Even though cool, new cybersecurity tools like zero-trust strategies are emerging on the IT side, some system integrators report they have yet to show up on the OT side. The two main reasons for this are that many process-industry manufacturers are still adopting more basic cybersecurity measures first, and they remain reluctant to cede control of their networks to software-based functions.
“Zero-trust is still new, but it’s getting popular among IT users because it lets them more easily identify and decide who can join their networks, allow functions they do need, and block what they don’t need,” says John Peck, OT security manager at Gray Solutions LLC, a system integrator in Lexington, Ky., and a certified member of the Control System Integrators Association (CSIA). “Zero-trust isn’t on the OT side yet because many users are concerned it and other recent cybersecurity tools could cause outages and safety issues, including unplanned shutdowns of their processes and equipment.”
After they conduct an initial asset inventory and cyber risk assessment (cyber RA), Peck reports that Gray Solutions advises its clients to start with the well-known, multi-layered defense-in-depth (DD) cybersecurity strategy advocated by Cisco’s Converged Plantwide Ethernet (CPwE), NIST’s Cybersecurity Framework and other guidelines.
“Only allowing what devices and users need to talk to begins with network segmentation, and using managed Ethernet switches as firewalls,” adds Peck. “However, we’re still arguing to get clients to adopt managed switches that are more costly and require more labor versus unmanaged switches that are cheap and require less labor, but can cause users to lose all network visibility. Meanwhile, managed switches can also be traced to end devices, enable segmentation, have ports that can be turned on and off, and are easier to troubleshoot. Tracing lets users know what’s on their network and where it’s connected, as well as helping them check for problems and providing alerts about errors and issues. Despite these benefits, it’s still hard to get people to invest in the long run.”
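As an added illustration (not configuration from Gray Solutions or any of its clients), the following Cisco IOS fragment shows the managed-switch controls Peck describes: a VLAN per zone so devices only share a segment with the peers they need to reach, port security that pins an access port to one learned device and alerts on anything else, and unused ports administratively shut down. The VLAN numbers, interface names and device descriptions are assumptions.

```text
! Constructed example: one VLAN per OT zone, so a PLC segment and an HMI
! segment only meet through a firewall or router that permits needed flows.
vlan 110
 name OT_PLC_Line1
vlan 120
 name OT_HMI_Line1
!
! Access port for a known PLC: the first MAC seen is learned and saved
! ("sticky"); a second device plugged in shuts the port and logs a violation.
interface GigabitEthernet1/0/1
 description PLC-Line1-01 (hypothetical device name)
 switchport mode access
 switchport access vlan 110
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description HMI-Line1-01 (hypothetical device name)
 switchport mode access
 switchport access vlan 120
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: parked in a dead-end VLAN and administratively down, so a
! stray cable cannot join the network until someone deliberately enables it.
vlan 999
 name UNUSED_PARKING
interface range GigabitEthernet1/0/13 - 24
 description Unused - administratively down
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Tracing: these show commands reveal which device sits behind which port,
! which an unmanaged switch cannot report.
! show mac address-table interface GigabitEthernet1/0/1
! show port-security interface GigabitEthernet1/0/1
! show interfaces status
```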
Multiple sites need common ground
For example, a global, canned beverage producer with eight plants in the U.S. and Canada recently acquired several new facilities that are all different with no standard networking, according to Paige Minier, senior digital transformation manager at Gray Solutions.
“Some of the new sites have some network segmentation separating IT and OT, and some don’t. Some have old networking hardware, 30-40 physical servers, and 10-year-old data storage devices,” says Minier. “They wanted to upgrade all these systems at once, so we helped them standardize on new switches and servers.”
Minier reports the system integrator performed an in-depth discovery at each of the eight facilities, examined their network architectures and topologies, and built a frame and rack elevation diagram. It shows spaces for cables, what devices are on which rack, and what open space is available. This let Gray Solutions and the beverage company revamp and rebuild the plants’ networks, and documented the makes and models of PLCs, HMIs and other devices they deployed.
“Four of the plants were fairly standardized on Hirschmann managed switches, which provided segmentation, but much of the hardware was also obsolete and didn’t define standard clients or active models,” explains Minier. “The other four plants had different models of Cisco’s managed switches, but many of them were obsolete, too, while lots of components at the control panel-level were unmanaged. Our discovery reports showed the plants’ present states and cybersecurity hygiene scoring, and detailed all of their end-of-life networks, servers and firewalls. Some sites had no segmentation, and others had never had any software patching, so there were tons of vulnerabilities.”
Even though these findings were grim, Minier adds they gave the beverage company a roadmap to the more ideal and secure state they were seeking, which included a standardized and segmented network architecture in accordance with CPwE and the ISA/IEC 62443 cybersecurity standard. It eventually implemented PaloAlto 3200 firewalls, Cisco Catalyst 9500 switches, and Cisco 9330 access switches with intermediate distributed frames (IDF).
“This was a very collaborative project, and had to be as our client learned to manage their cybersecurity tasks. We also consolidated licensing and procurement, and followed other cybersecurity best practices,” adds Minier. “The client also didn’t want static, one-time cybersecurity scans, but instead wanted to apply patches when necessary, and detect ongoing threats to the OT side. This was their next project, and they went with Nozomi’s network monitoring software after other capital projects were done.”