As the OT/IT convergence trend continues to grow, almost every industrial organisation has started reinforcing its network security and taking cybersecurity precautions to protect its operations. One of the main reasons for this is that critical infrastructure and manufacturing facilities are more likely to be targeted by cyberattacks. These concerns are well founded as we can see by the frequent news reports about companies halting their production lines for more than one day due to a cyberattack. In addition to incurring financial losses when a company is hit by a cyberattack, if it makes the news it will often also lead to reputational damage. It is fair to say that increasingly more companies are being targeted by ransomware attacks, and even some of the biggest players in the industry that have already taken precautionary measures are being targeted. These attacks demonstrate the high risk of an interconnected world, and that no organisation is immune from cyberattacks.
CISOs and CSOs are desperate to learn more about OT environments and how to implement cybersecurity measures effectively, without disrupting industrial operations. This is a complicated field where there are many approaches and architectures that must be carefully considered before a decision can be made. We will explore two of the most common security architectures used nowadays, and share some tips to help industrial organisations implement them in unique OT environments.
The initial focus of zero trust architecture, as stated in the NIST Special Publication 800-207, is to only grant minimum access privileges to those who need to operate on the network. This will prevent a situation when someone has a legitimate reason to access the network, but is unnecessarily given unrestricted access to other parts of the network, which increases the chances of a cybersecurity breach occurring.
The defence-in-depth approach contains multiple layers of security protection to reinforce network security for industrial operations. The rationale behind this is that you will have a second chance to protect zones and conduits if the first layer of protection fails. According to the IEC 62443 cybersecurity standard, it is necessary to start this process by partitioning areas based on the levels of protection required. Each partition is called a zone and all the communication devices within it share the same security level, which means they all have the same level of protection. If you want to enhance security even further, it is possible to place a zone inside another zone with additional security measures.
By combining these two approaches, you can build well-defended industrial operations with layers of protection as the foundation, and then add further protection by adding the zero trust mechanism to ensure access is restricted to only those who need to access certain areas of the network. After considering these two approaches, it is clear there is no silver bullet for cybersecurity, and there are multiple angles that must be considered to ensure your network is secure.
In addition to the examples we just considered about how to implement zero trust and defence-in-depth networks, it is very important to enhance cybersecurity awareness across different departments and make sure all team members have the same mindset regarding cybersecurity. Employees should be encouraged to understand the benefits of following technical security requirements, as this will increase the chances that the guidelines are adhered to. This requires coordinated security responses, and network monitoring and management;an assumption that all devices and networks will be compromised; and ensuring there are robust recovery and response processes.
One unfortunate scenario that is often seen in industrial networks is when user credentials are compromised. For networks that do not utilise the zero trust principle, a user’s credentials might be all a malicious actor needs to gain access to the network. However, for a network that utilises zero trust architecture, a malicious actor requires not only device access control but also user authentication and authorisation. On top of that, it is also suggested that trust lists for granular control of your network be utilised. By using trust lists, rate control and failure logout, network devices only allow access from trusted devices that are equipped with the secure boot function and prevent excessive attempts such as brute-force attacks.
By verifying the user’s credentials when logging on to devices, network devices will log all user access attempts and provide the lowest level of privileges based on the role of the user. If organisations hope to reinforce security, trust lists can be a good way to control network traffic. One common practice is to create a trust list for IP addresses and service ports, and to leverage deep packet inspection technology to granularly control the network with features such as read or write privileges.
| Tel: | +27 11 781 0777 |
| Email: | [email protected] |
| www: | www.rjconnect.co.za |
| Articles: | More information and articles about RJ Connect |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version