“Security Seven”: Ways to Defend Your Factory – Part 2
In the first blog of this series, we talked about some of the unique security challenges that manufacturers face. The more connected your environment becomes, the more difficult it is to integrate your enterprise IT with your industrial technologies.
Here are the rest of the Security 7:
- Play zone defense.
Use industry best practices, such as the ISA/IEC 62443 standard, to set up zones and design schemas to segment and isolate your sub-systems. Create a demilitarized zone (DMZ) between your enterprise and manufacturing networks. On the network perimeter, firewalls and intrusion detection will help you keep threats at bay. And within the network, employing out-of-band deep packet inspection (DPI) in your routers, switches, and other network devices can help you spot viruses, spam, and other intrusions.
For example, the Emirates Aluminium Company Ltd. (EMAL) maintains a huge plant organized into several independent industrial zones and IT networks. Each zone handles a different stage of the production process. The company needed to coalesce these networks and share information to streamline production without compromising security and resilience. EMAL deployed a Cisco-based Industrial Demilitarized Zone (IDMZ) to link information from each zone with enterprise IT without compromising security. Each production area has a DMZ, with twin firewalls, providing a “neutral zone” where suspicious traffic can be identified and isolated before it can penetrate networks, servers, and systems. The solution lets EMAL safely share information across different interfaces and environments.
“DMZs are normally used to protect corporate networks from internet threats,” says Sylvain Boily, Automation Manager with BBA, a project consultant working on EMAL’s new smelter plants. “This application of DMZs within a manufacturing environment is groundbreaking.”
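The zone rule described above, that enterprise and manufacturing traffic should meet only in the DMZ, can be audited against flow records. The following is an added example, not code from the original post or from Cisco; the zone names, subnets and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed zone model (assumption): subnets are made up for illustration.
ZONES = {
    "enterprise":    ipaddress.ip_network("10.10.0.0/16"),
    "idmz":          ipaddress.ip_network("10.20.0.0/24"),
    "manufacturing": ipaddress.ip_network("10.30.0.0/16"),
}

# Allowed conduits: every cross-zone flow must start or end in the IDMZ.
ALLOWED_CONDUITS = {
    ("enterprise", "idmz"), ("idmz", "enterprise"),
    ("manufacturing", "idmz"), ("idmz", "manufacturing"),
}

def zone_of(addr):
    """Map an IP address to its zone name, or 'unknown' if outside the model."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return the flows that cross zones outside an allowed conduit."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # traffic that stays inside one known zone
        if (sz, dz) not in ALLOWED_CONDUITS:
            violations.append((src, dst, port, f"{sz}->{dz}"))
    return violations

# Constructed flow records: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.10.4.12", "10.20.0.5", 443),    # enterprise -> IDMZ
    ("10.20.0.5", "10.30.1.7", 44818),   # IDMZ -> manufacturing
    ("10.30.1.7", "10.30.2.9", 502),     # inside manufacturing
    ("10.10.4.12", "10.30.1.7", 502),    # enterprise -> manufacturing, bypasses IDMZ
    ("10.30.1.7", "203.0.113.9", 443),   # manufacturing -> address outside the model
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print(violation)
```

Run against exported firewall or NetFlow records, a non-empty result points to a rule or path that lets traffic skip the DMZ.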
- Reduce Capex (and Opex) with a remote security team.
If your company is made up of distributed sites in multiple locations, you need a way to apply security remotely.
For example, a leading oil and gas company operating in more than 70 sites globally was able to reduce costs by $700,000 per site deployed over five years (per their ROI study). To protect its critical infrastructure, including refineries, wells, and other sites, the company deployed Cisco Secure Ops, utilizing field-deployed software and networking gear to remotely monitor more than 50 upstream and downstream sites. The solution provided a secure “tunnel” from the field infrastructure to a centralized management console. Its centralized control center enables engineers and IT experts at a global service desk to quickly respond to any security threats.
The Cisco Secure Ops solution also enabled other capabilities:
- Automated asset discovery and the inventory process to Level 1 of the Purdue Manufacturing Model
- Tightened security by updating systems, limiting remote access, and monitoring compliance
- Systemized downloading and distribution of system patches and antivirus updates
- Thwart attackers at the edge
A critical segment of any company’s network architecture straddles the Internet edge, where the corporate network meets the public Internet. The Internet edge is the gateway to cyberspace and serves many roles for the typical enterprise network. As network users reach out to websites and use email for business-to-business communication, you need to keep your corporate resources both accessible and secure. Something as simple as moving from unmanaged switches in your network to lightly managed switches gives you the ability to better secure ports and improves network visibility, control and security.
Cisco provides a modular building-block approach to the Internet edge, enabling flexibility and customization in network design to accommodate business models of differing sizes and requirements. Cisco offers solutions and validated designs for:
- Firewall and intrusion prevention to protect the network infrastructure and data from Internet-based threats like worms, viruses, and targeted attacks,
- Remote access (RA) VPN to enable secure, consistent access to network resources from anywhere,
- Email security, including spam and malware filtering services, and
- Web security to support acceptable-use control and monitoring.
There’s never been a better time to leverage a great defense for offense.
The right security policies free up your organization to be more innovative and accelerate your digital transformation. In our “Cybersecurity as a Growth Advantage” study, 74 percent of manufacturers said that cybersecurity threats have hindered innovation. When you mitigate threats, take control and actively manage security, you not only minimize risk but also position your company to be more competitive and agile.
Put your cybersecurity strategy into overdrive.
We’re helping manufacturers such as Diebold, GM, Air Liquide and more ensure effective, robust plant-floor security while paving the way for future growth. We can help you understand potential threats and help quantify their financial risk to business leaders with a comprehensive Industrial Cybersecurity Risk and Vulnerability Assessment. To learn more, visit cisco.com/go/factorysecurity or contact firstname.lastname@example.org.