When I meet with manufacturers, I usually hear some version of the following: “We’re digitizing to get real-time visibility into production and improved operational equipment effectiveness. But now we’re worried about malware interrupting operations. What can we do?”
News headlines have erased any doubts about the need for industrial network cybersecurity. The trickier question is how to secure the network without interrupting production and revenue. To provide guidance, we’ve created Cisco Validated Designs for industrial network security. They lay out a step-by-step approach to gain visibility into OT assets, protect against and respond to threats, and enhance IT and OT collaboration.
Bringing IT and OT together is a journey
Trying to secure the industrial network in one go is like boiling the ocean. Better to view it as a journey. At each step in the journey, you’ll make incremental changes to people, process, and technology.
Step 1 – Minimal security. This is the current state for most manufacturers. If you’re here, you’ve segmented the industrial network from the IT network. Traffic can’t cross from the IT network to the industrial network without clearing the DMZ. You can block malware from entering the industrial network. You can block malware from leaving the industrial network to infect the enterprise network. But if the industrial network is exposed to malicious software, you don’t have a way to contain it. That means the malware might affect multiple manufacturing cells or production lines — even multiple plants.
Step 2 – Foundational security. Here’s where most of our customers start. The watchwords at this step are detect, protect, and respond:
- Identify all your industrial assets, known vulnerabilities of those assets and communication flows. Cisco Cyber Vision makes this simple, and gives IT and OT teams a common vocabulary and context because zones correspond to production lines or manufacturing cells. With this visibility provided by Cisco Cyber Vision, industrial network segmentation can be done optimally.
- Detect threats and prevent them from spreading by deploying a Cisco ISA 3000 Industrial Security Appliance.
- Investigate and remediate threats with Cisco SecureX. When you build the security policy, the OT team specifies the right response, depending on the zone. In some cases, the business cost of taking down assets in an infected zone might exceed the risk of the infection. In other cases, the opposite might be true.
- Create containment zones for malware to prevent it from spreading across zones. This requires detection rules and flow control policies. Manage rules and policies consistently with Firepower Management Center for all deployed ISAs.
Foundational security also requires changes to processes. OT security is treated like a maintenance process included in planned maintenance schedules — for example, “Check if firmware needs updates because of a vulnerability.” At this stage there is a need to develop workflows between security operations and manufacturing operations.
Step 3 – Full-spectrum security. After foundation security has been successfully operationalized, the segmentation capabilities are enhanced in full-spectrum security architecture. Segmentation can be granular down to single devices and zero-trust capabilities can be deployed into the industrial network. This makes the malware containment zones down to a single device while providing fine grain control over which asset communication flows. Visibility is enhanced by adding anomaly detection with Cisco Stealthwatch, and block sensor-to-cloud communication requests to malicious websites with Cisco Umbrella.
Order matters
You’ll get the most value from your investments in factory security by taking the steps I’ve outlined in order. To explain why, I’ll give you an analogy from cooking, my hobby. When I bake a cake, I decide on the base (vanilla, chocolate, etc.) before the icing. I’m not saying that icing by itself isn’t good—it’s just much better as an enhancement to the cake. Similarly, Stealthwatch (step 3) is valuable at any time. But it’s far more useful if you already have a complete OT asset inventory (step 2) and operational processes. Those elements set you up to efficiently investigate and respond to events and incidents raised by Stealthwatch.
Learn more
Want to learn more? Hear from Cisco and industry experts from Bosch and Estée Lauder during the keynote address at Hannover Messe 2021. Click here to register for free. And to keep up with the latest Internet of Things trends and insights to help you succeed with your IoT deployments, subscribe to our newsletter.
Great suggestions! What percentage of companies do you think are at each step? My guess is many are still surprisingly at step 0 (VLANs and no DMZ) with the majority being at step 1. A few are at step 2 and a small percentage at 3.
It is hard to be exact – but over all, we know that less than a handful of companies are at step 3 or attempting step 3.
Most are at step 1 or close to step 1 – implying that they have a concept of separating the corporate and industrial network, but may not have put an effective DMZ in place. Perhaps this is as you call it, step 0.
The malware and ransomware attacks are prompting , and an increasing number to upgrade to step 2.
Great article, simple, easy to understand and succinct.
How easy is it to configure Cisco Cyber vision and what are the priorities and constraints at an operational level?
What are the details of the ISA3000 for implementation, what overheads does this appliance add on the network and other control modules, again, what are the constraints?
What protocols do Firepower Management Centre need to become useful?
Hi Unal, the details of the design are at https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Industrial_Automation/IA_Horizontal/IA_Security/IA_Security_DG.html
Here we have covered the configuration and details.