Securing Industrial IoT: It’s All About the Architecture
Industrial and enterprise networks are converging. The need to connect industrial control networks to the IT environment, cloud applications and remote workers is eroding the air gap created by the demilitarized zone. To keep digitizing their industrial operations, organizations must deploy new ways to secure operational technology (OT) networks.
An industrial security solution requires considering the needs of both IT and OT – providing robust security without raising operational overhead or network complexity so that it is quickly deployable at scale. When choosing the best solution for your organization, you need to understand the implications of the various security architectures available to you.
The first step to securing an IoT/OT network is obtaining visibility. Understanding what devices are on the network, what they are communicating, and where those communications are going is key to implementing security best practices, building the right security policies for your industrial control networks and detecting abnormal behavior, such as illegitimate commands to machines that could have disastrous effects.
Because industrial control networks can be quite old and managed by many different parties, gaining these insights can be complicated. Fortunately, achieving network visibility can now be fully automated by leveraging deep packet inspection (DPI) technologies. DPI decodes all communication flows and extracts packet headers and message contents, providing the visibility necessary to understand which devices are connected and what they are communicating.
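As an added illustration of what the DPI step described above yields in practice (example code, not from the original post or from any vendor product), the following decodes constructed Modbus/TCP frames, builds an inventory of which host sends which function codes to which controller, and flags write commands from hosts outside an assumed engineering-workstation allowlist. The protocol choice, the IP addresses and the allowlist are assumptions for the example.

```python
import struct
from collections import defaultdict

# Modbus/TCP public function codes; write codes change process state on the controller.
WRITE_CODES = {5, 6, 15, 16}  # Write Single Coil/Register, Write Multiple Coils/Registers


def parse_mbap(payload):
    """Decode the 7-byte MBAP header plus the function code of a Modbus/TCP frame."""
    if len(payload) < 8:
        raise ValueError("truncated frame")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length %d does not match frame" % length)
    return {"tid": tid, "unit": unit_id, "fc": payload[7]}


def inspect(flows, engineering_hosts):
    """Inventory (src, dst) -> function codes seen; alert on writes from unexpected hosts."""
    inventory = defaultdict(set)
    alerts = []
    for src, dst, payload in flows:
        try:
            pdu = parse_mbap(payload)
        except ValueError as err:
            alerts.append((src, dst, "malformed: %s" % err))
            continue
        inventory[(src, dst)].add(pdu["fc"])
        if pdu["fc"] in WRITE_CODES and src not in engineering_hosts:
            alerts.append((src, dst, "write fc %d from non-engineering host" % pdu["fc"]))
    return inventory, alerts


# Constructed sample flows (src, dst, TCP payload); not real captures.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # HMI reads 10 registers
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("0002 0000 0006 01 06 0010 00FF")),  # engineering host writes
    ("10.0.9.77", "10.0.2.5", bytes.fromhex("0003 0000 0006 01 05 0001 FF00")),  # unknown host writes coil
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0004 0000 0009 01 03 0000 000A")),  # bad MBAP length
]
ENGINEERING_HOSTS = {"10.0.1.20"}  # assumed allowlist

if __name__ == "__main__":
    inv, found = inspect(SAMPLE_FLOWS, ENGINEERING_HOSTS)
    for pair, codes in sorted(inv.items()):
        print("%s -> %s: function codes %s" % (pair[0], pair[1], sorted(codes)))
    for alert in found:
        print("ALERT", alert)
```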
Common Security Architectures
Security providers typically use one of two architectures to collect network traffic and run DPI:
- Configure network switches to send traffic to a central server that performs DPI;
- Deploy dedicated security appliances on each network switch.
While both methods can deliver network visibility, they also create distinct challenges.
Configuring network switches to send traffic to a central server requires duplicating network flows, which adds cost and complexity. The additional network congestion can also introduce latency, disrupting industrial control loops.
Deploying security appliances solves the issues created by network traffic duplication. Appliances collect and analyze network traffic at the switch, sending to a server only the information needed for additional analysis. Yet effective security requires full visibility, which means installing, managing and maintaining a dedicated hardware appliance for every switch on the network, quickly leading to intolerable costs and scalability challenges.
An Alternative Approach
There is a third architectural approach: deploying industrial-grade switches with native DPI capability. This method eliminates the need to duplicate network flows and deploy additional appliances. Activating a feature on the switch provides the required visibility and security functionality while minimizing the cost, traffic and operational overhead of the other two architectures.
By embedding DPI in the network switch, both IT and OT experience unique benefits. IT can secure the OT network without requiring additional hardware or network traffic management. OT gains detailed visibility into operations, as the entire industrial network traffic is now analyzed to provide valuable analytical insights into control systems.
As you evaluate OT security solutions, be aware of their architectural implications. Embedding security capabilities into industrial network equipment is the best option to simplify deployment and make it scalable. This requires computing capability in the switch itself, so look for DPI-enabled switches designed for industrial networks.
Cisco has embraced this approach. Cyber Vision leverages a unique edge computing architecture that enables security monitoring components to run within industrial network equipment to provide holistic threat detection, visibility and operational insights for the OT environment.
Cisco Cyber Vision’s benefits aren’t restricted to organizations with Cisco networks. The sensor is also available within the Cisco IC3000 appliance that analyzes traffic at the edge by connecting to legacy network devices. This provides maximum deployment flexibility to meet your needs with your existing network while giving you time to replace older switches with DPI-enabled network equipment that’s capable of seeing everything that attaches to it.
Read the white paper An Edge Architecture Approach to Securing Industrial IoT Networks if you’d like to learn more. It further examines the three security architectures introduced in this blog and explores how embedding DPI in the network switch enables industrial organizations to deploy OT security at scale.