The final stage is to coordinate security policy across the boundary between IT and OT. Because the long-term goal is to optimize processes, that means a greater flow of data upward, from OT into IT. To achieve that and other major use cases, we will need to build strong foundations and reduce the fiefdoms of security policy.
Finally, there is the very challenging problem of ensuring that outside vendors have access to only the right piece of equipment—and only when actually necessary. Whether outside techs are reaching in from afar, or walking into the plant and plugging their laptops in, you need to be able to control what they have access to.
1. Next Generation Firewall (NGFW) provides access using the AnyConnect client
2. Identity Services Engine (ISE) authenticates the remote vendor against Active Directory
3. ISE assigns a Security Group Tag (SGT) based on authorization policy
4. NGFW sees and reports the actions of the vendor
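As an added illustration (not Cisco's code, and not the ISE or NGFW APIs), the following Python models the four steps above as a toy policy engine: directory authentication plus a posture check, SGT assignment gated by a maintenance window, per-SGT destination filtering down to a single device, and an audit trail of every decision. All accounts, group names, SGT names, addresses and time windows are constructed placeholders.

```python
import hmac
from datetime import datetime, timezone

# Constructed directory: vendor accounts and their AD-style groups (placeholder data)
DIRECTORY = {
    "acme-tech-01": {"password": "correct-horse", "groups": ["Vendor-ACME"]},
    "plant-eng-02": {"password": "battery-staple", "groups": ["Plant-Engineering"]},
}
# Authorization policy: group -> SGT (constructed names, not real ISE objects)
GROUP_TO_SGT = {"Vendor-ACME": "SGT_Vendor_ACME", "Plant-Engineering": "SGT_Plant_Eng"}
# Firewall policy: SGT -> (destination, port) pairs it may reach
SGT_POLICY = {
    "SGT_Vendor_ACME": {("10.10.5.21", 502)},  # exactly one PLC, Modbus/TCP only
    "SGT_Plant_Eng": {("10.10.5.21", 502), ("10.10.5.22", 44818), ("10.10.7.10", 443)},
}
# Maintenance windows (UTC hours, half-open): a vendor SGT is only issued when scheduled
MAINT_WINDOW = {"SGT_Vendor_ACME": (8, 12)}
AUDIT_LOG = []  # what ISE/NGFW would report about the session
# Constructed sample timestamps: one inside the vendor window, one outside it
IN_WINDOW = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)
AFTER_HOURS = datetime(2024, 1, 1, 14, tzinfo=timezone.utc)

def assign_sgt(user, password, posture_ok, now):
    """ISE-style step: authenticate against the directory, check endpoint posture
    and the maintenance window, then map the account's group to an SGT. None = denied."""
    acct = DIRECTORY.get(user)
    if acct is None or not hmac.compare_digest(acct["password"], password):
        AUDIT_LOG.append(f"{now.isoformat()} DENY auth user={user}")
        return None
    if not posture_ok:
        AUDIT_LOG.append(f"{now.isoformat()} DENY posture user={user}")
        return None
    sgt = next((GROUP_TO_SGT[g] for g in acct["groups"] if g in GROUP_TO_SGT), None)
    window = MAINT_WINDOW.get(sgt)
    if sgt is None or (window and not window[0] <= now.hour < window[1]):
        AUDIT_LOG.append(f"{now.isoformat()} DENY window user={user} sgt={sgt}")
        return None
    AUDIT_LOG.append(f"{now.isoformat()} ALLOW auth user={user} sgt={sgt}")
    return sgt

def check_flow(sgt, dst, port, now):
    """NGFW-style step: permit only the destinations listed for the SGT, and
    record every decision so the vendor's actions can be reviewed afterwards."""
    allowed = (dst, port) in SGT_POLICY.get(sgt, set())
    AUDIT_LOG.append(f"{now.isoformat()} {'ALLOW' if allowed else 'DENY'} flow sgt={sgt} dst={dst}:{port}")
    return allowed

if __name__ == "__main__":
    sgt = assign_sgt("acme-tech-01", "correct-horse", True, IN_WINDOW)
    print(check_flow(sgt, "10.10.5.21", 502, IN_WINDOW), check_flow(sgt, "10.10.5.22", 44818, IN_WINDOW), *AUDIT_LOG, sep="\n")
```

The vendor account reaches the one PLC it is scheduled to service and nothing else; a second device, a failed posture check, or a login outside the window is denied and logged.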
The reliance on partners to help maintain your operations represents a complex security challenge. You need their help, but they do represent a potential threat to your operation’s security.
There are a lot of questions at play. How can we know the security state of the partner’s equipment when they dial in? How do we dynamically establish a path across our business network all the way to the only piece of equipment they need to touch? And if we are dealing with a robot or dangerous device in proximity to humans, then we have to be able to provide a “line of sight” for the remote tech to know what is happening.
Naturally we are crossing multiple organizational boundaries. Even within your own company, how do you coordinate access across those boundaries? Then there is the question of what that technician is doing with the equipment. Is there any means to know, or to control, that only the actions that were agreed to are going to happen? Could you do anything if they are not?
Finally—how do you control the vendor’s security state, access, and actions when they walk onto the plant floor? With an end-to-end solution like Cisco’s, you have a chance. And when you progress through your security evolution, you can work from a proper base to make these things happen.