September 2021

26 n CYBERSECURITY September 2021 www.drivesncontrols.com Building boundaries to enhance cybersecurity T he rise of interconnected OT (operational technology) and IT (information technology) systems is often attributed to how business models have evolved to enhance operational efficiency. For example, Scada networks deployed on oil pipelines now collect data that is essential to billing and pricing systems. This increase in data collection allows operators to predict with higher levels of accuracy not only oil production, but also expected revenues. However, as well as benefits, these interconnected systems also raise potential problems. One major downside is that they increase the likelihood of cybersecurity threats to OT systems. Compromising IT systems can have a hugely negative impact on OT systems. Ransomware attacks, for instance, are increasing in severity. This type of malware exploitsWindows vulnerabilities and attacks insufficiently protected systems. With cybersecurity incidents increasingly occurring in OT systems, manufacturers are keen to find ways of enhancing security while allowing their operations to keep running normally. This is where the concept of“defence- in-depth”comes into play. It allows businesses to use their existing network infrastructures to build the first line of network defence. Cyber-hygiene When enhancing cybersecurity, it is important to understand how industrial systems exchange data and how they connect to IT- level systems. In an ideal scenario, when traffic crosses between different systems, there should be boundaries in place between each system to ensure that the traffic has good “cyber-hygiene”, even if it is authenticated and authorised. However, it is challenging and often unrealistic to build boundaries between every system, as this involves significant expenditure, and often has a detrimental effect on the efficiency of network communications. It is for these reasons that we recommend dividing OT systems into separate digital cells and zones, to build up the boundaries to find the right balance between expenditure and acceptable levels of risk. The defence-in-depth approach, which is recommended in the IEC 62443 cybersecurity standard, is now used widely and has a good track record of helping to build up multiple layers of protection, while maintaining operations. For critical assets and operations, it is wise to take additional precautions, such as adding more layers of protection. Building boundaries Isolating networks physically is known as air gapping. When the operation and security of one system needs to be maintained independently, an air gap is a potential answer. However, as mentioned earlier, it is increasingly difficult to arrange networks this way due to business and operational requirements. Because industrial control systems may have been commissioned decades ago, a key challenge – but also an essential requirement for network administrators – is to use existing infrastructures while ensuring that industrial control systems remain secure. One common approach is to segregate traffic between different network segments using a VLAN (virtual LAN), which is one of the functions of managed Ethernet switches. Some switches offer Access Control Lists (ACL) at the port level, which can help improve VLAN security as data enters the switch. An alternative is to deploy firewalls to protect industrial applications and data, especially when you need to deal with traffic on Layer 2 and 3 networks. Further segmentation can be applied by using Deep Packet Inspection. DPI offers granular control over network traffic and helps you to filter industrial protocols based on the application. When you have multiple devices on the same network, theoretically, they can all communicate with each other. However, there are certain scenarios where, for example, controller A should only communicate with robot arm A at a specific time. DPI technology can the help to define which controllers can perform read/write commands or even the direction of traffic. Micro-segmentation In some situations, additional protection for critical assets is essential, and a good way to achieve this is to use an intrusion prevention system (or IPS) to“micro segment”the network. What makes micro-segmentation particularly helpful for industrial networks is that it can With the growing threat to industrial networks from cyber-attackers, manufacturers are looking for ways to ensure the security of their systems with minimal disruption to normal operations. Alvis Chen, from the networking specialist Moxa, recommends dividing industrial systems into separate cells and zones. Defence-in-depth security is based on multiple layers of mechanisms that increase the security of the entire system