Despite the recent buzz about zero trust, which blocks devices from communicating unless a connection is explicitly allowed, it and other new measures must be underpinned by long-standing, fundamental protections such as network segmentation, according to Alan Raveling, OT architect for cybersecurity and infrastructure at Interstates, headquartered in Sioux Center, Iowa, a certified member of the Control System Integrators Association (CSIA).
“Most users and applications still have a lot of basic cybersecurity work to do. For example, it’s likely they’ve already separated their OT and IT networks, but is production line A separated from production line B? It’s just as likely they need to microsegment their networks, too,” says Raveling. “This means determining and setting up known routes and pathways, and funneling communications through something that can act like a policeman, and decide which communications are allowed, which are not, or which are OK for two hours and then restricted again.”
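The "policeman" Raveling describes is, in ISA/IEC 62443 terms, a conduit policy between zones: every cross-zone flow is denied unless a named conduit allows it, and some conduits are only open for a window. The following is an added example written for this article, not Interstates' tooling or a client configuration; the zone names, subnets, ports, vendor maintenance window and sample flows are all assumed for illustration. It shows how such a policy is expressed and evaluated, including the case where a temporary allow has expired.

```python
"""Zone-and-conduit policy checker for OT microsegmentation.

Added example, not code from the article or from Interstates. Models two
production lines as separate zones, an OT DMZ and the IT network, a
default-deny policy, permanent conduits, and one time-limited conduit
(a two-hour vendor window) that closes automatically. All addressing,
ports and timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical zones and their address ranges (assumed, not from the article).
ZONES = {
    "line_a": ip_network("10.10.1.0/24"),
    "line_b": ip_network("10.10.2.0/24"),
    "ot_dmz": ip_network("10.10.250.0/24"),
    "it":     ip_network("10.20.0.0/16"),
}

# A two-hour vendor maintenance window on production line A (constructed).
WINDOW_START = datetime(2024, 5, 1, 10, 0)
WINDOW_END = WINDOW_START + timedelta(hours=2)


@dataclass(frozen=True)
class Conduit:
    """One allowed, directional, cross-zone path (initiating direction only;
    the enforcement point is assumed to be stateful for return traffic)."""
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"
    expires: Optional[datetime] = None   # None means a permanent rule


CONDUITS: List[Conduit] = [
    Conduit("line_a", "ot_dmz", 1433),                       # historian push
    Conduit("line_b", "ot_dmz", 1433),                       # historian push
    Conduit("it", "ot_dmz", 443),                            # IT reads the DMZ, never the lines
    Conduit("it", "line_a", 44818, expires=WINDOW_END),      # vendor EtherNet/IP access, time-boxed
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    ts: datetime


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means an asset nobody inventoried."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow, conduits: List[Conduit] = CONDUITS) -> Tuple[str, str]:
    """Return (decision, reason). Default deny: only an exact conduit match allows."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return ("deny", "unknown-asset")          # unidentified asset never gets a path
    if src_zone == dst_zone:
        return ("allow", "intra-zone")            # simplification: no intra-zone filtering here
    for c in conduits:
        if (c.src_zone, c.dst_zone, c.dst_port, c.proto) == (src_zone, dst_zone, flow.dst_port, flow.proto):
            if c.expires is not None and flow.ts >= c.expires:
                return ("deny", "conduit-expired")
            return ("allow", f"conduit {c.src_zone}->{c.dst_zone}:{c.dst_port}/{c.proto}")
    return ("deny", "no-conduit")


def expired_conduits(now: datetime, conduits: List[Conduit] = CONDUITS) -> List[Conduit]:
    """Housekeeping check: temporary conduits that should be removed from the rule base."""
    return [c for c in conduits if c.expires is not None and now >= c.expires]


# Constructed sample flows: line A to line B, line A to historian, vendor inside
# and after the window, and an address that is in no zone.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.2.20", 502, "tcp", WINDOW_START),                       # PLC A -> PLC B
    Flow("10.10.1.20", "10.10.250.10", 1433, "tcp", WINDOW_START),                    # PLC A -> historian
    Flow("10.20.5.7", "10.10.1.20", 44818, "tcp", WINDOW_START + timedelta(hours=1)),  # vendor, in window
    Flow("10.20.5.7", "10.10.1.20", 44818, "tcp", WINDOW_END),                        # vendor, window closed
    Flow("192.168.1.50", "10.10.1.20", 44818, "tcp", WINDOW_START),                   # unknown laptop
]


def run_examples() -> List[Tuple[str, str]]:
    return [evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f, (decision, reason) in zip(SAMPLE_FLOWS, run_examples()):
        print(f"{f.src} -> {f.dst}:{f.dst_port} at {f.ts:%H:%M}: {decision} ({reason})")
    print("expired conduits to clean up:", expired_conduits(WINDOW_END))
```

Two design points carry over to a real firewall or switch ACL: the first condition is that an asset not in the inventory gets no path at all, which is why asset identification precedes rule writing, and the expiry check lives in the evaluator rather than in whoever remembers to remove the rule, so a "two hours" exception really does close after two hours. The `expired_conduits` check is the audit you would run against the rule base so temporary exceptions do not quietly become permanent.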
To put their cybersecurity infrastructure in place from the beginning, Raveling adds, users should start with passwords, authentication and accountability for each user at each station; then proceed to network segmentation and monitoring; and then address the coding requirements for supporting multiple devices. This sequence tracks the foundational requirements of ISA/IEC 62443-3-3, the part of the standard that defines system security requirements and security levels (identification and authentication control, use control, restricted data flow, and timely response to events, among others).
“Cybersecurity needs to be part of the requirements phase of any project. Process engineers need a security expert in the room to help draft their proposal for a machine or production line. They also need to talk with their managers about whether the risk they’re planning to take on is acceptable,” adds Raveling. “Existing patchworks of devices and applications must address cybersecurity project-by-project because many legacy devices aren’t capable of adding cybersecurity functions. So, while some plants can support security level 2 (SL2) according to ISA 62443, others aren’t ready and must find other ways to compensate.”
For example, Raveling reports that Interstates completed several microsegmentation projects in the past year, including a consumer liquids manufacturer that went from three Ethernet networks to 20 with multiple demilitarized zones (DMZ) and firewalls. “This was a considerable undertaking because we had to change the Internet protocol (IP) addresses on lots of equipment, and collaborate on how to handle internal and external communications,” says Raveling. “We had to add new switches, but it was mostly reconfiguring and reallocating existing switches. If you have the capabilities and resources available internally, this can be done without it costing too much.”
On a smaller microsegmentation project, Raveling adds that Interstates segmented one client’s network, established asset identification, drafted a comprehensive list of applications, local area networks (LAN) and other items, and provisioned their users into multiple accounts, instead of the group account they used before. “Users must get stricter about the types of accounts they use,” says Raveling. “Likewise, instead of allowing contractors to use their own laptops, organizations should require contractors to use a client organization’s laptop that’s configured for safe use, or use a secure remote access server if they’re working remotely.”