The turtle protected by its hard shell is a good metaphor for the security model used in most industrial networks. The Industrial DMZ (iDMZ) is the shell that protects the soft, vulnerable center – the Industrial Control Systems (ICS) on which the enterprise depends.
But while the iDMZ blocks most threats, some will inevitably slip through. As they do so, they can move sideways from device to device, potentially causing downtime and information leaks. Allowing traffic to flow freely once it passes through the iDMZ goes against the Zero Trust security principle: “Never trust, always verify.” And as companies look to “digitalize” manufacturing and deploy more cloud-based services, also known as Industry 4.0, more and more devices need access to production systems.
The answer is micro-segmentation – but there is a hurdle
You can prevent malware that gets past the iDMZ from spreading by using a technique called micro-segmentation. The idea is to strictly limit which devices may communicate and what they may say, so that the damage from a cyberattack is confined to the fewest devices possible. It’s an example of zero trust in action: instead of assuming that devices only communicate with each other for legitimate reasons, you set the rules. For example, an HVAC system should never communicate with a robot. If it does, the HVAC system may have been commandeered by a malicious actor who is now prowling the network to disrupt systems or exfiltrate information.
So why doesn’t every industrial company already use micro-segmentation? The barrier I hear most often from our customers is a lack of security transparency. To micro-segment your network, you need to know every device connected to it, which other devices and systems each one needs to communicate with, and which protocols it uses. A lack of transparency can lead to overly permissive policies, increasing the attack surface. Just as bad, you may inadvertently block necessary device-to-device traffic and interrupt production.
Get an overview of what is on the network and how devices communicate
Good news: Cisco and our partner Rockwell Automation have integrated security visibility into our Converged Plant Wide Ethernet (CPwE) validated design. With Cisco Cyber Vision you can quickly see what’s on your network, which systems are communicating with each other, and what they’re saying. A customer told me he learned from Cyber Vision that some of his devices had a hidden cellular backdoor!
Security transparency has three major benefits. One is awareness of threats like that backdoor, or of suspicious communication patterns such as an HVAC system talking to a robot. Another is that it provides the information you need to create micro-segments. Finally, transparency can potentially lower your cyber insurance premiums: some insurers will give you a discount or increase coverage limits if you can demonstrate that you know what is connected to your network.
Visibility creates the conditions for micro-segmentation
Once you understand which devices have a legitimate need to communicate, explicitly allow that communication by creating micro-segments as defined in the ISA/IEC 62443 standard, whose zones-and-conduits model is a good explanation of how micro-segments work. In short, you create zones, each containing a group of devices that share similar security requirements, a clear physical boundary, and a need to communicate with each other. Conduits are the communication mechanisms (VLANs, routers, access lists, and so on) that allow or block communication between zones. This way, a threat that enters one zone cannot easily cross over into another.
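As an added illustration, and not code from the Cisco/Rockwell design or from Cyber Vision, the following Python check ties the HVAC-to-robot example above to the zones-and-conduits model: it takes a device-to-zone inventory of the kind a visibility tool produces, a set of conduit rules with default deny, and a list of observed flows, and reports which flows would be blocked before any rule is enforced. The zone names, addresses, ports and flow records are constructed sample data.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Inventory as a visibility tool would report it: device -> zone (constructed).
INVENTORY = {
    "10.10.1.5": "hvac",
    "10.10.2.20": "robot-cell-1",
    "10.10.2.21": "robot-cell-1",
    "10.10.3.10": "scada",
    "10.10.9.2": "idmz-historian",
}

# Conduits: (src_zone, dst_zone) -> allowed (proto, dport) pairs. A pair with
# no conduit is denied by default: never trust, always verify.
CONDUITS = {
    ("robot-cell-1", "robot-cell-1"): {("tcp", 44818), ("udp", 2222)},  # CIP inside the cell
    ("scada", "robot-cell-1"): {("tcp", 44818)},  # CIP explicit messaging from SCADA
    ("scada", "idmz-historian"): {("tcp", 443)},  # HTTPS to the iDMZ historian
}

def evaluate(flow, inventory=INVENTORY, conduits=CONDUITS):
    """Return ("allow" | "deny", reason) for one observed flow."""
    src_zone, dst_zone = inventory.get(flow.src), inventory.get(flow.dst)
    if src_zone is None or dst_zone is None:
        # An endpoint missing from the inventory is the visibility gap that
        # leads to over-permissive rules or to broken production traffic.
        unknown = flow.src if src_zone is None else flow.dst
        return "deny", "unknown device %s" % unknown
    if (flow.proto, flow.dport) in conduits.get((src_zone, dst_zone), set()):
        return "allow", "conduit %s->%s" % (src_zone, dst_zone)
    return "deny", "no conduit %s->%s for %s/%d" % (src_zone, dst_zone, flow.proto, flow.dport)

def dry_run(flows, inventory=INVENTORY, conduits=CONDUITS):
    """Simulate the policy before enforcing it: return the flows that would be
    blocked, so an operator can confirm none of them is needed for production."""
    blocked = []
    for flow in flows:
        verdict, reason = evaluate(flow, inventory, conduits)
        if verdict == "deny":
            blocked.append((flow, reason))
    return blocked

OBSERVED = [  # constructed flow records, as a visibility tool might export them
    Flow("10.10.2.20", "10.10.2.21", "udp", 2222),   # CIP I/O inside the cell
    Flow("10.10.3.10", "10.10.2.20", "tcp", 44818),  # SCADA polling a robot
    Flow("10.10.1.5", "10.10.2.20", "tcp", 44818),   # HVAC reaching a robot: suspicious
    Flow("10.10.3.10", "10.10.9.2", "tcp", 443),     # SCADA to the historian
    Flow("10.10.7.7", "10.10.3.10", "tcp", 22),      # SSH from a device nobody inventoried
]
```

Running `dry_run(OBSERVED)` lists exactly the HVAC-to-robot flow and the flow from the un-inventoried device; every flow that has a conduit passes, which is the check to make before turning the rules into VLANs or access lists.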
Both Cisco and Rockwell Automation offer tools to segment the network. Use Cisco Identity Services Engine (ISE) for devices that communicate over any protocol, industrial or otherwise, including HTTP, SSH, Telnet, CIP, UDP, ICMP, and so on. For your CIP devices, you can enforce even tighter traffic flow control with Rockwell Automation CIP Security, which secures production networks at the application layer. We have multiple Cisco Validated Designs (CVDs) on various security topics, many of which were co-developed and tested with Rockwell. Examples of our collaboration with Rockwell include Converged Plant Wide Ethernet (CPwE) and the recently added Security Visibility for CPwE, based on Cisco Cyber Vision.
A lesson from nature
Combining an iDMZ with micro-segmentation is like combining the protective capabilities of a turtle and a lizard. Like the turtle’s shell, the iDMZ helps keep predators away. And like lizards, which can drop their tails when a predator grabs them, micro-segmentation limits the damage from an attack.
Bottom line: to start micro-segmenting, and potentially lower your cyber insurance premiums, use Cyber Vision to see what devices are on your network and what they are saying.
To learn more about how Cisco and Rockwell can help strengthen OT/ICS security with CPwE visibility, join us for a webinar on November 14th. Register here.