It's High Time for OT Security

Headlines about cyberattacks can be found in the media almost every day. Even manufacturing companies are not spared. An attack on a production plant can have devastating consequences. This makes it all the more important to protect yourself against such risks. We explain the measures you can take to protect yourself against attacks.


Network Segmentation for Secure Operating Technology

  • August 8, 2022: Cyber attack on a provider of IT services in Frankfurt/Main
  • August 7, 2022: Hacker attack on a provider of medical products in Franconia
  • August 4, 2022: Cyber attack on chambers of industry and commerce in Germany

Headlines about cyberattacks like these appear in the media almost daily. The German Federal Office for Information Security (BSI) rates the threat to cyber security in 2023 as "higher than ever before". Even manufacturing companies are not spared from cybercrime. An attack on a production plant can quickly bring it to a standstill, and the resulting damage runs into millions. To prevent this, it is worth taking a close look at OT security.

IEC 62443 and Defense in Depth


The IEC 62443 series of standards is currently regarded as the industry standard for cybersecurity by test centers, product manufacturers and operators. Following the multi-layered "Defense in Depth" concept, it defines three central zones for protecting an industrial plant:

  1. Plant security
  2. Network security
  3. System integrity
     

Here we focus on network security, which is largely determined by the underlying segmentation.

Risks in Existing Systems due to Established Structures 

The first step in securing the system technology is to review the network architecture. This begins with an inventory of the logical and physical network layout. Such a review frequently uncovers structures that have grown historically rather than by design.

The following security risks can come to light: 

  • No clear separation between IT and OT
  • No channeling of IT access, multiple access points from IT to OT
  • No segmentation and cell formation of sub-systems
  • Direct connections from IT devices to OT and vice versa
  • Direct connection of networks of different security classes through multihoming (end devices as participants in several networks) 

These conceptual security risks make it easier for viruses and malware from the IT side to reach production. Even more critical, however, is that once an infection has occurred, malware can spread across many networks, plant components, machines and even sites.

The aim of sensible segmentation is to restrict unnecessary cross-functional network traffic. Necessary cross-functional data exchange is strictly regulated and monitored, and is available only to those end devices that actually need the information. This ensures the best possible security and performance of the network and therefore of the entire system technology.

Network Segmentation in Practice 

The network layout shown here illustrates an exemplary segmentation of a modern paper mill's OT network. When designing the network architecture, the system requirements of IEC 62443-3-3 were taken into account and consistently implemented.

In this example, the OT network is segmented horizontally and vertically. The vertical segmentation, based on the "three-layer hierarchical model" developed by Cisco, is divided into access, distribution and core layers, where the distribution layer can in turn be subdivided into aggregation and backbone areas for medium-sized network architectures.

This type of segmentation, which channels the data flow upwards through the hierarchy, results in significantly fewer connections between individual devices and drastically reduces the complexity of a network.

The core layer is the point at which the OT network connects to the corporate network and, in this constellation, is usually not the responsibility of the operational technology organization.
 

Access Layer 

The components of individual machine and system parts are networked at access or cell level. Classic fieldbus networks can be found here in ring/line and tree structures, depending on the redundancy requirements. IEC 62443-3-3 requires a logical and physical separation of critical and non-critical automation networks. The required isolation is organized by forming so-called cells. The incoming and outgoing data stream of the cell can also be controlled by a cell firewall.
 

Criteria for Forming Cells

  • Functional relationship: Several machines of the same production line can form a cell
  • Real-time requirements: If there are high requirements for latency or clock synchronization between automation technology components, these components must be in the same cell
  • Functional safety: Applications that are critical in terms of functional safety, i.e. whose failure can lead to harm to personnel or machines, require separation from other non-critical applications
  • Risk: Devices that are considered critical in terms of IT security (e.g. computers with outdated operating systems) can be grouped in the same cell so that their incoming and outgoing data streams can be controlled.
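The four criteria above can pull in different directions: a safety PLC that also has a hard real-time link to the drives of its line satisfies two of them at once. The following Python script is an added example, not KRIKO's tooling or code from this article. It applies the criteria to a small constructed device inventory, assigns cells, and reports the conflicts that need an engineering decision instead of deciding them silently. The device names, their attributes and the precedence order in `assign_cell` are assumptions.

```python
"""Constructed cell-planning helper; an added example, not KRIKO's tooling.

Applies the four cell criteria (functional relationship, real-time
requirements, functional safety, risk) to a small device inventory and
reports where they conflict. Names, attributes and precedence are assumed.
"""
from collections import defaultdict

# Constructed inventory for two plant areas of a paper mill (PM1, SM1).
INVENTORY = [
    {"name": "PLC-PM1-Drives",   "line": "PM1", "rt_group": "drives", "safety": False, "legacy": False},
    {"name": "PLC-PM1-Reel",     "line": "PM1", "rt_group": "drives", "safety": False, "legacy": False},
    {"name": "HMI-PM1",          "line": "PM1", "rt_group": None,     "safety": False, "legacy": False},
    {"name": "SafetyPLC-PM1",    "line": "PM1", "rt_group": "drives", "safety": True,  "legacy": False},
    {"name": "QCS-PM1-Scanner",  "line": "PM1", "rt_group": None,     "safety": False, "legacy": True},
    {"name": "PLC-SM1-Winder",   "line": "SM1", "rt_group": "winder", "safety": False, "legacy": False},
    {"name": "Drive-SM1-Unwind", "line": "SM1", "rt_group": "winder", "safety": False, "legacy": False},
    {"name": "WinXP-SM1-Visu",   "line": "SM1", "rt_group": None,     "safety": False, "legacy": True},
]


def assign_cell(dev):
    """Map one device to a cell name.

    Precedence (an assumption): functional-safety devices get their own cell,
    outdated-OS devices are quarantined per plant area so their traffic can be
    filtered at the cell firewall, real-time partners share a cell, and
    everything else joins the general cell of its production line.
    """
    if dev["safety"]:
        return f"{dev['line']}-safety"
    if dev["legacy"]:
        return f"{dev['line']}-legacy"
    if dev["rt_group"]:
        return f"{dev['line']}-rt-{dev['rt_group']}"
    return f"{dev['line']}-general"


def plan_cells(inventory):
    """Return {device name: cell name} for the whole inventory."""
    return {dev["name"]: assign_cell(dev) for dev in inventory}


def validate(inventory, plan):
    """Check the plan against the criteria and return human-readable findings.

    The precedence in assign_cell can break a criterion, e.g. a safety PLC
    that also has a hard real-time link to drives; such cases are reported
    for an engineering decision rather than decided silently.
    """
    findings = []
    by_name = {dev["name"]: dev for dev in inventory}

    # Real-time partners must end up in the same cell.
    rt_cells = defaultdict(set)
    for dev in inventory:
        if dev["rt_group"]:
            rt_cells[(dev["line"], dev["rt_group"])].add(plan[dev["name"]])
    for (line, group), cells in rt_cells.items():
        if len(cells) > 1:
            findings.append(f"real-time group {line}/{group} split across cells {sorted(cells)}")

    # A cell must not mix safety with non-safety, outdated with current, or several lines.
    members = defaultdict(list)
    for name, cell in plan.items():
        members[cell].append(by_name[name])
    for cell, devs in members.items():
        if len({d["safety"] for d in devs}) > 1:
            findings.append(f"cell {cell} mixes safety-critical and non-critical devices")
        if len({d["legacy"] for d in devs}) > 1:
            findings.append(f"cell {cell} mixes outdated and current operating systems")
        if len({d["line"] for d in devs}) > 1:
            findings.append(f"cell {cell} spans several production lines")
    return findings


if __name__ == "__main__":
    plan = plan_cells(INVENTORY)
    for name, cell in sorted(plan.items(), key=lambda kv: kv[1]):
        print(f"{cell:16} {name}")
    for finding in validate(INVENTORY, plan):
        print("FINDING:", finding)
```

With this inventory the only finding is the real-time group `PM1/drives`, which is split because `SafetyPLC-PM1` was pulled into the safety cell; whether the safety PLC joins the drive cell or the link is routed through the cell firewall is exactly the kind of decision the criteria leave to the plant engineer.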
     

Aggregation Layer 

The main purpose of the aggregation layer is to connect the access level to the backbone, which demands high data rates from the switches used. In our example, the aggregation layers are divided according to the plant areas of the paper mill (PM, SM, power plant, equipment...). In addition, physical servers, clients, WLAN access points and similar devices that belong to one plant area only can be connected here. At this level it is advisable to use VLANs for the logical segmentation of certain functions, such as the terminal, system and management bus, as well as for connecting individual isolated cells. This requires VLAN-capable layer 2 switches.
 

Backbone Layer 

The backbone is the central connection point of the network. The network devices in this layer establish the connections from the aggregation levels to the hosts of the data center and the DMZ, and from there to IT. High-performance network devices and next-generation firewalls are used to coordinate and inspect data traffic.
 

Industrial Data Center 

This network area contains the hosts for providing all applications and services that are used exclusively in the OT network and do not require a direct connection to IT. These include virtualized control technology servers, engineering servers, network management, backup systems, production data acquisition and RADIUS. If a domain independent of IT is used for the OT area, the domain controllers can also be hosted here.
 

Industrial DMZ

All systems that require a direct connection to IT, or via IT to the Internet, are hosted in a physically and logically isolated network segment, the demilitarized zone (DMZ). This includes jump servers for remote access, Windows Update Services, anti-virus servers, MES, file transfer, data gateway servers and web services.
In practice, a DMZ can be created in two ways:

  1. Separate physical ports are used on a single (redundant) firewall where the DMZ is established. The traffic to and from the DMZ is monitored by the firewall. This is also shown in the example overview.
  2. It is even more secure to use two physically separate (redundant) firewalls, one on the DMZ side and one on the OT side. Ideally, the firewalls should be from two different manufacturers so that security gaps from one manufacturer do not necessarily jeopardize the overall security.

We generally recommend the use of redundant firewalls to ensure network availability even in the event of faults or firmware updates. 
The DMZ concept is the logical consequence of some of the system requirements of IEC 62443-3-3, in particular SR5.1 RE 2 "The automation system shall provide the capability to provide network services in automation networks without a connection to non-automation networks [...]."
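A first check of an existing network against the risks listed under "Risks in Existing Systems" (direct IT-to-OT connections, multiple uncontrolled access points, multihoming) and against the DMZ policy described in this section can be automated from firewall flow records and a host inventory. The following Python script is an added example, not code from this article or from KRIKO. It maps a constructed zone plan (IT, industrial DMZ, industrial data center, one aggregation network and two cells) and an allow-list of permitted zone pairs against a few constructed flow records, and checks a constructed host inventory for interfaces in networks of different security classes. All addresses, zone names, the record format and the allow-list are assumptions.

```python
"""Constructed segmentation audit; an added example, not code from the page or KRIKO.

Checks firewall-style flow records and a host inventory against an assumed
zone plan: direct IT-to-OT connections, cell-to-cell traffic that bypasses the
aggregation layer, and multihomed hosts bridging security classes are flagged.
"""
import ipaddress
import re

# Assumed zone map: CIDR and a security class that grows with depth into OT.
ZONES = {
    "IT":              ("10.0.0.0/16",     0),
    "DMZ":             ("10.100.0.0/24",   1),
    "DATACENTER":      ("10.110.0.0/24",   2),
    "AGG-PM1":         ("10.120.0.0/24",   2),
    "CELL-PM1-DRIVES": ("192.168.10.0/24", 3),
    "CELL-PM1-SAFETY": ("192.168.11.0/24", 3),
}
NETS = {z: (ipaddress.ip_network(cidr), cls) for z, (cidr, cls) in ZONES.items()}

# Directed zone pairs that may exchange traffic (assumed policy). IT reaches OT
# only via the DMZ; cells talk upwards to their aggregation network and to the
# data center through the cell firewall, never directly to another cell.
ALLOWED_PAIRS = {
    ("IT", "DMZ"), ("DMZ", "IT"),
    ("DMZ", "DATACENTER"), ("DATACENTER", "DMZ"),
    ("DMZ", "AGG-PM1"), ("AGG-PM1", "DMZ"),              # jump server, update services
    ("DATACENTER", "AGG-PM1"), ("AGG-PM1", "DATACENTER"),
    ("CELL-PM1-DRIVES", "AGG-PM1"), ("AGG-PM1", "CELL-PM1-DRIVES"),
    ("CELL-PM1-SAFETY", "AGG-PM1"), ("AGG-PM1", "CELL-PM1-SAFETY"),
    ("CELL-PM1-DRIVES", "DATACENTER"), ("DATACENTER", "CELL-PM1-DRIVES"),
}

# Constructed flow records in a simple key=value format.
FLOWS = [
    "ts=2022-08-08T10:01:02Z src=10.0.5.20 dst=10.100.0.10 dport=3389 proto=tcp",      # IT -> DMZ jump server
    "ts=2022-08-08T10:01:09Z src=10.0.5.20 dst=192.168.10.12 dport=502 proto=tcp",     # IT -> cell PLC
    "ts=2022-08-08T10:02:44Z src=192.168.10.12 dst=192.168.11.5 dport=102 proto=tcp",  # cell -> other cell
    "ts=2022-08-08T10:03:10Z src=192.168.10.12 dst=10.110.0.20 dport=4840 proto=tcp",  # cell -> data center
    "ts=2022-08-08T10:04:31Z src=10.120.0.7 dst=10.100.0.15 dport=8530 proto=tcp",     # aggregation -> DMZ
]

# Constructed host inventory: name -> configured interface addresses.
HOSTS = {
    "ENG-WS-01": ["10.0.7.40", "192.168.10.200"],  # office LAN and a cell: multihomed
    "HIST-01":   ["10.110.0.20"],
    "PDA-SRV":   ["10.110.0.30", "10.120.0.30"],   # two OT networks of the same class
}

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")


def zone_of(ip):
    """Return the zone name that contains ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for zone, (net, _cls) in NETS.items():
        if addr in net:
            return zone
    return None


def audit_flows(records):
    """Return one finding per flow that crosses a zone boundary the policy does not allow."""
    findings = []
    for rec in records:
        m = FLOW_RE.search(rec)
        if not m:
            findings.append(f"unparsable record: {rec.strip()}")
            continue
        src, dst = zone_of(m["src"]), zone_of(m["dst"])
        if src is None or dst is None:
            findings.append(f"unknown network in flow {m['src']} -> {m['dst']}")
        elif src != dst and (src, dst) not in ALLOWED_PAIRS:
            findings.append(f"{src} -> {dst} not permitted "
                            f"({m['src']} -> {m['dst']}:{m['dport']}/{m['proto']})")
    return findings


def audit_multihoming(hosts):
    """Flag hosts whose interfaces sit in networks of different security classes."""
    findings = []
    for host, addrs in hosts.items():
        zones = {z for z in (zone_of(a) for a in addrs) if z is not None}
        classes = {NETS[z][1] for z in zones}
        if len(classes) > 1:
            findings.append(f"{host} is multihomed across security classes: {sorted(zones)}")
    return findings


if __name__ == "__main__":
    for finding in audit_flows(FLOWS) + audit_multihoming(HOSTS):
        print("FINDING:", finding)
```

Run against real records, the allow-list is where the channelled exceptions mentioned in the text live (jump server, update services, production data acquisition); every flow outside it is either a missing policy entry or a connection to remediate. The multihoming check deliberately ignores hosts with interfaces in two OT networks of the same class, since only bridging between classes is the risk named above.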
 

KRIKO as a Partner for Industrial IT

Network segmentation is the key to secure operational reliability. By implementing it, you are taking a step in the right direction in terms of OT security. However, this should only be one part of an overall OT security concept. Only the interaction of different measures will successfully protect your production network against attacks. We will be happy to support you in creating your individual security concept. Please feel free to contact us!

 
