Operational Technology (OT)
Network Security Challenges
and Solutions
© Global Knowledge Training LLC. All rights reserved. Page 2
Webinar Agenda
• Operational Technology (OT) Networks Overview
• The Evolution of Operational Technology (OT) Networks in the Enterprise
• Risks associated with OT Networks
• Challenges faced with OT Networks
• Technology Solutions and Strategies for Securing OT Networks
• ACME Manufacturing Inc. - Mini Case Study
Operational Technology (OT) Networks Overview
What is an Operational Technology (OT) Network?
In order to have a meaningful discussion about OT Networks it is important to clearly
define terminology related to OT Networks.
Operational Technology (OT) Networks Overview
Gartner Definitions:
Operational Technology (OT)
Hardware and software that detects or causes a change through the direct
monitoring and/or control of physical devices, processes and events in the
enterprise.
Information Technology (IT)
This is the common term for the entire spectrum of technologies for
information processing, including software, hardware, communications
technologies and related services. In general, IT does not include embedded
technologies that do not generate data for enterprise use.
Source: https://www.gartner.com
Operational Technology (OT) Networks Overview
Although OT is a generic term that is often used differently depending on the
industry / organization, other terms that fall under OT include:
• Industrial Control Systems (ICS)
• Industrial Automation (IA)
• Process Control Networks (PCN)
• Supervisory Control and Data Acquisition (SCADA)
Example: SCADA is a subset of ICS and they both fall under OT. Note that
these terms are often used loosely.
Operational Technology (OT) Networks Overview
For the sake of this Webinar we will make the following distinctions between IT
and OT for simplicity:
• IT refers to systems that primarily deal with the Business and Administrative
processes in the Enterprise.
• OT refers to systems that are used to manage Industrial Operations as
opposed to Business and Administrative operations. Operational Systems
include production line management in Manufacturing, Mining Operations
Control, Oil & Gas monitoring etc.
Operational Technology (OT) Networks Overview
Internet of Things (IoT) and Industrial Internet of Things (IIoT)
• The Internet of Things (IoT) is a system / device typically embedded with sensors, software, electronics and connectivity to allow it to perform better by exchanging information with other connected devices, the operator or the manufacturer. It extends Internet connectivity beyond conventional computing platforms such as personal computers.
• The term Industrial Internet of Things (IIoT) refers to systems connecting business systems with automation and control.
Just as there is sometimes a fine line between IT and IoT, the same is true for OT and IIoT.
Evolution of OT Networks in the Enterprise
Traditionally OT systems were siloed and were managed by teams dedicated to the OT infrastructure.
In recent years Industrial Systems and Appliances have been brought online in large numbers to deliver “Smart Analytics”: using data generated from the machines to modify and optimize the manufacturing process.
Because this data must be captured, processed and integrated with Logistics and Business Systems for enterprise use, OT functionality began to merge with IT.
Evolution of OT Networks in the Enterprise
IT and OT have always had fairly separate roles within an organization.
However, with the emergence of the Industrial Internet and the integration of
complex physical machinery with networked sensors and software, the lines
between the two teams are blurring.
Risks associated with OT Networks
OT Networks typically run the Critical Infrastructure that organizations depend on to produce a Product or Service.
Any impact on OT operations could be financially devastating for an organization. Although the same is true for IT, the impact is greater for OT networks.
Disruptions related to these systems could also be devastating to the supply chain of products and services, or even cause harm to patients as in the case of the Health Care Industry; not to mention the fallout from the publicity it generates.
Risks associated with OT Networks
OT Networks have a different set of requirements and challenges that the IT Governance team must address to secure the enterprise.
Because of the inherent differences in how these systems operate and the risk factors associated with them, industry has drawn a clear line between what is considered the traditional IT Network (office support systems) and the OT Network that houses the OT/IIoT Systems.
Risks associated with OT Networks
The Information Technology (IT) Governance team within an Organization must develop a better understanding of OT Networks and must stay abreast of threats associated with OT Environments to assure that the Organization is protected.
Organizations must put in place Processes, Procedures and Technologies to protect the critical OT assets of the Organization.
Challenges faced with OT Networks
• OT Networks and Devices tend to use legacy Plant Control Systems, often running outdated Operating Systems that cannot easily be swapped out, or a custom configuration that isn’t compatible with newer software.
• Because production schedules demand high availability, it is often difficult to stop production to upgrade these systems.
• OT Systems are typically upgraded only when they are no longer functional for the task at hand.
• Industrial environments tend to be tightly interdependent, where one small change can trigger a negative domino effect that disrupts the system.
Solutions & Strategies for Securing OT Networks
Traditionally OT networks have adopted various Models, Architectures and
Systems to secure the OT Infrastructure. An example is the Purdue Model
for Control Hierarchy.
Solutions & Strategies for Securing OT Networks
• The Purdue Model for Control Hierarchy is a common and well-understood Model in the Manufacturing Industry that provides a Blueprint to segment Devices and Equipment into hierarchical functions.
• Developed in the 1990s at the Purdue University Consortium for Computer Integrated Manufacturing.
Solutions & Strategies for Securing OT Networks
Models, such as the Purdue Model, are implemented using Technologies such as Firewalls, VLANs and other tools to segment the Infrastructure into hierarchies based on levels of operations.
• Some Manufacturers develop Equipment and Devices designed specifically to provide Security in the OT space.
• Other Manufacturers have Equipment and Devices with a dual purpose: IT and OT Security capabilities.
Solutions & Strategies for Securing OT Networks
Specialized OT Security Products:
OPshield is an OT Firewall (and related tools) developed by Wurldtech, a GE-owned Company.
• Organization specializing in Operational Technology (OT) solutions.
• The Firewall is specifically designed to provide protection for Industrial Controls and Critical Infrastructure Networks.
Solutions & Strategies for Securing OT Networks
Cisco Products designed for OT Networks:
Cisco’s line of Industrial Switches is designed for OT Networks.
Cisco Catalyst IE3300 Rugged Series
• Runs Industrial Protocols such as the Common Industrial Protocol (CIP), an Industrial Protocol for Automation.
• Hardened for harsh Industrial Environments.
• Also provides traditional IT Technologies such as VLANs, Port Security, 802.1X etc.
Solutions & Strategies for Securing OT Networks
Cisco Products designed for OT Networks:
The Cisco Industrial Network Director (IND) is a management tool built for managing Industrial Networks.
It is designed to help Operations Teams gain full visibility into the Automation Network for improved system availability and increased Overall Equipment Effectiveness (OEE).
Solutions & Strategies for Securing OT Networks
Using VLANs and Firewalls for Securing OT Networks does not provide Micro Segmentation.
A major concern for many Organizations is the impact a breach can cause to the Manufacturing lines on the OT Network.
• A breach on a VLAN could potentially impact the entire VLAN.
• A breach in a Security Zone separated by a Firewall could potentially impact the entire Security Zone.
Solutions & Strategies for Securing OT Networks
Single VLAN / Multiple Cells.
Solutions & Strategies for Securing OT Networks
Multiple VLANs / Multiple Cells.
Solutions & Strategies for Securing OT Networks
Multiple VLANs / Multiple Cells (Repurposing of Equipment)
Solutions & Strategies for Securing OT Networks
Micro Segmentation allows VLANs and Security Zones to be further segmented to contain potential breaches.
Micro Segmentation limits the impact of a breach to a smaller footprint should a VLAN or a Security Zone be compromised.
• A Micro Segmentation solution must allow for easy deployment of new OT Devices in the production lines (minimal configuration).
• A Micro Segmentation solution must allow for easy repurposing of OT Devices between production lines (minimal configuration).
Solutions & Strategies for Securing OT Networks
Cisco TrustSec provides the capabilities to Micro Segment the OT network, providing enhanced security to complement the security provided by VLANs and Firewalls.
• Security Group Tags (SGTs) are dynamically assigned to the traffic of a device that connects to the network, based on its identity.
• Access Policies can be implemented to limit communication between devices with different SGTs.
Solutions & Strategies for Securing OT Networks
One VLAN with Multiple Cells with Security Group Tags (SGTs).
Solutions & Strategies for Securing OT Networks
Cisco TrustSec is implemented and managed using the Cisco Identity Services Engine (ISE).
• When OT devices connect to the network, Cisco ISE authenticates the devices and assigns an SGT to all traffic the device sends on the network.
• Cisco ISE manages and distributes TrustSec policies.
• Switches, Routers and Firewalls enforce TrustSec policies by using the SGT embedded in the traffic.
Solutions & Strategies for Securing OT Networks
Example of a Design based on the Purdue Model.
ACME Inc. Manufacturing Inc. – Mini Case Study
ACME Inc. Manufacturing was concerned about OT Network Security.
• OT space is secured using VLANs and Firewalls only
• No Micro Segmentation in place on the OT Networks
• Cybersecurity attack could impact entire Factory
• Concerned about the risk of Intellectual Property theft as a result of a
Cybersecurity breach
ACME Inc. Manufacturing Inc. – Mini Case Study
ACME Inc. Manufacturing deployed Cisco TrustSec with the Identity Services Engine (ISE) to Micro Segment their OT Networks using Security Group Tags (SGTs), in addition to the existing VLAN and Firewall Segmentation.
Each Manufacturing Cell was completely isolated using SGTs, and devices in a Cell were limited to communicating only within the Cell and to specific Services in the DMZ.
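To make the containment argument of the micro segmentation and TrustSec slides concrete, here is an added example (not code from the webinar, Cisco or ACME) that models a production VLAN holding two cells plus a DMZ, and compares which devices a compromised PLC can reach under VLAN/firewall segmentation alone versus with an SGT policy matrix layered on top. The cell names, SGT values, VLAN ids, firewall rules and device names are all constructed; real SGTs are assigned by Cisco ISE.

```python
"""Added example (not from the webinar or Cisco): a small model of how
Security Group Tags (SGTs) shrink the blast radius of a breach compared with
VLAN/firewall segmentation alone. All SGT values, VLAN ids, cell names and
device names are constructed for the illustration."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed SGT values; in a real deployment Cisco ISE assigns them.
SGT_UNKNOWN = 0        # device not yet classified by the Control Engineer
SGT_HEAT_TREAT = 10
SGT_COATING = 20
SGT_DMZ_SERVICES = 30

# The "functional attribute" chosen by the Control Engineer maps to an SGT.
CELL_TO_SGT: Dict[str, int] = {
    "Heat Treat": SGT_HEAT_TREAT,
    "Coating": SGT_COATING,
    "DMZ Services": SGT_DMZ_SERVICES,
}

# TrustSec-style policy matrix of permitted (source SGT, destination SGT)
# pairs. Anything not listed is denied, so an unclassified device (SGT 0)
# can talk to nothing until an engineer places it in a cell.
SGT_POLICY: Set[Tuple[int, int]] = {
    (SGT_HEAT_TREAT, SGT_HEAT_TREAT),
    (SGT_COATING, SGT_COATING),
    (SGT_HEAT_TREAT, SGT_DMZ_SERVICES),
    (SGT_COATING, SGT_DMZ_SERVICES),
}

# Constructed firewall rules between VLANs: (source VLAN, destination VLAN).
# Traffic that stays inside one VLAN never passes the firewall.
FIREWALL_RULES: Set[Tuple[int, int]] = {(100, 200)}


@dataclass(frozen=True)
class Device:
    name: str
    vlan: int
    sgt: int = SGT_UNKNOWN


def classify(device: Device, cell: Optional[str]) -> Device:
    """Assign (or re-assign) a device to a manufacturing cell.

    Only the tag changes; the device keeps its VLAN and addressing, which is
    what makes deployment and repurposing a minimal-configuration change.
    """
    sgt = CELL_TO_SGT.get(cell, SGT_UNKNOWN) if cell else SGT_UNKNOWN
    return replace(device, sgt=sgt)


def vlan_only_allows(src: Device, dst: Device) -> bool:
    """Reachability when only VLANs and a firewall separate devices."""
    if src.vlan == dst.vlan:
        return True
    return (src.vlan, dst.vlan) in FIREWALL_RULES


def sgt_allows(src: Device, dst: Device) -> bool:
    """Reachability with SGT enforcement layered on top of the VLAN design."""
    return vlan_only_allows(src, dst) and (src.sgt, dst.sgt) in SGT_POLICY


def blast_radius(compromised: str, devices: List[Device],
                 allows: Callable[[Device, Device], bool]) -> Set[str]:
    """Names of devices a compromised host can reach directly under a policy."""
    by_name = {d.name: d for d in devices}
    src = by_name[compromised]
    return {d.name for d in devices if d.name != compromised and allows(src, d)}


def demo_fleet() -> List[Device]:
    """Constructed fleet: one production VLAN holding two cells, plus a DMZ."""
    return [
        classify(Device("ht-plc-1", vlan=100), "Heat Treat"),
        classify(Device("ht-hmi-1", vlan=100), "Heat Treat"),
        classify(Device("co-plc-1", vlan=100), "Coating"),
        classify(Device("co-hmi-1", vlan=100), "Coating"),
        classify(Device("dmz-historian", vlan=200), "DMZ Services"),
        Device("new-plc", vlan=100),  # racked but not yet classified
    ]


if __name__ == "__main__":
    fleet = demo_fleet()
    print("VLAN + firewall only:", sorted(blast_radius("ht-plc-1", fleet, vlan_only_allows)))
    print("With SGT policy:     ", sorted(blast_radius("ht-plc-1", fleet, sgt_allows)))
    # Repurpose co-plc-1 from Coating to Heat Treat: a tag change, not a re-cable.
    moved = [classify(d, "Heat Treat") if d.name == "co-plc-1" else d for d in fleet]
    print("After repurposing:   ", sorted(blast_radius("ht-plc-1", moved, sgt_allows)))
```

With VLAN and firewall segmentation alone the compromised PLC reaches every device in its VLAN plus the DMZ; with the SGT policy it reaches only its own cell and the DMZ service, and the unclassified device reaches nothing until an engineer assigns it a cell.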
ACME Inc. Manufacturing Inc. – Mini Case Study
A major challenge encountered by ACME Inc. Manufacturing is the process of classifying a device to place it in a Manufacturing Cell / Production Line.
• Cisco ISE has the ability to dynamically profile devices (based on device attributes) in the IT space.
• Classification for this OT requirement was based on a “Functional Attribute” and not on an Identity embedded in the device.
• Example of a “Functional Attribute”: “Heat Treat” vs. “Coating”.
** A control device can be used in either a “Heat Treat” or a “Coating” Process, and typically the Control Engineer makes the determination.
ACME Inc. Manufacturing Inc. – Mini Case Study
Cisco Industrial Network Director (IND) was considered for the classification process in the design.
• Cisco IND includes a Self-Service Portal to assign devices to a group, but it did not fulfil the customer requirements.
• The Customer is considering IND for managing Cisco Industrial Ethernet (IE) Switches and other Management functions related to the Industrial Space.
ACME Inc. Manufacturing Inc. – Mini Case Study
Cisco ISE is extremely flexible. It can integrate with a variety of systems through an Open Standard interface (REST API / pxGrid).
The Customer worked with a Company that has an IoT Application that was customized for the Classification process.
ACME Inc. Manufacturing Inc. – Mini Case Study
Some features of the Custom Application:
• The Control Engineer uses a “Self Service Portal” to assign an OT device to a Cell; this meets the customer requirements.
• The Application was leveraged for visibility related to Asset Management.
• Provides High Availability (HA) of the Database.
Courses
Implementing and Configuring Cisco Identity Services Engine v3.0
Introduction to 802.1X Operations for Cisco Security Professionals
Learning More
For additional on-demand and live webinars, white papers, courses, special offers and more, visit us at GlobalKnowledge.com
  • 10. © Global Knowledge Training LLC. All rights reserved. Page 10 Risks associated with OT Networks OT Networks typically run the Critical Infrastructure that organization depend on to produce a Product or Services. Any impact on OT operations could be financially devastating for an organization. Although the same is true for IT, the impact is greater for OT networks. Disruptions related to these systems could also be devastating to the supply chain of products and services or even cause harm to patients as in the case of the Health Care Industry; not to mention the fallout from the publicity it generates.
  • 11. © Global Knowledge Training LLC. All rights reserved. Page 11 Risks associated with OT Networks OT Networks have a different set of requirements and challenges that the IT Governance team must address to secure the enterprise. Because of the inherent differences in how these systems operate and the risk factors associated with them, industry had drawn a clear line between what is considered the traditional IT Network (office support systems) and the OT Network that houses the OT/IIoT Systems.
  • 12. © Global Knowledge Training LLC. All rights reserved. Page 12 Risks associated with OT Networks The Information Technology (IT) Governance team within an Organization must develop a better understanding of OT Networks and must stay abreast of threats associated with OT Environments to assure that the Organization is protected. Organization must put in place Processes, Procedures and Technologies to protect the critical OT assets of the Organization.
  • 13. © Global Knowledge Training LLC. All rights reserved. Page 13 Challenges faced with OT Networks • OT Networks and Devices tend to use legacy Plant Control Systems often running outdated Operating Systems that cannot easily be swapped out or a custom configuration that isn’t compatible. • Because of the High Availability of Production Schedules, it is often difficult to stop production to upgrade these systems. • OT System are typically upgraded when they are no longer functional for the task at hand. • Industrial environments tend to be more systemic where one small change can trigger a negative domino effect that could disrupt the system.
  • 14. © Global Knowledge Training LLC. All rights reserved. Page 14 Solutions & Strategies for Securing OT Networks Traditionally OT networks have adopted various Models, Architectures and Systems to secure the OT Infrastructure. An example is the Purdue Model for Control Hierarchy.
  • 15. © Global Knowledge Training LLC. All rights reserved. Page 15 • The Purdue Model for Control Hierarchy is a common and well- understood Model in the Manufacturing Industry that provides a Blueprint to segments Devices and Equipment into hierarchical functions. • Developed in the 1990s at Purdue University Consortium for Computer Integrated Manufacturing. Solutions & Strategies for Securing OT Networks
  • 16. © Global Knowledge Training LLC. All rights reserved. Page 16 Solutions & Strategies for Securing OT Networks Models, such as the Perdue Model, are implemented using Technologies such as Firewalls, VLAN and other tools to segment the Infrastructure into hierarchies based on levels of operations. • Some Manufacturers develop Equipment and Devices designed to specifically provide Security in the OT space. • Other Manufacturers have Equipment and Devices with Dual purpose; IT and OT Security capabilities.
  • 17. © Global Knowledge Training LLC. All rights reserved. Page 17 Solutions & Strategies for Securing OT Networks Specialized OT Security Products: OPshield is an OT Firewall (and related tools) developed by Wurldtech, a GE- owned Company. • Organization specializing in Operational Technology (OT) solutions. • The Firewall is specifically designed to provide protection for Industrial Controls and Critical Infrastructure Networks.
  • 18. © Global Knowledge Training LLC. All rights reserved. Page 18 Solutions & Strategies for Securing OT Networks Cisco Products designed for OT Networks: Cisco’s line of Industrial Switches designed for OT Networks. Cisco Catalyst IE3300 Rugged Series • Run Industrial Protocols such as Common Industrial Protocol (CIP) – an Industrial Protocol for Automation. • Hardened for harsh Industrial Environments. • Also provide traditional IT Technologies such as VLANs, Port Security, 802.1x etc.
  • 19. © Global Knowledge Training LLC. All rights reserved. Page 19 Solutions & Strategies for Securing OT Networks Cisco Products designed for OT Networks: The Cisco Industrial Network Director (IND) is a management tools built for managing Industrial Networks. Designed to help Operations Teams gain full visibility into the Automation Network for improved system availability and increase Overall Equipment Effectiveness (OEE).
  • 20. © Global Knowledge Training LLC. All rights reserved. Page 20 Solutions & Strategies for Securing OT Networks Using VLANs and Firewalls for Securing OT Networks does not provide Micro Segmentation. A major concern for may Organizations is the impact a breach can cause to the Manufacturing lines on the OT Network. • A breach on a VLAN could potentially impact the entire VLAN. • A Breach in a Security Zone separated by a Firewall could potentially impact the entire Security Zone.
  • 21. © Global Knowledge Training LLC. All rights reserved. Page 21 Solutions & Strategies for Securing OT Networks Single VLAN / Multiple Cells.
  • 22. © Global Knowledge Training LLC. All rights reserved. Page 22 Solutions & Strategies for Securing OT Networks Multiple VLANs / Multiple Cells.
  • 23. © Global Knowledge Training LLC. All rights reserved. Page 23 Solutions & Strategies for Securing OT Networks Multiple VLANs / Multiple Cells (Repurposing of Equipment)
  • 24. © Global Knowledge Training LLC. All rights reserved. Page 24 Solutions & Strategies for Securing OT Networks Micro Segmentation allows VLANs and Security zones to be further segmented to contain potential breaches. Micro Segmentation limits the impact of the breach to a smaller footprint should a VLAN or a Security Zone is compromised. • Micro Segmentation solution must allow for easy deployment of new OT Devices in the production lines (minimal configuration). • Micro Segmentation solution must allow for easy repurposing of OT Devices between production lines (minimal configuration).
  • 25. © Global Knowledge Training LLC. All rights reserved. Page 25 Solutions & Strategies for Securing OT Networks Cisco TrustSec provides the capabilities to Micro Segment OT network providing enhanced security to compliment the security provided by VLANs and Firewalls. • Dynamically assigning Security Group Tags (SGTs) to the traffic of a device that connects to the network based on it’s identity. • Access Policies can be implemented to limit communication between devices with different SGTs.
  • 26. © Global Knowledge Training LLC. All rights reserved. Page 26 Solutions & Strategies for Securing OT Networks One VLAN with Multiple Cells with Security Group Tags (SGTs).
  • 27. © Global Knowledge Training LLC. All rights reserved. Page 27 Solutions & Strategies for Securing OT Networks Cisco TrustSec is implemented and managed using the Cisco Identity Services Engine (ISE). • When OT devices connect to the network, Cisco ISE authenticates the devices and assigns all traffic sent on the network by the device an SGT. • Cisco ISE manages and distributes TrustSec policies. • Switch, Routers and Firewalls enforce TrustSec policies by using the SGT embedded in the traffic.
  • 28. © Global Knowledge Training LLC. All rights reserved. Page 28 Solutions & Strategies for Securing OT Networks Example of a Design based on the Purdue Model.
  • 29. © Global Knowledge Training LLC. All rights reserved. Page 29 ACME Inc. Manufacturing Inc. – Mini Case Study ACME Inc. Manufacturing was concerned about OT Network Security. • OT space is secured using VLANs and Firewalls only • No Micro Segmentation in place on the OT Networks • Cybersecurity attack could impact entire Factory • Concerned about the risk of Intellectual Property theft as a result of a Cybersecurity breach
  • 30. © Global Knowledge Training LLC. All rights reserved. Page 30 ACME Inc. Manufacturing Inc. – Mini Case Study ACME Inc. Manufacturing deployed Cisco TrustSec with the Identity Services Engine (ISE) to Micro Segment their OT Networks using Security Group Tags (SGTs) in addition to the use of VLAN and Firewall Segmentation. Each Manufacturing Cell was completely isolated using SGTs and device in a Cell limited to communicating only within the Cell and to specific Services in the DMZ.
  • 31. © Global Knowledge Training LLC. All rights reserved. Page 31 ACME Inc. Manufacturing Inc. – Mini Case Study A major challenge encountered by ACME Inc. Manufacturing is the process of classifying a device to place it in a Manufacturing Cell / Production Line. • Cisco ISE has the ability to dynamically profile devices (based on device attributes) in the IT space. • Classification for this OT requirement was based on a “Functional Attribute” and not an Identity embedded in the device. • Example of “Functional Attribute” - “Heat Treat” vs. “Coating”. ** A control device can be used in either a “Heat Treat” or “Coating” Process and typically the Control Engineer makes the determination.
  • 32. © Global Knowledge Training LLC. All rights reserved. Page 32 ACME Inc. Manufacturing Inc. – Mini Case Study Cisco Industrial Network Director (IND) was considered for the classification process in the design, • Cisco IND includes a Self-Service Portal to assign devices to a group; did not fulfil the customer requirements. • Customer is considering IND for managing Cisco Industrial Ethernet (IE) Switches and other Management functions related to the Industrial Space.
  • 33. © Global Knowledge Training LLC. All rights reserved. Page 33 ACME Inc. Manufacturing Inc. – Mini Case Study Cisco ISE is extremely flexible. Can integrate with a variety of systems through an Open Standard interface (REST API / PxGrid). Customer worked with a Company that has an IOT Application that was customized for the Classification process.
  • 34. © Global Knowledge Training LLC. All rights reserved. Page 34 ACME Inc. Manufacturing Inc. – Mini Case Study • Control Engineer uses a “Self Service Portal” to assign an OT device to a Cell –meets customer requirements. • Application was Leveraged for visibility related to Asset Management. • Provides HA of Database. Some features of the Custom Application:
  • 35. © Global Knowledge Training LLC. All rights reserved. Page 35 Courses Implementing and Configuring Cisco Identity Services Engine v3.0 Introduction to 802.1X Operations for Cisco Security Professionals
  • 36. © Global Knowledge Training LLC. All rights reserved. Page 36 Learning More GlobalKnowledge.com For additional on-demand and live webinars, white papers, courses, special offers and more, visit us at…
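To make the micro-segmentation argument of slides 20, 24 to 27 and the ACME design on slide 30 concrete, here is an added Python model (not code from the webinar, from Cisco ISE or from TrustSec): each device's SGT is derived from the control engineer's functional attribute, the policy matrix permits only intra-cell traffic and traffic to DMZ services, and the reach of one compromised HMI is compared with VLAN/firewall enforcement alone versus VLAN plus SGT enforcement. The SGT values, VLAN numbers, device inventory and the firewall rule for the DMZ are constructed assumptions.

```python
from dataclasses import dataclass, replace

DMZ_VLAN = 200                 # constructed: services VLAN every cell may reach through the firewall
DMZ_SERVICES = "DMZ Services"
# Constructed mapping from the control engineer's functional attribute to an SGT value.
SGT_BY_CELL = {"Heat Treat": 10, "Coating": 20, DMZ_SERVICES: 100}


@dataclass(frozen=True)
class Device:
    name: str
    vlan: int
    cell: str  # functional attribute chosen by the control engineer, not an identity in the device


def assign_sgt(device):
    """Tag the device's traffic would carry after authentication (assumed cell-to-SGT mapping)."""
    return SGT_BY_CELL[device.cell]


def vlan_permits(src, dst):
    """VLAN + firewall only: anything inside the same VLAN, plus any cell to the DMZ services VLAN."""
    return src.vlan == dst.vlan or dst.vlan == DMZ_VLAN


def sgt_permits(src_sgt, dst_sgt):
    """SGT policy matrix: same cell permitted, any cell to DMZ services permitted, everything else denied."""
    return src_sgt == dst_sgt or dst_sgt == SGT_BY_CELL[DMZ_SERVICES]


def blast_radius(compromised, devices, enforce_sgt):
    """Names of the devices a compromised host could still reach under the chosen enforcement model."""
    reachable = []
    for d in devices:
        if d.name == compromised.name or not vlan_permits(compromised, d):
            continue
        if enforce_sgt and not sgt_permits(assign_sgt(compromised), assign_sgt(d)):
            continue
        reachable.append(d.name)
    return sorted(reachable)


def repurpose(device, new_cell):
    """Moving a controller to another cell is a re-classification only: no VLAN or cabling change."""
    return replace(device, cell=new_cell)


# Constructed inventory: two cells sharing one OT VLAN (slide 26 layout), plus a historian in the DMZ.
DEVICES = [
    Device("plc_ht1", 100, "Heat Treat"), Device("hmi_ht1", 100, "Heat Treat"),
    Device("plc_co1", 100, "Coating"), Device("hmi_co1", 100, "Coating"),
    Device("historian", DMZ_VLAN, DMZ_SERVICES),
]

if __name__ == "__main__":
    hmi = DEVICES[1]  # assume this HMI has been compromised
    print("VLAN only :", blast_radius(hmi, DEVICES, enforce_sgt=False))
    print("VLAN + SGT:", blast_radius(hmi, DEVICES, enforce_sgt=True))
```

With SGT enforcement the compromised HMI can still reach only its own cell's PLC and the DMZ historian, while the Coating cell on the same VLAN is out of reach; repurposing a PLC into Heat Treat changes only its tag.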