What’s the most critical information in your control system network? If you’re like most life sciences OT/IT professionals I meet, you’ll be able to answer that question even before I finish asking it.
Identifying critical system data – and recognizing the need to protect it – in many ways is the easy part. But designing a network infrastructure that can both help mitigate cybersecurity risk and take advantage of the latest Internet of Things (IOT) technologies can be a sticking point.
Certainly, today’s life sciences companies recognize the advantages of connecting more information across their enterprise to enhance electronic batch records and reporting – and enable advanced analytics and other digital technologies.
However, in their quest for greater connectivity, they could be making network choices that inadvertently introduce risk.
Is your network infrastructure intentional or unintentional?
Think about it. How do you enable disparate systems to share data?
Of course, the easiest way to achieve that goal is to put everything on the same network. And that’s not an uncommon occurrence.
For convenience, an organization may decide to move forward with a flat, unsegmented network – where information is freely exchanged. More commonly, an unsegmented network is an unintentional result of a legacy infrastructure that has expanded over time without benefit of VLANs, firewalls and other boundaries.
The problem with unsegmented networks
Regardless of the cause, an unsegmented network may enable easy access and communication – but it does so with a hefty price.
First, a flat, unsegmented network infrastructure exposes both non-critical and critical data equally to cybersecurity risk. Without network boundaries or access limitations, attackers can exploit the most vulnerable points of entry and move deeper into the network or anything connected to it.
Content at risk could range from manufacturing and recipe information – to clinical trial data, pricing and marketing strategies.
Additionally, an unsegmented network is typically an inefficient network. Companies may not initially be aware of network performance issues simply because they can still run their operation. But as systems are updated and new capabilities are added, network traffic increases, network collisions and slowdowns occur more frequently – and production issues often surface.
Have you or someone you know ever lost data…or system visibility? It happens.
As part of a defense-in-depth approach, network segmentation – or splitting a network into smaller networks – can help mitigate unnecessary broadcast traffic and limit what is immediately available to an attacker.
Building segmentation into your systemDid you consider network design and performance when you built your automation system? And how do you incorporate segmentation to help limit the reach of a potential breach and improve network performance?
In my experience, most life sciences companies are great at managing their production processes. But many just don’t realize how the options they’ve chosen impact the network infrastructure. As a result, they may be unaware of the content scope and traffic patterns in their existing infrastructure – and potential risks and performance limitations.
A system audit can help you gain a better understanding of what content is included in your system, how devices communicate and how information travels. As a first step, a system audit will provide you with the foundational information you need to identify potential risks and evaluate performance improvements.
Once an audit is complete, conducting a risk assessment aligned with IEC 62443 guidance is an industry best practice that can lead you down the right path to better network design and segmentation.
IEC 62443 is a series of international standards that provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS). Specifically, IEC 62443-3-2 provides risk assessment guidelines.
A risk assessment will provide a picture of your current security posture and what you need to do to achieve an acceptable risk state.
No doubt, you will find that different areas in your system have different security needs. The risk assessment will help you make reasonable decisions regarding the level of risk you’re willing to take to implement new technologies – and how to segment your network logically to achieve both security and productivity goals.
Depending on your requirements, you may choose multiple segmentation methods including access control lists, firewalls, VLANS, industrial demilitarized zones (IDMZ), and other technologies.
Securing your connected facility
Keep in mind, network segmentation is just one of many practices recommended as part of a defense-in-depth approach to cybersecurity. An effective strategy includes multiple layers of protection ranging from physical security devices as simple as doors to sophisticated electronic and procedural safeguards.
And an effective strategy is an ongoing process that requires not only thoughtful design, but also active intervention – and maintenance.
Learn how Rockwell Automation can help you design and maintain your system in alignment with IEC 62443 guidelines. And check out our latest IEC 62443 certifications.
Published January 14, 2020
