Using NAS in plant LAN network

Hello

I want to use a NAS in the plant LAN network for storage and as a safe area for backups. Is there any document and recommendation for using a NAS in DeltaV?

Thanks in advance

6 Replies

  • Note that if your backup storage (NAS or otherwise) is on the same network as what you are backing up (whatever that might be, this is a generic comment), if a ransomware attack is successful in penetrating your system, your backups are likely to be encrypted as well.

    Jeff Potter  |  Director - Security Architecture  |  PlantWeb Technology

  • In reply to Jeff Potter:

    Thanks, Jeff
  • In reply to Jeff Potter:

    This poses an interesting conundrum. If you back up to NAS, you risk in-kind corruption of the backup servers. Fine, so maybe back up to removable media (e.g. portable hard drive) - Should these be encrypted to protect confidential information? What about disaster recovery then - on what machine do you decrypt / unlock the backup drive(s)?

  • Great discussion. Most NAS devices run a Linux OS, so even if your Windows-based systems were to be exposed to a Windows-based vulnerability, your NAS would be OK, and vice versa. This is differentiation of defenses, but certainly not intentional. What about attacks based on protocols that are shared or even targeted to your system?

    Here is where network segmentation, firewalls, mazes, and intrusion detection and prevention systems come into play. Since this is not the control network, we can obfuscate the path between the control system data source (by the way, a local backup in the PCN is always a good idea) and the *remotely* networked NAS or multiple NAS, as in not in the same room, building, or even site as the PCN servers.

    Consider your backup agent being a server in a DMZ that copies the information from the control system. The Backup agent server should have 1 (redundant set if you like) connection to a non-control network shared by the workstations through a firewall. The Backup agent server can then have another (redundant set) of network connections through a firewall (different vendor than the first) to the NAS. For extra security, have two NAS that you alternate air-gapping.

    The backup agent server, NAS, and firewalls should all use different accounts and passwords. Endpoint protection and whitelisting of applications on the computers and traffic ports on the network devices should be employed. Monitor traffic using IDPS that can shut down the connection to the NAS if things turn fishy.

    Even employing a fraction of these recommendations out of the gate creates a foundation for addition as threats increase or change.
  • In reply to Youssef.El-Bahtimy:

    Thanks for your answer.
    As you know, if removable media (flash or external hard disk) is used, the risk of viruses and other threats is high. I decided to use a NAS in the plant LAN to reduce the risk, and the plant LAN is separated from the office LAN by an air gap. The RAID option is used for the hard disks, and in case of backup, the hard disk is transferred and kept in a safe place.
    Please advise me with your recommendation.
    Best regards
  • In reply to MOH:

    MOH,
    I would highly recommend that you evaluate our DeltaV Backup & Recovery solution, which has options like detachable hard drives, NAS, etc. based off of a standard deployment type that is delivered to you as a solution fully tested with DeltaV and including templates for ease of use. Additional information can be found here: www2.emersonprocess.com/.../PDS_BackupRecovery.pdf
    Regards,
    Alexandre