Implementing security inside the industrial network can be a daunting task. Security directives such as CISA’s Shields Up have caused more industrial organizations to assess their network posture and seek guidance to improve the protections of critical resources for business continuity. Upon seeking this guidance, many are left confused with terms such as Zero Trust and Microsegmentation, resulting in more questions and no route to action.

Security can, and should, be simple. Whether you follow the guidance of ISA/IEC 62443 or the National Institute of Standards and Technology (NIST), or have implemented the Purdue model, the core security principle is the same: divide the network into multiple zones and create policy for the communication that crosses zone boundaries.

Defining secured zones

Let’s take the ISA/IEC 62443 definition of zones and conduits. A zone, according to the standard, is a collection of physically and functionally united assets that have similar security requirements. In a manufacturing facility, this could be a single production line. A conduit is described as the communication between zones. The conduit is the communication channel in which security policy should be applied.

Defining the zones and knowing which policy to assign to the conduits is what makes security seem difficult. However, segmentation should not be viewed as a single standalone task. Effective segmentation consists of two key pillars: visibility and control.

ICS visibility informs OT segmentation

Visibility into industrial control system (ICS) operations gives us an inventory of all assets that exist on the network, along with their communication patterns. This enables us to visualize the processes in our networks and answer the question: what are the zones on my network? Using Cisco Cyber Vision, an ICS visibility tool that is embedded into the network infrastructure, operators can identify assets that belong to a process and assign them to a group for easier visualization. Rather than focusing attention on every flow, from every asset, communication can be visualized in the conduits between the zones, providing a blueprint of the policy that must be defined.

As for the enforcement of these traffic patterns, that too can be embedded into the network infrastructure using a technology called TrustSec. Cisco TrustSec provides you with an easier way to manage access control policies across switches using a security group matrix.

Rather than enforcing policy on IP addresses as traffic enters and leaves a network segment, Cisco TrustSec uses a Security Group Tag (SGT) embedded in the MAC layer of the frame to determine policy. Using Cisco Identity Services Engine (ISE), SGTs can be assigned to your zones, and the matrix can be used to control the communication across the conduits.

Using the built-in integration, Cyber Vision shares its grouping information with Cisco ISE. Operations managers can create and manage asset groups in their OT visibility tool, and IT can then create the proper control rules between those zones in ISE.
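To make the zones-and-conduits idea and the security group matrix concrete, here is an added worked example (not Cisco's code, and not how Cyber Vision or ISE are implemented). It models a small plant as a Python script: an asset inventory assigns each IP to a zone, observed flows from a visibility export are collapsed into per-conduit service sets (the "blueprint" of required policy), and a matrix keyed on (source zone, destination zone) is used to audit which observed flows would be denied under a default-deny conduit policy. All IPs, zone names, ports and flow records are constructed for the example.

```python
from collections import defaultdict

# Constructed inventory: IP -> zone. In practice this is the group an operator
# creates in the visibility tool; in TrustSec each zone maps to one SGT.
ASSET_ZONES = {
    "10.10.1.10": "Line1",      # PLC on production line 1
    "10.10.1.11": "Line1",      # HMI on production line 1
    "10.10.2.10": "Line2",      # PLC on production line 2
    "10.10.9.5":  "SCADA",      # supervisory server
    "10.10.9.6":  "Historian",  # process historian
}

# Constructed conduit policy modelled as a security group matrix:
# (source zone, destination zone) -> set of allowed (protocol, destination port).
# Any zone pair not listed is denied, so the matrix is default deny between zones.
SGT_MATRIX = {
    ("SCADA", "Line1"): {("tcp", 502)},       # Modbus/TCP polling of line 1
    ("SCADA", "Line2"): {("tcp", 502)},       # Modbus/TCP polling of line 2
    ("Line1", "Historian"): {("tcp", 4840)},  # OPC UA data to the historian
    ("Line2", "Historian"): {("tcp", 4840)},
}


def zone_of(ip):
    """Map an asset to its zone; assets missing from the inventory are 'Unknown'."""
    return ASSET_ZONES.get(ip, "Unknown")


def summarize_conduits(flows):
    """Collapse per-asset flows into per-conduit service sets.

    This is the blueprint the visibility step produces: instead of every flow
    from every asset, only the services crossing a zone boundary are listed.
    Intra-zone traffic is not a conduit and is left out.
    """
    conduits = defaultdict(set)
    for src, dst, proto, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue
        conduits[(src_zone, dst_zone)].add((proto, port))
    return dict(conduits)


def evaluate_flow(src, dst, proto, port, matrix=SGT_MATRIX):
    """Return 'permit' or 'deny' for one flow under the matrix.

    Traffic that stays inside a zone is permitted; traffic crossing a conduit
    is permitted only if the matrix cell lists that service.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "permit"
    allowed = matrix.get((src_zone, dst_zone))
    if allowed is None:
        return "deny"
    return "permit" if (proto, port) in allowed else "deny"


def audit(flows, matrix=SGT_MATRIX):
    """Return the observed flows the matrix would deny.

    Running this over a visibility export before enforcement shows which
    communications would break, or are unexpected, under the proposed policy.
    """
    return [f for f in flows if evaluate_flow(*f, matrix=matrix) == "deny"]


# Constructed flow records (src, dst, proto, dport) of the kind a visibility
# tool exports. The last two are the interesting ones for an audit.
OBSERVED_FLOWS = [
    ("10.10.9.5", "10.10.1.10", "tcp", 502),      # SCADA polls line 1 PLC
    ("10.10.1.11", "10.10.1.10", "tcp", 502),     # HMI to PLC, same zone
    ("10.10.1.10", "10.10.9.6", "tcp", 4840),     # line 1 PLC to historian
    ("10.10.1.11", "10.10.2.10", "tcp", 502),     # line 1 HMI reaching line 2 PLC
    ("192.168.50.7", "10.10.1.10", "tcp", 44818), # asset not in inventory
]

if __name__ == "__main__":
    print("Conduit blueprint from observed flows:")
    for (src_zone, dst_zone), services in sorted(summarize_conduits(OBSERVED_FLOWS).items()):
        print(f"  {src_zone} -> {dst_zone}: {sorted(services)}")
    print("Flows the matrix would deny:")
    for flow in audit(OBSERVED_FLOWS):
        print(f"  {flow}")
```

Two design choices are worth noting. The matrix is default deny: a zone pair with no cell denies everything, which is what makes the blueprint from the visibility step necessary, since every legitimate conduit has to be written down before enforcement is turned on. Assets that are absent from the inventory land in an "Unknown" zone, so an unclassified device talking to a production line shows up in the audit rather than silently matching a permissive rule.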

In a recent webinar, I went into more details, diving into the ISA/IEC 62443 zones and conduits model and showing how to use Cisco ISE and Cyber Vision to enforce OT Microsegmentation. You can watch the replay by registering here.

Until then, have a look at our ISA/IEC 62443-3-3 white paper and make sure you subscribe to our Industrial Security Newsletter.
