How to Gain Operational Excellence Safely and Securely

Third phase: Converged security and depth

The final stage is to coordinate security policy across the boundaries between IT and OT. Because the long-term goal is to optimize processes, this means a greater flow of data upward from the plant floor. To achieve that and the other major use cases, we will need to build strong foundations and reduce the fiefdoms of security policy.

Finally, there is the very challenging problem of ensuring that outside vendors have access to only the right piece of equipment—and only when actually necessary. Whether outside techs are reaching in from afar, or walking into the plant and plugging their laptops in, you need to be able to control what they have access to.

Our end-to-end security story helps address the complex challenge of external vendor access.

Converged Security Diagram (figure): when a vendor needs access to your network, the session travels through the Internet/cloud, corporate IT, the control layer, and the things layer (the plant-floor devices). The steps shown in the diagram are:

1. The Next Generation Firewall (NGFW) provides remote access using the AnyConnect client.

2. The Identity Services Engine (ISE) authenticates the remote vendor against Active Directory.

3. ISE assigns a Security Group Tag (SGT) based on the authorization policy.

4. The NGFW sees and reports the actions of the vendor.

The reliance on partners to help maintain your operations represents a complex security challenge. You need their help, but they do represent a potential threat to your operation’s security.

There are a lot of questions at play. How can we know the security state of the partner’s equipment when they dial in? How do we dynamically establish a path across our business network all the way to the only piece of equipment they need to touch? And if we are dealing with a robot or dangerous device in proximity to humans, then we have to be able to provide a “line of sight” for the remote tech to know what is happening.

Naturally we are crossing multiple organizational boundaries. Even within your own company, how do you coordinate access across those boundaries? Then there is the question of what that technician is doing with the equipment. Is there any means to know, or to enforce, that only the actions that were agreed to will happen? Could you do anything if they do not?

Finally—how do you control the vendor’s security state, access, and actions when they walk onto the plant floor? With an end-to-end solution like Cisco’s, you have a chance. And when you progress through your security evolution, you can work from a proper base to make these things happen.