“Operations personnel are not Cisco security engineers. That’s not their job.” Cisco’s Paul Didier explained how CPwE networks can be deployed to provide secure connectivity in both OT and IT environments.
From IoT to mobility and even control, Ethernet is now the backbone of an increasing number of plant applications. But many companies hesitate to use it, especially wireless, due to security concerns.
“It’s expensive to put this stuff in. You should be able to use it for more than one purpose,” said Paul Didier, IoT solutions architect, Cisco Systems, to attendees of “Identity and Mobility in Converged Plantwide Ethernet (CPwE) Architectures,” a session he co-presented with Eduard Polyakov, commercial project engineer, Rockwell Automation, at Rockwell Automation TechED, this week in San Diego.
“But customers are understandably concerned about security,” Didier said. Last year was “not a banner year” for cybersecurity in the industry. “We had a lot of challenges.”
The problem is complicated because, “There’s a lot of legacy operations technology (OT) things out there,” Didier continued. “Windows 95, NT—a whole bunch of systems that are there for a reason. Assets we paid for that are not going to be upgraded. We’re not going to rip and replace, so how can we keep them active and running securely?”
Most production facilities don’t know what they have on their OT networks. “On the IT side, they’re pinging devices left and right, and telling you that you have to upgrade. But on OT networks, that’s not going to happen—and the pinging can hurt things,” Didier said. Plants still have many small, isolated networks in three or four levels, some with home PCs connected. “Operations personnel are not Cisco security engineers,” Didier said. “That’s not their job.”
Cisco and Rockwell Automation have been working together to develop CPwE architectures that solve OT problems and allow secure use of wired and wireless Ethernet, as well as other protocols. From a security standpoint, the priorities are:
- Visibility and analysis: Identify everything on the network, analyze traffic and detect anomalies
- Segmentation: The architecture has natural segmentation, and security enforces it
- Remote access: Use open, standard networks and allow only the right people and right equipment for a limited time
- Security services: Experts with tools and technology to assess current status, identify risks and ways to improve them on a continual basis.
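The first two priorities, visibility and segmentation, can be illustrated with passive analysis of observed traffic rather than active scanning, which matches Didier's point that pinging OT devices "can hurt things". The following is an added example written for this page, not Cisco or Rockwell Automation code: it reads a handful of constructed flow records (source, destination, protocol, port), builds an asset inventory from what the devices actually talk to, and flags flows that cross between zones in a way the segmentation model does not permit. The zone address ranges, the allowed zone-pair table and the sample flows are all assumptions made up for the example; a real deployment would take these from its own CPwE zone design and from switch or firewall flow exports.

```python
"""Passive OT asset inventory and segmentation check over constructed flow records."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed zone map for the example (not from the article): two cell/area zones,
# an industrial DMZ and the enterprise network. The CPwE principle illustrated
# is that cell/area traffic reaches the enterprise only via the industrial DMZ.
ZONES = {
    "cell-area-1": ip_network("10.10.1.0/24"),
    "cell-area-2": ip_network("10.10.2.0/24"),
    "industrial-dmz": ip_network("10.20.0.0/24"),
    "enterprise": ip_network("10.100.0.0/16"),
}

# Permitted (source zone, destination zone) pairs. Anything else is reported.
ALLOWED = {
    ("cell-area-1", "cell-area-1"), ("cell-area-2", "cell-area-2"),
    ("cell-area-1", "industrial-dmz"), ("cell-area-2", "industrial-dmz"),
    ("industrial-dmz", "cell-area-1"), ("industrial-dmz", "cell-area-2"),
    ("enterprise", "industrial-dmz"), ("industrial-dmz", "enterprise"),
}

# Constructed flow records: "src_ip,dst_ip,proto,dst_port".
# EtherNet/IP explicit messaging uses TCP 44818 and implicit I/O uses UDP 2222.
SAMPLE_FLOWS = """\
10.10.1.10,10.10.1.20,tcp,44818
10.10.1.10,10.10.1.21,udp,2222
10.10.1.30,10.20.0.5,tcp,443
10.100.4.7,10.10.2.15,tcp,3389
10.10.2.15,10.10.2.16,tcp,44818
192.168.0.9,10.10.1.20,tcp,44818
"""


@dataclass
class Asset:
    ip: str
    zone: str
    serves: set = field(default_factory=set)  # (proto, port) pairs this host answered on
    peers: set = field(default_factory=set)   # hosts it exchanged traffic with


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it matches no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text: str):
    """Parse CSV-style flow lines into (src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port = line.split(",")
        flows.append((src, dst, proto, int(port)))
    return flows


def build_inventory(flows) -> dict:
    """Derive an asset list purely from observed traffic; nothing is probed."""
    assets = {}
    for src, dst, proto, port in flows:
        for ip in (src, dst):
            assets.setdefault(ip, Asset(ip=ip, zone=zone_of(ip)))
        assets[dst].serves.add((proto, port))
        assets[src].peers.add(dst)
        assets[dst].peers.add(src)
    return assets


def find_violations(flows):
    """Return flows whose zone pair is not in the permitted table."""
    findings = []
    for src, dst, proto, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz) not in ALLOWED:
            findings.append((src, dst, f"{sz} -> {dz} not permitted ({proto}/{port})"))
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for asset in sorted(build_inventory(flows).values(), key=lambda a: a.ip):
        print(f"{asset.ip:15} {asset.zone:15} serves={sorted(asset.serves)}")
    for src, dst, reason in find_violations(flows):
        print(f"ANOMALY {src} -> {dst}: {reason}")
```

On the sample data the inventory lists nine hosts, two of which (the controller at 10.10.1.20 and the one at 10.10.2.16) are seen answering on the EtherNet/IP port, and two flows are reported: an enterprise workstation opening RDP straight into cell/area zone 2 without passing through the DMZ, and an address that belongs to no defined zone talking to a cell/area controller, which is exactly the "home PC connected to the plant network" situation Didier describes.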
Cisco offers an extensive suite of products to streamline and secure industrial network applications, from its Identity Services Engine (ISE) that controls access and its AnyConnect VPN technology, to its CTA threat analytics, Umbrella system for blocking malicious traffic, and infrastructure, threat detection and firewalls.
IT improves OT
“We converge IT and OT, breaking down the silos and bringing them together to provide the best of both worlds—better security frameworks and models for OT applications,” Didier said.
For example, Identity Services is software-based, runs on a server, is hierarchical (can be based on an enterprise version), and understands the concepts of people and devices, such as a laptop, tablet or phone. “It knows who, what, when, where and why—providing role-based access for a guest, contractor/vendor, or employee,” Didier said. It can support specific ports in a production area for contractor access, scan their laptop, look at their software, and allow access based on the results with either a temporary or permanent, password-based account.
An employee may have “rich access, but managed so you can be sure they’re entitled to do what they’re doing, and quickly change it if employment ends,” Didier said. Corporate and personal devices can be managed differently according to company policies and user status.
Users can be tracked, and reports made of when they were on and what they were doing. It can be integrated with location services to add “where.”
The partnership with Rockwell Automation makes sure these Cisco capabilities work in industrial applications with Rockwell Automation products. “CPwE is the way we collaborate,” Didier said. “We produce validated architectures that we design together, test in laboratories and document.”
The architectures are developed from customer use cases and tested for performance, availability, scalability and security. The result is a “future-ready network designed for The Connected Enterprise,” Didier said.
IT and OT both benefit from the collaboration’s recommendations and best practices, design and implementation guidance, test results and configuration settings recommendations. “The customer gets simplified design and development, at reduced risk,” Didier said. For more, he recommends the CPwE Design Guide ENET-TD008.
Wireless challenges and opportunities
Wireless and mobile connectivity offers increased productivity and lower downtime, but adds more security challenges. “Some plants just say, ‘no wireless,’ but that has its own risks, such as rogue access points,” said co-presenter Polyakov. “People will have wireless on their devices. It’s better to give them a secure way with infrastructure, and know who and what is on it.”
The principles of secure wireless include, “No universal wireless password,” Polyakov said. Use a role-based identity as described above. “But mobile devices can usually connect to both Wi-Fi and cell networks, so also allow only locked-down, authorized devices. No mixing of personal and confidential information.”
The CPwE architecture offers wireless access points and WLAN controllers to manage multiple access points. “You can make a configuration change in the controller, then push it to all the devices,” Polyakov said. Wireless bridges are available to connect equipment, and Cisco Mobility Engine can let you see where people are on the network.
Along with the other features Didier described for wired networks, a wireless architecture can be designed to accommodate and quarantine existing or essential proprietary networks. “An autonomous WLAN can be set up for specialized applications,” said Polyakov. “You can know what radios are on your network, their frequencies and locations, and enforce limits on them.”