Cisco Blogs

Intent-based security in manufacturing


April 19, 2018 - 0 Comments

Industrie 4.0 (I4.0) offers great promise for manufacturers to optimize business operations. The key to any successful I4.0 project lies in the factory data. Industrial customers need seamless, secure access to this data to make better business decisions in their plants, which can only happen with a reliable plant-to-enterprise network and software that makes managing large industrial networks and large industrial data sets easier. And all of this data movement needs to be done securely. The Cisco 2018 Annual Cybersecurity Report showed that manufacturers are a prime target for malicious cyber attacks, with 31% of security professionals saying their organizations have already experienced cyber attacks on OT infrastructure.

There is no silver security bullet for manufacturers, no one product or solution you can buy to make your factory secure. Security should be viewed as a methodical, multi-pronged, war-preparation effort to protect critical IP and production integrity from the enterprise all the way to the factory floor. Protecting critical manufacturing assets and intellectual property requires a holistic defense-in-depth approach that uses multiple layers of defense (physical, procedural, and electronic) to address different types of threats, and that implements proven, integrated security solutions covering the carpeted space all the way to the concrete space. Manufacturers face a few major obstacles when implementing effective security in industrial environments:

  • Traditional security platforms lack visibility into the identity of industrial assets (controllers, I/O, drives, and so on), which makes it hard to define security policy for these devices based on network attributes such as IP and MAC address alone.
  • Fear of impacting production, because OT personnel must depend on a centralized IT team to modify security policies to accommodate the control-system adds, moves, and changes needed for day-to-day operations.
  • Difficulty implementing effective security for the most common manufacturing use cases: remote access, simplified network segmentation, and inspection of traffic within production cells to look for anomalies.

To overcome these challenges, manufacturers need integration between the OT tools used for process network monitoring and IT security platforms. Cisco's Industrial Network Director (IND) is a network management tool that does exactly that: it pulls together IT tools such as Identity Services Engine and Stealthwatch within an operations-friendly interface. This integration gives IT security systems visibility into industrial assets while keeping control in the hands of OT personnel. Operations teams need the ability to express operational intent and have the IT security solutions automatically select the appropriate IT-defined security policies, without requiring network or advanced security skills. They also need tools they can easily use and understand to manage their networks, and those tools are not traditional IT tools. Check out this video to see how IND works.

Operations-friendly tools can give manufacturers the confidence that factory networks are running at the performance levels complex automation requires, and they can give traditional IT-based security solutions the visibility they need to do their job. For example, if operational tools can identify that a certain device on the network is an HMI, and that this HMI should only be talking to one specific controller, then IT-based security tools can monitor for anomalous behavior (such as the HMI talking to devices on other manufacturing lines or machines) and flag it as a potential attack vector. Operational visibility makes that possible.

Lastly, putting some level of security control for the most common manufacturing use cases in the hands of operations will dramatically improve security posture. For example, if operations can easily allow a machine builder to access only a specific machine for troubleshooting, while still meeting IT policy, everyone benefits. As another example, only the operations team knows which machines or plant areas should talk to which others, so putting easy-to-use network segmentation tools (through IND) in the hands of operations also improves a manufacturer's security posture. Network segmentation is an effective way to quickly improve security on plant floors.
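The two preceding paragraphs describe the same mechanism from two angles: operations states intent in terms of asset identity (this HMI talks only to this controller; this machine builder may reach only this machine), and the security tooling turns that intent into policy and flags flows that violate it. The following is an added illustration of that idea, not Cisco IND, ISE, or Stealthwatch code. The asset inventory, role names, IP addresses, flow records, and the access-grant structure are all constructed for the example.

```python
"""Intent-based flow policy for production cells (added illustration).

Operations describes assets by role and cell and states which roles may talk;
the engine classifies observed flows against that intent instead of against
raw IP/MAC rules. All assets, IPs and flows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    role: str             # "hmi", "controller", "io", "remote-vendor", ...
    cell: Optional[str]   # production line/cell; None for external parties


# Constructed inventory keyed by IP (in practice discovered by the OT tool).
ASSETS: Dict[str, Asset] = {
    "10.10.1.10": Asset("HMI-01", "hmi", "line-1"),
    "10.10.1.20": Asset("PLC-01", "controller", "line-1"),
    "10.10.1.30": Asset("IO-01", "io", "line-1"),
    "10.10.2.10": Asset("HMI-02", "hmi", "line-2"),
    "10.10.2.20": Asset("PLC-02", "controller", "line-2"),
    "192.168.50.5": Asset("vendor-laptop", "remote-vendor", None),
}

# Operational intent: (source role, destination role, must share a cell).
# Anything not listed here is outside intent and gets flagged.
INTENT: List[Tuple[str, str, bool]] = [
    ("hmi", "controller", True),
    ("controller", "io", True),
]


@dataclass(frozen=True)
class AccessGrant:
    """Time-boxed remote access for a machine builder, scoped to ONE asset."""
    source: str       # vendor IP
    target: str       # the single machine the vendor may reach
    expires_at: int   # epoch seconds


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    ts: int           # epoch seconds when the flow was observed


def evaluate(flow: Flow, grants: List[AccessGrant]) -> str:
    """Return 'allowed' or an 'anomaly: ...' reason for a single flow record."""
    src, dst = ASSETS.get(flow.src), ASSETS.get(flow.dst)
    if src is None or dst is None:
        # A device the OT inventory does not know is itself an anomaly.
        return "anomaly: unknown asset"

    # 1. Explicit, scoped, time-boxed grants are checked first. A source that
    #    holds grants is judged only by them, so a vendor cannot fall back to
    #    role-based intent to reach something outside the grant.
    mine = [g for g in grants if g.source == flow.src]
    if mine:
        if any(g.target == flow.dst and flow.ts <= g.expires_at for g in mine):
            return "allowed"
        return f"anomaly: {src.name} outside grant scope or grant expired"

    # 2. Otherwise the role pair must appear in the operational intent, and
    #    cell-bound pairs must stay inside one production cell.
    for src_role, dst_role, same_cell in INTENT:
        if src.role == src_role and dst.role == dst_role:
            if same_cell and src.cell != dst.cell:
                return (f"anomaly: cross-cell {src.name} ({src.cell}) -> "
                        f"{dst.name} ({dst.cell})")
            return "allowed"
    return f"anomaly: no intent permits {src.role} -> {dst.role}"


def audit(flows: List[Flow], grants: List[AccessGrant]) -> List[Tuple[Flow, str]]:
    """Classify every flow; returns (flow, verdict) pairs for reporting."""
    return [(f, evaluate(f, grants)) for f in flows]


# Constructed sample data: one vendor grant to PLC-01, valid until t=2000.
GRANTS = [AccessGrant("192.168.50.5", "10.10.1.20", expires_at=2000)]
FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", 44818, 1000),  # HMI-01 -> PLC-01, same cell
    Flow("10.10.1.10", "10.10.2.20", 44818, 1001),  # HMI-01 -> PLC-02, other line
    Flow("10.10.1.20", "10.10.1.30", 2222, 1002),   # PLC-01 -> IO-01, same cell
    Flow("192.168.50.5", "10.10.1.20", 44818, 1004),  # vendor -> granted machine
    Flow("192.168.50.5", "10.10.2.20", 44818, 1005),  # vendor -> other machine
    Flow("192.168.50.5", "10.10.1.20", 44818, 2500),  # vendor after expiry
    Flow("10.10.9.9", "10.10.1.20", 44818, 1006),   # unknown device -> PLC-01
]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS, GRANTS):
        print(f"{flow.src:>14} -> {flow.dst:<12} {verdict}")
```

The point of the structure is that nobody writes an IP-based rule: the OT team maintains roles, cells, intent pairs, and one-machine grants, and every flow is judged against those. Changing a grant's target or expiry is an operations decision that does not require an IT ticket, while the policy itself (grants first, then role intent, everything else flagged) stays under IT control.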

To summarize, implement a holistic defense-in-depth security approach for your factory, address the most common operational use cases, and put basic practices such as network segmentation in place to prepare for the coming cyber war. Make no mistake, that war will come, so prepare. Look for security solutions that are operations friendly but still tied to enterprise-grade security platforms to address those common manufacturing use cases. Only then can manufacturers reach a position where they can be confident that their intellectual property and production integrity are reasonably secure.


