When I meet with manufacturers, I usually hear some version of the following: “We’re digitizing to get real-time visibility into production and improved operational equipment effectiveness. But now we’re worried about malware interrupting operations. What can we do?”
News headlines have erased any doubts about the need for industrial network cybersecurity. The trickier question is how to secure the network without interrupting production and revenue. To provide guidance, we’ve created Cisco Validated Designs for industrial network security. They lay out a step-by-step approach to gain visibility into OT assets, protect against and respond to threats, and enhance IT and OT collaboration.
Bringing IT and OT Together Is A Journey
Trying to secure the industrial network in one go is like boiling the ocean. Better to view it as a journey. At each step in the journey, you’ll make incremental changes to people, process, and technology.
Step 1 – Minimal Security: This is the current state for most manufacturers. If you’re here, you’ve segmented the industrial network from the IT network. Traffic can’t cross from the IT network to the industrial network without clearing the DMZ. You can block malware from entering the industrial network. You can block malware from leaving the industrial network to infect the enterprise network. But if the industrial network is exposed to malicious software, you don’t have a way to contain it. That means the malware might affect multiple manufacturing cells or production lines—even multiple plants.
Step 2 – Foundational Security: Here’s where most of our customers start. The words to keep in mind at this step are detect, protect, and respond:
- Identify all your industrial assets, the known vulnerabilities of those assets, and their communication flows. An optimal solution makes this simple and gives IT and OT teams a common vocabulary and context, because zones correspond to production lines or manufacturing cells. With that visibility in place, the industrial network can be segmented appropriately.
- Detect threats and prevent them from spreading.
- Investigate and remediate threats. When you build the security policy, the OT team specifies the right response, depending on the zone. In some cases, the business cost of taking down assets in an infected zone might exceed the risk of the infection. In other cases, the opposite might be true.
- Create containment zones so that malware cannot spread from one zone to another. This requires detection rules and flow control policies. Manage rules and policies consistently across all deployed ISAs (Cisco Industrial Security Appliances).
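As an added illustration of the foundational-security steps above (not code from Cisco or the Validated Designs), here is a small Python check that maps assets to zones, allow-lists inter-zone flows, and applies the OT team's per-zone response to any flow outside the policy; the asset addresses, zones and flow records are constructed.

```python
from dataclasses import dataclass

# Constructed asset inventory: address -> zone. Zones map to cells or lines.
ASSET_ZONES = {
    "10.1.1.10": "cell-A",  # PLC
    "10.1.1.20": "cell-A",  # HMI
    "10.1.2.10": "cell-B",  # PLC
    "10.1.2.20": "cell-B",  # HMI
    "10.1.9.5": "idmz",     # historian in the industrial DMZ
}

# Allow-listed inter-zone flows as (src_zone, dst_zone, dst_port).
# Traffic that stays inside one zone is always permitted.
ALLOWED_FLOWS = {("cell-A", "idmz", 443), ("cell-B", "idmz", 443)}

# Response chosen by the OT team per zone: isolating cell-B is judged
# costlier than the infection risk, so it only alerts (constructed policy).
ZONE_RESPONSE = {"cell-A": "block", "cell-B": "alert", "idmz": "block"}


@dataclass
class Verdict:
    src: str
    dst: str
    port: int
    allowed: bool
    action: str
    reason: str


def evaluate_flow(src: str, dst: str, port: int) -> Verdict:
    """Classify one flow against the zone policy and pick the response."""
    sz, dz = ASSET_ZONES.get(src, "unknown"), ASSET_ZONES.get(dst, "unknown")
    if "unknown" in (sz, dz):  # inventory gap: cannot place the flow in a zone
        return Verdict(src, dst, port, False, "alert", "unknown asset in flow")
    if sz == dz:
        return Verdict(src, dst, port, True, "allow", f"intra-zone {sz}")
    if (sz, dz, port) in ALLOWED_FLOWS:
        return Verdict(src, dst, port, True, "allow", "allow-listed inter-zone")
    # Unexpected cross-zone flow: respond per the policy of the source zone
    return Verdict(src, dst, port, False, ZONE_RESPONSE[sz], f"{sz}->{dz} not allowed")


def evaluate_log(lines: list[str]) -> list[Verdict]:
    """Evaluate constructed 'src dst dport' flow records, one per line."""
    return [evaluate_flow(s, d, int(p)) for s, d, p in (ln.split() for ln in lines)]


SAMPLE_FLOWS = [  # constructed flow records
    "10.1.1.20 10.1.1.10 502",   # HMI -> PLC inside cell-A
    "10.1.1.10 10.1.9.5 443",    # PLC -> historian, allow-listed
    "10.1.1.10 10.1.2.10 445",   # cell-A PLC reaching into cell-B on SMB
    "10.1.2.10 10.1.1.10 445",   # cell-B PLC reaching into cell-A on SMB
    "10.1.1.10 192.0.2.7 443",   # destination not in the inventory
]
```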
Foundational security also requires changes to processes. OT security is treated like a maintenance process included in planned maintenance schedules—for example, “Check if firmware needs updates because of a vulnerability.” At this stage you also need to develop workflows between security operations and manufacturing operations.
Step 3 – Full-Spectrum Security: Once foundational security has been successfully operationalized, the segmentation capabilities are extended in the full-spectrum security architecture. Segmentation can be made granular down to a single device, and zero-trust capabilities can be deployed in the industrial network. Malware containment zones can then be as small as a single device, with fine-grained control over which assets are allowed to communicate with each other. Visibility is enhanced by adding anomaly detection, and sensor-to-cloud communication requests to malicious websites are blocked.
Order Matters
You’ll get the most value from your investments in factory security by taking the steps I’ve outlined in order. To explain why, I’ll give you an analogy from cooking, my hobby. When I bake a cake, I decide on the base (vanilla, chocolate, etc.) before the icing. I’m not saying that icing by itself isn’t good—it’s just much better as an enhancement to the cake. Similarly, full-spectrum security (step 3) is valuable at any time. But it’s far more useful if you already have a complete OT asset inventory (step 2) and operational processes. Those elements set you up to efficiently investigate and respond to events and incidents.