Following the pandemic, the past two years have been synonymous with a rapidly changing global environment. More than ever, businesses are encountering uncertainties, such as material shortages and supply chain disruptions, forcing business owners to enhance their operational resilience to stay competitive.
For many industries, IT/OT convergence is the path forward to enhancing resilience. To ensure a successful convergence, it’s essential to develop a reliable and secure network infrastructure.
According to the IDC Technology Spotlight, the key to a successful IT/OT convergence is combining network and cybersecurity disciplines and capabilities. However, merging IT and OT also makes industrial networks more complex with an increasing number of field devices now needing to be connected to the network. Therefore it’s critical to boost network capabilities to be able to reliably and accurately handle vast, growing amounts of data. In addition, security concerns should not be overlooked.
As the number of connected devices increases, so do the potential doorways for intruders to access the network. Implementing security principles should be the first step toward building a solid foundation for a network infrastructure. Adopting cybersecurity in the OT field can be challenging because networking and cybersecurity requirements for industrial applications are often very different.
Some Things to Consider
OT operations have zero tolerance for interruptions. Any system downtime could lead to tremendous losses. However, cybersecurity practices usually encourage operators to constantly update their systems to enhance network protection against ever-changing cyber threats. This makes OT operators hesitant to implement cybersecurity measures, since every system update means they need to shut down parts of their operations, lowering production efficiency.
To balance the need for uninterrupted operations and improving cybersecurity measures, we recommend a two-stage approach to enhance network security. Start by identifying and creating a layered defense for essential operations to protect against cyber threats, followed by building secure networks that meet your operational demands. The following sections explain this in more detail.
Adopt a Defense-in-depth Approach
The idea of defense-in-depth is to provide multi-layered protection by implementing cybersecurity measures at every level. In the event of an intrusion, you have a better chance to detect and mitigate the threat quickly, minimizing the damage it can cause.
Building a robust defense begins with a thorough security assessment of the organization. Based on the assessment report, you can implement multi-layered protection and deploy cybersecurity measures for every aspect of the industrial organization including physical security, ICS networks, and device security.
To help implement the defense-in-depth concept, refer to international security standards designed for industrial automation and control systems. The IEC 62443 standard in particular provides comprehensive guidelines for adopting defense-in-depth security into industrial operations to create a strong security foundation.
When developing a network infrastructure, especially for IT/OT converged networks, network connections in the OT field site should be both secure and reliable. In the following paragraphs, we want to highlight some areas of consideration when enhancing network security for an OT network infrastructure.
Select Secure Devices to Strengthen the Network Edge
In the past, OT system security often relied on air gapping. In some cases, security was disregarded entirely. Once field devices are connected, networking devices not only require industrial-grade reliability to avoid unexpected downtime but also need basic security functions to combat cyber threats. Security functions such as user authentication mechanisms can help control user access to the network.
Another important security feature, secure boot, helps ensure the integrity of networking devices. Creating a security checklist to verify that networking devices are protected is essential for maintaining a safe networking environment.
Alternatively, you can check if the networking devices are certified for internationally recognized security standards such as the IEC 62443 standard. For example, compliance with this standard means these devices are developed based on the IEC 62443-4-1 secure product development lifecycle guidelines and are equipped with security features to protect the networking devices and enhance overall network security.
Protect the Network With Diverse Security Capabilities
For optimal OT network protection, you need a layered defense to ensure that when one layer of protection fails, the next layer is still active. Segmenting OT networks into several zones helps improve network security and prevents threats from affecting other systems. Functions such as VLAN and firewalls boost security by dividing the network into isolated zones and by filtering for malicious or unauthorized traffic.
For more proactive measures, industrial intrusion detection/protection systems (IDS/IPS) identify and contain threats within a specific area if a network node is compromised. Adding access control is another good way to bolster network security. By leveraging authentication protocols such as IEEE 802.1X, you can verify users accessing OT networks. There are also other access control functions available to allow authorized users, defined through MAC address or other forms of identification, to access parts of the network through specific ports based on their assigned role.
Improve Network Status Visibility
The more field devices are connected, the harder it becomes to efficiently configure, monitor, and maintain the network. Providing OT users with tools to quickly configure the security settings of multiple devices reduces network management complexity. In addition, you also need a way to easily monitor and maintain the security level of each networking device for daily operations. When choosing devices for industrial networks, be on the lookout for OT user-friendly network management tools that can save time managing security settings and monitoring the security status of networking devices.
Leverage Networking and Purpose-Built OT Security
When building secure network infrastructure, choosing the right devices as the network’s building blocks is critical. Moxa’s EDS-4000/G4000 Series is a family of IEC 62443-4-2 certified Ethernet switches designed to simultaneously help ramp up an industrial network’s security and to accommodate diverse networking demands.
The design of the EDS-4000/G4000 Series follows the strict IEC 62443 security guidelines to create a versatile, security-hardened networking solution that passes the most rigid cybersecurity evaluations across different industries including critical infrastructure. In addition to enhancing cybersecurity, the EDS-4000/G4000 Series also provides powerful networking functions to help develop futureproof networks and accelerate IT/OT convergence with improved security.
