Traditionally to protect industrial operations, manufacturing organizations kept the operations network isolated from the enterprise and from the outside world. But with increasing connectivity required to achieve the promise of Industry 4.0, the airgap approach to securing operations is obsolete.

Firewalls have traditionally been the mainstay against cyberthreats. While firewalls are an essential component, they are not sufficient to provide comprehensive cybersecurity, as they only provide limited perimeter protection and cannot defend against sophisticated attacks or existing vulnerabilities in industrial assets. Neither can they protect against insider threats. They can also be cumbersome to set up and manage, especially in large networks.

The network that connects industrial assets, their control systems, and applications is in the best position to defend operations against threats. In this article we will discuss how you can empower your network to prevent, detect, and mitigate cyberthreats as shown in Figure 1.

Securing operations is not a job for OT or IT teams alone. Each team brings different skill sets to the table and must work collaboratively to achieve desired outcomes.

Network as a sensor

Industrial operations have typically been built over several years, even decades, frequently by vendors and 3rd parties, often without much regard to cyberthreat protections. Often, operations teams do not have an accurate inventory and there might be assets that were added but are no longer used or updated. In short, there could be a lot of lingering unknown vulnerabilities.

Fortunately, the technology to identify connected assets is available today. Deep Packet Inspection (DPI) decodes all communication flows and extracts message contents and packet headers, providing the visibility and detailed information on assets to understand your OT security posture. DPI can also help identify software vulnerabilities.

 

To work, DPI needs to analyze traffic in the network, and if you are using a separate server for DPI, you will need to duplicate all traffic from your industrial switches, all the way down to access switches otherwise you will miss the “East-West” traffic that is exchanged between machines. In a larger network, you will essentially need to build a parallel network to support this additional traffic, adding complexity and expense.

A better way would be to run the DPI sensor and analyze the traffic right in those access switches. You will not need to duplicate any traffic but only send the results of that analysis to a central dashboard where you can visualize your assets, traffic, and vulnerabilities to fix. With that intelligence, the dashboard application could also spot and alert you to any abnormalities, helping you to identify potential threats and act on them quickly.

Cisco has embraced this approach. Cyber Vision leverages a unique edge computing architecture that enables DPI to run within Cisco Industrial Ethernet switches giving comprehensive visibility at scale while minimizing cost, traffic, and operational overhead.

Network as an enforcer

The ISA/IEC-62443 Series of security standards requires segmenting the industrial network into zones and conduits to restrict communications between unrelated assets and restrict any malware that finds its way into a zone from spreading and disrupting entire operations.

A zone is a collection of assets that have common security requirements. For example, an automobile plant may have a production line for welding and another for painting. There is no reason that equipment in welding and paint shops would need to interact.

Under the least privilege principle, OT assets can only communicate with other assets in their zone. Conduits between zones must be defined to all inter-zone communications.

Visualizing network traffic gives you insights into normal communication patterns, that can help you create a baseline of normal network flows. This reference, that supplements the operations team knowledge of their assets, can help you define zones and conduits.

Once accurate flows necessary for proper functioning of operations have been determined, you can define policies that will enforce these flows and restrict others, thus dividing operations into zones, and creating conduits between zones.

Now this enforcement can be accomplished by placing firewalls around these zones, but in a large network with many zones, firewall placements and configurations could quickly become very complex. A better approach will be to have the industrial switches themselves enforce these policies to segment the network, thereby creating zones, and allow only defined connectivity between zones, creating conduits.

An easy and well-known segmentation method is to create VLANs, but they have limitations. They only work at Layer 2, have limited scalability, and can get very complex to administer. There is a better approach. You can use Cisco industrial switches to segment the network in a much more automated and scalable manner. You can set segmentation policies that you have defined as rules in Cisco Identity Services Engine (ISE). ISE then sends these rules to Cisco industrial switches.

Based on these rules the switches act on incoming packets, either allowing them to proceed to their destination or to discard them. The combination of Cyber Vision, ISE, and Cisco industrial switches provides an automated, scalable, cost-effective, and granular alternative to VLANs or firewall-based approaches.

Towards complete industrial security

Using your industrial network as a security sensor and enforcer are necessary steps for building a complete security framework for your operations. After establishing and enforcing trust, continuous monitoring of assets through Cyber Vision helps quickly identify and flag any abnormal behavior that could be indicative of malware presence.

Converging networking and security enhances visibility, improves threat prevention, detection and response, simplifies management, provides scalability and flexibility, and provides a crucial platform for IT-OT collaboration that they can build upon.

Vivek Bhargava, Product Marketing Manager, Cisco