ISA Interchange

Welcome to the official blog of the International Society of Automation (ISA).

This blog covers numerous topics on industrial automation such as operations & management, continuous & batch processing, connectivity, manufacturing & machine control, and Industry 4.0.

All Posts

Securing Industrial Networks: It’s a Journey

When I meet with manufacturers, I usually hear some version of the following: “We’re digitizing to get real-time visibility into production and improved operational equipment effectiveness. But now we’re worried about malware interrupting operations. What can we do?”

News headlines have erased any doubts about the need for industrial network cybersecurity. The trickier question is how to secure the network without interrupting production and revenue. To provide guidance, we’ve created Cisco Validated Designs for industrial network security. They lay out a step-by-step approach to gain visibility into OT assets, protect against and respond to threats, and enhance IT and OT collaboration.

Bringing IT and OT Together Is A Journey

Trying to secure the industrial network in one go is like boiling the ocean. Better to view it as a journey. At each step in the journey, you’ll make incremental changes to people, process, and technology.

Step 1 – Minimal Security: This is the current state for most manufacturers. If you’re here, you’ve segmented the industrial network from the IT network. Traffic can’t cross from the IT network to the industrial network without clearing the DMZ. You can block malware from entering the industrial network. You can block malware from leaving the industrial network to infect the enterprise network. But if the industrial network is exposed to malicious software, you don’t have a way to contain it. That means the malware might affect multiple manufacturing cells or production lines—even multiple plants.

Step 2 – Foundational Security: Here’s where most of our customers start. The words to keep in mind at this step are detect, protect, and respond

  • Identify all your industrial assets, known vulnerabilities of those assets, and communication flows. An optimal solution makes this simple and gives IT and OT teams a common vocabulary and context, because zones correspond to production lines or manufacturing cells. With this visibility provided, industrial network segmentation can be done optimally.
  • Detect threats and prevent them from spreading.
  • Investigate and remediate threats. When you build the security policy, the OT team specifies the right response, depending on the zone. In some cases, the business cost of taking down assets in an infected zone might exceed the risk of the infection. In other cases, the opposite might be true.
  • Create containment zones for malware to prevent it from spreading across zones. This requires detection rules and flow control policies. Manage rules and policies consistently for all deployed ISAs.

Foundational security also requires changes to processes. OT security is treated like a maintenance process included in planned maintenance schedules—for example, “Check if firmware needs updates because of a vulnerability.” At this stage, there is a need to develop workflows between security operations and manufacturing operations.

Step 3 – Full-Spectrum Security: After foundation security has been successfully operationalized, the segmentation capabilities are enhanced in full-spectrum security architecture. Segmentation can be granular down to single devices and zero-trust capabilities can be deployed into the industrial network. This makes the malware containment zones down to a single device while providing fine grain control over which asset communication flows. Visibility is enhanced by adding anomaly detection with and block sensor-to-cloud communication requests to malicious websites.

Order Matters

You’ll get the most value from your investments in factory security by taking the steps I’ve outlined in order. To explain why, I’ll give you an analogy from cooking, my hobby. When I bake a cake, I decide on the base (vanilla, chocolate, etc.) before the icing. I’m not saying that icing by itself isn’t good—it’s just much better as an enhancement to the cake. Similarly, full-spectrum security (step 3) is valuable at any time. But it’s far more useful if you already have a complete OT asset inventory (step 2) and operational processes. Those elements set you up to efficiently investigate and respond to events and incidents.

This blog was originally published on Cisco.

Vikram Sharma
Vikram Sharma
Vikram has over 20 years of experience in the digital manufacturing space and securing the OT network. Vikram is a Sr. Engineering Manager in Cisco's IoT BU where he develops security solutions for Industrial networks. He is a cryptographer by trade and has been focusing on enhancing security especially trust & identity solutions and protecting against malware attacks.

Related Posts

ISA Commemorates International Women in Engineering Day

Since 1982, women have earned almost 10 million more college degrees than men. However, despite this stat...
Steven Aliano Jun 23, 2022 5:30:00 AM

Good News: In-Person Events and Travel are Back!

In my last article, I talked about the International Automation Professionals Day. Today, I will talk abo...
Carlos Mandolesi, ISA President Jun 21, 2022 5:30:00 AM

What are the Biggest Mistakes You Have Seen? Part 2

The following discussion is part of an occasional series showcasing the ISA Mentor Program, authored by G...
Greg McMillan Jun 17, 2022 5:30:00 AM