A version of this blog originally appeared on Cisco
Implementing security inside the industrial network can be a daunting task. Security directives such as the Cybersecurity and Infrastructure Security Agency (CISA)’s Shields Up have caused more industrial organizations to assess their network posture and seek guidance on improving the protection of critical resources for business continuity. Upon seeking this guidance, many are left confused by terms such as Zero Trust and Microsegmentation, resulting in more questions and no route to action.
Security can, and should, be simple. Whether you follow guidance from ISA/IEC 62443 or the National Institute of Standards and Technology (NIST), or have implemented the Purdue model, the core security principle is the same: divide the network into multiple zones and create policy for the communication that crosses zone boundaries.
Let’s take the ISA/IEC 62443 definition of zones and conduits. A zone, according to the standard, is a collection of physically and functionally united assets that have similar security requirements. In a manufacturing facility, this could be a single production line. A conduit is described as the communication between zones. The conduit is the communication channel on which security policy should be applied.
Defining the zones and knowing which policy to assign to the conduits is what makes security seem difficult. However, segmentation should not be viewed as a single standalone task. Effective segmentation consists of two key pillars: visibility and control.
Visibility into industrial control system (ICS) operations gives us an inventory of all assets that exist on the network, along with their communication patterns. This enables us to visualize the processes in our networks and answer the question: What are the zones on my network? Using a product such as Cisco Cyber Vision, an ICS visibility tool that is embedded into the network infrastructure, operators can identify assets that belong to a process and assign them to a group for easier visualization. Rather than focusing attention on every flow, from every asset, communication can be visualized in the conduits between the zones, providing a blueprint of the policy that must be defined.
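To make the step from visibility to policy concrete, here is an added example (not Cisco's or Cyber Vision's code) that takes a constructed asset-to-zone inventory and a handful of constructed flow records, collapses them into zone-to-zone conduits, flags assets that have no zone yet, and emits the allow-list blueprint for those conduits. The zone names, addresses and ports are assumptions.

```python
from collections import defaultdict

# Constructed inventory: asset address -> ISA/IEC 62443 zone (e.g. one production line).
# 10.1.50.7 appears in the flows below but is deliberately absent here.
ZONES = {
    "10.1.1.10": "Line-A",  # PLC
    "10.1.1.11": "Line-A",  # HMI
    "10.1.2.10": "Line-B",  # PLC
    "10.1.2.11": "Line-B",  # HMI
    "10.1.9.5": "SCADA",    # supervisory server
}

# Constructed flow records: (source, destination, protocol, destination port)
FLOWS = [
    ("10.1.1.11", "10.1.1.10", "tcp", 44818),  # HMI -> PLC, stays inside Line-A
    ("10.1.9.5", "10.1.1.10", "tcp", 44818),   # SCADA -> Line-A PLC, crosses a zone boundary
    ("10.1.9.5", "10.1.2.10", "tcp", 502),     # SCADA -> Line-B PLC
    ("10.1.2.11", "10.1.2.10", "tcp", 502),    # HMI -> PLC, stays inside Line-B
    ("10.1.1.10", "10.1.2.10", "tcp", 502),    # Line-A PLC -> Line-B PLC: cross-line traffic to review
    ("10.1.50.7", "10.1.1.10", "tcp", 502),    # asset with no zone -> Line-A PLC
]


def build_conduits(zones, flows):
    """Collapse per-asset flows into zone-to-zone conduits.

    Returns (conduits, unassigned): conduits maps (src_zone, dst_zone) to the
    set of (proto, port) seen crossing that boundary; unassigned holds assets
    seen in flows but missing from the zone inventory. Intra-zone flows are
    dropped because policy is applied on the conduit, not inside the zone.
    """
    conduits = defaultdict(set)
    unassigned = set()
    for src, dst, proto, port in flows:
        src_zone, dst_zone = zones.get(src), zones.get(dst)
        unassigned.update(a for a, z in ((src, src_zone), (dst, dst_zone)) if z is None)
        if src_zone is None or dst_zone is None or src_zone == dst_zone:
            continue
        conduits[(src_zone, dst_zone)].add((proto, port))
    return dict(conduits), unassigned


def conduit_policy(conduits):
    """Express each conduit as explicit allow rules, closed by a default deny."""
    rules = [f"permit {proto}/{port} from {s} to {d}"
             for (s, d), services in sorted(conduits.items())
             for proto, port in sorted(services)]
    rules.append("deny any other inter-zone traffic")
    return rules
```

Running it on the constructed data reduces six asset-level flows to three conduits, and the unassigned set shows which asset still needs to be placed in a zone before the policy is complete.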
Through its integration with Cisco ISE, Cyber Vision shares its grouping information so that operations managers can create and manage asset groups in their operational technology (OT) visibility tool, while information technology (IT) can easily create the proper control rules between those zones in ISE.
Until then, have a look at Cisco's ISA/IEC 62443-3-3 white paper and subscribe to the Industrial Security Newsletter.