The turtle, protected by its hard shell, is an apt metaphor for the security model used in most industrial networks. The industrial DMZ (iDMZ) is the shell that protects the soft, vulnerable center: the industrial control systems (ICS) the business depends on.
But while the iDMZ blocks most threats, some will inevitably slip through. When they do, they can move laterally from device to device, potentially causing downtime and data leakage. Giving traffic free rein once it makes it past the iDMZ conflicts with the zero-trust security principle of never trust, always verify. And as companies look to "digitize" manufacturing and apply more cloud-based services, also known as Industry 4.0, more devices need access to production systems.
The answer is micro-segmentation, but there's a barrier
You can limit the spread of malware that makes it past the iDMZ using a technique called micro-segmentation. The idea is to tightly restrict which devices can communicate and what they can say, confining the damage from cyberattacks to the fewest possible devices. It's an example of zero trust in action: instead of taking it on faith that devices only talk to each other for legitimate reasons, you lay down the rules. An HVAC system shouldn't be talking to a robot, for example. If it is, the HVAC system may have been commandeered by a bad actor who is now traipsing through the network to disrupt systems or exfiltrate information.
So why isn't every industrial organization already using micro-segmentation? The barrier I hear most often from our customers is a lack of security visibility. To micro-segment your network you need to know every device connected to your network, which other devices and systems it needs to talk to, and which protocols are in use. Lacking this visibility can lead to overly permissive policies, increasing the attack surface. Just as bad, you might inadvertently block necessary device-to-device traffic, disrupting production.
Gain visibility into what's on the network and how devices are communicating
Good news: Cisco and our partner Rockwell Automation have integrated security visibility into our Converged Plantwide Ethernet (CPwE) validated design. With Cisco Cyber Vision you can quickly see what's on your network, which systems talk to each other, and what they're saying. One customer told me he learned from Cyber Vision that some of his devices had a hidden cellular backdoor!
Security visibility has three big payoffs. One is awareness of threats like that backdoor, or suspicious communication patterns like the HVAC system talking to the robot. Another benefit is providing the information you need to create micro-segments. Finally, visibility can potentially lower your cyber insurance premiums. Some insurers give you a discount or will increase coverage limits if you can show you know what's connected to your network.
Visibility sets the stage for micro-segmentation
Once you understand which devices have a legitimate need to communicate, explicitly allow those communications by creating micro-segments, as defined by the ISA/IEC 62443 standard. Here's an explanation of how micro-segments work. Briefly, you create zones containing a group of devices with similar security requirements, a clear physical border, and the need to talk to each other. Conduits are the communication mechanisms (e.g. VLANs, routers, access lists, etc.) that allow or block communication between zones. In this way, a threat that gets into one zone can't easily move to another.
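A small model of the zone-and-conduit rule above, as an added example (not Cisco or Rockwell code): every device is mapped to a zone, only listed conduits may carry traffic between zones, and observed flows such as the HVAC controller talking to a robot are flagged for investigation. The device names, zones, conduits and flows are constructed.

```python
# Added example, not Cisco or Rockwell code. Device names, zones, conduits
# and flows are constructed; in practice the inventory and observed flows
# come from a visibility tool such as the Cyber Vision deployment described.
from dataclasses import dataclass

# Inventory: device -> ISA/IEC 62443 zone (constructed sample data).
ZONES = {
    "plc-1": "cell-A",
    "robot-1": "cell-A",
    "hvac-ctrl": "facilities",
    "historian": "site-ops",
}

# Conduits: the only explicitly allowed (source zone, destination zone,
# protocol) paths between zones. Anything not listed here is blocked.
CONDUITS = {
    ("site-ops", "cell-A", "cip"),  # historian polls the cell's controllers
    ("cell-A", "site-ops", "cip"),  # controllers report back to the historian
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str

def evaluate(flow):
    """Return (verdict, reason); verdict is 'allow' or 'deny'."""
    src_zone, dst_zone = ZONES.get(flow.src), ZONES.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return ("deny", "unknown device")  # the visibility gap the post warns about
    if src_zone == dst_zone:
        return ("allow", "intra-zone")  # members of one zone may talk freely
    if (src_zone, dst_zone, flow.proto) in CONDUITS:
        return ("allow", "conduit")
    return ("deny", "no conduit")  # e.g. the HVAC controller talking to a robot

def find_violations(flows):
    """Return [(flow, reason)] for every flow the conduit policy would block."""
    return [(f, evaluate(f)[1]) for f in flows if evaluate(f)[0] == "deny"]

# Constructed sample of observed flows, including the HVAC-to-robot case.
SAMPLE_FLOWS = [
    Flow("historian", "plc-1", "cip"),
    Flow("plc-1", "robot-1", "cip"),
    Flow("hvac-ctrl", "robot-1", "cip"),
    Flow("unknown-7", "plc-1", "ssh"),
]
```

Running `find_violations(SAMPLE_FLOWS)` flags the HVAC-to-robot flow (no conduit) and the flow from the uninventoried device; the same check also shows which legitimate flows a too-strict conduit list would break before it is enforced.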
Both Cisco and Rockwell Automation provide tools for segmenting the network. Use Cisco Identity Services Engine (ISE) for devices that communicate via any industrial protocol, including HTTP, SSH, telnet, CIP, UDP, ICMP, etc. For your CIP devices, you can implement even tighter controls over traffic flow using Rockwell Automation's CIP Security, which secures production networks at the application level. We have several Cisco Validated Designs (CVDs) on a range of security topics, many jointly developed and tested with Rockwell. Examples of our collaboration with Rockwell include Converged Plantwide Ethernet, or CPwE, and the recently added Security Visibility for CPwE based on Cisco Cyber Vision.
A lesson from nature
Combining an iDMZ with micro-segmentation is like combining the protective abilities of a turtle and a lizard. Like the turtle's shell, the iDMZ helps keep predators out. And like lizards that can drop their tails if a predator gets hold, micro-segmentation limits damage from an attack.
Bottom line: To get started with micro-segmentation, and potentially lower your cyber insurance premiums, use Cyber Vision to see what devices are on your network and what they're saying.
To learn more about how Cisco and Rockwell can help strengthen OT/ICS security with visibility for CPwE, join us for a webinar on November 14. Register here.