Core architecture strategies for IT/OT network integration
Taking a holistic approach toward integration of IT and OT networks allows access and security requirements to be met and scaled as additional needs arise over time.
Cybersecurity insights
- Operational technology (OT) networks prioritize system availability and safety, requiring distinct protocols, cybersecurity standards and infrastructure to protect industrial operations from evolving cyber threats.
- Implementing dual firewalls, access control, micro-segmentation, and threat detection enhances OT security, protecting critical industrial processes from cyberattacks.
- Micro-segmentation isolates OT devices into functional zones, minimizing potential cyberattack impacts and ensuring real-time, low-latency communication critical for industrial operations.
The operational technology (OT) network is the backbone of a manufacturing facility. It serves either as the data highway that delivers efficiency and quality gains, and with them a manufacturer's competitive advantage, or as a standing target for continually evolving cyberattacks.
While there are numerous gains to be had by connecting manufacturing equipment to a facility's broader network, this convergence must be done skillfully to ensure robust security against threats that continue to increase in number, complexity and destructiveness.
Adding layers of OT security can be accomplished with nearly any budget and on any network. Some improvements can be made on the strength of a quick assessment; to get the most out of them, however, the network as a whole must be evaluated: the OT network reviewed from an information technology (IT) perspective, and the IT network from an OT perspective.
The OT network has a different role with different security considerations
While an OT network shares many commonalities with an IT network, its differences must be considered to effectively implement robust communication pathways and strong security measures. Because the OT network connects the physical equipment used in industrial operations, a successful breach can directly affect these processes. Some relevant distinctions between the two types of networks include:
- Distinct OT cybersecurity standards. As discussed in the NIST Guide to Operational Technology (OT) Security (SP 800-82), OT security guidance prioritizes system availability, integrity and safety over data confidentiality. Security approaches must protect continuous industrial operations and the physical infrastructure behind them.
- OT networks use different protocols. Industrial protocols (Modbus, PROFIBUS, EtherNet/IP, PROFINET and others) differ from those used for IT communications, and tools that analyze network traffic, firewalls included, must be able to decode them. A device that cannot parse the protocol can only filter on addresses and ports, not on what a message actually does.
- OT cyberattacks can be difficult to detect. They may look like normal OT network traffic, such as a legitimate write command, but carry a simple parameter change that alters the physical process. The result may be a hazardous condition in the facility, incorrect or unsafe product, equipment damage or failure, and even environmental damage.
- OT equipment lifespan is a challenge. Equipment often stays in service for several decades, which presents numerous age-related challenges. It may have been designed at a time when cybersecurity was not a priority, and manufacturers generally stop supporting their systems after a certain period. With no new firmware updates, older systems can be left with no means to remediate critical vulnerabilities, so the network around them has to carry the compensating controls.
- OT networks have different standards and infrastructure requirements. The physical OT installation falls under the National Electrical Code (NEC), which focuses on safety: robust wiring, conductor sizing and grounding appropriate for the higher voltages found on the plant floor. This calls for more durable cabling and specialized components designed to operate in harsh industrial environments alongside larger electrical loads. IT networks, in contrast, typically follow ANSI/TIA standards, which focus on reliable communications and network access with infrastructure suited to lower voltages.
- The OT network may use specialized topologies. Groups of devices can be connected in ring networks, where each device connects to two others to form a circular signal path, or in linear (bus) networks, where all devices share a single signal path.
- Availability is a priority. With respect to the confidentiality, integrity and availability (CIA) triad, the model that guides information security policy, OT networking puts availability first, since downtime has a direct impact on production.
- Low latency connectivity. Control systems for robotics, servo drives and other feedback control loops rely on predictable, consistent, low latency network connectivity. Many of these systems use the precision time protocol (PTP, IEEE 1588), which depends on consistent, symmetric network delay to synchronize clocks across the network. That clock synchronization enables precise control and coordinated actions in real time.
Developing a layered approach to OT network security
Robust network security involves layering several defensive approaches, each serving complementary roles that fortify the facility against attacks. While a complete list is beyond the scope of this article, foundational OT network architecture best practices include:
- Separation of the IT and OT networks, with an industrial demilitarized zone (iDMZ) between them
- Dual firewalls to protect the boundaries and enforce micro-segmentation rules
- Access control so that only authenticated and authorized users can reach OT devices
- A single point of entry to the OT network through a jump host (a hardened, dedicated computer)
- Micro-segmentation of the OT network into functional zones
- Threat detection systems that continually monitor network traffic for suspicious anomalies.
These measures can be retrofitted to a network that is already built; it is not too late to phase them in, at whatever budget is available, to safeguard equipment.
Separating IT, OT networks with a DMZ
Isolating critical infrastructure from the IT network's general traffic is a crucial first step in network security, because it limits the ability of an attack to traverse into the OT network. This is typically achieved with a firewall at the edge of the IT network and another at the edge of the OT network. The two firewalls control traffic entering and leaving each network and enforce security policies that permit only the traffic that is necessary; anything not explicitly allowed is dropped.
This arrangement creates a buffer area between the firewalls, commonly known as the iDMZ. The iDMZ hosts devices that need to interact with both networks, including data historians, data logging servers and various gateways, so that no IT host ever talks to an OT device directly. In figure 1, which shows a typical industrial network layout, the iDMZ is shown at level 3.5, indicating that it belongs to neither the IT nor the OT network.
Separating the enterprise network into distinct IT and OT domains allows different access policies to be enforced with separate domain controllers, so that a compromised IT credential is not automatically valid in OT, reducing the OT network's exposure. Tailored security measures can then be implemented to address the distinct vulnerabilities of the OT network.
For example, the OT domain controller can be configured so that users have access only to the particular devices and resources they are entitled to under the established access policies. The OT network can likewise be configured to meet industrial equipment's distinct functional communications requirements.
As always, an edge firewall separating the internal enterprise network from the internet remains the outer boundary. The iDMZ is a second boundary behind it, not a replacement for it.
Have a singular entry point to the OT network
To access a device on the OT network, a user first connects to the IT network, then to a jump host in the iDMZ, and only from there into the OT network. This reduces the points of entry to one, and that single path can be carefully controlled: every user who wants to reach OT must first connect to the jump host, and only those who are authenticated and authorized are able to do so.
The jump host and the OT domain controller play complementary roles. Entry into the OT network is controlled by the jump host, while the domain controller governs what an authenticated user may do once inside.
Micro-segmentation benefits for OT networks
The OT network benefits from micro-segmentation for both security and low latency device communication. Micro-segmentation divides the OT network into smaller, isolated segments based on physical process equipment groupings. The rules can be defined and enforced by the OT firewall, specifying which types of traffic may pass between devices and between segments, so that a breach, should one occur, is contained to a localized region of the network, once again reducing the attack surface.
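The two sections above (dual firewalls around an iDMZ, and micro-segmentation rules on the OT firewall) come down to one zone-to-zone policy table with default deny. The following is an added example, not code from the article or from E Tech Group: a small policy evaluator that models that table and checks constructed flows against it. The address plan, zone names, host addresses and ports are assumptions made for illustration.

```python
"""Zone policy for a dual-firewall IT / iDMZ / OT layout with micro-segments.
Added example; the address plan, hosts and ports are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption): one subnet per functional zone.
ZONES: dict[str, IPv4Network] = {
    "IT": ip_network("10.10.0.0/16"),          # enterprise, Purdue levels 4-5
    "IDMZ": ip_network("10.35.0.0/24"),        # industrial DMZ, level 3.5
    "OT_LINE1": ip_network("10.40.1.0/24"),    # micro-segment: packaging line 1
    "OT_LINE2": ip_network("10.40.2.0/24"),    # micro-segment: packaging line 2
    "OT_SAFETY": ip_network("10.40.9.0/24"),   # micro-segment: safety PLCs
}
JUMP_HOST = ip_address("10.35.0.10")   # the single entry point into OT
HISTORIAN = ip_address("10.35.0.20")   # iDMZ broker between IT and OT


def zone_of(ip: IPv4Address) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str                            # "tcp", "udp" or "any"
    dports: frozenset = frozenset()       # empty = any destination port
    src_hosts: frozenset = frozenset()    # empty = any host in src_zone
    dst_hosts: frozenset = frozenset()    # empty = any host in dst_zone
    action: str = "allow"


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


# First match wins; a flow that matches nothing is dropped (default deny).
# Rules that touch the IT zone live on the IT-edge firewall, the rest on the
# OT-edge firewall; the iDMZ is the space between the two.
RULES = [
    Rule("it-to-historian", "IT", "IDMZ", "tcp", frozenset({443}), dst_hosts=frozenset({HISTORIAN})),
    Rule("it-to-jump-host", "IT", "IDMZ", "tcp", frozenset({22, 3389}), dst_hosts=frozenset({JUMP_HOST})),
    Rule("historian-polls-line1", "IDMZ", "OT_LINE1", "tcp", frozenset({502}), src_hosts=frozenset({HISTORIAN})),
    Rule("historian-polls-line2", "IDMZ", "OT_LINE2", "tcp", frozenset({502}), src_hosts=frozenset({HISTORIAN})),
    Rule("jump-host-to-line1", "IDMZ", "OT_LINE1", "tcp", frozenset({502, 44818}), src_hosts=frozenset({JUMP_HOST})),
    Rule("jump-host-to-line2", "IDMZ", "OT_LINE2", "tcp", frozenset({502, 44818}), src_hosts=frozenset({JUMP_HOST})),
    # Only the jump host may reach the safety zone; the historian may not.
    Rule("jump-host-to-safety", "IDMZ", "OT_SAFETY", "tcp", frozenset({502}), src_hosts=frozenset({JUMP_HOST})),
]


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (action, reason) for a flow crossing a zone boundary."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown-zone"
    if src_zone == dst_zone:
        return "allow", "intra-zone"   # stays inside one micro-segment, never hits the firewall
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        if rule.src_hosts and flow.src not in rule.src_hosts:
            continue
        if rule.dst_hosts and flow.dst not in rule.dst_hosts:
            continue
        return rule.action, rule.name
    return "deny", "default-deny"


# Constructed flows a reviewer would check against the policy.
SAMPLE_FLOWS = {
    "engineer laptop -> line 1 PLC directly": Flow(ip_address("10.10.5.23"), ip_address("10.40.1.11"), "tcp", 502),
    "engineer laptop -> jump host (RDP)": Flow(ip_address("10.10.5.23"), JUMP_HOST, "tcp", 3389),
    "jump host -> line 1 PLC": Flow(JUMP_HOST, ip_address("10.40.1.11"), "tcp", 502),
    "line 1 HMI -> line 2 PLC": Flow(ip_address("10.40.1.50"), ip_address("10.40.2.11"), "tcp", 502),
    "historian -> line 1 PLC": Flow(HISTORIAN, ip_address("10.40.1.11"), "tcp", 502),
    "historian -> safety PLC": Flow(HISTORIAN, ip_address("10.40.9.5"), "tcp", 502),
}


def audit() -> dict[str, str]:
    """Evaluate every sample flow and return label -> action."""
    return {label: evaluate(flow)[0] for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        action, reason = evaluate(flow)
        print(f"{action:5} {reason:22} {label}")
```

Two things to notice when reading the output: the engineer's laptop is denied a direct path to the PLC even though the jump host is allowed the same destination and port, and the historian, which is trusted to poll the production lines, is still refused the safety zone. Both follow from the default-deny last line rather than from any explicit deny rule, which is the property worth preserving when real firewall rule bases grow.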
How threat detection engines police from within
Threat detection engines are a powerful tool that can be used both short term, during an IT/OT assessment, and long term, for continuous network traffic monitoring. They are normally fed from a switch mirror (SPAN) port or a network tap, so that the monitoring itself adds no traffic to the control network.
Within a few hours of connecting to a network, the engine produces an asset report of the devices currently using the network and their known vulnerabilities. With more time on the network, it analyzes traffic patterns and data, using statistical and machine learning techniques, to build a model or benchmark of typical activity. Against that baseline it can detect and flag anomalous behavior in real time that may be the result of suspicious activity. Engines often combine local with cloud-based analysis; the former offers faster response and data privacy, while the latter provides the processing power for more sophisticated analytics such as machine learning.
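The paragraph above, together with the earlier points that monitoring tools must understand industrial protocols and that an attack may be a normal-looking command carrying a changed parameter, is easiest to see in code. The following is an added example, not the article's or any vendor's engine: it decodes Modbus/TCP request frames, learns a baseline of who talks to whom with which function codes and what values they write, and then judges live traffic against that baseline. The hosts, register numbers and every frame are constructed for illustration.

```python
"""Baseline-and-deviation detection over Modbus/TCP requests.
Added example; hosts, registers and all traffic below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

FUNCTION_NAMES = {1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
                  4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
                  15: "write_multiple_coils", 16: "write_multiple_registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int              # starting register / coil address
    value: Optional[int]      # payload of a single-write request, else None


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the leading fields of the PDU."""
    if len(frame) < 12:
        raise ValueError("frame too short for a Modbus/TCP request")
    tid, proto_id, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    address = struct.unpack(">H", frame[8:10])[0]
    value = struct.unpack(">H", frame[10:12])[0] if fc in (5, 6) else None
    return ModbusRequest(tid, unit, fc, address, value)


def build_request(tid: int, unit: int, fc: int, address: int, word: int) -> bytes:
    """Encode a request whose PDU is fc + address + one 16-bit word (value or quantity)."""
    pdu = struct.pack(">BHH", fc, address, word)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class Baseline:
    """What 'normal' looks like, learned from a clean observation window."""

    def __init__(self) -> None:
        self.conversations: set = set()   # (src, dst, unit, function)
        self.write_targets: set = set()   # (dst, unit, address) ever written
        self.value_range: dict = {}       # (dst, unit, address) -> (lo, hi)

    def learn(self, src: str, dst: str, req: ModbusRequest) -> None:
        self.conversations.add((src, dst, req.unit_id, req.function))
        if req.function in WRITE_FUNCTIONS:
            key = (dst, req.unit_id, req.address)
            self.write_targets.add(key)
            if req.value is not None:
                lo, hi = self.value_range.get(key, (req.value, req.value))
                self.value_range[key] = (min(lo, req.value), max(hi, req.value))

    def assets(self) -> dict:
        """Asset report: every host seen and the roles it played."""
        roles: dict = {}
        for src, dst, _unit, _fc in self.conversations:
            roles.setdefault(src, set()).add("client")
            roles.setdefault(dst, set()).add("server")
        return roles

    def check(self, src: str, dst: str, req: ModbusRequest) -> list:
        """Findings for one live request; an empty list means it matches the baseline."""
        findings = []
        name = FUNCTION_NAMES.get(req.function, f"fc{req.function}")
        if (src, dst, req.unit_id, req.function) not in self.conversations:
            findings.append(f"new conversation: {src} -> {dst} unit {req.unit_id} {name}")
        if req.function in WRITE_FUNCTIONS:
            key = (dst, req.unit_id, req.address)
            if key not in self.write_targets:
                findings.append(f"write to register {req.address} on {dst}, never written in baseline")
            elif req.value is not None:
                lo, hi = self.value_range[key]
                if not lo <= req.value <= hi:
                    findings.append(f"register {req.address} on {dst} set to {req.value}, learned range {lo}-{hi}")
        return findings


# Constructed hosts and traffic (assumption). SETPOINT is a holding register
# that an operator adjusts in small steps from the HMI.
HMI, PLC, HISTORIAN, UNKNOWN = "10.40.1.50", "10.40.1.11", "10.35.0.20", "10.40.1.77"
SETPOINT = 100
TRAINING = [
    (HMI, PLC, build_request(1, 1, 3, 0, 10)),            # HMI polls registers 0-9
    (HISTORIAN, PLC, build_request(2, 1, 3, 0, 10)),      # historian polls the same
    (HMI, PLC, build_request(3, 1, 6, SETPOINT, 1180)),   # operator nudges setpoint
    (HMI, PLC, build_request(4, 1, 6, SETPOINT, 1220)),
]
OBSERVED = [
    (HMI, PLC, build_request(6, 1, 3, 0, 10)),            # routine poll
    (HMI, PLC, build_request(7, 1, 6, SETPOINT, 1200)),   # in-range setpoint change
    (HMI, PLC, build_request(8, 1, 6, SETPOINT, 2500)),   # same talker, implausible value
    (UNKNOWN, PLC, build_request(9, 1, 6, 200, 1)),       # unknown host, unseen register
]


def train(records) -> Baseline:
    base = Baseline()
    for src, dst, frame in records:
        base.learn(src, dst, parse_modbus_tcp(frame))
    return base


def detect(base: Baseline, records) -> dict:
    """Map each live transaction id to its list of findings."""
    return {parse_modbus_tcp(f).transaction_id: base.check(s, d, parse_modbus_tcp(f)) for s, d, f in records}


if __name__ == "__main__":
    base = train(TRAINING)
    print("assets:", base.assets())
    for tid, findings in detect(base, OBSERVED).items():
        print(tid, findings or ["ok"])
```

Transaction 8 is the case the article warns about: the source, destination, unit and function code are all exactly what the HMI does every day, so a port-based firewall passes it and a signature would have nothing to match. It is caught only because the engine decoded the PDU and remembered what values that register normally takes. Transaction 9 trips two findings at once: a host never seen before and a register never written before.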
Monitoring with an SIEM system
Organizations subject to regulatory requirements for data monitoring, reporting and timely response to security threats often adopt a larger, overarching monitoring platform, a security information and event management (SIEM) system. The SIEM analyzes data from many sources across the network in near real time, including the threat detection engine, firewalls, routers and the various logs that record operations and user activity, and correlates them so that it can surface anomalies in the overall system that no single source would reveal. Within industrial manufacturing, sectors that commonly use a SIEM include:
- Pharmaceutical and chemical manufacturing: good manufacturing practice (GMP) requires robust data integrity and security
- Automotive industry: strong support for data integrity within manufacturing and for the security issues that come with connected vehicle programs
- Aerospace and defense manufacturing: national security implications mean these industries must meet stringent regulatory requirements such as the International Traffic in Arms Regulations (ITAR)
- Energy production: the SIEM is used to meet critical infrastructure protection standards (NERC CIP)
- Food and beverage: a SIEM helps these industries adhere to food safety standards and regulations such as the FDA's FSMA rules
Within these larger organizations, the SIEM is usually paired with a security operations center (SOC). A SOC is a staffed team responsible for the organization's overall security posture and health; it tracks events and anomalies across the system as a whole and follows up on any detected threats.
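The value of correlating sources is concrete when the sources are the jump host and the OT firewall: the earlier section makes the jump host the single entry point, and the SIEM is where that rule is verified rather than merely configured. The following is an added example, not the article's code or any SIEM product's rule language. It joins constructed jump-host login events with constructed OT-firewall accept events by time, attributes each OT connection to a logged-in user, and raises a finding when an OT connection either did not come from the jump host at all or came from it while nobody was logged in. The log lines are made up for this example, loosely modelled on OpenSSH sshd and netfilter LOG formats; the host names and the jump-host address are assumptions.

```python
"""SIEM-style correlation of jump-host sessions with OT-firewall accepts.
Added example; all log lines and addresses below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

JUMP_HOST = "10.35.0.10"   # assumed address of the single OT entry point

# Patterns modelled on sshd and netfilter LOG output (assumption, not vendor formats).
SSH_OPEN = re.compile(r"^(?P<ts>\S+) jumphost sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
                      r"from (?P<src>\S+) port (?P<port>\d+)")
SSH_CLOSE = re.compile(r"^(?P<ts>\S+) jumphost sshd\[\d+\]: Disconnected from user (?P<user>\S+) "
                       r"(?P<src>\S+) port (?P<port>\d+)")
FW_ACCEPT = re.compile(r"^(?P<ts>\S+) otfw kernel: OTFW-ACCEPT .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                       r"PROTO=(?P<proto>\S+).*DPT=(?P<dport>\d+)")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Session:
    user: str
    src: str
    port: int
    start: datetime
    end: Optional[datetime] = None   # None while the session is still open

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t <= self.end)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    severity: str
    message: str


def correlate(lines):
    """Attribute each OT-firewall accept to a jump-host session or raise a finding."""
    sessions, accepts = [], []
    for line in sorted(lines, key=lambda l: l.split(" ", 1)[0]):   # order by ISO timestamp
        if m := SSH_OPEN.match(line):
            sessions.append(Session(m["user"], m["src"], int(m["port"]), parse_ts(m["ts"])))
        elif m := SSH_CLOSE.match(line):
            for s in sessions:
                if s.end is None and (s.user, s.src, s.port) == (m["user"], m["src"], int(m["port"])):
                    s.end = parse_ts(m["ts"])
        elif m := FW_ACCEPT.match(line):
            accepts.append((parse_ts(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    findings, attributed = [], []
    for ts, src, dst, dport in accepts:
        if src != JUMP_HOST:
            # The OT firewall should never pass this; the rule base needs review.
            findings.append(Finding(ts, "high", f"OT accept {src} -> {dst}:{dport} bypasses the jump host"))
            continue
        users = [s.user for s in sessions if s.active_at(ts)]
        if not users:
            # Jump host reaching OT with nobody logged in: automation, or a compromise.
            findings.append(Finding(ts, "medium", f"jump host -> {dst}:{dport} with no interactive session"))
        else:
            attributed.append(f"{ts.isoformat()} {','.join(users)} -> {dst}:{dport}")
    return findings, attributed


# Constructed log sample (not real traffic); the last line arrives out of order.
SAMPLE_LOGS = [
    "2024-03-04T09:58:12Z jumphost sshd[4112]: Accepted publickey for mdoe from 10.10.5.23 port 51022 ssh2",
    "2024-03-04T10:01:40Z otfw kernel: OTFW-ACCEPT IN=eth1 OUT=eth2 SRC=10.35.0.10 DST=10.40.1.11 PROTO=TCP SPT=49210 DPT=502",
    "2024-03-04T10:15:02Z otfw kernel: OTFW-ACCEPT IN=eth1 OUT=eth2 SRC=10.10.5.40 DST=10.40.2.11 PROTO=TCP SPT=50113 DPT=44818",
    "2024-03-04T13:30:09Z otfw kernel: OTFW-ACCEPT IN=eth1 OUT=eth2 SRC=10.35.0.10 DST=10.40.9.5 PROTO=TCP SPT=51877 DPT=502",
    "2024-03-04T11:05:00Z jumphost sshd[4112]: Disconnected from user mdoe 10.10.5.23 port 51022",
]

if __name__ == "__main__":
    findings, attributed = correlate(SAMPLE_LOGS)
    for f in findings:
        print(f.severity.upper(), f.ts.isoformat(), f.message)
    for line in attributed:
        print("attributed", line)
```

Neither source alone tells the story: the firewall log shows three accepted OT connections that all look legitimate to the OT firewall, and the jump host log shows one uneventful login. Only the join reveals that one connection never passed through the jump host (a policy gap on the OT firewall) and that another left the jump host two hours after its only user had disconnected.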
Out of band management solutions
Out of band management (OoBM) solutions provide a separate, parallel network for managing and maintaining OT devices and systems. This dedicated management path lets authorized personnel connect to OT devices for maintenance and troubleshooting without adding traffic to, or depending on, the production network. Because it sits outside the jump host and firewall path described above, it must be protected at least as strictly as that path: it is an administrative channel, not a convenience back door.
This redundant connection also keeps OT devices reachable even when the production network has failed. The connection is typically made through a dedicated management or console port, found on most managed switches, routers, firewalls, security appliances and servers.
OT networking connects, and therefore makes visible, every device, while incorporating security measures that safeguard the physical equipment and the manufacturing process from security threats.
Strong communication pathways between devices and throughout the network then pave the way for higher-level data analysis tools to deliver process optimization insights. When a holistic approach is taken, the requirements for access and security can both be met and scaled as further needs unfold over time.
Purdue Reference Model – A Guide to Understanding ICS Network Structure and Planning for Security
The entire enterprise network, IT and OT alike, is commonly modeled with a hierarchical structure called the Purdue Reference Model. The model is helpful for understanding the connections between the various components of the system as they pertain to security. It partitions the industrial network into distinct functional levels: industrial control systems reside on levels 0-3, enterprise IT on levels 4-5, and the iDMZ sits between them at level 3.5.
Kevin Romer, CCNA, and Matt Smith, CISSP, CCNA, are solutions architects for E Tech Group.
LEARNING OBJECTIVES
- Understand the roles an information technology (IT) and operational technology (OT) network play in a facility.
- Learn about different cybersecurity strategies that can keep manufacturing facilities more secure.
- Understand how threat detection engines and SIEM systems can help secure manufacturing facilities.
Original content can be found at Plant Engineering.