By Dan Behrens
Technology advancements such as predictive maintenance, process optimization, and employee safety continue to drive the need for greater connectivity in industrial environments. Meanwhile, intellectual property theft and unplanned downtime continue to be caused by cyber-attacks, both targeted and not.
Many industrial networks have limited or no segmentation as availability has been the primary concern and many devices were not developed or deployed with security in mind. Lastly, organizational structures are typically a centralized Information Technology (IT) department that has overall responsibility for security, and local operational technology (OT) department responsible for the industrial equipment.
When defining and deploying security policies, visibility, context, and intent are critical to ensuring an active security posture that protects assets and enables continued availability. For security policies to ultimately be effective, they must have a minimal impact on operations’ ability to continue to function. Operations must be enabled to identify and resolve issues. People’s interaction with the systems and tools provided will make or break any deployment.
For context, the relative information of the device and its connectivity includes device attributes such as vendor, firmware, and protocol. It also includes information relative to how it’s connecting (wired, wireless or VPN), location, time of day, etc.
In industrial environments, these device attributes can be difficult to obtain. Many industrial devices have static IP address assignment and are not typically directly interacted with by a user, so there are no DHCP requests and no functions like web requests to leverage for identification. Furthermore, attempts to do port probes or scans of industrial devices can often lead to communication interruptions or equipment faults. Because of these limitations, industrial device identification for security policies has been a difficult task.
The intent is the purpose of the devices network access. With a printer, its purpose is print jobs, but shouldn’t be communicating out to IP phones, for example. In the industrial space, there have been two hurdles to leveraging intent for security policies. First, device type alone is not enough to know the devices’ intent. The same kind of programmable logic controller in an automotive weld operation behaves very differently from one in a wastewater treatment facility. Second, the organization who knows how the PLC is programmed and how it should be operating is not the one developing and deploying security policies and have no defined method for communicating that information efficiently.
It is possible to create a centralized location to define security policies and enable a dynamic application of those policies to devices based on context and intent. When organizations begin to deploy security at scale, static controls defined on each network device are difficult to manage and update. To gain native industrial protocol support there needs to be a purpose-built network management platform, with a focus on operational users.
While enabling visibility and management of network devices, information is provided relative to the industrial end devices themselves. That means it is possible to communicate to end devices via their supported protocols, such as Ethernet/IP, PROFINET, BACnet/IP and Modbus TCP. Leveraging identity objects of these industrial protocols, it is possible to collect the identity of industrial endpoints and display relative information such as where they connect to the network. This view enables the quick recognition and resolution of network issues. Many organizations are not aware of what devices are connected or where they are located, so gaining this level of visibility is paramount.
There are capabilities out there today to bridge the gap between IT and OT, enabling IT to develop security policies and OT, who knows the devices intent, to apply them to the appropriate devices.
Dan Behrens is technical marketing engineer for Internet of Things/Connectivity at Cisco.