The first area of focus is segmentation: secured connectivity from top to bottom. At the top, ensure that you have a dedicated Industrial DMZ (IDMZ), with a FirePower Next-Generation Firewall (NGFW) as the primary enforcement point. Below that, we want to build a resilient, defensible network infrastructure.
Like all projects, you need to have a starting point, a process, and hopefully a finish.
Segmentation is no different. We first look to the most critical boundary, the one between the operational network and the business network or internet, and ensure that there is a strong demilitarized zone (DMZ) between the two.
After that we need to discover and prioritize the components at each of the boundaries below it.
In a manufacturing plant this might mean identifying production lines, individual cells, or machines at each site, and it could mean delving deeper to identify the components within each machine.
In an electric utility it might mean identifying a clear Electronic Security Perimeter (ESP) for each site, and it could mean delving deeper to identify the components within each bay.
In either case you will need to find out what is out there and do so at scale.
This is not just a task for tools: operators have to get involved to confirm that what is visible on the network aligns with the functions we need to segregate. And it is not just about assets: detecting the interactions between assets requires protocol and application understanding, so again both tools and people will be at play.
Finally, we perform the segmentation. At this point we take what was discovered and align it with a resilient, defensible network design, and we realize that design with modern network equipment and application-aware control points. With proper visibility, design, and equipment, you can protect diverse assets from spillover effects while improving resiliency and defensibility.
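The discover, map, and segment sequence above, carried through as an added example (this is not code from the original page or from any vendor product): observed flows are mapped to zones, cross-zone conduits are named by application, conduits that skip a level of the reference architecture are flagged for the operators, and the remaining conduits become the allow-list for the boundary control point. The zone inventory, the level model (Enterprise, IDMZ, Site-Ops, cells), the port-to-protocol table and the flow records are all constructed assumptions for illustration.

```python
"""Segmentation audit from observed flows: zones, conduits, violations.

Added example, not code from the original article. The zone map, level
model, protocol table and flow records below are all constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed zone inventory: subnet -> zone. In practice this comes from the
# site survey that the operators validate, not from the tool alone.
ZONES = {
    "192.168.100.0/24": "Enterprise",
    "172.16.5.0/24": "IDMZ",
    "10.20.0.0/24": "Site-Ops",
    "10.10.1.0/24": "Cell-A",
    "10.10.2.0/24": "Cell-B",
}

# Assumed reference architecture: traffic may only cross one level at a time
# (Enterprise <-> IDMZ <-> Site-Ops <-> Cell). Cells never talk to each other.
LEVEL = {"Enterprise": 4, "IDMZ": 3, "Site-Ops": 2, "Cell-A": 1, "Cell-B": 1}

# Default ports of common industrial and remote-access protocols, used to
# turn a (l4, port) pair into an application name for the policy.
PROTOCOLS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 102): "S7comm",
    ("tcp", 4840): "OPC UA",
    ("tcp", 20000): "DNP3",
    ("tcp", 443): "HTTPS",
    ("tcp", 3389): "RDP",
}

# Constructed flow records (src, dst, l4, dst_port), as a flow collector or
# passive sensor would export them. Comments give the intended meaning.
FLOWS = [
    ("10.10.1.10", "10.10.1.20", "tcp", 502),       # HMI -> PLC, inside Cell-A
    ("10.10.1.10", "10.10.1.21", "tcp", 44818),     # HMI -> drive, inside Cell-A
    ("10.10.2.10", "10.10.2.20", "tcp", 102),       # HMI -> PLC, inside Cell-B
    ("10.20.0.5", "10.10.1.20", "tcp", 502),        # site historian polls Cell-A
    ("10.20.0.5", "10.10.2.20", "tcp", 102),        # site historian polls Cell-B
    ("172.16.5.8", "10.20.0.5", "tcp", 4840),       # IDMZ data broker -> Site-Ops
    ("192.168.100.50", "172.16.5.8", "tcp", 443),   # business user -> IDMZ broker
    ("192.168.100.77", "10.10.2.20", "tcp", 3389),  # business host straight to a PLC
    ("10.10.1.10", "10.10.2.20", "tcp", 502),       # Cell-A HMI writing to Cell-B PLC
]

_NETS = [(ipaddress.ip_network(n), z) for n, z in ZONES.items()]


def zone_of(ip):
    """Map an address to its zone; anything outside the inventory is UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETS:
        if addr in net:
            return zone
    return "UNKNOWN"


def app_of(l4, port):
    """Name the application from its default port, or fall back to l4/port."""
    return PROTOCOLS.get((l4, port), f"{l4}/{port}")


def audit(flows):
    """Return assets per zone, cross-zone conduits, conduits that violate the
    level model, and the allow-list a boundary control point would enforce."""
    assets = defaultdict(set)
    conduits = defaultdict(set)  # (src_zone, dst_zone) -> {application}
    for src, dst, l4, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        assets[sz].add(src)
        assets[dz].add(dst)
        if sz != dz:  # intra-zone traffic needs no boundary control point
            conduits[(sz, dz)].add(app_of(l4, port))
    violations, rules = [], []
    for (sz, dz), apps in sorted(conduits.items()):
        # UNKNOWN zones get an impossible level so they are always flagged.
        adjacent = abs(LEVEL.get(sz, -99) - LEVEL.get(dz, -99)) == 1
        for app in sorted(apps):
            if adjacent:
                rules.append(f"allow {sz} -> {dz} {app}")
            else:
                violations.append((sz, dz, app))
    rules.append("deny any -> any")  # default deny at every boundary
    return {"assets": dict(assets), "conduits": dict(conduits),
            "violations": violations, "rules": rules}


if __name__ == "__main__":
    report = audit(FLOWS)
    for zone, hosts in sorted(report["assets"].items()):
        print(f"{zone}: {len(hosts)} assets")
    for v in report["violations"]:
        print("VIOLATION", v)
    print("\n".join(report["rules"]))
```

On the constructed flows the audit reports two violations, the business host reaching a Cell-B PLC over RDP and the Cell-A HMI writing Modbus into Cell-B, and emits only the level-adjacent conduits as allow rules ahead of a default deny. The violations are the list the operators review: each is either a design problem to fix or a conduit that must be deliberately added to the policy, which is the people-plus-tools step the text describes.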