Practical Advice for the Defense-in-depth Approach and Zero Trust Architecture
As the trend of OT/IT convergence continues to grow, almost every industrial organization has started reinforcing their network security and taking cybersecurity precautions to protect their operations. One of the main reasons for this is that critical infrastructure and manufacturing facilities are more likely to be targeted by cyberattacks. These concerns are well founded as we can see by the frequent news reports about companies halting their production lines for more than one day due to a cyberattack. In addition to incurring financial losses when a company is hit by a cyberattack, if it makes the news it will often lead to reputational damage as well. It is fair to say that more and more companies are being targeted by ransomware attacks and even some of the biggest players in the industry who have already taken precautionary measures are being targeted. These attacks demonstrate the high risk of an interconnected world, and that no organizations are immune from cyberattacks.
It is hardly surprising that CISOs and CSOs are desperate to learn more about OT environments and how to effectively implement cybersecurity measures without disrupting industrial operations. This is a complicated field where there are many approaches and architectures that must be carefully considered before a decision can be made. In this article, we will explore two of the most common security architectures used nowadays and share some tips to help industrial organizations implement them in unique OT environments.
The Defense in Depth and Zero Trust Approaches
The initial focus of zero trust architecture, as stated in the NIST Special Publication 800-207, is to only grant the minimum access privileges to those who need to operate on the network. This will prevent the situation when someone has a legitimate reason to access the network, but they are unnecessarily given unrestricted access to parts of the network that they do not require access to, which increases the chances of a cybersecurity breach occurring.
We will now consider the defense-in-depth approach, which contains multiple layers of security protection to reinforce network security for industrial operations. The rationale behind this is that you will have a second chance to protect zones and conduits if the first layer of protection fails. According to the IEC 62443 cybersecurity standard, it is necessary to start this process by partitioning areas based on the levels of protection required. Each partition is called a zone and all the communication devices within it share the same security level, which means they all have the same level of protection. If you want to enhance security even further, it is possible to place a zone inside another zone with additional security measures.
By combining the two approaches that we have just considered, you can build well-defended industrial operations with layers of protection as the foundation, and then add further protection by adding the zero trust mechanism to ensure access is restricted to only those who need to access certain areas of the network. After considering these two approaches, it is clear there is no silver bullet for cybersecurity and there are multiple angles that must be considered to ensure your network is secure.
Examples of Implementing Zero Trust and Defense-in-depth Networks
● Enhance Cybersecurity Awareness
In addition to the examples we just considered about how to implement zero trust and defense-in-depth networks, it is very important to enhance cybersecurity awareness across different departments and make sure all team members have the same mindset regarding cybersecurity. Employees should be encouraged to understand the benefits of following technical security requirements as this will increase the chances that the guidelines are adhered to.
- Coordinated security responses as well as network monitoring and management
- An assumption that all devices and networks will be compromised
- Ensuring there are robust recovery and response processes
Deploy Strong Authentication for Users and Network Devices
One unfortunate scenario that is often seen on industrial networks is when user credentials are compromised. For networks that do not utilize the zero trust principle, a user’s credentials might be all a malicious actor needs to gain access to the network. However, for a network that utilizes zero trust architecture, a malicious actor requires not only device access control but also user authentication and authorization. On top of that, it is also suggested to utilize trust lists for granular control of your network.
● Device Access Control
By using trust lists, rate control, and failure logout, network devices only allow access from trusted devices that are equipped with the secure boot function and prevent excessive attempts such as brute-force attacks.
● User Authentication and Authorization
By verifying the user’s credentials when logging on to devices, network devices will log all user access attempts and provide the lowest level of privileges based on the role of the user.
● Trust Lists
If organizations hope to reinforce security, trust lists can be a good way to control network traffic. One common practice is to create a trust list for IP addresses and service ports and to leverage deep packet inspection technology to granularly control the network with features such as read or write privileges.
Utilize Network Segmentation to Achieve Defense-in-depth Security
Remote connections are an essential part of industrial control systems, which must be managed effectively. At the same time, insider threats still pose a risk to the network. Steps must be taken to ensure that the risk posed by both scenarios is minimized. Appropriate network segmentation can prevent malicious actors from accessing the entire network if they compromise remote connections, or if there is an insider threat to the system, it will stop the person gaining access to the entire network.
● Network Segmentation
Segmented networks can prevent malicious actors from moving laterally across networks. Oftentimes, organizations deploy firewalls between the IT and OT networks to create high-level network segmentation. However, once a malicious actor compromises user credentials, it is very likely that the person can access devices and the networks in the OT network, if the network is not segmented appropriately. There are several approaches that can be taken to help achieve network segmentation including deploying firewalls. One of the benefits of using a firewall is that it helps administrators establish zones in the network to only allow permitted traffic to transfer from one zone to another. Furthermore, security policies and rules, such as IP addresses and only authorizing ports that are in use, will help segment the network into smaller, easier to manage sections to ensure only necessary traffic is allowed on the network.
One of the many critical assets in industrial control systems are motion controllers. When critical assets such as these are compromised, it may bring production to a halt or even cause damage that could put people’s safety at risk. Therefore, asset owners can deploy industrial intrusion prevention systems to contain cyberattacks within certain zones and protect critical assets.
In addition, continuous monitoring for anomalous activity by users and devices on networks can help reduce the spread of the attack and allow personnel to restore the network quicker.
Navigate the Cybersecurity Jungle With Moxa’s Network Security and Cybersecurity Solutions
As a leader in industrial networking for 35 years, Moxa is committed to developing secure and reliable networking solutions that proactively identify and mitigate cyberthreats in OT environments. To realize this commitment, Moxa strictly follows secure-by-design practices to develop network devices with security features based on the IEC 62443-4-2 cybersecurity standard. The practical security features can help organizations realize zero trust networks. Moxa also utilizes distributed OT intrusion prevention system capabilities and industrial secure routers with OT deep packet inspection to perfect defense in depth of industrial networks.
For more information about Moxa’s network security and cybersecurity solutions, visit our microsite to learn more.