The turtle, protected by its hard shell, is a good metaphor for the security model used in most industrial networks. The industrial DMZ (iDMZ) is the shell that protects the soft, vulnerable center—the industrial control systems (ICS) the business depends on.
But while the iDMZ blocks most threats, some will inevitably slip through. When they do, they can move laterally from device to device, potentially causing downtime and information leakage. Giving traffic free rein once it is past the iDMZ conflicts with the zero-trust principle of never trust, always verify. And as companies look to “digitize” manufacturing and adopt more cloud-based services (the shift known as Industry 4.0), more devices need access to production systems.
The answer is micro-segmentation—but there’s a barrier
You can limit the spread of malware that makes it past the iDMZ using a technique called micro-segmentation. The idea is to tightly restrict which devices can communicate and what they can say, confining the damage from cyberattacks to the fewest number of devices. It’s an example of zero-trust in action: instead of taking it on faith that devices only talk to each other for legitimate reasons, you lay down the rules. An HVAC system shouldn’t be talking to a robot, for example. If it is, the HVAC system may have been commandeered by a bad actor who is now traipsing through the network to disrupt systems or exfiltrate information.
So why isn’t every industrial organization already using micro-segmentation? The barrier I hear most often from our customers is a lack of security visibility. To micro-segment your network you need to know every device connected to it, which other devices and systems each one needs to talk to, and which protocols are in use. Without this visibility you end up with overly permissive policies, increasing the attack surface. Just as bad, you might inadvertently block necessary device-to-device traffic, disrupting production.
Gain visibility into what’s on the network and how devices are talking
Good news: Cisco and our partner Rockwell Automation have integrated security visibility into our Converged Plantwide Ethernet (CPwE) validated design. With Cisco Cyber Vision you can quickly see what’s on your network, which systems talk to each other, and what they’re saying. One customer told me he learned from Cyber Vision that some of his devices had a hidden cellular backdoor!
Security visibility has three big payoffs. One is awareness of threats like that backdoor, or suspicious communications patterns like the HVAC system talking to the robot. Another benefit is providing the information you need to create micro-segments. Finally, visibility can potentially lower your cyber insurance premiums. Some insurers give you a discount or will increase coverage limits if you can show you know what’s connected to your network.
Visibility sets the stage for micro-segmentation
Once you understand which devices have a legitimate need to communicate, explicitly allow those communications by creating micro-segments, following the zone-and-conduit model defined by the ISA/IEC 62443 standard. Here’s a good explanation of how micro-segments work. Briefly, you create zones, each containing a group of devices with similar security requirements, a clear physical border, and a need to talk to each other. Conduits are the communication mechanisms (e.g. VLANs, routers, access lists, etc.) that allow or block communication between zones. Anything that is not an explicitly permitted conduit is denied, so a threat that gets into one zone can’t easily move to another.
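To make the zone-and-conduit model concrete, here is an added example (not code from the Cisco/Rockwell post or from Cyber Vision) that audits constructed flow records against a small ISA/IEC 62443-style policy. The device inventory, the zone names, the conduit table and the log format are all assumptions; the point is that intra-zone traffic and listed conduits pass, while the HVAC-to-robot flow and a device missing from the inventory are flagged.

```python
# Constructed inventory, as a visibility tool would report it: device -> zone.
INVENTORY = {
    "hvac-01": "building-services",
    "robot-07": "cell-a",
    "plc-03": "cell-a",
    "hmi-02": "cell-a",
    "historian": "site-ops",
}

# Conduits: (source zone, destination zone) -> protocols allowed across it.
# Traffic inside a zone is allowed; any zone pair not listed here is denied.
CONDUITS = {
    ("site-ops", "cell-a"): {"cip"},  # the historian polls the PLC over CIP
}

def check_flow(src, dst, proto):
    """Return (allowed, reason) for one observed flow."""
    src_zone, dst_zone = INVENTORY.get(src), INVENTORY.get(dst)
    if src_zone is None or dst_zone is None:
        return False, "device not in inventory (visibility gap)"
    if src_zone == dst_zone:
        return True, f"intra-zone traffic in {src_zone}"
    if proto in CONDUITS.get((src_zone, dst_zone), set()):
        return True, f"conduit {src_zone}->{dst_zone} permits {proto}"
    return False, f"no conduit {src_zone}->{dst_zone} for {proto}"

def parse_flow(line):
    """Parse a constructed 'src=<host> dst=<host> proto=<name>' record."""
    fields = dict(part.split("=", 1) for part in line.split())
    return fields["src"], fields["dst"], fields["proto"].lower()

def audit(lines):
    """Return [(line, reason)] for every flow the zone/conduit policy denies."""
    violations = []
    for line in lines:
        allowed, reason = check_flow(*parse_flow(line))
        if not allowed:
            violations.append((line, reason))
    return violations

# Constructed sample flow log, one record per line.
SAMPLE_LOG = [
    "src=hmi-02 dst=plc-03 proto=CIP",      # same zone: allowed
    "src=historian dst=plc-03 proto=CIP",   # allowed by the listed conduit
    "src=hvac-01 dst=robot-07 proto=SSH",   # the HVAC-to-robot case from the post
    "src=cam-99 dst=plc-03 proto=HTTP",     # device the inventory does not know
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print("VIOLATION:", line, "->", reason)
```

Conduits are directional, so a PLC initiating traffic back toward the historian is denied unless a second conduit is added for it.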
Both Cisco and Rockwell Automation provide tools for segmenting the network. Use Cisco Identity Services Engine (ISE) for devices that communicate over any protocol, industrial or otherwise (HTTP, SSH, telnet, CIP, UDP, ICMP, etc.). For your CIP devices, you can enforce even tighter controls over traffic flow using Rockwell Automation’s CIP Security, which secures production networks at the application level. We have several Cisco Validated Designs (CVDs) on a range of security topics, many jointly developed and tested with Rockwell. Examples of our collaboration with Rockwell include Converged Plantwide Ethernet (CPwE) and the recently added Security Visibility for CPwE based on Cisco Cyber Vision.
A lesson from nature
Combining an iDMZ with micro-segmentation is like blending the protective abilities of a turtle and a lizard. Like the turtle’s shell, the iDMZ helps keep predators out. And like a lizard that can drop its tail when a predator gets hold of it, micro-segmentation limits the damage from an attack.
Bottom line: To get started with micro-segmentation—and potentially lower your cyber insurance premiums—use Cyber Vision to see what devices are on your network and what they’re saying.
To learn more about how Cisco and Rockwell can help strengthen OT/ICS security with visibility for CPwE, watch the webinar replay of November 14, 2023 (Password: Cdnwh3FH). Related design guides:
- Network Security within a Converged Plantwide Ethernet Architecture Design and Implementation Guide
- Deploying CIP Security within a Converged Plantwide Ethernet Architecture Design Guide
- CPwE Identity and Mobility Services
- CPwE Industrial Demilitarized Zone
- Industrial Automation Security Design Guide 2.0