How to Gain Operational Excellence Safely and Securely

First phase: Secure connectivity and segmentation

The first area of focus is segmentation: having secured connectivity from top to bottom. At the top, ensure that you have a dedicated Industrial DMZ, with a Firepower Next-Generation Firewall (NGFW) as the primary enforcement point. Below that, we would like to create a resilient, defensible network infrastructure.

For manufacturing environments: our Industrial Ethernet switch infrastructure would be optimal for the lower levels of your factory.
For utility environments: our Industrial routers, switches, and wireless infrastructure would be optimal for the lower levels of your generation or distribution system.

Segment in stages to avoid interrupting operations

Like all projects, you need to have a starting point, a process, and hopefully a finish.

For segmentation it is the same. In this case we first look to the most critical boundary, the interconnect between the operational network and the business network or internet, and ensure that we have a strong demilitarized zone (DMZ) boundary between them.

After that we need to discover and prioritize the components at their respective boundaries.

What’s an industrial demilitarized zone (IDMZ)?

Sometimes referred to as a perimeter network, the IDMZ is a buffer that enforces data security policies between a trusted network (industrial zone) and an untrusted network (enterprise zone). The IDMZ is an additional layer of defense-in-depth to securely share IACS data and network services between the industrial and enterprise zones. The demilitarized zone concept is commonplace in traditional IT networks, but is still in early adoption for IACS applications.

Source: Rockwell Automation

Manufacturing

This might mean identifying production lines, individual cells or machines for your different sites, and it could mean delving deeper to identify components within each machine.

Utilities

This might mean identifying a clear ESP (Electronic Security Perimeter) for your different sites, and it could mean delving deeper to identify components within each bay.

In either case you will need to find out what is out there and do so at scale.

This is not just a task for tools: operators will have to get involved to ensure that what is visible to the network aligns with the functions we need to segregate. Nor is it just about assets: detecting the interactions between assets requires protocol and application understanding. Again, both tools and people will be at play.

Finally, we take steps to perform the segmentation. At this point we take what was discovered and align it with a resilient and defensible network design. And of course, we fulfill that network design with modern network equipment and application-aware control points. With proper visibility, design, and equipment, you can protect diverse assets from potential spillover effects while improving resiliency and defensibility.
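The three stages above (establish the IDMZ boundary, discover and prioritize assets and their interactions, then segment) can be rehearsed against observed traffic before any enforcement is changed. The following is an added example written for this page, not Cisco's or Rockwell Automation's code: it takes constructed flow records (source, destination, destination port), assigns each endpoint to a zone from an assumed enterprise/IDMZ/industrial address plan, labels the industrial protocol in use so that asset interactions can be reviewed, and flags two kinds of findings a segmentation project needs before enforcement: enterprise-to-industrial flows that bypass the IDMZ, and assets that belong to no known zone and therefore still need to be discovered and classified. All subnets, hosts and flows are constructed sample data.

```python
"""Staged segmentation review from observed flows (added example; sample data is constructed)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan for the example: enterprise zone, IDMZ, and industrial zone.
ZONES = {
    "enterprise": [ip_network("10.1.0.0/16")],
    "idmz": [ip_network("10.50.0.0/24")],
    "industrial": [ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")],
}

# Well-known destination ports for common industrial protocols; everything else is "other".
INDUSTRIAL_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.10.20", 44818),   # HMI -> PLC over EtherNet/IP, inside the cell
    ("192.168.10.5", "192.168.10.21", 502),     # HMI -> PLC over Modbus/TCP, inside the cell
    ("192.168.10.30", "10.50.0.10", 1433),      # site historian -> IDMZ mirror (SQL replication)
    ("10.1.4.7", "10.50.0.10", 443),            # enterprise user -> IDMZ mirror over HTTPS
    ("10.1.4.7", "192.168.10.21", 502),         # enterprise host -> PLC directly: bypasses the IDMZ
    ("192.168.30.9", "192.168.10.20", 44818),   # source in no known zone: discovery gap
]


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is outside the address plan."""
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"


def label_protocol(dport: int) -> str:
    """Name the industrial protocol by destination port, or 'other' for generic IT traffic."""
    return INDUSTRIAL_PORTS.get(dport, "other")


def analyze_flows(flows):
    """Return (inventory, interactions, findings).

    inventory:    zone -> set of asset addresses seen in that zone
    interactions: set of (source zone, destination zone, protocol) tuples
    findings:     flows that violate the staged design or involve unclassified assets
    """
    inventory = defaultdict(set)
    interactions = set()
    findings = []
    for src, dst, dport in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        proto = label_protocol(dport)
        inventory[src_zone].add(src)
        inventory[dst_zone].add(dst)
        interactions.add((src_zone, dst_zone, proto))
        # Stage 1 policy: enterprise and industrial zones only exchange data via the IDMZ.
        if {src_zone, dst_zone} == {"enterprise", "industrial"}:
            findings.append({"src": src, "dst": dst, "dport": dport, "protocol": proto,
                             "reason": "direct enterprise/industrial flow bypasses the IDMZ"})
        # Stage 2 gap: an endpoint outside every known zone still needs discovery and classification.
        elif "unknown" in (src_zone, dst_zone):
            findings.append({"src": src, "dst": dst, "dport": dport, "protocol": proto,
                             "reason": "unassigned asset: not yet placed in any zone"})
    return dict(inventory), interactions, findings


if __name__ == "__main__":
    inventory, interactions, findings = analyze_flows(SAMPLE_FLOWS)
    for zone, assets in sorted(inventory.items()):
        print(f"{zone:11s} {sorted(assets)}")
    for src_zone, dst_zone, proto in sorted(interactions):
        print(f"interaction {src_zone} -> {dst_zone} via {proto}")
    for finding in findings:
        print(f"FINDING {finding['src']} -> {finding['dst']}:{finding['dport']} ({finding['reason']})")
```

Run as a script it prints the per-zone inventory, the zone-to-zone interaction list (the input to an application-aware policy on the enforcement points) and the findings; in practice the flow records would come from the switches' flow export rather than a literal list, and the interaction list is what operators review to confirm that what the network sees matches the functions being segregated.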