Bake security into network designs

Dec. 11, 2023
System integrator Malisko Engineering advocates examining cybersecurity early, looking deeper where it's needed, and automating its functions where possible

Sooner is almost always better, especially when it comes to cybersecurity.

“More and more of today’s controls are network-based, so it makes sense to integrate cybersecurity from the start as part of good network design and security-focused culture,” says Corey Schoff, senior network and security engineer at Malisko Engineering Inc. “More clients are interested in cybersecurity, but they don't know what they can’t see, so we try to give them greater visibility about what’s secure and where they need to look deeper. For example, using Cisco’s Cyber Vision software shows cybersecurity-related network activity, bringing visibility to what would otherwise be anonymous traffic.”

Lee Kottke, network and security engineer at Malisko, adds these efforts are aided by the increasing automation of many cybersecurity functions. “For example, when they’re historizing device traffic or lateral movements, users can compare day-one baseline data to day-15 information, and determine what’s correct versus what’s anomalous, possibly unauthorized or a telltale sign of malicious activity,” explains Kottke.
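The day-1 versus day-15 comparison Kottke describes can be reduced to a few operations on exported flow records: flows that did not exist in the baseline, flows that vanished, and flows whose volume jumped. The following is an added example, not Cyber Vision or Malisko code; the flow records, addresses and thresholds are constructed for illustration, and a real deployment would feed it records from a flow collector or span-port probe.

```python
"""Compare a known-good traffic baseline with a later capture (added example).

Not Cyber Vision or Malisko code: it models the day-1 versus day-15 comparison
on flow records such as a collector or span-port probe would export. The
records below are constructed, with hypothetical addresses.
"""
from collections import Counter, defaultdict

# Constructed flow records, one per observed connection: src,dst,dport,proto.
# Day 1: PLC 10.10.1.10 polls its I/O (EtherNet/IP 44818, Modbus 502), the HMI
# at .50 polls the PLC, and the PLC syncs time with an NTP server.
BASELINE_DAY1 = """\
10.10.1.10,10.10.1.20,44818,tcp
10.10.1.10,10.10.1.21,44818,tcp
10.10.1.10,10.10.1.22,502,tcp
10.10.1.50,10.10.1.10,44818,tcp
10.10.1.50,10.10.1.10,44818,tcp
10.10.1.50,10.10.1.10,44818,tcp
10.10.1.10,10.10.5.5,123,udp
"""

# Day 15: the same flows, plus device .20 opening SMB to three neighbours and the
# HMI polling four times as often as it did on day 1.
DAY15 = """\
10.10.1.10,10.10.1.20,44818,tcp
10.10.1.10,10.10.1.21,44818,tcp
10.10.1.10,10.10.1.22,502,tcp
10.10.1.10,10.10.5.5,123,udp
10.10.1.20,10.10.1.21,445,tcp
10.10.1.20,10.10.1.22,445,tcp
10.10.1.20,10.10.1.23,445,tcp
""" + "10.10.1.50,10.10.1.10,44818,tcp\n" * 12


def parse_flows(text):
    """Count each (src, dst, dport, proto) tuple; blank and malformed lines are skipped."""
    flows = Counter()
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        src, dst, dport, proto = parts
        flows[(src, dst, int(dport), proto.lower())] += 1
    return flows


def compare(baseline, later, spike_factor=3.0):
    """Report flows that are new, flows that vanished, and flows whose volume jumped."""
    new = sorted(k for k in later if k not in baseline)
    missing = sorted(k for k in baseline if k not in later)
    spikes = sorted(
        (k, baseline[k], later[k])
        for k in later
        if k in baseline and later[k] >= spike_factor * baseline[k]
    )
    return {"new": new, "missing": missing, "spikes": spikes}


def fan_out(new_flows, threshold=3):
    """Sources that opened new connections to at least `threshold` distinct
    destinations: the shape a scan or lateral movement leaves behind."""
    by_src = defaultdict(set)
    for src, dst, _dport, _proto in new_flows:
        by_src[src].add(dst)
    return {src: sorted(dsts) for src, dsts in by_src.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    report = compare(parse_flows(BASELINE_DAY1), parse_flows(DAY15))
    for flow in report["new"]:
        print("new flow:", flow)
    for flow, before, after in report["spikes"]:
        print(f"volume spike: {flow} {before} -> {after}")
    print("possible lateral movement:", fan_out(report["new"]))
```

Two caveats a practitioner would add. The baseline is only as good as the window it was captured in: OT traffic is periodic, so it should span a full production cycle including maintenance and batch changeovers, or legitimate but infrequent flows will be flagged on day 15. And a baseline taken from a network that was already compromised normalizes the attacker's traffic, so the day-1 data should be reviewed with the OT engineers before it becomes the reference.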

Malisko is headquartered in St. Louis; its IT technology and network security division is in Eau Claire, Wis., where it has observed cybersecurity shift over the past 10 years. Malisko is a certified member of the Control System Integrators Association (CSIA).

Kottke reports more clients are approving cybersecurity projects to meet the requirements of insurers, who are demanding they address vulnerabilities in their systems. “With so many public industrial ransomware cases, IT departments are being tasked with evaluating their OT cybersecurity posture,” he says.

To fulfill these increasingly urgent requests, Schoff adds that users must get their IT and OT teams to collaborate, so they can present a united front on cybersecurity. “Everyone entrusted with using or programming industrial control systems (ICS) must be subject to role-based access control (RBAC). Likewise, their organizations must also adopt zero-trust frameworks that only grant access to those who require it,” says Schoff. “This begins with strong passwords, multi-factor authentication, and elevated-privilege accounts with a reauthorization process.”

Finding common cybersecurity ground

Even though OT and IT have different perspectives and priorities for cybersecurity—mainly availability versus confidentiality, and how often to patch—Schoff reports they can begin to be brought together by software like Cyber Vision, which uses network-level data to provide the information and insights each team needs, whether it’s about asset management or version control. “OT can get their asset and uptime data, and IT can get information about their network’s vulnerabilities and malicious traffic,” says Schoff. “However, because they’re both getting data from the same source, and working towards a common goal, there must also be a line of communication between IT and OT, especially so IT can know what’s happening at the OT level.”

As usual, building these lines of communication requires system integrators like Malisko to meet with IT and OT engineers as part of a cybersecurity risk assessment (cyber RA) to get the context and tribal knowledge of individuals and processes running on the plant floor. “IT teams see real benefit from tools like Cyber Vision, but they’re much more effective if OT managers are included in deciding what they’re doing,” explains Kottke. “They can add PLCs, valves or other devices that weren’t considered by IT before, tell what I/O group they’re in, show which components have a higher priority, and demonstrate what the consequences are if those devices go down. This gives everyone a much clearer picture for better operations and cybersecurity.”

Schoff and Kottke report that the newest and most numerous risks come from securing networks connected to cloud-computing services, as more and more factory data flow to cloud-based applications. They advise using:

· Certificate-based authentication;

· Site-to-site virtual private networks (VPNs) tunneling between cloud-computing services and on-premises networks; and

· Industrial demilitarized zones (iDMZ) focused specifically on brokering OT traffic, so any communications to the enterprise can be analyzed and controlled in real time.

“The next generation in cybersecurity is really micro-segmentation at the OT level for network access control (NAC),” adds Schoff. “This involves using managed Ethernet switches, working in tandem with network access control software, to define which devices are permitted to talk to other devices on the network. For example, a particular variable frequency drive (VFD) might only be allowed to talk to a particular PLC, regardless of IP or subnet. This enables cybersecurity to be very granular. This can be facilitated by Cisco’s Identity Services Engine (ISE), using its TrustSec function to authenticate devices against the ISE server and predefine which devices are OK to be on the network and talk to specific other devices. This improves upon the type of secure control that we have with firewalls between subnetworks. Now we can have this type of cybersecurity within functional areas in the factory and within work cells as well.”
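What "regardless of IP or subnet" buys over a subnet firewall is easiest to see side by side. The model below is an added example, not ISE or TrustSec code: it stands in for the NAC by binding each address to an authenticated identity, assigns a security group from that identity, and checks flows against a group-to-group allow matrix. The same matrix also expresses the iDMZ advice above, since no OT group is permitted to reach the enterprise group except through the broker group. Every device, address, group name and rule is hypothetical.

```python
"""Identity-based micro-segmentation policy check (added example).

A stand-alone model of the TrustSec-style approach: devices are placed in
groups by an identity the NAC authenticated, and a group-to-group matrix says
who may talk to whom. Not Cisco ISE or TrustSec code; all names are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    identity: str  # what the NAC authenticated (e.g. an 802.1X certificate subject)
    group: str     # security group the NAC assigned from that identity


# Hypothetical group-pair allow matrix: (src_group, dst_group) -> allowed (proto, dport).
# Anything not listed is denied, so a cell-1 PLC cannot reach a cell-2 drive and
# no OT group reaches "enterprise" except through the iDMZ broker. Return traffic
# of a permitted connection is assumed to be handled statefully by the enforcer.
ALLOW_MATRIX = {
    ("cell1_plc", "cell1_vfd"): {("tcp", 44818)},   # EtherNet/IP, PLC to its own drives
    ("cell2_plc", "cell2_vfd"): {("tcp", 44818)},
    ("hmi", "cell1_plc"): {("tcp", 44818)},
    ("hmi", "cell2_plc"): {("tcp", 44818)},
    ("historian", "cell1_plc"): {("tcp", 44818)},
    ("historian", "cell2_plc"): {("tcp", 44818)},
    ("historian", "idmz_broker"): {("tcp", 443)},   # OT publishes into the iDMZ
    ("idmz_broker", "enterprise"): {("tcp", 443)},  # broker relays to the enterprise
}

# Hypothetical authenticated devices.
PLC1 = Device("cn=plc1.cell1", "cell1_plc")
VFD1 = Device("cn=vfd1.cell1", "cell1_vfd")
PLC2 = Device("cn=plc2.cell2", "cell2_plc")
VFD2 = Device("cn=vfd2.cell2", "cell2_vfd")
HMI = Device("cn=hmi1", "hmi")
HIST = Device("cn=historian1", "historian")
BROKER = Device("cn=idmz-broker", "idmz_broker")
ERP = Device("cn=erp-app", "enterprise")

# IP-to-device bindings as the NAC learned them (hypothetical addresses). An
# address with no binding never authenticated and therefore belongs to no group.
BINDINGS = {
    "10.10.1.10": PLC1, "10.10.1.11": VFD1,
    "10.10.1.20": PLC2, "10.10.1.21": VFD2,
    "10.10.1.30": HMI, "10.10.1.40": HIST,
    "10.20.0.5": BROKER, "10.30.0.9": ERP,
}


def rebind(bindings, old_ip, new_ip):
    """Return a copy of the binding table with one device moved to a new address,
    as the NAC would do after the device re-authenticates on another subnet."""
    moved = dict(bindings)
    moved[new_ip] = moved.pop(old_ip)
    return moved


def microseg_decide(src_ip, dst_ip, proto, dport, bindings=BINDINGS):
    """Group-matrix decision keyed on authenticated identity, not on address."""
    src, dst = bindings.get(src_ip), bindings.get(dst_ip)
    if src is None or dst is None:
        return "deny: unauthenticated endpoint"
    if (proto, dport) in ALLOW_MATRIX.get((src.group, dst.group), set()):
        return f"permit: {src.group} -> {dst.group}"
    return f"deny: {src.group} -> {dst.group} not in matrix"


# Conventional subnet firewall for comparison: everything inside the cell /24 is
# open, plus one rule letting the OT subnet reach the iDMZ on 443.
OT_NET = ip_network("10.10.1.0/24")
SUBNET_RULES = [(OT_NET, ip_network("10.20.0.0/24"), "tcp", 443)]


def subnet_firewall_decide(src_ip, dst_ip, proto, dport):
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src in OT_NET and dst in OT_NET:
        return "permit: same subnet"
    for src_net, dst_net, rule_proto, rule_port in SUBNET_RULES:
        if src in src_net and dst in dst_net and (proto, dport) == (rule_proto, rule_port):
            return "permit: subnet rule"
    return "deny: no rule"


def compare_flows(flows):
    """Return [(flow, subnet_firewall_decision, microseg_decision), ...]."""
    return [(f, subnet_firewall_decide(*f), microseg_decide(*f)) for f in flows]


if __name__ == "__main__":
    sample = [
        ("10.10.1.10", "10.10.1.11", "tcp", 44818),  # PLC1 -> its own VFD
        ("10.10.1.10", "10.10.1.21", "tcp", 44818),  # PLC1 -> cell-2 VFD (cross-cell)
        ("10.10.1.99", "10.10.1.10", "tcp", 44818),  # unknown laptop -> PLC1
        ("10.10.1.40", "10.30.0.9", "tcp", 443),     # historian straight to enterprise
    ]
    for flow, fw, ms in compare_flows(sample):
        print(flow, "| subnet firewall:", fw, "| micro-seg:", ms)
    # VFD1 moves to another subnet; the same policy still applies because it is
    # keyed on identity, while the subnet firewall now has no matching rule.
    moved = rebind(BINDINGS, "10.10.1.11", "10.10.9.11")
    print(microseg_decide("10.10.1.10", "10.10.9.11", "tcp", 44818, moved))
```

Two of the sample flows show the difference the quote is pointing at: the cross-cell PLC-to-drive flow and the unauthenticated laptop are both permitted by the subnet firewall because they sit inside one /24, and both denied by the group matrix. The check that makes this work in practice is the binding table: if a device can obtain an address without authenticating, or if the enforcement point falls back to an "unknown" group that is allowed anything, the matrix is bypassed, so the deny-by-default for unbound endpoints is the part to verify on the real switches.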

About the Author

Jim Montague | Executive Editor

Jim Montague is executive editor of Control. 
