Securing the new boundaries of networks for critical infrastructures beyond “Level 3.5”
Palo Alto Networks has been observing the effects of IT/OT convergence on cybersecurity for some time. The central question is how critical infrastructure (CI) networks can be better protected against cyber threats as they evolve from air-gapped legacy systems into systems connected to IT and to the cloud. This development enlarges the attack surface, and that surface must be managed proactively. With geopolitical tensions escalating, the need for better infrastructure protection becomes even clearer.
Although full convergence may take time in some OT/CI sectors because of regulatory hurdles to cloud adoption, a large proportion of operators are already starting the transition: extending industrial infrastructure into the cloud, adopting smart IoT technology, and modernizing industrial local and wide area networks (LAN/WAN). This shifts the discussion about the scope of OT security, which traditionally took place at the IT/OT perimeter, the “Level 3.5” DMZ of the ISA-95 (Purdue) reference model. It now has to include the extension of industrial networks into the cloud, private 5G and SD-WAN.
This article describes that network transformation and explains how a consistent zero trust approach can be maintained with next-generation firewalls (NGFWs) in the new, expanded OT/CI network infrastructure.
Industrial Cloud Networks
Operational technology (OT) has been cloud-shy in the past, but a number of compelling use cases have driven the migration of OT workloads from on-premises data centers to the cloud. These range from data warehousing and historians to new industrial IoT applications such as predictive maintenance, digital twins, VR/AR and production optimization. They can be as basic as central management services for the various control systems.
To a lesser extent, SCADA applications in which OT is controlled from the cloud are also conceivable. Not to be forgotten are the adjacent non-OT workloads, such as accounting and billing systems, which can be just as important for operations as the OT workloads themselves; the Colonial Pipeline incident, where ransomware on the IT side led the operator to halt pipeline operations, is the best-known case. Whatever the trigger, it is necessary to secure not only the north-south traffic between OT and the cloud provider(s) but also the east-west traffic between the VMs and containers running the workloads. This requires granular visibility, a granular zero trust policy, and the ability to detect and stop threats, so that a compromised cloud workload cannot be used by attackers as a pivot into the OT environment.
Private 5G Networks
5G mobile technology brings advances that give private networks the flexibility, agility and performance needed for smart, IoT-enabled OT/CI networks: higher throughput, lower latency and network slicing. Plant owners are beginning to replace older wired and wireless networks in process control networks (PCN) and field area networks (FAN) with private 5G, in order to connect autonomous vehicles, robotics and mixed reality systems. However, most companies that want to introduce 5G do not yet know exactly which security challenges come with it.
A major challenge in 5G security is that user traffic is encapsulated in a tunnelling protocol (GTP, specifically GTP-U between the radio access network and the user plane function), so a firewall that only inspects the outer packet loses visibility into the applications and endpoints inside the tunnel. Mapping traffic to mobile industrial endpoints is also difficult when it is based only on IP addresses, which are assigned dynamically in many mobile environments. Securing 5G networks is therefore not only about restoring visibility but also about resolving applications, users and devices inside the tunnel, applying granular policies to them, and containing threats that have reached the factory floor before they spread to other parts of the PCN or FAN.
Software-defined wide-area networks (SD-WAN)
CI/OT wide-area networks are also evolving. SD-WAN in particular has attracted the attention of many critical infrastructure operators because it can build a private overlay network over any underlay transport, whether MPLS, low-cost high-bandwidth broadband, or a mix of both. In fairness, adoption is gradual and starts with less critical use cases, such as SCADA (Supervisory Control and Data Acquisition) links to remote, non-mission-critical sites, or backup connections. Many nevertheless expect SD-WAN to play a major role in OT/CI once the technology matures.
One reason for the slower adoption is the perceived lack of security and the complexity of managing security across many distributed SD-WAN connections. When implementing SD-WAN, it is important to choose a solution that provides both advanced security features and central manageability, so that the deployment remains operationally feasible.
Zero Trust Network Security across the new boundaries of OT/CI
The good news is that modern next-generation firewall technology can support all of the above use cases: cloud, 5G and SD-WAN. Instead of several point solutions, an NGFW-as-a-platform approach provides one policy and management framework for these new boundaries of OT networks. Ideally it includes layer 7 security, advanced threat prevention and centralized management, as is already available for Internet gateways, data center firewalls and the IT/OT perimeter (Level 3.5).
Virtualized next-generation firewalls are the key to securing cloud networks. For 5G, NGFWs can decapsulate the GTP tunnel to reveal the underlying applications, users, devices and threats, and they can correlate security telemetry with stable mobile identifiers, the IMSI of the SIM and the IMEI of the device, rather than with dynamic IP addresses that make mapping difficult. Finally, Security Service Edge (SSE) solutions provide a flexible way to secure SD-WAN deployments: by delivering security from the cloud, close to the branch sites, they allow network and security optimization with the same level of protection as at headquarters.
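As an added example (not code from Palo Alto Networks or from this article), the following Python script shows concretely what the GTP visibility problem described in the 5G section and the decapsulation-plus-correlation approach described here look like. It parses a GTPv1-U datagram (3GPP TS 29.281), extracts the inner IPv4 flow, looks the tunnel endpoint identifier (TEID) up in a session table to obtain the IMSI and IMEI, and applies a role-based rule instead of an IP-based one. The session table, the role names, the Modbus-only rule and the sample packets are all constructed for illustration; in a real deployment the TEID-to-subscriber binding is learned from control-plane signalling (PFCP on N4, or GTP-C in 4G).

```python
"""GTP-U decapsulation with subscriber-identity policy (added example, not from the page).

A firewall between a 5G gNodeB and the user plane function (UPF) sees only UDP/2152
between those two nodes; every industrial endpoint is hidden inside a GTPv1-U tunnel
and its inner IP address is assigned dynamically. This script peels the tunnel,
extracts the inner flow and binds it to a subscriber via the TEID. The session
table below is constructed; in production it comes from PFCP/GTP-C correlation.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

GTPU_PORT = 2152        # standard UDP port for GTP-U
GTP_MSG_GPDU = 0xFF     # G-PDU message type: carries a user packet


@dataclass
class InnerFlow:
    teid: int
    proto: int
    src: str
    dst: str
    sport: int
    dport: int


def parse_gtpu(payload: bytes) -> Tuple[int, bytes]:
    """Return (TEID, inner packet) from a GTPv1-U datagram (the UDP/2152 payload)."""
    if len(payload) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if (flags >> 5) != 1 or not (flags & 0x10):   # version 1 and PT=1 (PT=0 is GTP')
        raise ValueError("not GTPv1-U")
    if msg_type != GTP_MSG_GPDU:
        raise ValueError(f"message type 0x{msg_type:02x} is not a G-PDU")
    offset, end = 8, 8 + length                    # length counts everything after byte 8
    if end > len(payload):
        raise ValueError("length field exceeds datagram")
    if flags & 0x07:                               # E, S or PN bit set: 4 optional bytes follow
        if len(payload) < 12:
            raise ValueError("truncated optional header")
        next_ext, offset = payload[11], 12
        while next_ext:                            # ext header: len (4-octet units) ... next type
            ext_len = payload[offset] * 4
            if ext_len == 0 or offset + ext_len > end:
                raise ValueError("bad extension header")
            next_ext, offset = payload[offset + ext_len - 1], offset + ext_len
    return teid, payload[offset:end]


def parse_inner_ipv4(pkt: bytes, teid: int) -> InnerFlow:
    """Extract the 5-tuple of the tunnelled IPv4 packet (ports for TCP/UDP only)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    sport = dport = 0
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return InnerFlow(teid, proto, src, dst, sport, dport)


# Constructed session table keyed by TEID. IMSI (SIM) and IMEI (device) are stable,
# so the policy does not care that the inner IP changes when the PDU session is rebuilt.
SESSIONS: Dict[int, Dict[str, str]] = {
    0x00A1B2C3: {"imsi": "262011234567890", "imei": "354123456789012", "role": "agv-controller"},
}
# Hypothetical role-based allow list toward the PCN: (IP protocol, destination port).
POLICY = {"agv-controller": {(6, 502)}}            # Modbus/TCP only


def decide(datagram: bytes, sessions=SESSIONS, policy=POLICY) -> dict:
    """Decapsulate, attach subscriber identity and return an allow/deny verdict."""
    teid, inner = parse_gtpu(datagram)
    flow = parse_inner_ipv4(inner, teid)
    sub = sessions.get(teid)
    if sub is None:                                # no control-plane binding: never trust the inner IP
        return {"action": "deny", "reason": "no subscriber bound to TEID", "flow": flow}
    ok = (flow.proto, flow.dport) in policy.get(sub["role"], set())
    return {"action": "allow" if ok else "deny", "imsi": sub["imsi"], "imei": sub["imei"], "flow": flow}


# --- constructed sample traffic (checksums left zero; the parsers do not verify them) ---
def build_ipv4_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def build_gtpu(teid: int, inner: bytes, seq: Optional[int] = None) -> bytes:
    if seq is None:
        return struct.pack("!BBHI", 0x30, GTP_MSG_GPDU, len(inner), teid) + inner
    opt = struct.pack("!HBB", seq, 0, 0)           # sequence number, N-PDU, next ext type = none
    return struct.pack("!BBHI", 0x32, GTP_MSG_GPDU, len(inner) + 4, teid) + opt + inner


# AGV with a dynamic UE address talking Modbus/TCP to a PLC inside a known session: allowed
SAMPLE_MODBUS = build_gtpu(0x00A1B2C3, build_ipv4_tcp_syn("10.50.7.21", "192.168.100.10", 40123, 502), seq=7)
# same subscriber trying SSH into the PLC: denied by the role rule, not by its IP
SAMPLE_SSH = build_gtpu(0x00A1B2C3, build_ipv4_tcp_syn("10.50.7.21", "192.168.100.10", 40124, 22))
# tunnel with no subscriber binding: denied regardless of the inner 5-tuple
SAMPLE_UNBOUND = build_gtpu(0x0000FFFF, build_ipv4_tcp_syn("10.50.7.99", "192.168.100.10", 40125, 502))

if __name__ == "__main__":
    for name, pkt in (("modbus", SAMPLE_MODBUS), ("ssh", SAMPLE_SSH), ("unbound", SAMPLE_UNBOUND)):
        print(name, decide(pkt))
```

A plain L3/L4 firewall on the N3 link would log all three samples as UDP/2152 between the gNodeB and the UPF and could only allow or block the whole tunnel. After decapsulation the same three datagrams become three distinct decisions tied to a subscriber, which is the difference between filtering the 5G backhaul and enforcing a zero trust policy on the machines behind it.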
The result is more effective and consistent security across the extended critical infrastructure network, together with simplified security operations. Organizations should keep this firewall-as-a-platform approach in mind and work with their operations teams as they embark on critical network transformation projects.