Because humans can’t be vigilant enough against the 24/7 deluge of cyber-probes, intrusions and attacks, some cybersecurity solutions are becoming as automated as the processes and networks they protect, including some that are transitioning from virtual local area networks (VLANs) to software-defined networking (SDN).
For instance, the prefabrication shop at system integrator Interstates in Sioux Center, Iowa, has manufacturing requirements that used to make its regular enterprise network vulnerable and made it difficult for staffers to do their jobs. Some of the shop’s machines needed building information model (BIM)-generated data files to drive manufacturing processes, while third-party vendors needed remote access to provide software support and troubleshooting. This meant giving the machines and vendors network access, even though Interstates’ operators and technicians and its IT department didn’t always know when other parties were in the system or what they were doing. Vendors could gain remote access, potentially reach other resources on the enterprise network, and even view the activities of different vendors.
“Historically, we’ve used VLANs for segmentation, and deployed firewalls above the controls network. However, this only got us so far in handling what was going on within our environment because we couldn’t control communications within the VLANs,” says Dave Smit, senior systems analyst at Interstates, which is a certified member of the Control System Integrators Association (CSIA). “We could add an access control list (ACL), but they’re often messy and hard to manage. Over the last three or four years, we’ve seen lots of customers adding cybersecurity inspection software such as Nozomi, Armis or Claroty to monitor network traffic. However, these products typically only provide visibility, not the ability to control east-west traffic.”
Simpler with SDN
To further improve its cyber-awareness and protections, Interstates has also worked with Veracity Industrial Networks (veracity.io) for several years, and participated in developing its OT Network Controller software, which intuitively manages an SDN-capable switch from Dynics Inc., and uses zero-trust and deny-by-default methods to improve network visibility and security. The controller also manages switches, microsegments network traffic, creates device-based firewalls on endpoints like PLCs and HMIs, supports OT Ethernet-based protocols, and presents data in formats preferred by plant-floor personnel. It’s been running at Interstates’ prefab shop for a year and a half and is presently being added to its facility in Omaha, Neb.
“The advantage of SDN and Veracity’s OT Network Controller is that we don’t need to do another VLAN segmentation, which is usually complex and requires a lot of overhead and management. Plus, SDN lets us go back to a flatter network that needs less maintenance, but has more cybersecurity benefits than a regular VLAN. Now, we don’t just control north-south network traffic, but also east-west traffic thanks to per-device microsegmenting. With SDN and OT Network Controller, one device can talk to another, but only via a pre-authorized defined protocol, which creates a network-based firewall for every device. We can also allow devices to communicate on a very small subset of ports. For example, we can restrict Server Message Block (SMB) client-server protocol for file sharing between only approved devices. With SDN switches and networking, as soon as anything is plugged in, we know where it is and when it happened.”
Coordinating skid communications
Once the prefab shop at Interstates installed OT Network Controller, it achieved several objectives:
- Isolating separate skids, including a Scotchman cold saw, Haco press brake, ShopSabre CNC plasma table, and a ShopSabre CNC router;
- Isolating the facility’s manufacturing network from Interstates’ corporate network;
- Controlling access to and from particular aspects of the network;
- Controlling third-party access to the shop’s equipment; and
- Meeting the cybersecurity requirements of the company’s insurance carrier, which requires separating production and business networks.
“Veracity OT Network Controller lets us isolate and limit communication between our skids, so vendors can only access their own skid,” says Smit. “Because we installed and configured this solution, we can support it long-term with a nuanced understanding of the initial configuration and SDN learning modes. The goal, however, is for SDN to be simple and easy to manage once set.”
In addition, Smit reports that using Veracity’s solution at the shop reduces the risk of cutting over a single station to the new network. “This is important because at least one of the skids we worked with was a high-volume machine that we didn’t want to take down for an extended period,” he explains. “When the time is right, the new switch can be wired up and ready to go with simple steps. Shop workers can put the switch in learn mode at lunchtime, and no longer worry about having the VLANs configured on all the ports or making sure they plug the right devices into the exact right port.”
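The two ideas the article leans on, deny-by-default per-device microsegmentation (the OT Network Controller description and Smit’s SMB example above) and a learn mode that baselines a skid before enforcement (the lunchtime cutover just described), can be modeled in a few dozen lines. The following is an added illustration written for this page, not Veracity, Dynics or Interstates code; the device names, the TCP/445 and TCP/5900 ports, and the flow records are constructed assumptions, and the controller’s real learn/enforce semantics are not known from the article.

```python
"""Toy model of deny-by-default, per-device microsegmentation in an SDN-managed
OT network, with a "learn" mode that baselines a skid's traffic before enforcement.

Added illustration, not Veracity OT Network Controller or Dynics code; the device
names, ports and flow records below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Rule: (peer device, IP protocol, destination port) a source device may send to.
Rule = Tuple[str, str, int]
# Flow the switch asks the controller to decide: (src, dst, proto, dst_port).
Flow = Tuple[str, str, str, int]


@dataclass
class SegmentPolicy:
    """One allowlist per device; anything not listed is dropped (deny by default)."""
    allowed: Dict[str, Set[Rule]] = field(default_factory=dict)
    learning: Set[str] = field(default_factory=set)   # devices currently in learn mode
    denied: List[Flow] = field(default_factory=list)  # dropped flows, kept for review

    def permit(self, src: str, dst: str, proto: str, port: int) -> None:
        """Explicitly authorize one direction of one protocol/port between two devices."""
        self.allowed.setdefault(src, set()).add((dst, proto, port))

    def start_learning(self, device: str) -> None:
        self.learning.add(device)

    def stop_learning(self, device: str) -> None:
        self.learning.discard(device)

    def evaluate(self, flow: Flow) -> str:
        """Decide a flow: ALLOW if pre-authorized, LEARNED while baselining, else DENY."""
        src, dst, proto, port = flow
        if (dst, proto, port) in self.allowed.get(src, set()):
            return "ALLOW"
        if src in self.learning or dst in self.learning:
            # Learn mode: record what the skid actually uses so an operator can review
            # the baseline, then enforce it without hand-editing per-port VLAN rules.
            self.permit(src, dst, proto, port)
            return "LEARNED"
        self.denied.append(flow)  # every drop is recorded for alerting/review
        return "DENY"


def run_scenario() -> Dict[str, str]:
    """Baseline one skid in learn mode, then enforce; returns each test flow's decision."""
    policy = SegmentPolicy()

    # Constructed lunchtime learn-mode traffic on the plasma-table skid: the BIM
    # file server pushes cut files to the skid over SMB (TCP/445).
    policy.start_learning("plasma_cnc")
    learned = policy.evaluate(("bim_fileserver", "plasma_cnc", "tcp", 445))
    policy.stop_learning("plasma_cnc")

    # Explicit vendor rule: the plasma vendor may reach only its own skid, on a
    # remote-support port (5900 is a constructed example value, not from the article).
    policy.permit("vendor_plasma", "plasma_cnc", "tcp", 5900)

    return {
        "learn_mode_result": learned,
        # east-west flow that was baselined during learn mode
        "bim_to_plasma_smb": policy.evaluate(("bim_fileserver", "plasma_cnc", "tcp", 445)),
        # same pair of devices, different port: not in the allowlist, so dropped
        "bim_to_plasma_other": policy.evaluate(("bim_fileserver", "plasma_cnc", "tcp", 80)),
        # vendor reaching its own skid on the authorized port
        "vendor_own_skid": policy.evaluate(("vendor_plasma", "plasma_cnc", "tcp", 5900)),
        # vendor reaching a different skid: denied, vendors only see their own skid
        "vendor_other_skid": policy.evaluate(("vendor_plasma", "press_brake", "tcp", 5900)),
        # north-south: the skid talking to the corporate network is not authorized either
        "plasma_to_corp": policy.evaluate(("plasma_cnc", "corp_laptop", "tcp", 445)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22} {verdict}")
```

The point the model makes concrete is that the allowlist is keyed by source device, destination device, protocol and port, so “SMB between only approved devices” is one rule rather than a VLAN plus an ACL, and the same mechanism covers east-west (skid to skid) and north-south (skid to corporate) traffic. Whatever learn mode records should be reviewed by an operator before the skid leaves learn mode, since anything that happened to be talking during the baseline window would otherwise be permitted.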
Finally, end users at Interstates and its partners haven’t noticed any technical issues after switching to SDN. “In fact, it improved and simplified their work,” says Smit. “Previously, they’d take a USB key, download the files they needed, and then physically run it out to the skid, which was risky and inefficient. Veracity OT Network Controller lets them securely access the file they need on the network.”