Extending Zero Trust Security to Industrial Networks
Recent cyber attacks on industrial organizations and critical infrastructures have made it clear: operational and IT networks are intimately linked. With digitization, data needs to seamlessly flow between enterprise IT and industrial OT networks for the business to function. This tighter integration between IT, OT, and Cloud domains has increased the attack surface of both the industrial and the enterprise networks.
The traditional security perimeter that industrial organizations have built over the years by installing industrial demilitarized zone (IDMZ) is no longer sufficient. While this is still the mandatory first step to protect operations, embracing the digital industry revolution requires additional security measures, assuming that no user, application, or connected device can always stay trustworthy.
The Zero Trust Security model that many are now implementing to secure the enterprise workforce, workloads, and the workplace must be extended to industrial operations. It establishes an initial level of trust for all connecting entities based on their business role, enforces it through the network infrastructure, and continuously verifies this level of trust and compliance in every access request. It identifies not just users, but endpoints, and applications to grant them the absolute minimum access they need.
Building blocks of a zero-trust network
I recently presented a webinar explaining the specific Zero Trust requirements for IoT/OT networks:
- Endpoint visibility. Gaining detailed visibility of what’s connected is key. Both to understand what you are protecting as well as continuously verifying the identity of each device. Yet, many industrial organizations still operate without an up-to-date asset inventory.
- Endpoint compliance. Industrial assets have software vulnerabilities that must be identified to plan corrective measures with the operations team. In many cases, the sheer volume of vulnerabilities becomes overwhelming to manage. You need risk scoring to prioritize your strategy for compliance improvement.
- Network segmentation. Most industrial devices have been developed without security features. Once a device has been granted access, it should be added to an industrial zone as defined by the ISA99/IEC-62443 Isolating industrial devices with micro and macro segmentation techniques (in addition to isolating the entire industrial domain with an IDMZ) is the most effective way to ensure threats can be contained.
- Threat detection and response. Zero Trust doesn’t stop once access has been granted. Communications are continuously monitored to detect malicious traffic and abnormal behaviors. Events are reported with the appropriate context so that remediation can be done quickly without impacting industrial operations.
Cisco completes the zero-trust circle for OT networks
Being the leader in both the cybersecurity and industrial networking markets, Cisco is probably the only vendor on the market offering a comprehensive, validated architecture for extending Zero Trust Security to industrial workplaces.
Cisco Cyber Vision is designed to help industrial organizations gain visibility into their industrial network, discover all devices, identify known vulnerabilities, determine risks, and detect threats or abnormal behaviors. Because it is built into Cisco industrial network infrastructure, Cyber Vision can be deployed at scale without the need of additional appliances or out-of-band collection network.
This detailed list of industrial devices is shared in real-time with Cisco Identity Services Engine (ISE) where security policies are created. Once IT and OT have defined the industrial zones or production cells they want to secure, IT will create Security Group Tags (SGT) in ISE to specify which communications are allowed between zones. OT users now just have to place industrial devices into the corresponding group using the Cyber Vision graphical interface for the right security policy to be automatically applied to them.
Downtime is very disruptive in industrial environments, so it is vital to monitor policy behavior before enforcement. The Policy Analytics module in the Cisco DNA Center network management platform lets you visualize real time traffic flows between groups to ensure your policy will not block communications that are required for the industrial process. Once you are confident with the monitored policy, you can activate the policy enforcement through Cisco DNA Center.
This simple workflow enables effective collaboration between IT and OT to define zone segmentation and enforce Zero Trust in the IoT/OT network. IT leverages tools designed to manage and secure networks. OT remains self-sufficient by using a tool that understands the industrial process. New devices will not be allowed into the network until OT places them in the production zone they belong to via a simple drag and drop within Cyber Vision. Moving a device from a zone to another will automatically modify the security policy applied to it.
Zero Trust doesn’t stop once access has been granted. Communications from and to industrial devices must be monitored to identify malicious traffic and abnormal behaviors that could disrupt production. As Cyber Vision is embedded into the industrial network, it sees everything and continuously decodes application flows to detect threats by leveraging signatures from Cisco Talos and behavioral baselines defined by OT. All these security events are reported to Cisco SecureX for investigation and remediation.
Get started today
This comprehensive and validated architecture lets you easily extend Zero Trust Security to your industrial domain today. Learn more by watching the replay of the webinar I recently presented.
What about you? How mature is your organization’s OT Security practice? Take the test and see what you should do next! To learn more about how you can secure your IoT/OT infrastructure, visit our IoT Security page or contact us.
Author Ruben Lobo is product manager, IoT industrial networking at Cisco Systems. Read more guest blogs from Cisco here.