The rise of interconnected OT and IT systems is often attributed to how business models have evolved with the purpose of enhancing operational efficiency. For example, scada networks deployed along oil pipelines now collect oil output data that is essential to billing and pricing systems. This increase in data collection allows companies to predict, with higher levels of accuracy, not only levels of oil production and output, but also expected revenue. However, it should be noted that the downside of such systems is the likelihood of introducing cybersecurity threats to OT systems.
What is compounding this complex issue is that ransomware attacks are increasing in their severity, according to the general manager of IDC Taiwan. With more and more security incidents occurring in OT systems, business owners and regulators are keen to seek solutions that enhance industrial cybersecurity and allow businesses to keep functioning normally.
What is the security boundary concept?
When enhancing cybersecurity, it is important to understand how industrial systems are exchanging data and how they connect to IT-level systems. In the ideal scenario, when traffic crosses different systems there should be boundaries in place between each system to ensure the traffic has good cyber-hygiene, even if it is authenticated and authorised. However, it is challenging and often unrealistic to build boundaries between every system, as it involves significant expenditure and often has a detrimental effect on the efficiency of network communications. For these reasons it is highly recommended to divide OT systems into different digital zones and build up the boundaries to find the right balance between expenditure and acceptable levels of risk.
The defence-in-depth approach, which is recommended by the IEC 62443 cybersecurity standard committee, is widely used across industries and has a good track record of helping build up multiple layers of protection to fulfil operational requirements. In Figure 1 below, the critical assets and operations are shown as the most important. Since they perform vital roles for the business, it is wise to take additional security precautions such as adding more layers of protection, to secure them even further.
Network segmentation: how to build security boundaries
Physical layer segmentation
This is known as air gapping, where two networks are physically isolated. When the operations and security of one system needs to be independently maintained, an air gap is a potential solution. However, as mentioned earlier, it is increasingly difficult to arrange networks this way due to business and operational requirements.
Data link/network (Layer 2/Layer 3) segmentation
As industrial control systems may have been built decades ago, one of the key challenges is to leverage existing infrastructure. One approach that is frequently deployed is to segregate traffic between different network segments using a VLAN, which is one of the functions of managed Ethernet switches. An alternative is to deploy firewalls to protect industrial applications and data, especially when you need to deal with traffic on Layer 2 and Layer 3 networks.
Layer 4-7 network segmentation
Further segmentation can be applied through deep packet inspection (DPI). DPI offers granular control over network traffic and helps filter industrial protocols based on the requirements of the application. When you have multiple devices on the same network, they can all communicate with each other. However, there are certain scenarios, when, for example, Controller A should only communicate with Robotic Arm B at a specific time. DPI technology can thus help engineers to define which controllers can perform read/write commands, or even the direction of traffic.
Secure remote access
According to cybersecurity experts, remote desktop protocols are sometimes exploited to spread malware or conduct unauthorised activity. As remote connections have become more prevalent, it is unsurprising that building security boundaries between two field sites is being talked about more frequently. It is highly recommended to build VPN tunnels and ensure that access control mechanisms are properly maintained.
As business owners are no longer able to enjoy the benefits and security of completely air-gapped networks, it is imperative to enhance security boundaries through different approaches, including network segmentation and secure remote access. Moxa’s newly launched EDR-G9010 series – an all-in-one firewall/VPN/switch/router – enhances cybersecurity while allowing business owners to leverage existing network infrastructure through future-proof investment.
|Tel:||+27 11 781 0777|
|Articles:||More information and articles about RJ Connect|
© Technews Publishing (Pty) Ltd | All Rights Reserved