The trend toward environments where IT (Informational Technology) and OT (Operational-Technology) networks converge offers great opportunities and is a vital part of enabling Industry 4.0 with a greater degree of connectivity and data collection.
If interested, go to the related blog post ‘First steps toward ICS/OT Security written by our Cybersecurity Analyst, Danijel Grah.
At the same time, the connection involves entirely new exposures of risks and threats to OT networks which have traditionally been very isolated networks. OT networks are an extremely vulnerable environment, with many particularly vulnerable systems with old operating systems that are no longer maintained or not even at all updated with patches and updates!
The vulnerabilities of the OT systems can significantly increase the risk of industrial espionage and sabotage in organizations and critical infrastructure.
Due to the nature of the OT networks, OT security has never been a focus area, all focus has been on keeping the network up and running. In general, as few changes as possible in these networks are preferred to minimize production outages.
Network Segmentation
By dividing the network into multiple logical networks and restricting access between them, we limit the attack area which a single system can reach. An accepted reference model for making this division is the Purdue reference model (PERA). Purdue isn’t new, it was developed during the late 1980s. Purdue has since then been further developed, updated, and has influenced subsequent standards such as ANSI/ISA95/99 and IEC 62443.
Level 0-2 – Defines the physical cell. Here we find units such as PLCs, HMI, controllers, and workstations.
Level 3 – Production system – Manages the production workflow to produce the desired products.
Level 4-5 – IT network. Here we find systems such as business logistics systems, external WAN connections, Internet connection, and more.
In the Purdue model, a cell is defined as a functional area (production line) within a production facility. Many factories have multiple cells, up to hundreds.
Based on the Purdue model, we introduce three important concepts for building a secure OT network:
- A clear demarcation between IT (Level 4-5) and OT (Level 0-3) by introducing a DMZ zone called Industrial-DMZ (IDMZ). The purpose of this IDMZ zone is to break direct communication between the IT and OT zones by placing proxy services, jump servers, and any other resources directly in this zone. This prevents outbreaks in the IT environment to enter the OT zone at all. Most attacks originate in the IT zone as it is Internet-connected and generally far more uncontrolled.
- Logical segmentation between cells in the production zones of the OT network (zone 0-1).
- A capability to allow network access for external suppliers in a controlled and restricted way to the OT network and only provide them access to the system they need to reach.
Traditionally, network segmentation is performed by separating different subnets from each other through mechanisms that open and close IP addresses and ports. It’s a rather big challenge in an OT environment since such a logical division would require that all IP addresses on all endpoints are changed. Introducing segmentation is extremely complicated and the necessary changes has a very big impact on the network (also in the event of a rollback). Another important aspect is that a traditional division of OT units into different networks usually takes place with manual switch-unique configuration. In most organizations, this means that every single change requires the efforts of the network administrators who often work in another department.
The methodology advocated in this whitepaper offers an alternative solution that can offer full network segmentation of the cells without the OT endpoints needing new configurations (they can retain existing IP addressing) and where all configuration in the switches is completely dynamic where correct network access follows the connecting resource. This greatly facilitates a migration and rollback as OT staff can complete the entire migration and mapping of endpoints on their own without involving the network people.
Network segmentation with Cisco TrustSec
Cisco TrustSec is a collection of security technologies from Cisco. TrustSec provides software-defined network segmentation to protect business-critical assets. Cisco TrustSec segmentation is easier to enable in an industrial network than traditional VLAN-based segmentation because it only works on layer 2 and is IP address independent in layer 3. The clients on the network are assigned an SGT tag, and this tag is carried in the Ethernet frames themselves.
A user or client can be assigned an SGT via 802.1X (dynamic) or static (via static switch configuration, per port or per VLAN). In order to control which endpoints can communicate with others, an SGACL is centrally defined which all switches will enforce their behavior on. An SGACL is a full matrix of our defined SGT tags. This matrix determines whether traffic should be allowed between two unique SGTs (or to and from the very same SGT). This enables us to let two different cells share layer 2 addresses (VLAN) and layer 3 addresses (subnet), and we can still achieve network isolation by preventing communication between the tags we assign to the cells in the SGACL matrix. Of course, it is also possible to do the same thing even though the devices are on different networks if desired.
The Cisco Identity Services Engine (ISE) platform is the feature that provides identity-based access control, context, and visibility (for example, user, device, location, and time) for the devices and users connected to the network. Cisco ISE is also a controller and orchestrator of TrustSec-based software segmentation policies and is responsible for defining and distributing SGACL to the network devices.
Allocation of SGT tags
The most common and flexible way to assign SGT tags to devices is to enable dynamic port authentication in the switches. Normally 802.1X is used as a method for this, with the disadvantage that active support and configuration is also required on the endpoints. For endpoint devices where this is not possible (or simply too hard to achieve), Mac-Address-Bypass (MAB) is the alternative. With MAB out network switches will send a RADIUS request where the client’s Mac-address is the identity. The advantage is that the endpoint does not participate in this procedure and thus requires no configuration.
