Implementing security in industrial networks can feel like a daunting task. Directives such as CISA's Shields Up have prompted more industrial organizations to evaluate their network posture and look for guidance on improving the protection of critical assets for business continuity. Many who go looking for that guidance are left confused by terms such as Zero Trust and microsegmentation, ending up with more questions and no path to action.
Security can, and should, be simple. Whether you follow guidance from ISA/IEC 62443 or the National Institute of Standards and Technology (NIST), or have implemented the Purdue model, the core principle is the same: divide the network into multiple zones and define policy for the communication that crosses zone boundaries.
Defining secured zones
Let's take the ISA/IEC 62443 definition of zones and conduits. A zone, according to the standard, is a grouping of logical or physical assets that share common security requirements. In a manufacturing facility, this could be a single production line. A conduit is the grouping of communication channels between zones. The conduit is where security policy is applied: which zone may talk to which, and over which protocols and services.
Defining the zones and deciding which policy to assign to each conduit is what makes segmentation seem difficult. Segmentation should not, however, be treated as a single standalone task. Effective segmentation rests on two pillars: visibility and control.
ICS visibility informs OT segmentation
Visibility into industrial control system (ICS) operations gives us an inventory of every asset on the network together with its communication patterns. That lets us see the processes running on our networks and answer the question: what are the zones on my network? Using Cisco Cyber Vision, an ICS visibility tool embedded in the network infrastructure, operators can identify the assets that belong to a process and assign them to a group for easier visualization. Rather than studying every flow from every asset, communication can then be viewed per conduit between zones, which gives a blueprint of the policy that must be defined. A practical check at this stage: every cross-zone flow the tool shows you should either map to an approved conduit or be flagged for review, because whatever is left unexplained is exactly what the policy will have to block.
Enforcement of those traffic patterns can also be embedded in the network infrastructure, using a technology called TrustSec. Cisco TrustSec gives you a simpler way to manage access control policy across switches through a security group matrix.
As traffic enters and leaves a network segment, Cisco TrustSec determines policy from a Security Group Tag (SGT) carried in the Layer 2 frame rather than from IP addresses, so policy follows the asset's zone, not its addressing. Using Cisco Identity Services Engine (ISE), an SGT can be assigned to each zone and the matrix used to control communication across the conduits. Each cell of the matrix (source SGT to destination SGT) can permit, deny, or apply a security group ACL that limits the conduit to specific protocols and ports; the practitioner's caveat is to start from a default-deny matrix and add explicit permits per conduit rather than the reverse.
Through the built-in integration, Cyber Vision shares its grouping information with Cisco ISE. Operations managers create and maintain asset groups in their OT visibility tool, and IT can then build the corresponding control rules between those zones in ISE.
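The workflow described above, visibility producing a conduit blueprint and the matrix enforcing it, is easy to misunderstand in the abstract, so here is a small model of it in Python. This is an added example written for this page, not Cyber Vision, ISE or TrustSec code: it uses a constructed asset-to-zone inventory and constructed flow records, collapses the flows into per-conduit service sets, builds a default-deny zone-to-zone matrix from an operator-approved list (the equivalent of the SGT matrix), and evaluates individual flows against it. The function names, zone names and addresses are all assumptions made for the illustration.

```python
"""Zone/conduit blueprint from observed flows, plus a default-deny matrix.

Illustrative example only: a generic model of the zones-and-conduits workflow,
not Cyber Vision, ISE or TrustSec code. All data below is constructed.
"""
from collections import defaultdict

# Constructed inventory: asset IP -> zone (the group an operator would define
# in a visibility tool). Addresses and zone names are invented.
ASSET_ZONES = {
    "10.1.1.10": "Line1",
    "10.1.1.11": "Line1",
    "10.1.2.10": "Line2",
    "10.1.2.11": "Line2",
    "10.1.0.5": "Engineering",
    "10.1.0.9": "Historian",
}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port)
FLOWS = [
    ("10.1.1.11", "10.1.1.10", "tcp", 502),    # HMI -> PLC inside Line1
    ("10.1.2.11", "10.1.2.10", "tcp", 502),    # HMI -> PLC inside Line2
    ("10.1.0.5", "10.1.1.10", "tcp", 44818),   # engineering workstation -> Line1 PLC
    ("10.1.0.5", "10.1.2.10", "tcp", 44818),   # engineering workstation -> Line2 PLC
    ("10.1.0.9", "10.1.1.10", "tcp", 502),     # historian polling Line1 PLC
    ("10.1.1.11", "10.1.2.10", "tcp", 502),    # Line1 HMI -> Line2 PLC: cross-line, to be reviewed
]


def zone_of(ip, asset_zones=ASSET_ZONES):
    """Map an asset to its zone; anything not in the inventory is 'Unknown'."""
    return asset_zones.get(ip, "Unknown")


def conduits(flows, asset_zones=ASSET_ZONES):
    """Collapse per-asset flows into per-conduit service sets.

    Returns {(src_zone, dst_zone): {(proto, port), ...}} for traffic that
    crosses a zone boundary. Intra-zone flows never traverse a conduit and
    are dropped, which is what turns thousands of flows into a short blueprint.
    """
    result = defaultdict(set)
    for src, dst, proto, port in flows:
        sz, dz = zone_of(src, asset_zones), zone_of(dst, asset_zones)
        if sz != dz:
            result[(sz, dz)].add((proto, port))
    return dict(result)


def build_matrix(zones, approved):
    """Build a default-deny zone-to-zone matrix.

    `approved` is {(src_zone, dst_zone): {(proto, port), ...}}. A cell is
    'permit' restricted to the listed services when the pair is approved,
    'permit' for intra-zone traffic, and 'deny' for every other pair.
    """
    matrix = {}
    for sz in zones:
        for dz in zones:
            if sz == dz:
                matrix[(sz, dz)] = ("permit", None)
            elif (sz, dz) in approved:
                matrix[(sz, dz)] = ("permit", frozenset(approved[(sz, dz)]))
            else:
                matrix[(sz, dz)] = ("deny", None)
    return matrix


def evaluate(flow, matrix, asset_zones=ASSET_ZONES):
    """Decide one flow against the matrix; a zone pair not in the matrix denies."""
    src, dst, proto, port = flow
    sz, dz = zone_of(src, asset_zones), zone_of(dst, asset_zones)
    action, services = matrix.get((sz, dz), ("deny", None))
    if action != "permit":
        return "deny"
    if services is not None and (proto, port) not in services:
        return "deny"
    return "permit"


def unapproved_conduits(flows, approved, asset_zones=ASSET_ZONES):
    """Observed cross-zone services not covered by the approved list: the review queue."""
    gaps = {}
    for pair, services in conduits(flows, asset_zones).items():
        extra = services - approved.get(pair, set())
        if extra:
            gaps[pair] = extra
    return gaps


if __name__ == "__main__":
    for pair, services in sorted(conduits(FLOWS).items()):
        print(f"{pair[0]:>12} -> {pair[1]:<12} {sorted(services)}")
    # Operator review: approve the engineering and historian conduits, not Line1 -> Line2.
    approved = {
        ("Engineering", "Line1"): {("tcp", 44818)},
        ("Engineering", "Line2"): {("tcp", 44818)},
        ("Historian", "Line1"): {("tcp", 502)},
    }
    matrix = build_matrix(sorted(set(ASSET_ZONES.values())), approved)
    for flow in FLOWS:
        print(evaluate(flow, matrix), flow)
    print("needs review:", unapproved_conduits(FLOWS, approved))
```

Two design choices carry over to a real deployment. The matrix is built from the zone list, not from the observed flows, so a zone pair that was never seen is still an explicit deny cell rather than a gap; and assets missing from the inventory fall into an "Unknown" zone that matches no permit, so an unlabeled device is blocked at the conduit instead of silently inheriting a neighbour's access.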
In a recent webinar I went into more detail, walking through the ISA/IEC 62443 zones and conduits model and showing how to use Cisco ISE and Cyber Vision to implement OT microsegmentation. You can watch the replay by registering here.
Until then, take a look at our ISA/IEC 62443-3-3 white paper and be sure to subscribe to our Industrial Security Newsletter.