At Cisco and Rockwell Automation, our goal is not just to use Converged Plantwide Ethernet (CPwE) to connect factory equipment, IT solutions, cloud solutions, and staff.
It’s to help organizations accomplish more via that connection—while keeping their organization safe.
With CPwE Opportunities Come CPwE Risks
As you add industrial devices to the Ethernet network, you provide cyber threats—from common cybercriminals to nation states and terrorists—with entry points to access and take control of them.
From there, the possibilities are frightening. And numerous.
To protect industrial devices against these risks, you need two things: a clear view of your network activity and the ability to segment your network into discrete parts.
Network Visibility Must Extend to Industrial Devices
Without an accurate view of what’s happening on the IT/OT network, your security team can’t identify attacks or create effective policies to govern access.
The challenge is that many common IT network monitoring tools can’t deliver the visibility required. Why? Industrial assets use IACS protocols that the tools simply were never intended to support.
To help customers enable a more comprehensive plant view, Cisco and Rockwell Automation offer a joint IT/OT monitoring tool that supports both core IT protocols and the Common Industrial Protocol (CIP).
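The gap described above can be made concrete with a small decoder. The following Python is an added illustration, not Cisco's, Rockwell Automation's, or the joint tool's code: it compares what a port-only view of TCP/44818 (the EtherNet/IP port that carries CIP explicit messaging) reports against what a parser that understands the 24-byte EtherNet/IP encapsulation header can report. The packets, addresses and session handle are constructed for the example; the header layout and command codes are those of the public EtherNet/IP specification.

```python
"""Protocol-aware visibility for CIP over EtherNet/IP (added illustration, not vendor code)."""
import struct
from collections import Counter, defaultdict

ENIP_TCP_PORT = 44818

# Command codes from the EtherNet/IP encapsulation header.
ENIP_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

# Encapsulation header: command, length, session handle, status,
# 8-byte sender context, options; all little-endian, 24 bytes total.
HEADER = struct.Struct("<HHII8sI")


def parse_enip_header(payload: bytes):
    """Return the decoded header, or None if the bytes are not a plausible ENIP message."""
    if len(payload) < HEADER.size:
        return None
    cmd, length, session, status, context, options = HEADER.unpack_from(payload)
    if cmd not in ENIP_COMMANDS:
        return None
    if len(payload) - HEADER.size < length:  # truncated or malformed
        return None
    return {
        "command": ENIP_COMMANDS[cmd],
        "length": length,
        "session": session,
        "status": status,
    }


def build_enip(cmd: int, session: int = 0, data: bytes = b"") -> bytes:
    """Helper used only to construct the sample packets below."""
    return HEADER.pack(cmd, len(data), session, 0, b"\x00" * 8, 0) + data


# Constructed sample traffic: (src, dst, dport, tcp payload). Addresses are assumptions.
SAMPLE = [
    ("10.2.0.10", "10.3.7.101", ENIP_TCP_PORT,
     build_enip(0x0065, data=struct.pack("<HH", 1, 0))),          # RegisterSession
    ("10.2.0.10", "10.3.7.101", ENIP_TCP_PORT,
     build_enip(0x006F, session=0x11223344, data=b"\x00" * 16)),  # SendRRData on that session
    ("10.1.5.20", "10.3.7.101", ENIP_TCP_PORT,
     build_enip(0x0063)),                                         # ListIdentity from an enterprise host
    ("10.1.5.20", "10.3.7.101", ENIP_TCP_PORT,
     b"GET / HTTP/1.1\r\n"),                                      # something else on the same port
]


def generic_view(packets):
    """What a port-based IT tool reports: a single counter per transport port."""
    return dict(Counter(f"tcp/{dport}" for _, _, dport, _ in packets))


def summarize(packets):
    """What a CIP-aware tool reports: per-device counts of ENIP commands, plus non-ENIP noise."""
    per_device = defaultdict(Counter)
    for _src, dst, dport, payload in packets:
        if dport != ENIP_TCP_PORT:
            continue
        hdr = parse_enip_header(payload)
        per_device[dst][hdr["command"] if hdr else "non-ENIP"] += 1
    return {dst: dict(counts) for dst, counts in per_device.items()}


if __name__ == "__main__":
    print("port-only view:", generic_view(SAMPLE))
    print("CIP-aware view:", summarize(SAMPLE))
```

The port-only view collapses everything to one line, `tcp/44818: 4`. The CIP-aware view separates the session setup and data exchange coming from the IDMZ host from an identity query arriving from an enterprise address and from a payload that is not EtherNet/IP at all, which is the level of detail an access policy or an alert needs to reason about.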
Segment Your Network to Control Infiltrations
Cybercriminals infiltrate IACS networks by looking for the most vulnerable point and exploiting it.
To combat this, network segmentation divides your network into smaller zones with tightly controlled flow of data between them. Traffic (and attackers or malware) can’t move from one zone to another without permission.
For industrial customers, a common segmentation method is to separate the industrial zone from the enterprise zone via an industrial demilitarized zone (IDMZ). OT/IT teams then collaborate to define access to each zone via access control lists (ACLs).
However, managing ACLs by hand can be tedious. And large lists can affect the performance of network devices.
That’s why, to make segmentation simpler and more flexible, we enable you to define access policies using security groups. Pre-defined group tags can be automatically applied to assets based on their location, purpose, user intent, and more.
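To show the difference between the two policy styles the section contrasts, here is an added Python model that is not Cisco's or Rockwell Automation's code. It evaluates the same sample flows against an address-based ACL at the zone boundaries and against a policy keyed on security group tags. The three zones, their address ranges, the tag assignments and the specific permitted services are constructed assumptions; TCP/44818 and UDP/2222 are the standard EtherNet/IP ports for CIP explicit and implicit messaging.

```python
"""Zone ACL versus security-group policy for a CPwE-style layout (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# Constructed addressing plan for the three zones (assumption, not from the page).
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),
    "idmz": ip_network("10.2.0.0/24"),
    "industrial": ip_network("10.3.0.0/16"),
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


# Style 1: address-based ACL at the zone boundaries. First match wins and, as on a
# router, anything not matched falls through to an implicit deny.
# Entry layout: (action, src_net, dst_net, proto or None, dport or None)
ACL = [
    ("permit", "10.1.0.0/16", "10.2.0.0/24", "tcp", 443),    # enterprise -> IDMZ data broker (HTTPS)
    ("permit", "10.2.0.0/24", "10.3.0.0/16", "tcp", 44818),  # IDMZ broker -> industrial (EtherNet/IP)
    ("deny", "10.1.0.0/16", "10.3.0.0/16", None, None),      # enterprise never reaches industrial directly
]


def acl_decision(flow: Flow) -> str:
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for action, s, d, proto, dport in ACL:
        if (src in ip_network(s) and dst in ip_network(d)
                and proto in (None, flow.proto) and dport in (None, flow.dport)):
            return action
    return "deny"  # implicit deny


# Style 2: group-based policy. Each asset carries a tag from the inventory and the
# policy is a matrix on (source tag, destination tag); a new asset is covered by
# assigning it a tag rather than by editing address-based entries.
TAGS = {
    "10.1.5.20": "office_user",
    "10.2.0.10": "idmz_broker",
    "10.3.7.101": "plc",
    "10.3.7.102": "plc",
    "10.3.9.5": "hmi",
}
POLICY = {
    ("office_user", "idmz_broker"): {("tcp", 443)},
    ("idmz_broker", "plc"): {("tcp", 44818)},
    ("hmi", "plc"): {("tcp", 44818), ("udp", 2222)},
}


def sgt_decision(flow: Flow) -> str:
    key = (TAGS.get(flow.src, "untagged"), TAGS.get(flow.dst, "untagged"))
    return "permit" if (flow.proto, flow.dport) in POLICY.get(key, set()) else "deny"


def evaluate(flows):
    return [
        {"flow": f, "path": f"{zone_of(f.src)}->{zone_of(f.dst)}",
         "acl": acl_decision(f), "sgt": sgt_decision(f)}
        for f in flows
    ]


# Constructed sample flows exercising the interesting cases.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.10", "tcp", 443),     # enterprise -> IDMZ: both styles permit
    Flow("10.1.5.20", "10.3.7.101", "tcp", 44818),  # enterprise -> PLC: both styles deny
    Flow("10.2.0.10", "10.3.7.101", "tcp", 44818),  # IDMZ broker -> PLC: both styles permit
    Flow("10.3.9.5", "10.3.7.102", "udp", 2222),    # HMI -> PLC inside the industrial zone:
                                                    #   boundary ACL has no entry, tag policy permits
    Flow("10.2.0.10", "10.3.7.103", "tcp", 44818),  # IDMZ broker -> PLC added but not yet tagged:
                                                    #   ACL permits by address range, tag policy denies
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_FLOWS):
        print(f"{r['path']:<24} acl={r['acl']:<6} sgt={r['sgt']}")
```

The last two flows carry the point: the boundary ACL says nothing about an HMI talking to a PLC inside the industrial zone, while the tag matrix expresses that relationship directly; and a device added to the industrial range is reachable under the ACL immediately but stays denied under the group policy until someone deliberately tags it.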
Controlling Access for Partners and Mobile Employees
Increasingly, industrial organizations are being asked to enable secure access for partners and mobile workers.
Cisco Identity Services Engine (ISE) allows IT to define roles for employees and trusted partners. These roles can be configured to permit and limit access to assets within the industrial and enterprise network.
Cisco ISE also provides a self-service registration portal for plant personnel, vendors, partners, and guests to register and provision new devices automatically.
Defense in Depth is More Than Visibility and Segmentation
It’s critical to keep in mind that no single product, technology, or methodology can fully secure plant-wide architectures. Visibility and segmentation are critical, but they’re only two parts of your larger strategy.
Protecting IACS assets requires a holistic defense-in-depth security approach that addresses internal and external security threats.