
Cisco Industrial Security: Your blueprint for securing critical infrastructure

Apr 10, 2025, Hi-network.com

Safeguarding industrial control systems (ICS) from cyber threats is a critical priority, but transforming these intentions into effective actions can be challenging. Given the complexity of ICS and their networks, which often rely on outdated technologies and inadequate security measures, it can be difficult to determine the best starting point. Cisco Validated Designs (CVDs) are proven networking and security reference architectures that industrial organizations can use to build advanced capabilities and create a flexible foundation for the future.

The Cisco Validated Design for Industrial Security has been updated with additional blueprints for securing critical infrastructure. Taking a phased approach to securing the industrial network, the Cisco Industrial Threat Defense solution comprises OT asset visibility, zero trust access and segmentation, and cross-domain detection, investigation and response.

Cisco Industrial Threat Defense comprehensive OT/ICS security capabilities

Comprehensive OT visibility driving network segmentation

The previous version of Cisco's Industrial Security Validated Design described how the Cyber Vision sensor software embedded in Cisco switches and routers could help gain visibility into connected industrial assets without having to deploy dedicated appliances or SPAN collection networks. It explained how control engineers and network managers could use this comprehensive asset inventory to implement adaptive zone segmentation in the industrial network by having Cyber Vision and Cisco Identity Services Engine work together seamlessly.

The updated CVD now includes using the Cisco Secure Firewall to secure plant networks. Rising investments in AI and the virtualization of the plant floor are making the industrial data center (IDC) a critical component of operational networks. Virtual PLCs are an example of this shift, where virtual controllers allow for a more flexible and modular design of production plants.

In a traditional Purdue model architecture, the IDC would reside in level 3, the industrial operations zone. But many operational networks that have implemented some level of network traffic control have done so at the IDMZ, or level 3.5. As the IDC becomes more modern, it also becomes more connected, relying on cloud connectivity for services to run as intended. More connectivity expands the attack surface, so placing the IDC behind its own firewall is needed to protect it if an attack were to breach the boundary firewall.

Cisco Secure Firewall for protecting the industrial data center and segmenting OT networks

The Cisco Secure Firewall, supplemented by an integration with Cisco Cyber Vision, can also be used to dynamically segment the industrial network and prevent cyber-attacks from spreading. The updated CVD explains how to use the Cisco Secure Dynamic Attributes Connector (CSDAC) to make OT asset groups created in Cyber Vision automatically available to the Firewall Management Center (FMC) as dynamic objects. Dynamic objects can easily be incorporated into access control policies to allow or deny communications based on source/destination, ports, protocols, and even Industrial Control System (ICS) commands using OpenAppID. Cisco Secure Firewalls installed in the industrial distribution frame, or Purdue level 3, enforce these access policies, driving east-west and north-south segmentation without the need to deploy dedicated firewall appliances in each zone.

A blueprint for securing distributed industrial infrastructure

The second major update to the CVD provides design guidance for building a cyber resilient network for distributed field assets with Cisco Industrial Routers. While we talk a lot about cybersecurity, which refers to the robust tools and policies implemented to prevent attacks from occurring in operational networks, we often overlook cyber resiliency. Cyber resiliency refers to an organization's ability to maintain its critical operations even in the face of cyber attacks.

Cybersecurity is of course part of a cyber resiliency architecture. Capabilities such as firewalls, segmentation, and the implementation of a zero-trust model mean that if an attacker does get a foothold in the network, their reach is limited and both reconnaissance and lateral movement can be prevented. However, cybersecurity practitioners and networking teams often make the mistake of treating themselves as siloed entities in the organization. The network configuration is just as important as the security appliances deployed in the network. Quality of Service (QoS) ensures that critical traffic always has priority when the network is in a degraded state. Lossless redundancy protocols ensure that critical traffic still meets latency targets when network paths go down. Management plane security ensures that only trusted users get access to the network infrastructure and that it cannot be taken down by malicious actors. Plug and play ensures that new network devices are onboarded with a secure configuration out of the box. While all these features are typically considered part of networking, it's the combination of networking and security that results in a cyber resilient architecture.

Cisco Industrial Router provides the best of OT security and rugged industrial networking

Zero trust remote access made for OT

Last, but not least, the CVD explores the various options for securing remote access to industrial networks and describes how to deploy Cisco Secure Equipment Access to enable zero trust network access (ZTNA) to the plant floor. Remote access solutions come in many forms, and it can often be confusing to understand which one will meet business needs. The design guide compares virtual private networks, the remote desktop protocol, and the evolution towards zero trust network access, ultimately leading to the deployment of Cisco SEA within a Purdue model architecture.

Cisco Secure Equipment Access enables ZTNA remote access in industrial settings

Learn More

The new version of the Cisco Industrial Security Validated Design is available now. It is free, and it helps everyone involved in building and/or securing industrial networks implement advanced capabilities without fear of integration complexities or performance surprises. For further help, browse through the library of our industrial CVDs, or schedule a free, no-obligation consultation with a Cisco industrial security expert, and we will reach out to you.
