Emerson Exchange 365

using NAS in plant lan network

Hello

I want to use NAS  in plant llan network for storage and safe area for backups, is there any document and recommendation for Useing of NAS in deltav

Thanks in advance

MOH

• 26 Oct 2017 1:12 PM
• Cancel

6 Replies

• Jeff Potter

  

  • 26 Oct 2017 2:05 PM

  Note that if your backup storage (NAS or otherwise) is on the same network as what you are backing up (whatever that might be, this is a generic comment), if a ransomware attack is successful in penetrating your system, your backups are likely to be encrypted as well.

  Jeff Potter  |  Director - Security Architecture  |  PlantWeb Technology
  

  • Cancel
• MOH

  

  • 26 Oct 2017 3:46 PM

  In reply to Jeff Potter:

  thanks Jeff

  • Cancel
• John Rezabek

  

  • 26 Oct 2017 3:54 PM

  In reply to Jeff Potter:

  This poses an interesting conundrum. If you back up to NAS, you risk in-kind corruption of the backup servers. Fine, so maybe back up to removable media (e.g. portable hard drive) - Should these be encrypted to protect confidential information? What about disaster recovery then - on what machine do you decrypt / unlock the backup drive(s)?

  • Cancel
• Youssef.El-Bahtimy

  

  • 26 Oct 2017 7:44 PM

  Great discussion. Most NAS devices run a Linux OS, so even if your Windows based systems were to be exposed to a windows based vulnerability, your NAS would be ok, and vice versa. This is differentiation of defenses, but certainly not intentional. What about attacks based on protocols that are shared or even targeted to your system?
  
  Here is where network segmentation, firewalls, mazes, and intrusion detection and prevention systems come into play. Since this is not the control network, we can obfuscate the path between the control system data source (by the way a local backup in the PCN is always a good Idea), and the *remotely* networked NAS or multiple NAS, as in not in the same room , building, or even site as the PCN servers.
  
  Consider your backup agent being a server in a DMZ that copies the information from the control system. The Backup agent server should have 1 (redundant set if you like) connection to a non-control network shared by the workstations through a firewall. The Backup agent server can then have another (redundant set) of network connections through a firewall (different vendor than the first) to the NAS. For extra security, have two NAS that you alternate air-gapping.
  
  The backup agent server, NAS, and firewalls should all use different accounts and passwords. Endpoint protection and Whitelisting of applications on the computers and traffic ports on the network devices should be employed. Monitor traffic using IDPS that can shut down the connection to the NAS if things turn fishy.
  
  Even employing a fraction of these recommendations out of the gate creates a foundation for addition as threats increase or change.

  • Cancel
• MOH

  

  • 27 Oct 2017 4:01 AM

  In reply to Youssef.El-Bahtimy:

  thanks, for your answer.
  as you know, if use removable media (flash, or external harddisk) risk of virus and other threat is high. i decide to use NAS in plant lan to reduce the risk, and plant lan is sepreated from office lan by air gap. and RAID option is used for harddisk. and in case of backup, transfer harddisk and keep harddisk in safe place,
  please advise me , with your recommendation
  best regards

  • Cancel
• Alexandre Peixoto

  

  • 27 Oct 2017 12:46 PM

  In reply to MOH:

  MOH,
  I would highly recommend you to evaluate our DeltaV Backup & Recovery solution which has options like detachable hard drives, NAS, etc. based off of a standard deployment type that is delivered to you as a solution fully tested with DeltaV and including templates for ease of use. Additional information can be found here: www2.emersonprocess.com/.../PDS_BackupRecovery.pdf
  Regards,
  Alexandre

  • Cancel