I like to cook. And if you enjoy it, too, you know that sharing the kitchen can bring a set of challenges. The more cooks there are in the kitchen, the more contentious things can become. But if one person works on an appetizer, another on the main course, and a third on dessert, the result is often five stars. And if you’re like me, everything tends to become a metaphor for work. So, this scenario got me thinking about how the primary stakeholders in securing industrial IoT (IIoT) are like cooks in the kitchen. Each has his or her own set of priorities, and when they work together, there is a better chance of a great meal, err, I mean, result.

The chefs

There are usually three vested chefs, or stakeholders, in an OT security effort. Let’s start with OT itself. OT is responsible for ensuring that industrial processes keep running. These processes are meant to be static and predictable. OT’s objective is to reduce downtime with operational insights that help track activities in the industrial process. OT wants more efficiency, more predictability, and more scalability. To achieve these things, the network must be secure, and OT requires visibility to better understand what’s on the network and how devices are operating.

The second party with a vested interest in OT security is the IT department. IT is responsible for implementing and managing the security infrastructure. A traditional security solution requires security appliances deployed throughout the environment, an ever-growing SPAN collection network, or a combination of the two. With these types of solutions, the total cost of ownership (TCO) increases as the environment grows. Not only does the organization need to invest in more appliances and an out-of-band collection network to support the additional SPAN traffic, but it also incurs operational costs. IT simply doesn’t have the resources to support a sprawling security infrastructure in the OT environment in addition to the IT environment.

Meanwhile, the security operations center’s (SOC) number one priority is to protect the business against threats using the strongest suite of industrial application-aware, integrated security solutions. The SOC wants visibility into the OT environment so that it can see the assets, threats, and vulnerabilities as they relate to the whole organization. This context is critical to understanding how to write security policies that best protect those assets. In an IT environment, best practice dictates quarantining a compromised asset to prevent an attack from spreading through the network. The same approach in an OT environment can bring an entire process to a grinding halt because of the interdependency of the systems.

The recipe

To successfully secure the OT environment, all three vested parties must work together like ingredients in a recipe. Each party possesses institutional knowledge that the others need to achieve their objectives: OT understands the industrial environment (the devices, the protocols, and the business processes); IT understands the IP network; and the SOC understands threats and vulnerabilities. Together, these three entities can form a powerful defense against attackers.

The OT environment must be protected to ensure high availability and reliability, but the SOC must understand the context of the devices in order to apply the right security policies. In order to do either of those things, both must have visibility into the OT environment — visibility provided by a security solution with an architecture that reduces the TCO for IT.

How Cisco can help

Cisco Cyber Vision is an integrated industrial security solution. Cyber Vision uses a two-tier architecture consisting of a central appliance and sensors embedded in the networking hardware. The sensors perform deep-packet inspection (DPI) on industrial-grade switches to understand what’s going on in the network and forward metadata, rather than full packet copies, to the central appliance in the data center. Because the sensors are in every network switch, OT and the SOC benefit from full network visibility. Through Cisco Cyber Vision, OT and the SOC can see the brand and make of the assets on the network, how they are communicating, and with what they are communicating. In addition to a detailed OT asset inventory, Cyber Vision tracks industrial processes. The embedded sensors can provide analytical insights into every component of industrial control systems — giving OT a greater level of insight than it has ever had before.

Because Cyber Vision’s software-based sensors run in a container on the network devices, there’s no need to send people out to install appliances or to build a separate out-of-band network to handle the additional traffic. IT simply has to turn on the sensor functionality, which has no impact on switching performance, a further benefit to OT. This edge architecture reduces complexity and the TCO of securing the OT environment, even as it enables scalability.

For the SOC, Cisco Cyber Vision detects attempts to modify assets and provides cyber threat detection powered by Cisco Talos Intelligence Group, a leading-edge cyber threat intelligence team. Cyber Vision’s integration with security systems enables SOCs to monitor, investigate, and remediate threats across operational departments — all from a single solution. The SOC can reduce time spent on investigations with common aggregated threat intelligence and protect industrial processes with macro- and micro-segmentation built into the industrial network.

Cisco Cyber Vision helps all three parties — OT, IT, and the SOC — achieve their goal: the ability to secure and improve the availability of the OT environment with a scalable, low-TCO solution. If you’d like to learn more about Cyber Vision, watch the on-demand webinar, See It, Secure It: How to Gain Visibility Into Industrial Control Networks.


Marc Blackmer

Product Manager, Engineering

IoT Product Mgmt Networking