Industrial Ethernet Switches Play a Critical Role in Protecting Prime Targets Such as IP Surveillance Systems from a Cyber Attack



As industrial sectors continue to grow and evolve, so have the frequency and sophistication of cyber-attacks aimed at their critical systems. Once adversaries breach a network, they can use many attack methods to reach remote systems, such as cloud-based IP surveillance, or local assets, such as intelligent industrial Ethernet switches.



Imagine an attacker taking control of your industrial Ethernet switch; the consequences could be severe. Embedded features designed to help administrators manage and maintain network integrity, such as port mirroring, can be turned against the network to capture data traffic and offload it to a remote host for analysis. Mining the stolen packet captures could reveal sensitive information about the network, such as management capabilities, protocols, and interconnected devices. This information feeds the attacker's reconnaissance, painting a picture of the attack surface of the victim's network.



Continuing our scenario, the attacker can use collected data from the compromised switch to probe other parts of the network in search of prime targets such as the IP surveillance system. IP surveillance systems are considered prime targets for attackers because of the opportunity they present.



Legacy IP surveillance systems were typically connected locally with no access to the internet. Users would use a web browser or management component to connect to a centralized application on the network. The only way to access the IP surveillance system was through a connection on the company network and a web browser from selected machines with permissions. However, modern systems now reside on cloud servers with mobile applications used for administration. Sophisticated attackers who gain access to these systems can grant themselves external permissions while deleting logging files that detail user access activity. Attackers can exploit this detailed information about the site, users, equipment, and working hours to cover up physical theft or attempted break-ins. Because of this type of access, surveillance systems make ideal targets for attackers.



In this blog, we will explore the complex realities of cyber security for industrial network infrastructure, best practice methods for securing industrial Ethernet switches and creating a defense posture against vulnerable assets such as industrial unmanaged switches.



The Reality of Cyber Security


Organizations primarily focusing on industrial operations face unprecedented cyber threats from would-be attackers, hackers, and disgruntled workers. Combatting these security threats is a challenging endeavor that takes continuous effort by skilled engineers dedicated to the task. While maintaining system integrity, these engineers are responsible for network redundancy and data transmission optimization for day-to-day communications.



While most industrial organizations secure their industrial networks through a wide range of protections, including novel technologies such as Artificial Intelligence (AI) and third-party software applications, some do not. Instead, these organizations look to next-generation technologies, such as high-speed gigabit ports and high-powered Power over Ethernet (PoE), to enhance their network capabilities with minimal emphasis on cyber security.



The Industrial Edge


The Industrial Edge is where Information Technology networks converge with Operational Technology networks to provide end-to-end IP solutions for organizations specializing in industrial applications. Firewall appliances, routing devices, and enterprise-class distribution Ethernet switches are strategically deployed to ensure varying isolation levels between these two networks. Further isolation takes place in subnetworks known as VLANs (Virtual Local Area Networks).



From this edge, enterprise Ethernet switches are interconnected to industrialized Ethernet switches to provide connectivity to various locations, such as factory floors and traffic control centers.



Inherent Vulnerability of an Industrial Network


One of the most significant weaknesses of any network is the unmanaged Ethernet switch. These industrial switches are extremely popular because of their low cost and ease of installation.


Typically, when an existing Ethernet switch has run out of Ethernet ports, unmanaged switches are used to provide additional ports for IP-enabled equipment. A simple cable connection between both switches can quickly give you an extended port count.


Another common scenario for unmanaged Ethernet switches is extending the existing network into a new location. By connecting an unmanaged Ethernet switch via a LAN cable back to an existing distribution switch, the administrator can quickly create a new location for IP connectivity.


Both of these scenarios are commonplace inside industrial networks. However, both create opportunities for individuals with physical access to the unmanaged switches to wreak havoc on your network's operations. The recommended course of action is a security policy that explicitly addresses how unmanaged Ethernet switches should be secured when connected to a managed switch on the network.



Securing the Unmanaged Switch Vulnerability


The following is a recommended security policy for the managed-switch port that connects to an unmanaged switch:
• Add a description to the port interface on the managed switch that identifies the adjacent switch
• Statically set the number of MAC addresses allowed to transmit data on the managed port
• Statically configure the MAC addresses that transmit data through the unmanaged switch
• Create a system alert that sends a notification message if a MAC address changes
• Set port security to "disable" the port if a new MAC address is detected
• Enable loop protection
• Disable Spanning Tree
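The port-security policy above, modelled as an added example (not Antaira firmware or NMS code): a managed port facing an unmanaged switch carries a static MAC allow-list and a MAC limit, notifies when a new MAC is learned, and disables itself when an unknown MAC appears. The port name, description and MAC addresses are constructed sample values.

```python
"""Port-security policy for a managed-switch port that uplinks to an unmanaged
switch. Added illustration only; the sample port and MACs are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    name: str
    description: str            # identifies the adjacent unmanaged switch
    allowed_macs: frozenset     # statically configured MACs behind that switch
    max_macs: int               # limit on distinct MACs allowed to transmit
    enabled: bool = True
    seen: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def observe(self, src_mac: str) -> bool:
        """Process one frame's source MAC; return True if it may be forwarded."""
        mac = src_mac.lower()
        if not self.enabled:
            return False                      # port was shut by an earlier violation
        if mac not in self.allowed_macs:
            # Unknown device behind the unmanaged switch: alert and disable the port
            self.alerts.append(f"{self.name} ({self.description}): "
                               f"unauthorized MAC {mac}, port disabled")
            self.enabled = False
            return False
        if mac not in self.seen:
            if len(self.seen) >= self.max_macs:
                self.alerts.append(f"{self.name}: MAC limit {self.max_macs} "
                                   f"exceeded by {mac}, port disabled")
                self.enabled = False
                return False
            self.seen.add(mac)
            # A new (but authorized) MAC is a change worth notifying the NMS about
            self.alerts.append(f"{self.name}: new MAC {mac} learned")
        return True


def run_demo():
    """Constructed scenario: two IP cameras behind an unmanaged switch on port 5,
    then a rogue device plugged into a spare port of that unmanaged switch."""
    port = SecuredPort(name="port5",
                       description="uplink to unmanaged switch, camera bay B",
                       allowed_macs=frozenset({"00:11:22:33:44:01",
                                               "00:11:22:33:44:02"}),
                       max_macs=2)
    frames = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:01",
              "de:ad:be:ef:00:01",   # rogue device: not on the allow-list
              "00:11:22:33:44:01"]   # legitimate camera, but the port is now down
    forwarded = [port.observe(m) for m in frames]
    return port, forwarded


if __name__ == "__main__":
    demo_port, result = run_demo()
    print(result, demo_port.enabled)
    print("\n".join(demo_port.alerts))
```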


Antaira's Versatile Industrial Ethernet Switches


At Antaira, we offer a diverse range of industrial Ethernet switches, both managed and unmanaged, available in various configurations. Our product line ranges from low-port-count 10/100 Fast Ethernet switches to 10 Gigabit wide-temperature switches capable of supporting up to 95W of PoE power. Additionally, we provide industrial switches in traditional rack-mount styles and DIN rail mounting configurations. Our industrial switches cover a wide range of port counts, from low to high, catering to the simultaneous connection of multiple devices.



All our industrial switches are designed with industrial-grade materials and support up to 10 Gigabit switch ports, ensuring a seamless and high-speed connection. Industrial PoE switches have become essential for modern IP camera systems, and many of our unmanaged switches incorporate this crucial feature. Several models are specifically designed to be powered with low-voltage input (12~55VDC) while still delivering the higher voltages required by PTZ cameras. Antaira's industrial PoE switches boast ample power budgets, enabling the installation of IP cameras at extended distances from a power source. This flexibility proves particularly valuable for outdoor and large-scale surveillance systems.



Managed vs Unmanaged Switches

The primary difference between industrial-managed switches and unmanaged switches lies in how they process data traffic. In an unmanaged switch, a small MAC address table links switch ports to connected edge devices. Any data processed on a switch port is automatically forwarded to all other ports. Due to the lack of management, any device interconnected to the unmanaged switch will receive all forwarded data streams.



In contrast, managed Ethernet switches offer additional layers of security through features like validation, participation, and configurable notification settings that are unavailable on unmanaged switches. Traffic filters, for example, serve as powerful tools to validate communication transmitting through the switch. Validation can range from checking specific MAC addresses to monitoring allowed VLAN access. Managed switches also allow fine-tuned participation, limiting the switch processes to specific tasks, such as forwarding traffic, network redundancy membership, multicast management, or supplying PoE to the edge.



Another significant distinction between managed and unmanaged switches is found in the configurable notification settings. One example of this feature on a managed Ethernet switch is the ability to generate alerts when an Ethernet cable is disconnected from a switch port.



Industrial Ethernet Switch Security Tips


While most companies have security software or a physical appliance that monitors threat activity through detection services, these cybersecurity technologies might not be enough in today's IoT landscape to protect critical operational equipment from well-executed cyber attacks.



At Antaira, we suggest a comprehensive IoT security plan that creates an additional layer of security at the port's edge. The following are best practices and recommendations to minimize your threat landscape and create that additional security layer.



1. Disable Unused Ports to Reduce the Attack Surface: To prevent industrial Ethernet switches from being hijacked, all unused ports not connected to devices should be disabled. In addition, allocate these ports to a VLAN that is not being utilized for data transmission.



2. Authentication of Switch Ports: Port authentication on managed switches is the best defense against malicious use of a data connection to enter the network. Cameras or any connected device should never be able to exchange data with a switch port until the linked device has provided authentication credentials. MAC address filtering links a statically configured MAC address to a particular switch port, in effect, white-listing authorized MAC addresses to the switch. The industrial switch will prevent a device from connecting to the network if it detects a MAC address not on the list of permitted addresses.

3. Switch Alarm Notifications: The industrial switch you buy should issue an alarm whenever the condition of a port -- whether plugged in or out -- changes, according to standard network management and detection protocols. Alarms are received and displayed by the company's network management systems, which promptly respond and inform staff of any effort to interfere with connections.

4. No Dynamic Trunking: An interface can automatically configure itself to function as a trunk with its connected neighbor through dynamic trunk negotiation. Cybercriminals take advantage of this feature by building a trunk containing their own unauthorized device. You should specify the roles that are allocated to your ports to avoid becoming victims of this exploitation and keep them only as access ports, if possible.



5. Software Updates and Patches: Firmware and software upgrades that address a specific vulnerability may be released for your industrial switches at any time, frequently or infrequently. Register your industrial switches on the manufacturer's website to receive notifications of all these updates, which need to be downloaded and installed immediately.



6. Passwords and VLANs: Today, almost all cameras sold come with a default username and password. Upon installation, these need to be changed to a much more rigorous password to avoid easy entry by hackers. For additional security on administrator accounts, multi-factor authentication is an excellent move. Just as cameras ship with default passwords, Ethernet switches ship with VLAN 1 preconfigured as the default VLAN. Every hacker is aware of this. While you can't delete VLAN 1, you can choose not to use it and instead create a new VLAN out of the box. In short, don't use VLAN 1 for anything. It is also smart to change the management VLAN to prevent unauthorized parties from obtaining a management connection.



7. Control Physical Access to Switches: Sometimes, the most basic advice is the most useful. Lock up your power and industrial switches in a room or closet designated for security, away from employees, customers, or vendors who may be tempted to meddle with them.



8. Be careful with network drops: It is possible for a hacker to take advantage of a network drop in a public lobby or empty conference room. You can prevent unauthorized devices or cloud services from accessing a switch by statically assigning the MAC address of authorized devices to specific switch ports.
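Tips 1, 4 and 6 above can be checked mechanically against a switch's port configuration. The following audit is an added example, not Antaira code; the line-oriented key=value configuration format it parses is constructed for illustration and is not any vendor's real syntax, and VLAN 999 as the parking VLAN for unused ports is an assumption.

```python
"""Audit a port configuration against tips 1 (unused ports disabled and parked),
4 (no dynamic trunking) and 6 (no VLAN 1, management VLAN moved).
Added example; the config format and sample values are constructed."""

UNUSED_VLAN = 999   # assumption: VLAN reserved for parking unused ports

# Constructed sample configuration (not a real vendor format)
SAMPLE_CONFIG = """
mgmt-vlan 1
port 1 enabled=yes mode=access vlan=1 device=camera-01
port 2 enabled=yes mode=access vlan=20 device=camera-02
port 3 enabled=yes mode=dynamic vlan=20 device=nvr-01
port 4 enabled=yes mode=access vlan=20 device=
port 5 enabled=no mode=access vlan=999 device=
"""


def parse_config(text):
    """Return (management VLAN, list of per-port dicts) from the constructed format."""
    mgmt_vlan, ports = None, []
    for line in text.strip().splitlines():
        fields = line.split()
        if fields[0] == "mgmt-vlan":
            mgmt_vlan = int(fields[1])
        elif fields[0] == "port":
            port = {"id": int(fields[1])}
            for kv in fields[2:]:
                key, _, value = kv.partition("=")   # "device=" yields an empty value
                port[key] = value
            ports.append(port)
    return mgmt_vlan, ports


def audit(text):
    """Return one finding string per checklist violation, in configuration order."""
    mgmt_vlan, ports = parse_config(text)
    findings = []
    if mgmt_vlan == 1:
        findings.append("management VLAN is the default VLAN 1 (tip 6)")
    for p in ports:
        pid, enabled, vlan = p["id"], p["enabled"] == "yes", int(p["vlan"])
        unused = not p.get("device")          # no device recorded on the port
        if unused and enabled:
            findings.append(f"port {pid}: unused but enabled (tip 1)")
        if unused and vlan != UNUSED_VLAN:
            findings.append(f"port {pid}: unused port not parked in VLAN "
                            f"{UNUSED_VLAN} (tip 1)")
        if p["mode"] == "dynamic":
            findings.append(f"port {pid}: dynamic trunk negotiation enabled (tip 4)")
        if enabled and vlan == 1:
            findings.append(f"port {pid}: uses default VLAN 1 (tip 6)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```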




Additional Steps


Even the most advanced industrial switch will not, on its own, stop every malicious attack. Security is a layered process that is essentially never finished and is always evolving. Besides the above switch-centric security steps, here is a list of other key best practices for securing and protecting your video surveillance network.



1. If connected, isolate the surveillance network from the corporate IP network as both a cybersecurity tactic and to prevent it from consuming valuable bandwidth that may prevent employees from accessing resources. Isolation doesn’t mean creating a new parallel infrastructure, only a subnet that is still consolidated on the main data network. By using strategic isolation, a hacker is prevented from moving from the subnet to the main network. It also makes certain that data transmission through the security subnet is routinely subject to the same cybersecurity inspection, monitoring, and updating as data transmission through the rest of the company's information systems.



2. Establish procedures for changing passwords frequently on secured devices, and require that the root admin password be changed whenever an employee with password access leaves the company or changes roles.



3. Encrypt and password-protect all sensitive video data.



4. Have an administrator test critical infrastructure in your surveillance network for weaknesses by assuming the role of an attacker to launch various types of attacks. Results can then be audited and, if necessary, policies adjusted for improved threat detection and risk mitigation efforts. Many of these tests can be conducted manually, while others are best conducted by an outside cybersecurity firm.



Any Ethernet switch attached to an industrial network is a target for cybercriminals. Ensuring the cybersecurity of a network switch will potentially protect your entire IP surveillance system from access by unauthorized persons with malicious intent. For that reason, only purchase industrial Ethernet switches from reliable, trustworthy manufacturers, and make sure they are installed by a qualified, experienced professional. Low-priced industrial network switches can only provide a limited amount of security and are highly vulnerable to ransomware attacks anyway. Quality Ethernet switches for your surveillance system are worth the additional upfront costs.



Contact Antaira Today


Your IT team is made up of network technology experts, yet they may not be familiar with the latest IP video surveillance solutions. Likewise, your security staff knows how to safeguard your people and property but may lack expertise in networking technology. Antaira is the answer. Our tech team can speak both languages and is focused on bridging the gap between IT and security to help you build a highly reliable, industrial-strength and truly cybersecure IP video surveillance system. Call us at (714) 671-9000 or send us an email at info@antaira.com.



ANTAIRA TECHNOLOGIES, LLC.    |    7660 Dean Martin Dr., Suite 201, Las Vegas, NV 89139    |    TELEPHONE: +1-714-671-9000 (USA)    |    E-MAIL: INFO@ANTAIRA.COM
SITEMAP
© 2022 PRIVACY POLICY