Network Access Control Is an Essential Part of Your OT Security
When you compare OT and IT systems in terms of cybersecurity, each has its own peculiarities and requirements.
To take a closer look at how network access control supports robust OT security efforts, we sat down with Professor Dr. Tobias Heer, who teaches IT security and networking at the University of Applied Sciences in Esslingen, Germany. He’s also been part of the Belden team since 2012, serving as a future networking technologies researcher at Hirschmann, a Belden Brand.
Below, we’re sharing his responses to questions about OT security.
Question: Why are some of the industry’s tried-and-true safety concepts, such as air-gapping, no longer practical?
Answer:
Prior to digitization, there was no need to connect production to the network. Today, in the era of Industry 4.0, businesses and productions are highly digitized and based on information exchange, which is not possible with air-gapped systems. If you want to modernize production, then an air gap isn’t pragmatic.
I also dare to doubt that companies used to relying on an air gap always had an air gap. Often, modems were connected to exchange information within the production facility, or data was transferred in and out via storage media, such as USBs or floppy disks. These are not often controlled, which leaves room for OT security attacks.
Question: What role does network access control play in industrial networks?
Answer:
Network access control (NAC) is one of several tools for OT security. It’s not a magic bullet that covers all security measures, but it’s one of the most effective tools available. It works when attackers are local (onsite), as well as for attacks from the outside.
The Local Cyberattack
In large or geographically disperse facilities, local attacks on OT security are frequent. The security of a production facility is physically hard to control. It’s easy to simply plug in a device and access the network. The system may also be compromised because something is connected incorrectly. In these cases, NAC helps because devices cannot simply be connected to the local network in an uncontrolled manner. In an attack from the inside, the attacker must authenticate to even connect a device to the industrial network. With the help of NAC, you can see every network device and endpoint connected to the network and respond to it. This creates transparency so you can understand what’s going on in the network.
The Cyberattack from the Outside
The other possibility is attackers coming from the outside and infiltrating systems that are already in the network. An attack from the outside always leads to compromised devices on the inside. NAC can help here as well. In an attack from the outside, a good NAC system draws on other tools. A vulnerability scanner, for example, identifies vulnerable endpoints and network devices that an attacker might use to gain access. With a NAC system, you can decide how to deal with a vulnerable or compromised device. Do you want to keep it in the network, move it to a quarantine network or inform someone? NAC helps you to respond to unforeseen network changes and acts as a hygiene measure.
Question: What does an industrial environment require from network access control?
Answer:
Things are a little different in OT security than in IT security. In OT, processes depend on communication. Their interruption, by excluding a device involved, can lead to a physical problem.
For example, when control processes are interrupted, this can result in downtime or physical damage. If individual parts of a facility must be shut down, then it can be very difficult to get them back up and running. In some types of industrial facilities, such as in the process industry, this is never an option.
You need a more sophisticated NAC in an industrial network. It helps control what activities are triggered when a fault or attack is detected in the network, and what security measures can be taken if drastic steps, such as network exclusion, are not possible.
NAC brings transparency to industrial networks and reveals the devices that are there. It detects unusual network movements and typical attack patterns.
A good NAC solution should allow endpoints to be divided into appropriate groups. Depending on the group, different defensive actions are executed.
For example, a maintenance laptop that doesn’t meet compliance guidelines can easily be excluded from the network. The endpoint isn’t part of a business-critical process. Nothing unpredictable usually happens here. An industrial PC as part of a control loop, on the other hand, cannot easily be taken off the network because processes in the facility could be disrupted. Network access control can be used to make this distinction and define suitable responses, reducing time-consuming manual tasks.
Question: How do zones play a role in network access security?
Answer:
An important principle in OT security is the creation of zones and zone transitions. It’s so important for the industry that it’s specified in ISO IEC 62443.
With zoning, the endpoints, units, machines etc. that logically belong together are assigned to the same zone. When something happens in a zone, it affects only that area. If an attacker enters the zone, then they remain in it and can’t get beyond it, so the other zones aren’t affected.
With the help of NAC, these zones can be implemented using VLANs. VLAN management can be port-based; assignment is also possible via MAC addresses, username and password, or certificate. This makes zone design convenient and reliable, reducing the administrative burden. Instead of configuring individual switches, security zones are assigned to endpoints and device classes.
Temporary network access for subcontractors and maintenance staff can be provided quickly and securely using the NAC solution. Imagine that a maintenance employee needs to access a specific machine for a regular inspection. NAC enables easy, time-limited secure network access for the endpoint to the zone of the machine that needs to be maintained.
If you want to implement the same thing without NAC, then someone must manually configure a switch, allow the endpoint and reconfigure it again at the end of the day—a time-consuming and error-prone process that requires specialized knowledge.
If too much effort is required, then people quickly tend to soften security measures. You create more and more gaps in your security concept for reasons of efficiency. NAC can therefore be used to increase both security and efficiency. Processes that are usually restrictive and complex can be implemented with little effort.
Learn more about OT Security
Implementing a flexible, scalable and efficient network access control solution helps you bring significant value to network security by improving network visibility, reducing cyber threats and improving network performance.
Learn more about OT cybersecurity and how to improve security with macmon network access control and Hirschmann industrial switches.
Related resources:
About the Author
![System.String[]](https://assets.belden.com/transform/616b1b14-b747-4d86-baa5-e7cdc801c997/tobias-heer?io=transform:fill,width:300,height:300)
Tobias is professor at Esslingen University. He teaches IT Security and Networking. He is also active as researcher in the field of Future Networking Technologies at Hirschmann Automation and Control. He previously led the embedded software development department (embedded development - functions) with a focus on wireless communication, security and redundancy at Hirschmann Automation and Control and was leading hardware and software development projects as multi-project leader. Tobias was involved in the development and standardization of the Host Identity Protocol in the Internet Engineering Task Force (IETF).