone away.
I have also worked on computer networks within hospitals, and these can be an even greater nightmare to manage because of the number of controlled systems and the levels of sensitive data. Some hospital equipment will have embedded operating systems which can only be updated by the supplier. When you combine this with staff bringing their own devices onto the network, IT security needs to be a top priority.
In summary, I would suggest that you consider the following if you have controlled systems on your network.
- Keep your controlled systems in an independent VLAN which is not accessible from the outside world. Ideally this network should not be accessible by any users who are not involved in the running of these systems.
- Lock down all CD-ROM drives and USB ports so that users cannot copy data to or from the controlled systems.
- Keep an inventory of who owns the operating systems on your controlled systems. In some cases, the operating system may be maintained by a third party.
- Try and keep the systems updated with the latest software upgrades and antivirus updates, making sure you are adhering to change control and software validation processes.
- If you create an independent network, bring software updates to the systems manually, using a single clean source PC to do so.
- If you cannot move the controlled systems to an independent VLAN, make sure you implement access control lists (ACLs) so that you can lock down access. This can prevent a zombie host on your main network from getting through to your controlled VLAN.
- Monitor who is accessing these systems. Ideally, you should be getting alerts if users not on the approved list are trying to gain access.
- Watch out for suspicious activity like network scans. This sort of activity can be detected by monitoring the network traffic going to and from the controlled systems.
- Factor control and monitoring into your disaster recovery plan. There is little point in being up and running if you have no idea what is happening on the rebuilt network.
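As an added example (not code from the original post or from NetFort), the following Python script applies the monitoring points above to constructed flow records: it alerts when a host outside an assumed approved list reaches the controlled VLAN, and when any host touches several controlled systems on TCP port 445 within a short window, the sweep pattern that worms such as Nimda and Morto produce. The approved hosts, VLAN prefix, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed for this example: the hosts approved to reach the controlled VLAN,
# that VLAN's address prefix, and what counts as a sweep of TCP 445.
APPROVED_SOURCES = {"10.1.5.20", "10.1.5.21"}
CONTROLLED_PREFIX = "10.50.0."
SWEEP_THRESHOLD = 5             # distinct controlled hosts hit on TCP 445 ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window

# Constructed flow records, one per line: "timestamp src dst dport".
# 10.1.7.99 is not approved and walks the controlled VLAN on port 445.
SAMPLE_FLOWS = """\
2011-09-01T10:00:01 10.1.5.20 10.50.0.10 445
2011-09-01T10:00:02 10.1.5.20 10.50.0.10 445
2011-09-01T10:00:03 10.1.5.21 10.50.0.11 3389
2011-09-01T10:00:04 10.1.7.99 10.20.0.5 445
2011-09-01T10:00:05 10.1.7.99 10.50.0.10 445
2011-09-01T10:00:05 10.1.7.99 10.50.0.11 445
2011-09-01T10:00:06 10.1.7.99 10.50.0.12 445
2011-09-01T10:00:06 10.1.7.99 10.50.0.13 445
2011-09-01T10:00:07 10.1.7.99 10.50.0.14 445
"""

def parse_flows(text):
    """Parse flows into (timestamp, src, dst, dport) tuples, skipping blank lines."""
    return [(datetime.fromisoformat(t), s, d, int(p))
            for t, s, d, p in (line.split() for line in text.splitlines() if line.strip())]

def find_alerts(records):
    """Return (alert_type, source) pairs in time order, one of each type per source."""
    alerts, flagged = [], set()
    hits_445 = defaultdict(list)  # src -> [(timestamp, controlled dst), ...]
    def alert_once(kind, src):
        if (kind, src) not in flagged:
            flagged.add((kind, src))
            alerts.append((kind, src))
    for ts, src, dst, dport in sorted(records):
        if not dst.startswith(CONTROLLED_PREFIX):
            continue  # only traffic into the controlled VLAN is in scope here
        if src not in APPROVED_SOURCES:
            alert_once("unapproved_access", src)
        if dport != 445:
            continue
        hist = hits_445[src]
        hist.append((ts, dst))
        hist[:] = [(t, d) for t, d in hist if ts - t <= WINDOW]  # drop entries outside the window
        if len({d for _, d in hist}) >= SWEEP_THRESHOLD:
            alert_once("port445_sweep", src)
    return alerts
```

Running `find_alerts(parse_flows(SAMPLE_FLOWS))` on the constructed data flags 10.1.7.99 once for unapproved access and once for the port 445 sweep, while the approved hosts' file-share traffic produces nothing.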
Darragh
Darragh Delaney is head of technical services at NetFort Technologies. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service.