To assign an SGT to our industrial clients, we rely on the MAB feature. Cisco ISE will handle the RADIUS request for this MAB request, and Cisco ISE returns cell-unique SGT to the endpoints. How will ISE know which cell an individual Mac-address belongs to? Cisco Industrial Network Director (IND) is an example of a tool that can be used as an inventory tool since it can be connected to Cisco ISE via the pxGrid interface. Cisco pxGrid is an open interface that enables integration and information exchange with Cisco ISE.
Cisco IND is a tool for the OT staff that can discover OT endpoints by using active probing using the industry protocols that PLC and other industry devices use for their operation. Cisco IND is also a tool for OT staff to easily manage network equipment for factory environments.
In Cisco IND, the OT staff can then assign cell membership per endpoint in its inventory – information that is transferred to Cisco ISE. After receiving this information, Cisco ISE can assign the device to the correct cell by assigning the device the correct SGT.
To simplify the work of defining the cells in the OT network Cisco Cyber Vision is a very helpful tool. Cisco Cyber Vision is a complete security platform for OT environments that provides full visibility of the traffic flows within the OT network by using standalone sensors or special sensors built into certain models of switches for factory environments. This report of the traffic flows takes place completely passively and will thus not interfere with the endpoints. Cisco Cyber Vision automatically classifies which kind of OT devices the detected devices are. In order of getting a clear visual image of the intended segmentation, the administrator can logically group cells based on the traffic flows. Any traffic deviations (such as detected traffic flows between two defined cells) can generate alarms, and all kinds of traffic deviations from a recorded baseline flow are easy to monitor. Cisco Cyber Vision also combines this information with known vulnerabilities in the OT equipment.
Migration and error protection
The goal of the segmentation work is to try to minimize every conceivable impact that the implementation of segmentation can have. That’s why it’s also important to ensure it’s possible to do a rollback in the event of a simple detection of problems.
The entire migration and a possible rollback will be done by moving the network cable connecting industrial endpoints from today’s switchport to a new switchport with 802.1X / MAB enabled. The entire old network is considered in our defined SGACL matrix as SGT ‘0’, and it will allow communication with all defined cells (all SGTs that are not ‘0’).
Active migration is done by moving port-by-port and connecting the endpoints to the new switches. Preferable to the same port number as in the old switches for easy rollback.
If experiencing problems, a rollback can easily be performed by moving the cable back to the old switches, and the endpoint then belongs to SGT ‘0’ again and can communicate with everything again. The advantage of this approach is that the staff on the floor can carry out migration and rollback without having to access the central systems (Cisco IND and Cisco ISE).
Once all the endpoints have been moved to the new switches, the old switches can simply be removed, and the migration is completed.
Remote access to OT environments
The Purdue model introduces the IDMZ zone, and part of this zone is a shared terminal server. To assign an SGT, a Cisco AnyConnect client software can also be used. After successful login via Remote Desktop to the terminal server client, AnyConnect will perform a standard 802.1X user authentication on the wired network and will authenticate itself with the credentials the connected remote-user provided.
An alternative method can be used, in which a local firewall, Cisco Firepower, is placed in the IDMZ zone, and external VPN access is terminated here.
In either case, Cisco ISE will verify with the logged-in user’s information. Cisco ISE assigns an SGT, based on a rule set depending on who the authenticating user is. A simple principle is to assign the third-party user the same SGT as the cell we need to access. Then the switches will ensure that this traffic flow is made possible based on our defined SGACL matrix.
In a more complex scenario, a cell can consist of endpoints from several different suppliers, and we want to limit the access for a supplier to only specific endpoints – while the cell itself is still allowed full internal communication. This can be accomplished by having a defined cell receive more than one SGT.
In this fictitious example, we define a complex cell (ID 1) consisting of endpoints from three different suppliers, A, B, C, and a simple cell (ID 2) with endpoints only from supplier A.
Communication between the three different suppliers’ units within Cell-1 is wide open while Cell-1 is separate from Cell-2. Supplier A is given access to the endpoints he is responsible for in both Cell 1 and Cell 2. In this scenario, all devices that make up both Cell 1 and Cell 2 are allowed on the same VLAN and are assigned the same IP subnet. Note that this design scales to a large number of cells as there are no IP-address based firewall rules necessary to achieve this behavior.
Summary
More and more companies have already connected their IT and OT networks and are exposed to the risks this entails for their operations. Suffering from production stoppages due to the lack of network segmentation is an expensive affair that, unfortunately, many have already become aware of during the major malware outbreaks of recent years. Minimizing the risks by introducing a clear demarcation between IT & OT is an absolute minimum. Taking it one step further and segmenting within the OT network should be on everyone’s agenda. This should be implemented in a way that facilitates actual migration and with a focus on how to ease the daily operation of the solution. Cisco TrustSec is a very suitable technology for this purpose as the existing network (which is very often a flat network) can largely be left untouched.
