In a “Part 1” of this blog series, my colleague Paul Didier explained why manufacturers are accelerating transformation of their legacy production networks. In short, a modern network can readily enable integrated end-to-end cybersecurity – making it much easier to proactively monitor, identify and mitigate threats. In this post, I step through more of the “how,” with for designing, planning, testing and deploying new switches as part of a network transformation.
When planning a transformation, start with a thorough understanding of all requirements for the applications and services the production network supports. Dive deep into all protocols and associated KPIs and metrics required by the deployed endpoints and analyzing industrial automation and control systems (IACS) devices, many of which tend to be sensitive to network latency and loss. Once the requirements are well understood, it’s possible to develop role-based templates and network device configurations. These configurations will reflect the protocols and features necessary to support deterministic behavior, application SLAs and current device connectivity.
After the device configurations are developed, the next step is testing and validating the viability of those configurations in the new switches. This can be achieved by executing a limited proof of concept in a controlled “sandbox” or by testing within a limited production environment. In either case, the key is to execute tests and expose the equipment to the rigors and network characteristics found in the operational environment while minimizing any impact to operations. Using clear pass/fail criteria for each feature, validate that all requirements are being met and that the network performs as expected. After completing all tests – and resolving any punch-list items – it’s time to displace the legacy switches.
Different situations and operations may dictate how the displacement or migration needs to be executed. This, too, requires strict planning and preparation. To properly execute the migration and ensure successful repeatability for subsequent devices, create a standard operating procedure (SOP) or methods of procedure (MOP) document. This document defines the step-by-step process and correct sequence for performing necessary tasks. As such, it helps mitigate risk and reduce impact to operations – by defining not only the proper procedures for executing the displacement, but also the backout procedures should something unexpected be encountered.
To further contain costs and impact, default to reusing existing cabling and power, which usually represent the most significant cost and time to deploy a production network. Using existing power and network cabling helps minimize the time required to swap network infrastructure hardware.
While manufacturers often possess the staff and experience in performing these tasks, resources may be spread thin. In that case, look to Cisco CX as a force multiplier, mitigating risk and helping drive success. Cisco CX is capable of performing one, some or all of the tasks discussed to help achieve the desired outcome, such as minimizing operational downtime and/or minimizing costs and keeping the project on schedule.
Fast-tracking cyber solutions
Once a legacy network is displaced with a security-capable network infrastructure, manufacturers can move more quickly on the journey to secure production environments. With a transformed legacy network, a manufacturer can accelerate deployment of cybersecurity solutions that lead to more uptime and secured assets and products.
Here are four ways to start:
- Monitor IACS devices and communication and identify risks. Leverage cybersecurity applications such as Cisco Cyber Vision to analyze data collected by the new network equipment to gain ubiquitous visibility.
- Leverage Cisco Cyber Vision to profile industrial devices, group them into production cells and define security policies between those cells.
- Monitor communications between production cells to confirm security policies are properly defined and can be enforced without compromising production.
- Deploy security policies to be enforced by the new industrial network and provide ongoing improvements with Cisco DNA-C network management offerings and improved cybersecurity operations with Cisco SecureX.
Integrate these steps with other key cybersecurity initiatives that rely on the transformed production networks. These may include policy management, secure remote access, enhanced industrial de-militarized zones, malware protection throughout the environment, and intrusion detection and prevention (IDS/IPS) at key conduits within the production zone.
The current fragmented cybersecurity approach in industrial environments is not keeping pace with the rate and sophistication of threats and attacks. To avoid downtime, revenue loss and reputational impact, manufacturers should consider transforming legacy production networks and migrating to a more capable infrastructure, such as one provided by the Cisco Industrial Ethernet platform.
The Cisco IE3x000 series together with Cisco Cyber Vision provides deep insights and visibility of IACS devices and communication patterns. This approach also enables segmentation and defense tailored to the existing IACS by leveraging increased visibility to derive tailored cybersecurity profiles. These profiles can subsequently be used to define and instantiate security policies.
With a modern network and more integrated security tools and features, manufacturers can expect to upgrade and deliver a more comprehensive and cohesive cybersecurity posture throughout the lifecycle of the IACS and production networks.
To learn more on how a modern industrial network can help you scale your OT cybersecurity strategy, read our whitepaper on the various architectural approaches available to you.