Industry 4.0 Blog #5: Wrap-up and Resources for Your Success
This is the fifth and final post of a five-part series laying the groundwork for a successful, secure “Industry 4.0 Digital Transformation” initiative. It collects the resources you need to implement an OT security program and closes with practical, real-world lessons from initiatives that succeeded.
#1 Industry 4.0 Digital Transformation
#2 How Visibility & Security Can Coexist in Manufacturing
#4 Controlling Third Party & Remote Access into OT
#5 Wrap-up and Resources for Your Success ← this blog
Our objective is to provide you with information that you can use to communicate inside your organization where Industry 4.0 stands today, how to set the foundation for a successful OT security program, and how to get started.
References:
- ICS Cybersecurity for the C-Level
- Industrial IoT Consortium (IIC) Security Maturity Model
- ISA/IEC 62443 Standards
- NIST CSF
- NIST 800-53
- NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security
Articles & Whitepapers to Supplement this Series:
- Leveraging Industrial IoT and advanced technologies for digital transformation
- Industry 4.0 Points Up Need for Improved Security for Manufacturers
- IT-OT Cultural Divides Creating Major Barrier to Effective Industrial Cybersecurity
- 30% of Critical Infrastructure Organizations Will Experience a Security Breach by 2025
OT/ICS Network Security Architecture References:
- ABB: ABB Reference Architecture
- Rockwell Automation: Rockwell Industrial Network Architectures
- Schneider Electric: Practical Overview of Implementing IEC 62443 Security
- Siemens: Industrial Network Security Whitepaper
- AWS: Industrial IoT Architecture Patterns
- HiveMQ: MQTT-Based Manufacturing Reference Architectures
- Microsoft: Azure IoT Reference Architecture
Keys to Success
- Involve key stakeholders. Build the organizational structure and collaborative culture to make the best use of the skills and knowledge from across OT, IT, supply chain, cybersecurity, legal & HR.
- Begin identifying and classifying the OT devices in your network. It is perfectly fine, in the initial stage of design and developing your implementation plan, if you create your inventory manually. “Start Small. Learn fast. Scale quickly and Incrementally.”
- Make remote and third party access a key part of your design from the very start, even if they are not a part of the initial phases of your OT roll out.
- Empower front-line operations to create ad hoc, time-limited remote access permissions for the equipment they are responsible for, so that the organization can respond quickly to situations that require immediate attention. Every such grant should expire on its own and be logged, so that speed does not turn into standing access.
- Isolate IT from OT networks. Design your industrial DMZ so that no session is initiated directly from the enterprise network into OT. Define zones and conduits (the ISA/IEC 62443 model) and allow only the traffic each conduit needs.
- Build your security architecture with best-in-class technology: a secure overlay virtual network, strong identity verification, truly granular (down to a single device) least-privilege access, and integration with the technology used to secure the core and edge network. Restrict all traffic from IT with zero-trust controls that make OT devices undiscoverable and unreachable by any entity that is not fully authenticated and authorized for the specific devices it absolutely needs to reach.
- Re-architect OT/ICS network security for existing environments with minimal disruption to operations.
- Define your risk-driven objectives to achieve a desired security and protection level for OT/ICS network.
- Use a phased approach for new implementations. This will help you develop deep experience, select the proper tools, and design the optimal processes that serve the business drivers.
Chart 1: Leverage your organization's understanding of the product development process to plan & execute your OT Security initiative.
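As an added example of the "zones and conduits" idea from the list above (this is illustrative code written for this page, not code from the original post or from Byos), the script below models zones as subnets and conduits as a directional allow-list of (initiating zone, target zone, protocol/port), then audits a handful of flow records and reports every flow that no conduit permits, including an enterprise-to-OT flow that skips the industrial DMZ. The zone names, subnets, ports and the flow records are all constructed for illustration; substitute your own architecture and your firewall or flow-collector export format.

```python
"""ISA/IEC 62443-style zone and conduit check over flow records.

Added example (not from the original post or from Byos). Zones, subnets,
conduits, ports and the flow records below are constructed to illustrate
the idea; substitute your own architecture.
"""
import ipaddress
from dataclasses import dataclass

# Zones: name -> subnets that belong to it (constructed)
ZONES = {
    "enterprise":     ["10.0.0.0/16"],
    "idmz":           ["10.10.0.0/24"],      # industrial DMZ
    "ot_supervisory": ["192.168.10.0/24"],   # SCADA/HMI servers
    "ot_cell":        ["192.168.20.0/24"],   # PLCs and field devices
}

# Conduits are directional: (initiating zone, target zone) -> allowed (proto, dst_port)
CONDUITS = {
    ("enterprise", "idmz"):        {("tcp", 443)},                  # portal / historian mirror
    ("idmz", "ot_supervisory"):    {("tcp", 3389), ("tcp", 1433)},  # jump host -> HMI, historian pull
    ("ot_supervisory", "ot_cell"): {("tcp", 502), ("tcp", 44818)},  # Modbus/TCP, EtherNet/IP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return name
    return None


def check_flow(flow: Flow):
    """Return None if a conduit permits the flow, else a reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "endpoint outside every defined zone"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is the zone's own policy, not a conduit question
    if src_zone == "enterprise" and dst_zone.startswith("ot_"):
        return "IT->OT flow bypasses the industrial DMZ"
    allowed = CONDUITS.get((src_zone, dst_zone), set())
    if (flow.proto, flow.dport) not in allowed:
        return f"no conduit {src_zone}->{dst_zone} permits {flow.proto}/{flow.dport}"
    return None


def parse_flow_line(line: str) -> Flow:
    """Parse the constructed record format '<src_ip> <dst_ip> <proto> <dst_port>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def audit(lines):
    """Return [(line, reason)] for every flow that no conduit permits."""
    findings = []
    for line in lines:
        reason = check_flow(parse_flow_line(line))
        if reason is not None:
            findings.append((line, reason))
    return findings


# Constructed flow records, one per line
SAMPLE_FLOWS = [
    "10.0.5.12 10.10.0.5 tcp 443",         # enterprise -> iDMZ portal: allowed
    "10.10.0.5 192.168.10.20 tcp 3389",    # jump host -> HMI: allowed
    "192.168.10.20 192.168.20.7 tcp 502",  # SCADA -> PLC over Modbus/TCP: allowed
    "10.0.5.12 192.168.20.7 tcp 502",      # laptop straight to a PLC: DMZ bypass
    "192.168.20.7 192.168.10.20 tcp 22",   # PLC initiating SSH upward: no such conduit
    "10.10.0.5 192.168.10.20 udp 161",     # SNMP from the iDMZ: protocol not in conduit
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {line}: {reason}")
```

Running it reports the last three records. Two design choices matter in practice: conduits are directional (a PLC initiating a connection upward is a finding even though the reverse direction is allowed), and the enterprise-to-OT check exists on its own so that a missing conduit and a DMZ bypass are reported differently.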
Key Criteria for Technology Selection
- If a bad actor gains access to one device, your network security design should prevent them from reaching other computers on the network. It is vital to limit a device's ability to "see" any other device except those with which it must communicate. Require candidate vendors to explain in detail, with a network security specialist in the room, exactly how they reduce lateral movement to an absolute minimum.
- When access to a device needs to be granted, it should be limited to that device only, and only for the time required. The reason is that an outside party's computer cannot be guaranteed to be free of malware or otherwise uncompromised, so a narrow, expiring grant bounds the damage if a compromised computer connects to your network.
- Because things move quickly when equipment is down, the technology should empower plant floor operators to add, change, or delete access permissions for the equipment they are responsible for. OT operates at a different pace and in a different way than IT, and at times this capability is what gets equipment back into production.
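To make the second and third criteria concrete, here is an added example (written for this page, not code from the original post or from Byos) of the decision logic they imply: a grant names exactly one device and expires on its own, and a plant-floor operator can create one ad hoc, but only for equipment in that operator's area of responsibility and only up to a capped duration. The operator and device names, the times, and the 4-hour cap are constructed assumptions.

```python
"""Time-bound, single-device access grants that plant-floor operators can create.

Added example (not from the original post or from Byos). Operator names,
device IDs, times and the 4-hour cap are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_ADHOC_GRANT = timedelta(hours=4)   # assumed policy cap on operator-created grants

# Constructed: which equipment each operator is responsible for
RESPONSIBILITY = {
    "op_line3": {"plc-line3-01", "hmi-line3-01"},
    "op_line5": {"plc-line5-01"},
}


@dataclass(frozen=True)
class Grant:
    principal: str        # the remote party, e.g. a vendor technician account
    device: str           # exactly one device; no wildcards, no zone-wide grants
    not_before: datetime
    not_after: datetime
    granted_by: str       # operator who created it, kept for the audit trail
    reason: str


class GrantStore:
    def __init__(self):
        self._grants = []

    def add_adhoc(self, operator, principal, device, start, duration, reason):
        """Operator creates a grant for one device in their own area, capped in duration."""
        if device not in RESPONSIBILITY.get(operator, set()):
            raise PermissionError(f"{operator} is not responsible for {device}")
        if not timedelta(0) < duration <= MAX_ADHOC_GRANT:
            raise ValueError(f"duration must be > 0 and <= {MAX_ADHOC_GRANT}")
        grant = Grant(principal, device, start, start + duration, operator, reason)
        self._grants.append(grant)
        return grant

    def revoke(self, principal, device):
        """Drop every grant for this principal/device pair; returns how many were removed."""
        before = len(self._grants)
        self._grants = [g for g in self._grants
                        if not (g.principal == principal and g.device == device)]
        return before - len(self._grants)

    def is_allowed(self, principal, device, at):
        """True only if a grant names this principal and this exact device and 'at' is in its window."""
        return any(
            g.principal == principal and g.device == device and g.not_before <= at < g.not_after
            for g in self._grants
        )


T0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)   # constructed reference time


def run_scenario():
    """Exercise the policy and return the outcomes so they can be checked."""
    store = GrantStore()
    out = {}
    store.add_adhoc("op_line3", "vendor_tech", "plc-line3-01", T0, timedelta(hours=2), "line 3 drive fault")
    out["during"] = store.is_allowed("vendor_tech", "plc-line3-01", T0 + timedelta(hours=1))
    out["after_expiry"] = store.is_allowed("vendor_tech", "plc-line3-01", T0 + timedelta(hours=3))
    out["other_device"] = store.is_allowed("vendor_tech", "hmi-line3-01", T0 + timedelta(hours=1))
    try:  # operator reaching outside their own equipment
        store.add_adhoc("op_line3", "vendor_tech", "plc-line5-01", T0, timedelta(hours=1), "not my line")
        out["outside_responsibility"] = "granted"
    except PermissionError:
        out["outside_responsibility"] = "refused"
    try:  # grant longer than the policy cap
        store.add_adhoc("op_line5", "vendor_tech", "plc-line5-01", T0, timedelta(hours=8), "overnight")
        out["too_long"] = "granted"
    except ValueError:
        out["too_long"] = "refused"
    out["revoked"] = store.revoke("vendor_tech", "plc-line3-01")
    out["after_revoke"] = store.is_allowed("vendor_tech", "plc-line3-01", T0 + timedelta(minutes=30))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the failure modes: the same technician who is allowed onto the line-3 PLC is refused on the line-3 HMI (single-device scope), refused after the window closes (time bound), and the operator cannot grant outside their own line or for longer than policy allows. Whatever product you select, ask the vendor to show you where each of those refusals happens.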
Learning from Others’ Experiences will Lead You to Success
- Manufacturing understands how to execute the product development cycle process better than anyone. Leverage your experience in managing your OT security initiative as described in Chart #1 above.
- The design process should be built to empower front-line operations personnel to perform day-to-day cyber security administration.
- It is important to build your access control cyber security rules with forethought about how the security will look 18 months from now. If you don’t have the expertise in-house, bring in the expertise from outside your organization.
- Building your network security with a security overlay virtual network that creates simple, consistent visibility across your enterprise will accelerate your OT digital transformation efforts significantly.
- Even if remote and third party access are not a part of the initial phases of the OT roll out, you will serve yourself well to build your processes & technology with this front of mind.
Next Steps
If you do not have the right resources in-house or feel like you need additional support to begin, find a resource who can perform an OT/ICS network architecture review or get in touch with someone from Byos who can direct you to partners and other technology vendors mentioned in this series of blogs.
To learn more about how you can prevent malicious actors from gaining access and doing harm to your operations, start here, or follow Byos on LinkedIn to receive updates.