After the executive order to bolster the nation's cybersecurity following the Colonial Pipeline attack, the U.S. Transportation Security Administration (TSA) has been releasing new mandates for critical infrastructure such as freight and passenger rail, pipelines, and airports, with more industries to follow.
The networks that support these critical infrastructures are mission-critical, which means that it is essential to be able to stay connected while securely administering policy in the industrial space. Being an industry leader in networking and security across both the information technology (IT) and operational technology (OT) domains, Cisco is in a unique position to deliver an end-to-end security strategy, while enhancing operational uptime and resiliency.
To strengthen the cybersecurity posture of the nation’s critical infrastructure, the mandates outline four key requirements, quoted below.
The first requirement is to “Implement network segmentation policies and controls to ensure that the Operational Technology (OT) system can continue to safely operate if an Information Technology (IT) system has been compromised.”
Using a defense-in-depth approach, Cisco addresses this requirement in many parts of the network, adapting to the unique architecture needs of individual organizations. The solution is a familiar one: use the network infrastructure itself to segment the network, rather than waiting until traffic reaches a “security appliance” to apply security. Cisco provides an end-to-end segmentation solution in which data is kept within its own virtual network from source to destination, wherever that may be.
To support the unique requirements of industrial networks, the reach of Cisco SD-WAN has been expanded through Cisco Industrial Routers, which provide the connectivity, mobility, and security required for critical infrastructure. SD-WAN segments traffic at the edge of the network and maintains that separation at every relevant point in the network. Policy can be orchestrated across multiple enforcement points using Cisco Catalyst SD-WAN, or, if your organization prefers, the same architecture can support the evolution to a secure service edge (SSE) with Cisco Secure Access.
TSA highlights the need to “Implement access control measures to secure and prevent unauthorized access to Critical Cyber Systems.” As OT devices traverse both the LAN and the WAN with a unified identity, Cisco can enforce policy everywhere. Cisco Security Group Tags (SGTs) identify the role that a device has on the network, and the associated privileges are enforced by switches, routers, and firewalls, depending on where the data flows.
Remote users, whether internal technicians or vendor support, often need access to critical cyber systems. Cisco Secure Equipment Access (SEA) provides flexible access for remote configuration and maintenance of industrial assets in distributed locations while minimizing security risk.
Segmentation is not enough to complete a security solution. By implementing “continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect Critical Cyber System operations,” we can continually monitor and evaluate the trust of both users and devices on our networks and push policy back into the network as security posture changes.
To provide visibility and security posture to the industrial network, Cisco Cyber Vision is embedded in Cisco networking infrastructure in order to avoid the need for dedicated appliances and/or costly Switched Port Analyzer (SPAN) solutions. Cyber Vision identifies assets, their characteristics, and their communication patterns to “reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on Critical Cyber Systems in a timely manner using a risk-based methodology.” Cyber Vision automatically identifies device vulnerabilities and calculates risk scores so you can proactively build an improvement process to address risks.
Cisco’s capabilities, highlighted above, not only meet the current TSA Cybersecurity Directive requirements but also enable clients to deliver more robust cybersecurity capabilities to thwart the threats facing the industry. Most significantly, these capabilities are foundational for enabling both security and operational resiliency, as well as for optimizing the performance of mission-critical networks.