Empower Industrial Networks to Drive OT/ICS Cybersecurity


Deploying firewalls to build a demilitarized zone (DMZ) between operational technology (OT) and information technology (IT) domains is the mandatory first step to secure operations. But as users digitize their operational environment and deploy Industry 4.0 technologies, they are connecting more devices, enabling more remote access and building new applications. Seamless communications between IT, cloud and industrial networks are needed, and the air-gap approach to industrial security is no longer sufficient.

Solutions designed to secure industrial networks typically monitor network traffic to gain visibility on assets, behaviors, malicious activities and threats. They also rely on deploying rugged firewalls to segment industrial networks and build zones and conduits as recommended by the ISA/IEC 62443 security standards.

The process of evaluating and testing these solutions initially tends to go well—after a successful proof of concept, industrial organizations begin to deploy at scale. That is where they begin to run into issues.

Often, it is cost prohibitive for organizations to buy the number of security appliances they need to cover their entire operational environment. Or the networking team does not have the resources to deploy, maintain and manage a fleet of security appliances. The additional traffic created to gain visibility on a large scale would likely necessitate a separate network—which would also require the resources to deploy, maintain and manage it.

Fortunately, there is a better approach to gaining visibility into the OT environment and segmenting the industrial network. This article explains how users can empower their industrial networks to gain visibility at scale, as well as to contain threats by enforcing ISA/IEC 62443 zones and conduits.


Understanding the need for OT visibility

Operational environments are typically made of many industrial assets (valves, actuators, drives, robots, power breakers, etc.) managed by industrial control system (ICS) devices—programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices (IEDs), distributed control systems (DCS), etc.—that are controlled by software orchestrating a process. These OT devices have been deployed over a period of many years—sometimes even decades—back when cybersecurity was not a concern. As a result, they lack strict security policies. To further complicate matters, some devices can be deployed, managed and decommissioned by third-party contractors.

When organizations attempt to secure their industrial networks, they encounter two primary issues:

1. A lack of visibility. As OT assets can be quite old, widely dispersed and involve many contractors, operators often do not have an accurate inventory of what is on the network. Without this, they have limited ability to build a secure communications architecture.

2. A lack of control. A lack of visibility also means operators are often unaware of which devices are communicating to each other or even of communications reaching industrial devices from the outside. You cannot control what you do not know.

The first step to securing an industrial network is to obtain visibility. Users must understand what devices are on the network, what they are communicating and where those communications are going.


OT visibility: Beware of hidden costs

The technology to achieve network visibility is available today. Deep packet inspection (DPI) decodes all communication flows and extracts message contents and packet headers, providing the visibility to understand the OT security posture.

DPI allows users to gather device information such as the model, brand, part numbers, serial numbers, firmware and hardware versions, rack slot configurations and more. It also allows identification of software vulnerabilities and an understanding of what is being communicated over the network. For example, users can see if someone is attempting to upload new firmware into a device or trying to change the variables used to run the industrial process.

When collecting network packets to perform DPI, security solution providers typically configure switch port analyzer (SPAN) ports (Figure 1) on network switches and send all traffic to a central server or to dedicated appliances installed at various points in the network.

Figure 1: Typical ICS/OT visibility solutions depend on SPAN ports.

In an industrial network, most traffic occurs behind a switch at the cell layer because that is where the machine controllers are deployed. Very little traffic goes up to the central network. Gaining comprehensive visibility will require users to collect traffic from every switch in the network, and not just from a few aggregation switches.

Although this can be acceptable for a small industrial site, this cannot be seriously considered in highly automated industries generating a lot of ICS traffic (such as manufacturing), or when devices are widely spread in locations with no or poor network connectivity (oil and gas pipelines, water or power distribution, roadways, etc.).

Connecting security appliances to network switches addresses the issues associated with duplicating network traffic. The appliance collects and analyzes network traffic locally and only sends data to a server for additional analysis. However, installing, managing and maintaining dedicated hardware can quickly lead to space and operational issues. And because most industrial traffic is local, gaining full visibility will raise cost and complexity to intolerable levels (Figure 2).

Figure 2: SPAN-based solutions incur huge additional hidden costs.

Empowering networks to gain scalable visibility

There is a better way to achieve full network visibility: embed DPI capabilities into existing networking hardware. An industrial-grade switch or router with native DPI capability eliminates the need to duplicate network flows and deploy additional appliances. Obtaining visibility is a matter of activating the sensor feature within the switch or router. Cost, traffic and operational overhead are minimized.

A DPI-enabled switch or router decodes traffic locally to extract meaningful information. It only sends lightweight metadata to a central server, which runs the analytics and anomaly detection. That metadata represents about 3-5% of general traffic. The traffic is so lightweight, it can be transferred over the industrial network without causing congestion or requiring extra bandwidth.

Figure 3: OT/ICS visibility built into networking equipment is more scalable and sees everything.

Embedding DPI in networking equipment affords both IT and OT unique benefits. IT teams can leverage the existing infrastructure to secure industrial operations without having to source, deploy and manage additional hardware. Because these network elements see all industrial traffic, embedded sensors can provide insights into every component of the industrial control systems. As a result, OT teams can obtain visibility (Figure 3) into operations that they have never had before.

When evaluating OT security solutions, be aware of their architectural implications. Embedding security capabilities into industrial network equipment is the best option to simplify deployment and make it scalable. This requires compute capacity in the network equipment itself. Look for DPI-enabled switches and routers designed for industrial networks.

Cisco has embraced this approach. Cyber Vision leverages a unique edge computing architecture that enables security monitoring components to run within industrial network equipment. It can also run using SPAN collection networks to analyze traffic coming from switches and routers that do not support this embedded DPI capability.


Visibility helps to define zones and conduits

The ISA/IEC 62443 security standards require segmenting the industrial network into zones and conduits. The objective is to restrict communications between assets to prevent attacks from spreading and disrupting the entire production infrastructure.

A zone is a collection of assets that have common security requirements. For example, an automobile plant may have a production line for welding and another for painting. There is no reason equipment in welding would need to interact with that in the paint shop. Placing each in its own zone limits any damage if equipment in one zone gets infected.

Conduits support communication between zones. Under the least privilege principle, OT assets can only communicate with those in their zone. Security policies must be defined for assets to be allowed to communicate outside of their zones, and only through the communication conduit.

Implementing such an architecture will greatly improve security, as well as overall network performance compared to a flat network where all devices share the same bandwidth. It requires, however, an accurate inventory of all connected assets and a precise understanding of their roles and communication needs in the industrial process.

Visibility is foundational to building zones and conduits. It allows operations engineers to get a clear view of how their industrial network operates, better plan for safety and production continuity and work together with IT teams to document critical business processes with their associated devices.

Next, IT and OT can work together to group assets into zones (Figure 4), decide how those zones should communicate with each other, and define their criticality to the organization to better understand risks, prioritize threat detection and manage alarms.

IT personnel often lack an understanding of the OT environment and how it works. OT visibility solutions such as Cisco Cyber Vision enable operations teams to document their industrial process in a way that helps build a collaborative workflow with IT, giving IT the context it needs to build the security policies that will drive segmentation.

Figure 4: Grouping OT assets helps OT and IT teams work together to define zones and conduits.

Make the network enforce segmentation policies

Now that the industrial network is well documented, IT can focus on segmenting the network to implement the zones and conduits defined with OT. To achieve this, many would recommend deploying firewalls controlling access to each zone. Although such an architecture has been widely used to segment IT networks, it will quickly prove to be impractical in OT/ICS environments.

Firewalls are well suited to building an industrial demilitarized zone (IDMZ) or securing remote site connectivity in an SD-WAN infrastructure. But using firewalls for zone segmentation in industrial plants leads to deployment issues similar to those IT faces with visibility appliances. Not only can it be very expensive, but it also requires reconfiguring the industrial network: rewiring it and changing the IP addresses of hundreds of OT assets. Operations will have to be halted to implement the changes and might not return to normal as easily as expected. Chances are, the line of business will not be willing to take the risks and incur such revenue losses.

Maintaining these firewall rules can become a challenge, as OT often has to deploy new assets, move others, reconfigure zones and more. Industrial networks are not as static as one would think. Operations generally do not have the skills required to configure firewall rules and cannot always depend on IT for every move, add and change.

Fortunately, it is possible to logically segment industrial networks to enforce security policies without deploying and maintaining firewalls (Figure 5). Solutions such as Cisco Identity Services Engine (ISE), for example, work with network switches, routers and wireless access points to restrict communications as per the zones and conduits that have been defined. ISE leverages groups defined in Cyber Vision to allow/deny communications for each asset. When a change is required, just move the asset to another group in Cyber Vision and ISE automatically applies the corresponding security policy.

Figure 5: Cisco Cyber Vision and ISE enable a dynamic and automated approach to policy enforcement.

This software-based network segmentation, also called virtual segmentation or micro-segmentation, enables a dynamic and automated approach to policy enforcement that simplifies industrial security projects. It is easier to deploy, scale and maintain than using zone-based firewalls. It also empowers the operations team to take an active role in defining and managing zones and conduits, helping IT and OT to work together in building and securing the industrial network.
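As an added illustration of the zone/conduit model described above and of the group-driven enforcement in the previous section (this is not Cisco's code or the Cyber Vision/ISE API), the snippet below models assets grouped into zones, conduits as the only sanctioned cross-zone paths, and a per-flow allow/deny decision. All asset names, zone names and flow records are constructed; conduits are modelled here as initiator zone to responder zone, which is a design choice of this example.

```python
class ZonePolicy:
    """ISA/IEC 62443-style zones and conduits evaluated per flow (src, dst, protocol)."""

    def __init__(self):
        self.asset_zone = {}  # asset -> zone; plays the role of the 'group' in the text
        self.conduits = []    # (src_zone, dst_zone, frozenset(protocols))

    def assign(self, asset, zone):
        # Moving an asset to another zone immediately changes every decision involving it.
        self.asset_zone[asset] = zone

    def add_conduit(self, src_zone, dst_zone, protocols):
        # Assumption: a conduit is modelled as initiator zone -> responder zone.
        self.conduits.append((src_zone, dst_zone, frozenset(protocols)))

    def decide(self, src, dst, protocol):
        sz, dz = self.asset_zone.get(src), self.asset_zone.get(dst)
        if sz is None or dz is None:
            return "deny"   # not in the inventory: no visibility, no access
        if sz == dz:
            return "allow"  # least privilege: free communication only inside the zone
        ok = any(s == sz and d == dz and protocol in protos for s, d, protos in self.conduits)
        return "allow" if ok else "deny"


def build_plant_policy():
    """Constructed inventory for the welding/paint plant of the text (hypothetical names)."""
    p = ZonePolicy()
    for asset, zone in [("weld-plc-1", "welding"), ("weld-hmi-1", "welding"),
                        ("paint-plc-1", "paint"), ("paint-robot-2", "paint"),
                        ("scada-1", "supervisory")]:
        p.assign(asset, zone)
    # Only sanctioned cross-zone traffic: the supervisory zone polls each line over Modbus/TCP.
    p.add_conduit("supervisory", "welding", {"modbus-tcp"})
    p.add_conduit("supervisory", "paint", {"modbus-tcp"})
    return p


# Constructed flow records in the shape a DPI sensor would report: (src, dst, protocol).
SAMPLE_FLOWS = [
    ("weld-hmi-1", "weld-plc-1", "profinet"),            # same zone
    ("weld-plc-1", "paint-plc-1", "profinet"),           # cross-zone, no conduit
    ("scada-1", "weld-plc-1", "modbus-tcp"),             # through the conduit
    ("scada-1", "weld-plc-1", "ssh"),                    # conduit exists, protocol not listed
    ("contractor-laptop", "paint-plc-1", "modbus-tcp"),  # unknown asset
]


def evaluate(policy, flows):
    """Return {(src, dst, protocol): 'allow' | 'deny'} for each flow."""
    return {f: policy.decide(*f) for f in flows}
```

Reassigning an asset with `assign()` and re-running `evaluate()` shows the "move the asset to another group" workflow: no per-device rule has to be edited for the decision to change.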


The network as sensor and enforcer

Industrial operations require advanced cybersecurity capabilities. The traditional approach consisting of deploying dedicated appliances for OT visibility, threat detection and policy enforcement is proving to be too complex to deploy and too costly to scale. Modern industrial networking can benefit from the latest advances in IT networking, especially when these innovations are implemented with OT constraints in mind.

When working on an industrial cybersecurity project, or thinking of expanding or refreshing the industrial network, look for industrial switches and routers that embed these visibility and enforcement capabilities. Avoiding the need to source, install and manage additional appliances will have a positive impact on sustainability objectives. It will also allow industrial security projects to scale, while giving operations more flexibility to modify the industrial network without putting its security at risk or requiring extensive IT support, at a time when it can be difficult to hire skilled IT/OT networking professionals.

This feature originally appeared in the AUTOMATION 2023: Cybersecurity & Connectivity ebook published in September.

About The Author


Andrew McPhee is a solutions manager for Industrial Security at Cisco, responsible for security architectures across industrial verticals. Since joining Cisco in 2015, McPhee has held roles in the company as both engineer and architect. His roles span the Automotive Business Unit, the Security Business Group, and most recently the IoT BU. He has released Cisco Validated Designs for projects such as SASE, Zero Trust and Breach Defense Technologies.
