As organizations are increasingly connecting industrial control networks to the IT environment, cloud applications, and remote workers, the airgap created by the demilitarized zone (DMZ) erodes, and new ways to secure operational technology (OT) networks must be deployed.
A security solution must take into account the needs of both IT and OT – providing robust security without increasing operational overhead or network complexity. To choose the best solution for your organization, you need to understand the implications of the various security architectures available to you. In this post, we outline a guide to selecting the right architecture to secure industrial IoT.
The first step to securing an industrial IoT network is to obtain visibility. You need to understand what devices are on the network, what they are communicating, and where those communications are going. However, traditional industrial control networks weren’t built to provide these insights.
Fortunately, the technology to achieve network visibility is available today. Deep packet inspection (DPI) decodes all communication flows and extracts message contents and packet headers, providing the visibility to understand what devices you need to secure and what they are communicating. Not only does this let you build the right security policies, it also gives you the ability to detect abnormal behaviors such as illegitimate commands to machines that could have disastrous effects.
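As an added illustration of the inspection described above (not code from this post or from any vendor product), the sketch below decodes Modbus/TCP requests, records which sources send which function codes to which device, and flags write commands from sources outside an allowlist. The choice of Modbus/TCP, the IP addresses, the allowlist, and the sample frames are assumptions constructed for the example.

```python
import struct
from collections import defaultdict

# Modbus function codes that change device state.
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def decode_modbus(payload: bytes):
    """Decode one Modbus/TCP request; return None if it is not well-formed."""
    if len(payload) < 8:  # 7-byte MBAP header plus a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id and the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    func = payload[7]
    # For the common read/write requests (codes 1-6, 15, 16) the next
    # two bytes are the start address.
    addr = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return {"tid": tid, "unit": unit, "func": func, "address": addr}

def inspect(flows, allowed_writers):
    """Return (inventory of who sends which function codes, list of alerts)."""
    inventory, alerts = defaultdict(set), []
    for src, dst, payload in flows:
        msg = decode_modbus(payload)
        if msg is None:
            alerts.append((src, dst, "malformed Modbus/TCP frame"))
            continue
        inventory[(src, dst)].add(msg["func"])
        if msg["func"] in WRITE_FUNCS and src not in allowed_writers:
            alerts.append((src, dst, f"{WRITE_FUNCS[msg['func']]} at address "
                                     f"{msg['address']} from unapproved source"))
    return dict(inventory), alerts

# Constructed sample: (source, destination, TCP payload sent to port 502).
ALLOWED_WRITERS = {"10.0.0.20"}  # hypothetical engineering workstation
SAMPLE_FLOWS = [
    ("10.0.0.10", "10.0.0.50", bytes.fromhex("000100000006010300000002")),
    ("10.0.0.20", "10.0.0.50", bytes.fromhex("0002000000060106001000ff")),
    ("10.0.0.99", "10.0.0.50", bytes.fromhex("00030000000601050003ff00")),
    ("10.0.0.10", "10.0.0.50", bytes.fromhex("00040000000601")),  # truncated
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS, ALLOWED_WRITERS)[1]:
        print(alert)
```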
Selecting your architecture
When collecting network packets to perform DPI, security solution providers typically employ one of two architectures:
- Configure network switches to send traffic to a central server that performs DPI
- Deploy dedicated security appliances on each network switch
While both approaches can deliver network visibility, they also create new challenges. Configuring network switches to send traffic to a central server requires duplicating network flows, which can be complex and costly. The additional network congestion can also create network latency — often an unacceptable compromise.
Deploying a security appliance addresses the issues associated with duplicating network traffic. The appliance collects and analyzes network traffic at the switch and only sends metadata to a server for additional analysis. However, full visibility requires the installation, management, and maintenance of dedicated hardware for each and every switch on the network. This can quickly lead to cost and scalability challenges. And to be effective, security requires full visibility. Even leaving one switch “in the dark” introduces risk.
An alternative approach
There is a better way to achieve full network visibility, a third architectural approach: deploy industrial-grade switches with native DPI capability. This eliminates the need to duplicate network flows and deploy additional appliances. Obtaining visibility and security functionality is simply a matter of activating a feature within the switch. Cost, traffic, and operational overhead are all minimized.
Embedding DPI in the network switch affords both IT and OT unique benefits. IT can leverage its existing skillset to secure the OT network without having to manage additional hardware or network traffic. OT can obtain visibility into operations that it’s never had before, because all industrial network traffic can now be analyzed, providing valuable analytical insights into control systems.
As you evaluate OT security solutions, be aware of their architectural implications. To simplify deployment and make it scalable, the best option is to embed security capabilities into the switch. This requires network equipment that has industrial compute capabilities – look for DPI-enabled switches that are designed for industrial IoT.
This is the approach we adopted with Cisco Cyber Vision. It leverages a unique edge computing architecture that enables security monitoring components to run within our industrial network equipment, thus providing visibility, operational insights, and holistic threat detection for the OT environment.
The benefits of Cisco Cyber Vision aren’t limited to organizations with Cisco networks: the sensor is also available within the Cisco IC3000 appliance, which analyzes traffic at the edge by connecting to your legacy network devices. This provides maximum deployment flexibility to meet your needs with your existing network, while giving you time to replace older switches with DPI-enabled network equipment that’s capable of seeing everything that attaches to it.
If you’d like to learn more, check out the white paper, “An Edge Architecture Approach to Securing Industrial IoT Networks,” in which we further explore the three security architectures introduced here and how embedding DPI in the network switch meets the needs of both IT and OT.