The turtle, protected by its hard shell, is an apt metaphor for the security model used in most industrial networks. The industrial DMZ (iDMZ) is the shell that protects the soft, vulnerable center: the industrial control systems (ICS) the business depends on.
But while the iDMZ blocks most threats, some will inevitably slip through. When they do, they can move laterally from device to device, potentially causing downtime and data leakage. Giving traffic free rein once it makes it past the iDMZ conflicts with the zero-trust security principle of never trust, always verify. And as companies look to "digitize" manufacturing and apply more cloud-based services (also referred to as Industry 4.0), more devices need access to production systems.
The answer is micro-segmentation, but there's a barrier
You can limit the spread of malware that makes it past the iDMZ using a technique called micro-segmentation. The idea is to tightly restrict which devices can communicate and what they can say, confining the damage from a cyberattack to the fewest possible devices. It's an example of zero trust in action: instead of taking it on faith that devices only talk to each other for legitimate reasons, you lay down the rules. An HVAC system shouldn't be talking to a robot, for example. If it is, the HVAC system may have been commandeered by a bad actor who is now traversing the network to disrupt systems or exfiltrate information.
So why isn't every industrial organization already using micro-segmentation? The barrier I hear most often from our customers is a lack of security visibility. To micro-segment your network you need to know every device connected to it, which other devices and systems each one needs to talk to, and which protocols are in use. Lacking this visibility can lead to overly permissive policies, increasing the attack surface. Just as bad, you might inadvertently block necessary device-to-device traffic, disrupting production.
Gain visibility into what's on the network and how devices are communicating
Good news: Cisco and our partner Rockwell Automation have built security visibility into our Converged Plantwide Ethernet (CPwE) validated design. With Cisco Cyber Vision you can quickly see what's on your network, which systems talk to each other, and what they're saying. One customer told me he learned from Cyber Vision that some of his devices had a hidden cellular backdoor!
Security visibility has three big payoffs. One is awareness of threats like that backdoor, or suspicious communication patterns like the HVAC system talking to the robot. Another benefit is providing the information you need to create micro-segments. Finally, visibility can potentially lower your cyber insurance premiums. Some insurers give you a discount or will increase coverage limits if you can show you know what's connected to your network.
Visibility sets the stage for micro-segmentation
Once you understand which devices have a legitimate need to communicate, explicitly allow those communications by creating micro-segments, as defined by the ISA/IEC 62443 standard. Here's a good explanation of how micro-segments work. Briefly, you create zones containing a group of devices with similar security requirements, a clear physical border, and the need to talk to each other. Conduits are the communication mechanisms (e.g. VLANs, routers, access lists, etc.) that allow or block communication between zones. In this way, a threat that gets into one zone can't easily move to another.
Both Cisco and Rockwell Automation provide tools for segmenting the network. Use Cisco Identity Services Engine (ISE) for devices that communicate via any industrial protocol, including HTTP, SSH, telnet, CIP, UDP, ICMP, etc. For your CIP devices, you can implement even tighter controls over traffic flow using Rockwell Automation's CIP Security, which secures manufacturing networks at the application level. We have several Cisco Validated Designs (CVDs) on a range of security topics, many jointly developed and tested with Rockwell. Examples of our collaboration with Rockwell include Converged Plantwide Ethernet, or CPwE, and the recently added Security Visibility for CPwE based on Cisco Cyber Vision.
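The two steps above, building a device inventory from observed traffic and then checking every flow against an explicit zone-and-conduit allow list, can be shown end to end with a small script. This is an added example, not Cisco's, Rockwell's or Cyber Vision's code; the flow records, subnets, zone names and conduit table are constructed assumptions, and the port numbers are the usual EtherNet/IP (TCP 44818, UDP 2222) and Modbus/TCP (TCP 502) defaults. It also generalizes slightly beyond the post by rendering the conduits as generic allow rules with a default deny per zone pair.

```python
"""Inventory devices from observed flows, then evaluate them against zones and conduits.

Added example, not Cisco/Rockwell code. All addresses, zone names and flow
records below are constructed; a real inventory comes from a passive
visibility tool, not from a hand-written list.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port).
FLOWS = [
    ("10.1.20.11", "10.1.30.5", "tcp", 44818),  # HMI -> PLC, EtherNet/IP explicit messaging
    ("10.1.30.5", "10.1.30.6", "udp", 2222),    # PLC -> I/O adapter, EtherNet/IP implicit I/O
    ("10.1.40.2", "10.1.40.3", "tcp", 502),     # building system -> HVAC controller, Modbus/TCP
    ("10.1.40.3", "10.1.30.5", "tcp", 44818),   # HVAC controller -> PLC: not expected
    ("10.1.40.3", "10.1.30.7", "tcp", 22),      # HVAC controller -> robot: not expected
]

# Assumed zone assignment: each zone is a subnet with a clear physical border.
ZONES = {
    "cell-1-hmi": ipaddress.ip_network("10.1.20.0/24"),
    "cell-1-control": ipaddress.ip_network("10.1.30.0/24"),
    "building-automation": ipaddress.ip_network("10.1.40.0/24"),
}

# Assumed conduits: (from_zone, to_zone) -> set of allowed (protocol, port).
# Anything not listed here is denied by default.
CONDUITS = {
    ("cell-1-hmi", "cell-1-control"): {("tcp", 44818)},
    ("cell-1-control", "cell-1-control"): {("udp", 2222), ("tcp", 44818)},
    ("building-automation", "building-automation"): {("tcp", 502)},
}


def zone_of(ip):
    """Map an address to its zone; addresses outside every zone are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def inventory(flows):
    """Per-device view of peers and the services it exposes (the visibility step)."""
    inv = defaultdict(lambda: {"peers": set(), "services": set()})
    for src, dst, proto, port in flows:
        inv[src]["peers"].add(dst)
        inv[dst]["peers"].add(src)
        inv[dst]["services"].add((proto, port))
    return inv


def evaluate(flows, conduits):
    """Split flows into conduit-allowed flows and zoning violations to investigate."""
    allowed, violations = [], []
    for src, dst, proto, port in flows:
        pair = (zone_of(src), zone_of(dst))
        if (proto, port) in conduits.get(pair, set()):
            allowed.append((src, dst, proto, port))
        else:
            violations.append((src, dst, proto, port, pair))
    return allowed, violations


def conduit_rules(conduits):
    """Render conduits as generic allow-list rules, each zone pair ending in a deny."""
    rules = []
    for (src_zone, dst_zone), services in sorted(conduits.items()):
        for proto, port in sorted(services):
            rules.append(f"permit {proto} {src_zone} -> {dst_zone} port {port}")
        rules.append(f"deny any {src_zone} -> {dst_zone}")
    return rules


if __name__ == "__main__":
    for device, info in sorted(inventory(FLOWS).items()):
        print(device, "peers:", sorted(info["peers"]), "services:", sorted(info["services"]))
    ok, bad = evaluate(FLOWS, CONDUITS)
    print(f"{len(ok)} flows match a conduit, {len(bad)} violate zoning:")
    for src, dst, proto, port, pair in bad:
        print(f"  {src} -> {dst} {proto}/{port}  ({pair[0]} -> {pair[1]})")
    print("\n".join(conduit_rules(CONDUITS)))
```

Run as-is, it reports the two HVAC-controller flows into the control zone as violations, which is exactly the "HVAC talking to a robot" signal the post describes; run against a real export, the violations list is what you investigate before you turn the conduit table into ISE policy or access lists, so that you neither leave a permissive gap nor block a flow production depends on.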
A lesson from nature
Combining an iDMZ with micro-segmentation is like combining the protective abilities of a turtle and a lizard. Like the turtle's shell, the iDMZ helps keep predators out. And like lizards that can drop their tails if a predator gets hold of them, micro-segmentation limits the damage from an attack.
Bottom line: To get started with micro-segmentation, and potentially lower your cyber insurance premiums, use Cyber Vision to see what devices are on your network and what they're saying.
To learn more about how Cisco and Rockwell can help strengthen OT/ICS security with visibility for CPwE, join us for a webinar on November 14. Register here.