And yet, even as cybersecurity remains a board-level concern, many manufacturers continue to address the risks with patchwork approaches. Security can’t be achieved with a point solution. It takes an end-to-end approach – starting with the network.
Yes, there are some excellent cybersecurity tools designed especially for operational technology (OT) environments. They promise to identify devices and their communication patterns, thereby surfacing cybersecurity risks. But these tools are only as effective as the network they’re monitoring. Legacy networks often make it hard to gain the needed visibility and impossible to automate the application and enforcement of security policies.
To enable secure digital transformation, manufacturers need to reboot network security. That starts with fast-tracking the transformation of legacy production networks so they fully enable and enhance cybersecurity tools.
Switching for security
For any manufacturer, the production network is the foundation of a secure and reliable production environment. The network should provide security tools with seamless access to production systems and their communications. With the proper network hardware and software, security tools can serve as security “eyes and ears” – sensing and analyzing industrial automation and control systems (IACS) devices and communications at the edge. What’s more, the security tools should be able to perform that work without placing an undue burden on the network itself.
As it does in enterprise networks, the production network can also play a critical defensive role. With access to IACS devices and communications, OT security tools can help “profile” device behaviours and communication flows. Manufacturers can use these profiles to develop security policies, which can subsequently be enforced via the network infrastructure.
Using those same profiles, the security software can apply dynamic network segmentation – making it easy to protect a flat industrial network from anomalous communication flows and malicious traffic. It’s a cybersecurity journey we highlighted in greater detail in our “Securing Industrial Networks” solution brief.
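The profile-then-enforce idea described above, as an added illustration that is not Cisco’s code and does not reflect how Cyber Vision, TrustSec or ISE are implemented: flows observed during a known-good baseline are rolled up into a group-level allow-list (device roles stand in for segmentation tags), and any later flow that does not match a learned (source group, destination group, protocol, port) rule is denied. Device addresses, groups and flows are constructed sample data.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed asset profile: device address -> role group, the kind of
# inventory an OT visibility tool surfaces. Groups play the role of
# segmentation tags so policy is written per role, not per IP address.
ASSET_GROUPS = {
    "10.0.1.10": "PLC",
    "10.0.1.11": "PLC",
    "10.0.2.20": "HMI",
    "10.0.3.30": "ENGINEERING",
    "10.0.9.99": "CORP_LAPTOP",
}

# Constructed baseline captured while the cell ran normally.
BASELINE = [
    Flow("10.0.2.20", "10.0.1.10", "tcp", 502),    # HMI polling a PLC over Modbus/TCP
    Flow("10.0.3.30", "10.0.1.10", "tcp", 44818),  # engineering station, EtherNet/IP
]


def group_of(addr, groups):
    """Map an address to its role group; unprofiled devices get UNKNOWN."""
    return groups.get(addr, "UNKNOWN")


def learn_policy(baseline_flows, groups):
    """Build the allow-list of (src_group, dst_group, proto, dport) tuples
    seen in the baseline. Direction matters: HMI->PLC does not imply PLC->HMI."""
    return {
        (group_of(f.src, groups), group_of(f.dst, groups), f.proto, f.dport)
        for f in baseline_flows
    }


def evaluate(flow, policy, groups):
    """Return 'permit' if the flow matches a learned group-level rule, else 'deny'.
    Because rules are per group, a second PLC of the same role is covered
    without a new rule, while an unprofiled or corporate device is not."""
    key = (group_of(flow.src, groups), group_of(flow.dst, groups), flow.proto, flow.dport)
    return "permit" if key in policy else "deny"


if __name__ == "__main__":
    policy = learn_policy(BASELINE, ASSET_GROUPS)
    for f in [Flow("10.0.2.20", "10.0.1.11", "tcp", 502),   # HMI to the other PLC
              Flow("10.0.9.99", "10.0.1.10", "tcp", 502),   # corporate laptop to PLC
              Flow("10.0.1.10", "10.0.2.20", "tcp", 502)]:  # reverse direction
        print(f, "->", evaluate(f, policy, ASSET_GROUPS))
```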
Cisco’s Industrial Ethernet line of switches, especially the revamped modular IE3x00 switches, provides resilient networking and rich cybersecurity capabilities that are a foundation for digital transformation. These switches embed the Cisco Cyber Vision sensor, which provides comprehensive visibility into industrial assets and communications, and TrustSec, which enforces device-level segmentation according to security policies created by the Cisco Identity Services Engine (ISE).
The IE3x00 series is an ideal platform to easily secure production systems at scale, far exceeding the capabilities of legacy production networks. It’s well suited to displacing legacy network equipment to enable a more tightly integrated end-to-end security strategy.
Of course, transforming an existing network is not a trivial undertaking. Given the 24/7/365 operational tempo of many production environments, there is a significant risk if a migration is poorly executed. Before displacing any existing network devices, manufacturers need to perform sufficient planning, testing and preparation to minimize potential downtime (planned and unplanned).
In “Part 2” of this blog series, my colleague Kevin Turek will share detailed recommendations for manufacturers making the strategic decision to reboot their production network – and dramatically improve cybersecurity. In the meantime, read our whitepaper to learn more about how a modern industrial network can help you scale your OT cybersecurity strategy.
This blog was originally written by Paul Didier for Cisco Blogs.