Introduction to Industrial Network Security and Routers

Layered Defense-in-Depth Cybersecurity for Automation

Recognizing the unique security challenges facing ICS networks, the American National Standards Institute (ANSI) and the International Society of Automation (ISA) published the ANSI/ISA-99 standards (since renumbered as ISA/IEC 62443), which describe best practices for ICS security. Central to IEC 62443 is the "zone and conduit" security model, which is implemented with a defense-in-depth strategy.

In this model, ICS devices are segmented into independent zones, each composed of interconnected devices that work closely together to achieve a specific function. Communications within a zone are less restricted, but different zones may only communicate with each other through a single, controlled path called a conduit, which is usually enforced by a secure router or firewall. Each conduit is configured as an explicit allowlist: it passes only the specific traffic needed to coordinate the functions of the zones it connects, and drops everything else by default. Traffic that has no role in a zone's function, such as HTTP requests directed into a Modbus TCP zone, is blocked at the conduit by the secure router.

Secure Remote Access and Critical Device Protection

As an all-in-one firewall/NAT/VPN/router, the EDR series creates encrypted VPN tunnels between control rooms and remote sites. In addition, the built-in firewall/NAT functions prevent unauthorized access, and broadcast storms caused by malfunctioning devices, from damaging critical network devices such as PLCs and DCS.

Moxa's portfolio of cybersecurity solutions includes: the EDR-G903, a high-performance secure router; the EDR-G902, a highly cost-effective secure router; and the EDR-810, an integrated router/switch solution. This complete portfolio allows you to deploy optimized cybersecurity coverage anywhere on the automation network, at locations such as:
• Factory Site: Protecting the entire local site and securing remote data transmissions from the control centers.
• Function Zone: Protecting data transmissions from multiple device cells and critical devices.
• Device Cell: Protecting the data collected from multiple field devices, such as I/Os, meters, or IP cameras.
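The zone-and-conduit policy described above can be expressed as a small default-deny rule evaluator. The following is an added example written for this page; it is not Moxa's code and does not reflect the EDR series' configuration syntax. The zone names, subnets, conduit rules and sample packets are all constructed for illustration. It models what the secure router at a conduit decides for the first packet of a new connection: intra-zone traffic passes, inter-zone traffic passes only if an explicit conduit rule matches, and anything else (including HTTP aimed at the Modbus TCP cell, and a PLC trying to initiate a connection back toward the control room) is dropped.

```python
"""Zone-and-conduit policy evaluator (illustrative example, not vendor code).

Zones are defined by subnet. Traffic inside one zone is allowed; traffic
between zones must match an explicit conduit rule, otherwise it is denied.
Only connection initiation (e.g. the TCP SYN) is evaluated here; a real
secure router tracks state so that replies on an allowed conduit pass.
All addresses, zone names and rules below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Conduit:
    src_zone: str  # zone allowed to initiate
    dst_zone: str  # zone being reached
    proto: str
    dport: int
    note: str = ""


# Constructed zone layout: one subnet per zone (a zone may span several).
ZONES: dict[str, list[ipaddress.IPv4Network]] = {
    "control_room": [ipaddress.ip_network("10.0.1.0/24")],
    "plc_cell":     [ipaddress.ip_network("10.0.2.0/24")],  # Modbus TCP zone
    "camera_cell":  [ipaddress.ip_network("10.0.3.0/24")],
}

# Constructed conduit allowlist. Everything not listed here is denied.
CONDUITS: list[Conduit] = [
    Conduit("control_room", "plc_cell", "tcp", 502, "SCADA polls Modbus TCP"),
    Conduit("control_room", "camera_cell", "tcp", 554, "NVR pulls RTSP video"),
]


def zone_of(ip: str, zones: dict[str, list[ipaddress.IPv4Network]] = ZONES) -> Optional[str]:
    """Return the zone containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in zones.items():
        if any(addr in net for net in nets):
            return name
    return None


def evaluate(pkt: Packet,
             zones: dict[str, list[ipaddress.IPv4Network]] = ZONES,
             conduits: list[Conduit] = CONDUITS) -> tuple[str, str]:
    """Decide ('allow' | 'deny', reason) for a connection-initiating packet."""
    src_zone, dst_zone = zone_of(pkt.src, zones), zone_of(pkt.dst, zones)
    # Unknown endpoints are never trusted: no zone means no policy, so deny.
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint is outside every defined zone"
    # Traffic that stays inside a zone is not mediated by the conduit.
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    # Inter-zone traffic needs a matching, directional conduit rule.
    for rule in conduits:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == \
           (src_zone, dst_zone, pkt.proto, pkt.dport):
            return "allow", f"conduit {src_zone}->{dst_zone} {rule.proto}/{rule.dport}: {rule.note}"
    return "deny", f"no conduit from {src_zone} to {dst_zone} for {pkt.proto}/{pkt.dport}"


# Constructed sample traffic, as a secure router at the conduit would see it.
SAMPLE_PACKETS = [
    Packet("10.0.1.10", "10.0.2.20", "tcp", 502),   # SCADA -> PLC, Modbus: allowed
    Packet("10.0.1.10", "10.0.2.20", "tcp", 80),    # HTTP into Modbus zone: denied
    Packet("10.0.2.20", "10.0.2.21", "tcp", 80),    # PLC -> PLC, same zone: allowed
    Packet("10.0.3.5",  "10.0.2.20", "tcp", 502),   # camera -> PLC: no conduit, denied
    Packet("10.0.2.20", "10.0.1.10", "tcp", 502),   # PLC initiating to SCADA: denied
    Packet("192.168.99.1", "10.0.2.20", "tcp", 502),  # unknown source: denied
]


def audit(packets: list[Packet] = SAMPLE_PACKETS) -> list[tuple[Packet, str, str]]:
    """Evaluate a batch of packets and return (packet, decision, reason) rows."""
    return [(p, *evaluate(p)) for p in packets]


if __name__ == "__main__":
    for pkt, decision, reason in audit():
        print(f"{decision:5} {pkt.src:>13} -> {pkt.dst:<11} {pkt.proto}/{pkt.dport:<4} {reason}")
```

The rules are directional on purpose: the control room may open Modbus TCP sessions into the PLC cell, but a PLC may not initiate toward the control room, and nothing may reach the PLC cell from the camera cell. When translating such a table into a real secure router, keep the default-deny as the last rule and rely on the device's connection tracking for return traffic rather than adding a reverse allow rule.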