
Cisco IoT Solution Brief

Securing Industrial Networks

Benefits

Improve industrial cybersecurity by:
• Discovering and inventorying assets
• Containing security incidents
• Detecting and preventing known attacks
• Protecting against malware
• Integrating enterprise and operations security

Protecting manufacturing operations against cyber threats: Introduction to Cisco industrial network security

Over the years, manufacturers around the world have been connecting their industrial environments to enterprise networks to automate production and gain operational advantages. Organizations are now deploying Internet of Things (IoT) technologies to migrate to Industry 4.0, optimize production, and build new generations of products and services.

This deeper integration between IT, cloud, and industrial networks is creating many cybersecurity issues that are becoming the primary obstacle to industry digitization efforts.

Media reports regularly highlight cyber attacks on manufacturers across all verticals, wreaking expensive havoc on operations. The growing number of cases shows that industrial networks have become a target and securing them is now the key to ensuring production integrity, continuity, and safety.

© 2020 Cisco and/or its affiliates. All rights reserved. Page 1 of 10



Cisco is a leader in securing enterprise networks. Cisco is also a leader in industrial networking. We are leveraging
these unique portfolios of products and solutions, together with threat intelligence from Talos®, one of the world’s
largest security research teams, to make security inherent and embedded in the industrial network.

To help industrial organizations secure their operations, Cisco® Validated Designs (CVDs) provide the core network
foundation of architectures that meet the needs of operations and IT. This solution brief is a high-level overview of
the reference architecture described in the “Networking and Security in Industrial Automation Environments” CVD.
It describes a security journey for an industrial network, starting with strong foundation-level security and then, as
the organization matures, growing into a comprehensive full-spectrum security design.

Securing the industrial network is a journey


Industrial control networks connect devices that have been deployed over a period of many years — sometimes even
decades — beginning back when cybersecurity wasn’t a concern. When organizations attempt to secure their
industrial IoT networks, they encounter three primary issues:
• A lack of visibility: Manufacturers often don’t have an accurate inventory of what’s on their industrial network.
Without this, they have limited ability to build a secure communications architecture.
• A lack of control: A lack of visibility also means that manufacturers are often unaware of what devices are
communicating, and where those communications are going. You cannot control what you don’t know about.
• A lack of collaboration: OT devices and processes are managed by the operations team. Cybersecurity is
generally driven by the IT and security teams. All these stakeholders need to collaborate to build the specific
security policies and enrich events with context so that security incidents do not disrupt production.

Addressing these issues and building a secure industrial network will not happen overnight. To help ensure success,
Cisco promotes a phased approach in which each phase builds the foundation for the next, so that you can enhance
your security posture at your own pace and demonstrate value to all stakeholders when embarking on this journey.

Key requirements
Figure 1 depicts the key requirements for securing industrial networks and can guide the development of a security
lifecycle process. Compliance standards often guide security needs as well. This security solution brief provides the
blueprints for two designs to meet these requirements.
Figure 1. Key requirements for securing industrial networks

Discover: asset visibility; application flows
Segment: control access; segment and partition to contain and limit impact
Detect: vulnerabilities; anomalies; intrusion
Respond: investigate; remediate; improve



Extending IT security to OT through effective collaboration


To successfully secure the OT environment, all stakeholders must work together. Operations understands the
industrial environment — the devices, the protocols, and the business processes. IT understands the IP network. And
the security team understands threats and vulnerabilities. By working together, they can leverage existing security
tools and expertise to protect the industrial network without disrupting production safety and uptime.

Cisco security solutions are built into the industrial networks to monitor operations, feed security platforms with OT
context, and enable this crucial collaboration.
Network managers will appreciate the unique simplicity and lower costs of Cisco’s edge architecture when looking to
deploy OT security at scale. Operations will gain real-time insight into the industrial processes, so they can maintain
system integrity and production continuity. Security teams will have visibility into industrial assets and
communications with context enriched by control engineers.

Taking a phased approach to industrial security


Cisco’s approach to deploying industrial cybersecurity includes three phases. Initially, there is a minimal level of security
consisting of configuring an industrial demilitarized zone (IDMZ) to separate the industrial and enterprise networks.
This is the mandatory first step in industrial security, and this brief assumes that all organizations have already
adopted it, so it is not discussed further here.

But as organizations connect more devices, enable more remote access, and build new applications, the airgap erodes and becomes insufficient. Industrial organizations need to build on this minimal level of security to move to the Foundation and eventually Full Spectrum security models. This CVD is created to protect your investment while your security posture matures.

Many industrial companies are at minimal security — that is insufficient in today’s cyber-security environment.

Figure 2. Typical security journey



Design 1: Foundation security


The Foundation security design is a blueprint for a secured, robust, and reliable industrial network. It provides for
industrial asset visibility, macro/zone segmentation, zone access control, intrusion detection, threat detection, and
response. It enables coordination with information security for consistent access policy management and
aggregation of industrial security events in the security operations center (SOC).
Figure 3. Foundation security design

Foundation
security features

• Asset visibility
• Macro/zone
segmentation
• Zone access control
• Intrusion and malware
protection
• Threat response

This design follows the Purdue model. Network management and other networking aspects such as redundancy,
etc., are described in detail in the CVD “Networking and Security in Industrial Automation Environments.”

1 Cyber Vision Center: Centralized analytics platform

2 Cyber Vision network sensor: Deep packet inspection (DPI) embedded in network infrastructure, eliminating the need for a separate SPAN network

3 Cyber Vision hardware sensor: Dedicated sensor appliance that performs DPI on SPAN traffic

4 Application flow: Lightweight metadata streamed from Cyber Vision sensors to Cyber Vision Center

5 Industrial asset metadata flow: Context, vulnerabilities, and events communicated to the SOC

6 Industrial security appliance: Segments, controls access, and detects and blocks intrusions and malware


Asset visibility
Visibility into the security stance of industrial devices and communications is a key
capability. Cisco Cyber Vision provides visibility into all industrial assets and creates
inventories that have relevant details such as device type, firmware version, etc.
Cyber Vision Center is deployed as a sitewide application. Cyber Vision sensors are
embedded into the cell/area network equipment to discover devices, monitor
communications, and pass security telemetry to Cyber Vision Center.
These sensors inspect the packets and analyze them for asset details,
communications, and industrial control system (ICS) process data. The Center
visualizes this information and correlates vulnerability information. Investigations and
patching activities can be driven from this. Cyber Vision connects to Cisco
Firepower® Management Center and Cisco SecureX™ to provide industrial asset
information, enhancing context around devices for policy enforcement.
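The inventory-plus-vulnerability correlation described above is the core of what an asset visibility platform does. The following is an added example, not Cisco Cyber Vision code: it models a small constructed inventory (device type, firmware version, production cell) and a constructed list of advisories with placeholder identifiers (not real CVEs), then reports which assets are affected and groups them by cell so patching can be scheduled per production cell. Unparseable firmware strings are treated conservatively as affected, since an unknown version cannot be cleared.

```python
# Added example (not Cisco Cyber Vision code): correlate an asset inventory
# with version-ranged advisories and group affected assets by production cell.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    vendor: str
    model: str
    firmware: str   # dotted version string as reported by the device
    cell: str       # cell/area zone the asset belongs to


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    vendor: str
    model: str
    fixed_in: str      # first firmware version that is not affected


# Constructed sample inventory; addresses, vendors and models are illustrative.
ASSETS = [
    Asset("plc-01", "10.10.1.10", "ExampleVendor", "PLC-1000", "3.1.0", "cell-A"),
    Asset("plc-02", "10.10.2.10", "ExampleVendor", "PLC-1000", "4.0.2", "cell-B"),
    Asset("hmi-01", "10.10.1.20", "ExampleVendor", "HMI-200", "2.5.0", "cell-A"),
    Asset("drive-01", "10.10.2.30", "OtherVendor", "VFD-7", "1.9.3", "cell-B"),
    Asset("rtu-01", "10.10.2.40", "ExampleVendor", "PLC-1000", "unknown", "cell-B"),
]

# Constructed advisories with placeholder ids.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "ExampleVendor", "PLC-1000", "4.0.0"),
    Advisory("ADV-PLACEHOLDER-2", "ExampleVendor", "HMI-200", "2.6.0"),
    Advisory("ADV-PLACEHOLDER-3", "ExampleVendor", "PLC-1000", "3.2.0"),
]


def parse_version(text):
    """Return a comparable tuple for 'a.b.c' strings, or None if not parseable.
    Real firmware strings often need vendor-specific parsing."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def is_affected(asset, adv):
    """An asset is affected when vendor/model match and firmware < fixed_in."""
    if asset.vendor != adv.vendor or asset.model != adv.model:
        return False
    current, fixed = parse_version(asset.firmware), parse_version(adv.fixed_in)
    if current is None or fixed is None:
        return True   # conservative: an unknown version cannot be cleared
    return current < fixed


def correlate(assets, advisories):
    """Return {asset name: [advisory ids]} for affected assets only."""
    findings = {}
    for asset in assets:
        hits = [adv.advisory_id for adv in advisories if is_affected(asset, adv)]
        if hits:
            findings[asset.name] = hits
    return findings


def affected_by_cell(assets, findings):
    """Group affected asset names by cell so remediation can follow production windows."""
    by_cell = {}
    for asset in assets:
        if asset.name in findings:
            by_cell.setdefault(asset.cell, []).append(asset.name)
    return {cell: sorted(names) for cell, names in sorted(by_cell.items())}


if __name__ == "__main__":
    findings = correlate(ASSETS, ADVISORIES)
    for name, ids in findings.items():
        print(f"{name}: {', '.join(ids)}")
    print(affected_by_cell(ASSETS, findings))
```

The per-cell grouping is the operationally useful output: it tells the operations team which production cell a patch window affects, which is the kind of OT context the brief says control engineers should add to security events.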

Zone/macro segmentation and malware protection


The industrial network is segmented from the enterprise network by an IDMZ
implemented by a Cisco next-generation firewall (NGFW).

The various parts of the industrial network should also be segmented in a way
that enables each segment to form a semiautonomous zone. The goal is to limit
and contain security incidents within a zone. The ISA/IEC-62443 industrial
cybersecurity standard describes how such an approach can be implemented by
establishing communication conduits between zones, where access and
communication is controlled.

Zones are established by having separate LANs and/or VLANs, with conduits
between zones enforced by the Cisco 3000 Series Industrial Security Appliances
(ISA3000). The ISA3000 provides the access and communication control, as well
as intrusion detection capabilities. The configuration, including access control lists
(ACLs) and policies, is managed by Cisco Firepower Management Center. The
ISA3000 and Cisco NGFW can also include Cisco Advanced Malware Protection
(AMP) to provide protection against malware.

Cisco 3000 Series Industrial Security Appliance

Threat investigation and response


The design envisions a security operations center that consolidates security
events and vulnerabilities across the entire organization and manages the
response. Cisco SecureX threat response accelerates investigations by
automating and aggregating threat intelligence and data across your security
infrastructure — both Cisco and third parties — into one unified view.

Solution introduction and operational considerations


Cisco Cyber Vision is a software feature built into the network (Cisco Catalyst®
IE3400, 1101 Industrial ISR, Catalyst 9300 Series, etc.). This makes it very easy
to deploy at scale, as there is no additional hardware or switch port analyzer
(SPAN) connection to deploy. Enabling industrial cybersecurity monitoring is just a matter of installing the central
console and activating the software within the network. This reduces the risk of a production outage during
deployment and needs very low overhead to coordinate with plant operations.

To get the most out of this design, security, operations, and IT must set up an effective collaboration.
There are fewer products, so operationally this design poses low overhead.
Introducing the ISA3000 does need careful planning, because an overly restrictive conduit policy can block
communications that production depends on and deny access to needed resources.
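The zones-and-conduits model described under "Zone/macro segmentation" and the planning caveat above go together: before a conduit policy is enforced, it should be dry-run against traffic that is already observed so that required communications are not cut. The following is an added example, not ISA3000 or Firepower configuration: it models zones as VLAN subnets, conduits as explicitly permitted (source zone, destination zone, port, protocol) tuples with default deny, and an audit function that lists which observed flows the policy would block. Subnets, ports and flow records are constructed; TCP 44818 (EtherNet/IP) and TCP 502 (Modbus TCP) are real protocol ports used for realism.

```python
# Added example (not Cisco ISA3000/Firepower code): zone/conduit policy model
# with a dry-run audit over observed flows.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Zone:
    name: str
    network: str        # VLAN subnet in CIDR notation


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


class ConduitPolicy:
    """Default-deny policy: inter-zone traffic passes only through a declared conduit."""

    def __init__(self, zones, conduits):
        self.zones = {z.name: ip_network(z.network) for z in zones}
        self.conduits = set(conduits)

    def zone_of(self, ip):
        addr = ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        return None   # address belongs to no defined zone

    def decide(self, flow):
        src, dst = self.zone_of(flow.src_ip), self.zone_of(flow.dst_ip)
        if src is None or dst is None:
            return "deny"      # no zone, so no conduit can apply
        if src == dst:
            return "permit"    # traffic inside a zone is not conduit-controlled
        if Conduit(src, dst, flow.dst_port, flow.proto) in self.conduits:
            return "permit"
        return "deny"

    def audit(self, observed_flows):
        """Dry run: flows the policy would block, to review with operations before enforcing."""
        return [f for f in observed_flows if self.decide(f) == "deny"]


# Constructed zones and conduits (subnets are illustrative).
ZONES = [
    Zone("cell-A", "10.10.1.0/24"),
    Zone("cell-B", "10.10.2.0/24"),
    Zone("site-ops", "10.10.100.0/24"),
]
CONDUITS = [
    Conduit("site-ops", "cell-A", 44818, "tcp"),   # SCADA/engineering -> cell A controllers
    Conduit("site-ops", "cell-B", 44818, "tcp"),   # SCADA/engineering -> cell B controllers
    Conduit("cell-A", "site-ops", 514, "udp"),     # syslog from cell A to site collector
]

# Constructed observed flows, as a sensor or NetFlow export would report them.
OBSERVED = [
    Flow("10.10.100.5", "10.10.1.10", 44818, "tcp"),   # permitted conduit
    Flow("10.10.1.10", "10.10.1.20", 502, "tcp"),      # intra-zone, permitted
    Flow("10.10.1.10", "10.10.2.10", 502, "tcp"),      # cross-cell, no conduit
    Flow("10.10.100.5", "10.10.2.10", 22, "tcp"),      # SSH not in any conduit
    Flow("192.168.50.9", "10.10.1.10", 502, "tcp"),    # source outside all zones
]

POLICY = ConduitPolicy(ZONES, CONDUITS)

if __name__ == "__main__":
    for f in POLICY.audit(OBSERVED):
        print("would block:", f)
```

The third observed flow is the interesting one for planning: a cross-cell Modbus exchange that the policy would block. Whether that is a misconfiguration or a production dependency that needs its own conduit is a question only operations can answer, which is why the audit output exists.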
Table 1. Foundation security features


Design 2: Full Spectrum security


The Full Spectrum security design builds upon the Foundation design. It is a blueprint for a highly digitized, centrally
managed, secured, robust and reliable industrial network. In addition to the capabilities of the Foundation security
design, it supports micro-segmentation, network anomaly detection, fine-grained access controls to the devices,
malware protection, and DNS security.

The design integrates security operations across the enterprise and industrial networks. It brings more of the
enterprise security capabilities into the industrial network. The SOC becomes enriched with additional insights into
and controls over the industrial network.
Figure 4. Full Spectrum security design

Full Spectrum
security features

Foundation security
features plus:
• Micro-segmentation
(TrustSec)
• Network anomaly
detection
• DNS security

This design follows the Purdue model. Network management and other networking aspects such as redundancy,
etc., are described in detail in the CVD “Networking and Security in Industrial Automation Environments.”

1 Cyber Vision Center: Centralized analytics platform

2 Cyber Vision Network Sensor: Deep packet inspection (DPI) embedded in network infrastructure eliminating the need for a separate SPAN network

3 Cyber Vision Hardware Sensor: Dedicated sensor appliance that performs DPI on SPAN traffic

4 Application flow: Lightweight metadata streamed from Cyber Vision Sensors to the Cyber Vision Center

5 Industrial Asset Metadata Flow: Context, vulnerabilities and events communicated to the SOC

6 Industrial Security Appliance: Segments, controls access and detects and blocks intrusions and malware

7 Identity Services Engine (ISE): Provides capability for micro-segmentation and TrustSec. Supports 802.1X

8 Stealthwatch: Detects network anomalies

Asset visibility and zone/macro segmentation


You cannot protect what you cannot see. Cisco Cyber Vision provides this core capability. The macro-segmentation
capability is provided by the Cisco ISA3000 Industrial Security Appliance. These Foundation security capabilities are
also available in Full Spectrum security.

Device/micro segmentation
Cisco Identity Services Engine (ISE) enables micro-segmentation to the device level, and fine-grained access
control can be created per user and device. Consistent security policies can be created across the entire network
based on context. Cisco ISE becomes the policy engine for users and assets that require access to the industrial
network.

Cisco ISE is depicted in the Full Spectrum security design, in which the Policy Administration Node (PAN) is in the
SOC and the Policy Enforcement Node (PEN) is in the operations zone of the industrial network. ISE can also take in
information from Cyber Vision through Cisco pxGrid to get specific device context.
An example of this operation is when Cyber Vision detects a new industrial device in the network. Cyber Vision will
send detailed information about this device to ISE, so that the appropriate security policy can be applied based on
the asset characteristics. Combining Cyber Vision and ISE is a great way to dynamically enforce zones and conduits.
For instance, ISE can be configured to let an ICS controller communicate only with devices within its cell.

Cisco ISE can reduce risks and contain threats to a device by dynamically controlling network access. It enables
wireless device onboarding and provisioning with 802.1X. In an industrial environment that needs to capture
telemetry data from sensors and other devices, a fine-grained or micro-segmentation capability can help make
operations secure.

Network anomaly detection


Cisco Stealthwatch improves threat defense with network visibility and security analytics. It helps gain situational
awareness of all users, devices, and traffic on the network, so that threats can be responded to quickly and
effectively. Stealthwatch leverages NetFlow data from network infrastructure devices. The data is collected and
analyzed to provide a complete picture of network activity.
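Flow-based anomaly detection of the kind described above works by learning a baseline of who talks to whom over NetFlow-style records and then flagging departures. The following is an added example, not Cisco Stealthwatch code: it builds a per-host baseline of peers and peak flow size from a constructed learning window, then flags a previously unseen host, a known host reaching a new peer, and a flow whose byte count far exceeds that host's baseline. Records, addresses and the volume threshold are constructed.

```python
# Added example (not Cisco Stealthwatch code): baseline-and-deviation detection
# over NetFlow-style records (src_ip, dst_ip, dst_port, proto, bytes).

# Constructed learning-window records for an industrial cell.
BASELINE_RECORDS = [
    ("10.10.1.10", "10.10.1.20", 502, "tcp", 1200),     # PLC <-> HMI polling
    ("10.10.1.10", "10.10.1.20", 502, "tcp", 1150),
    ("10.10.100.5", "10.10.1.10", 44818, "tcp", 3000),  # engineering station -> PLC
    ("10.10.1.20", "10.10.100.7", 443, "tcp", 8000),    # HMI -> historian
    ("10.10.1.20", "10.10.100.7", 443, "tcp", 7500),
]

# Constructed live records to evaluate against the baseline.
LIVE_RECORDS = [
    ("10.10.1.10", "10.10.1.20", 502, "tcp", 1100),     # normal
    ("10.10.1.10", "10.10.2.10", 502, "tcp", 900),      # PLC reaching another cell
    ("10.10.1.30", "10.10.1.10", 502, "tcp", 500),      # host never seen before
    ("10.10.1.20", "10.10.100.7", 443, "tcp", 95000),   # known peer, unusual volume
    ("10.10.100.5", "10.10.1.10", 44818, "tcp", 3100),  # normal
]


def build_baseline(records):
    """Per source host: the set of (dst, port, proto) peers and the largest flow seen."""
    peers, peak = {}, {}
    for src, dst, port, proto, nbytes in records:
        peers.setdefault(src, set()).add((dst, port, proto))
        peak[src] = max(peak.get(src, 0), nbytes)
    return {"peers": peers, "peak_bytes": peak}


def detect_anomalies(baseline, records, volume_factor=5):
    """Return (kind, src, dst, port, proto) tuples for flows that deviate from baseline."""
    alerts = []
    for src, dst, port, proto, nbytes in records:
        if src not in baseline["peers"]:
            alerts.append(("new-host", src, dst, port, proto))
            continue
        if (dst, port, proto) not in baseline["peers"][src]:
            alerts.append(("new-peer", src, dst, port, proto))
        elif nbytes > volume_factor * baseline["peak_bytes"][src]:
            alerts.append(("volume", src, dst, port, proto))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_RECORDS), LIVE_RECORDS):
        print(alert)
```

The baseline must be learned from a window that operations confirms as normal; in an industrial network, where communication patterns are stable, even this simple peer-set model produces few false positives, and the "new-peer" alert for a controller talking outside its cell is exactly the kind of event the SOC should enrich with OT context before acting.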

Malware protection and DNS security


Cisco Advanced Malware Protection (AMP) for Networks can be enabled on the NGFW to detect and protect against
malware in content that is downloaded into the industrial zone. AMP can also be enabled on the ISA3000. Cisco
Umbrella is deployed for DNS security to block requests to malicious domains.

Threat investigation and response


In the Full Spectrum security design, the SOC can detect a wider variety of threats and respond in a more coherent
manner across enterprise and industrial networks. Cisco SecureX integrates intelligence from Firepower
Management Center, Cyber Vision, ISE, Stealthwatch, AMP, and Umbrella. This seamless integration among Cisco
security products makes deeper investigations very easy, and it also lets you take corrective action directly from its
interface without having to log in to another product.


Solution introduction and operational considerations


Cyber Vision and Stealthwatch are built into the network and are easy to introduce. They offer visibility and network
anomaly detection capabilities.
Introducing Cisco ISE, however, commands attention. Enabling micro-segmentation and Cisco TrustSec capabilities
requires good planning and testing of the Scalable Group Tag (SGT) scheme to ensure that policies are supporting
manufacturing needs and are providing the targeted security cover.
To get the most out of this design, security, operations, and IT must work together in a collaborative manner. The
skill levels of the personnel need to be in step with these technologies, and operational processes need to be fine-
tuned in order to get the best from the large number of products in this design.
Table 2. Full Spectrum security features


Foundation to Full Spectrum security evolution


Manufacturing digitization is deepening and evolving. In order to support this evolution and keep your business
protected, you need to enhance your security posture. Cisco’s comprehensive portfolio of industrial network
technologies and security tools lets you evolve from minimal security to Foundation security and to Full Spectrum
security, while preserving your investments.

These designs build on each other and maximize reuse of technology, processes, and people. Figure 5 illustrates
the applicability of these designs. Minimal security is recommended in all cases. Foundation security can be used by
organizations that are digitizing their operations and need to implement a robust security posture. Full Spectrum
security is intended to be deployed in organizations where the digitization is mature and the scale of operations has
increased the threat surface. One example is when wireless devices become a part of the mainline production
network and need 802.1X authentication.
Figure 5. Evolution of security approaches

Remote access
Remote access has not been specifically addressed in this brief, as the recommendation is for remote workers and
third-party contractors to follow the enterprise supported solution. Cisco provides a well-integrated solution with
Cisco AnyConnect® and NGFW that can also include multifactor authentication with Cisco Duo. This solution is
described in other designs.
