Build security boundaries

They improve industrial cybersecurity

With the increasing number of cybersecurity breaches in OT systems, it's only natural that business owners and managers are now focusing more on finding solutions that improve industrial cybersecurity and allow businesses to continue operating normally.

That's why in this article, we'll look at how companies can leverage their existing network infrastructure and investments to build the first line of defense in their network.

Later in the article, we will discuss how industrial systems benefit from protection that prevents hostile intrusions into OT systems.

Business models are increasingly focused on improving operational efficiency. For example, SCADA networks installed along oil pipelines now collect oil output data, which is crucial for billing and pricing systems. This increasing data collection allows oil companies to more accurately predict both oil production and expected revenues.

But these interconnections of systems don't only bring benefits. One disadvantage is that the likelihood of cybersecurity threats in OT systems increases significantly. That's why newspaper headlines and articles often describe how compromising IT systems can have a huge negative impact on OT systems. What further exacerbates the problem is that the severity of ransomware attacks is increasing.

Security boundaries

What is the security boundary concept?

To improve cybersecurity, it's important to understand how your industrial systems exchange data with different systems and how they interact with IT-level systems.

When data crosses between different systems, boundaries should be in place between each system to ensure that traffic is not only authenticated and authorized, but also has good "cyber hygiene". Building boundaries between every system, however, can be both costly and challenging, and can reduce the efficiency of network communication. It is therefore recommended to divide OT systems into separate digital cells and zones and to find the right balance between cost and an acceptable level of risk when building the boundaries.

Diagram: Building security boundaries to protect production lines from affecting each other in the event of a cybersecurity breach.

The cybersecurity approach recommended in IEC 62443 is widely used across industries and has shown good results in helping to build multiple layers of protection that can simultaneously meet operational requirements. In the image below, the critical assets and operations are considered the most important. As they perform vital roles in the business, it is wise to secure them further by adding multiple layers of protection. To learn more about the different layers of cybersecurity, you can download the infographic.


Diagram: The cybersecurity approach is based on multiple layers of security mechanisms that increase security throughout the system.

How to build security boundaries

Network segmentation

  • Physical layer segmentation

When two networks are physically isolated from each other, this is called air gapping. When the operation and security of a system need to be independent, an air gap is a potential solution. However, as mentioned earlier, it is becoming increasingly difficult to arrange networks in this way due to business and operational requirements.

  • Data link/network (Layer 2/Layer 3) segmentation

Industrial control systems may have been built a long time ago. Therefore, one of the key challenges and requirements for network administrators is to utilize the existing infrastructure while ensuring that industrial control systems remain secure. One approach often used is to segregate traffic between different network segments using a VLAN (Virtual LAN), which is one of the features of managed Ethernet switches. Some Ethernet switches have port-level access control lists (ACLs), which can improve VLAN security when data enters the switch. An alternative is to implement firewalls to protect industrial applications and data - especially when you need it to handle traffic on Layer 2 and Layer 3 networks.

  • Layer 4-7 network segmentation

Further segmentation can be applied through Deep Packet Inspection (DPI). DPI offers granular control of network traffic and helps you filter industrial protocols based on the requirements of the application. When you have multiple devices on the same network, they can - in theory - all communicate with each other. There are, however, scenarios where DPI technology can help engineers define which controllers may issue read/write commands and in which direction traffic may flow. For example, controller A may be allowed to communicate only with robot arm A, and only at a certain time.
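To make the Layer 2/3 boundary and the DPI filtering concrete, the following is an added example (not code from the original article or from Moxa) of a zone-to-zone filter for Modbus/TCP: it parses the MBAP header and function code of each frame and then applies a default-deny policy that says which source may talk to which destination, whether it may only read or also write, and during which hours. The IP addresses, hosts, rules and the two captured frames are all constructed for the example; the function codes are the standard Modbus values.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet

# Standard Modbus function codes: read-type and write-type requests.
READ_FCS = {1, 2, 3, 4}           # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16, 23}    # write single/multiple coils or registers, read/write multiple


@dataclass(frozen=True)
class Rule:
    """One allowed source -> destination pair with permitted function codes.

    window is an optional (start_hour, end_hour) during which the rule applies
    (hypothetical time-of-day restriction, as in the "controller A only at a
    certain time" scenario)."""
    src: str
    dst: str
    allow: FrozenSet[int]
    window: Optional[Tuple[int, int]] = None


# Constructed policy: controller A (10.1.1.10) may read and write to robot arm A
# (10.1.2.20) during the 06:00-18:00 shift; an HMI (10.1.1.11) may only read.
# Anything not listed is dropped (default deny at the zone boundary).
POLICY = [
    Rule("10.1.1.10", "10.1.2.20", frozenset(READ_FCS | WRITE_FCS), window=(6, 18)),
    Rule("10.1.1.11", "10.1.2.20", frozenset(READ_FCS)),
]


def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header plus the function code.

    Returns a dict on success or None if the frame is malformed or not Modbus."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:                       # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:     # length covers unit id + PDU
        return None
    return {"transaction_id": tid, "unit_id": uid, "function_code": payload[7]}


def evaluate(src: str, dst: str, payload: bytes, hour: int):
    """Return (verdict, reason) for one frame crossing the zone boundary."""
    pdu = parse_modbus_tcp(payload)
    if pdu is None:
        return ("DROP", "malformed or non-Modbus payload")
    fc = pdu["function_code"]
    for rule in POLICY:
        if rule.src == src and rule.dst == dst:
            if rule.window and not (rule.window[0] <= hour < rule.window[1]):
                return ("DROP", f"outside allowed window {rule.window}")
            if fc in rule.allow:
                return ("ALLOW", f"function code {fc} permitted")
            return ("DROP", f"function code {fc} not permitted for this pair")
    return ("DROP", "no rule for this source/destination (default deny)")


# Constructed frames: a Read Holding Registers request (fc 3) and a
# Write Single Register request (fc 6), each with unit id 1.
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0010 0001".replace(" ", ""))


def run_demo():
    """Evaluate a few constructed flows and return the verdicts in order."""
    flows = [
        ("10.1.1.10", "10.1.2.20", WRITE_FRAME, 10),   # controller A writes in-shift
        ("10.1.1.10", "10.1.2.20", WRITE_FRAME, 22),   # same write, outside the window
        ("10.1.1.11", "10.1.2.20", WRITE_FRAME, 10),   # HMI attempts a write
        ("10.1.1.11", "10.1.2.20", READ_FRAME, 10),    # HMI reads
        ("10.1.1.99", "10.1.2.20", READ_FRAME, 10),    # unknown host, no rule
        ("10.1.1.10", "10.1.2.20", b"\x00\x01", 10),   # truncated frame
    ]
    return [evaluate(*flow) for flow in flows]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:5s} {reason}")
```

The parser rejects frames whose MBAP length field disagrees with the actual payload, so a filter built this way never classifies a truncated or non-Modbus frame as "allowed" by accident; the policy itself is read-only by default and only widens to writes for the one pair that needs them.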

Microsegmentation

When additional protection of critical assets is needed, it is a good idea to micro-segment the network. Micro-segmentation is particularly useful for industrial networks because it can split the network into smaller subnets. This approach is also beneficial because the virtual patching feature of an IPS can reduce the risk from known vulnerabilities. For example, some systems still run on Windows XP, for which Microsoft no longer provides security updates. See how IPS virtual patching works in this video.

Secure remote access

According to cybersecurity experts, remote access is sometimes exploited to spread malware or perform unauthorized activity. As remote access has become more prevalent due to demands for increased operational efficiency and the need to troubleshoot quickly, it's natural that there is an increasing focus on building security boundaries between locations (field sites). Rather than using software to build the remote connections, which can easily lead to vulnerabilities in the long run, it is highly recommended to build VPN tunnels and ensure that access control mechanisms are properly maintained.

Typical scenarios

  • Manufacturing

Interconnected factory networks need proper network segmentation to strengthen industrial network security. Furthermore, network redundancy is also required to ensure the availability of the industrial control system.


  • Secure substation monitoring

A power grid covering a large area needs IEC 61850 certified VPN solutions to monitor the intelligent electronic devices (IEDs) at each remote substation.


As business owners can no longer simply enjoy the benefits and security of completely isolated networks, it is necessary for business owners and engineers to strengthen security boundaries through a combination of methods: network segmentation, micro-segmentation and secure remote access.

Each of these methods fulfils different network requirements and helps improve cybersecurity, not only by providing perimeter protection but also by closing backdoors to unwanted visitors.

Moxa's new EDR-G9010 series is an all-in-one firewall/NAT/VPN/switch/router that improves cybersecurity while allowing business owners to expand existing network infrastructure with some future-proof investments. You can read more about these secure routers on the product page.


Free translation of Moxa's article to Danish.
