Sunday, 10 May 2020

The four-step journey to securing the industrial network

Just as the digitization and increasing connectivity of business processes has enlarged the attack surface of the IT environment, so too has the digitization and increasing connectivity of industrial processes broadened the attack surface for industrial control networks. Though they share this security risk profile, the operational technology (OT) environment is very different from that of IT. This post looks at the key differences and provides a four-step approach to securing the industrial network.

In industries like utilities, manufacturing, and transportation, the operations side of the business is revenue generating. As a result, uptime is critical. While uptime is important in IT, interdependencies in the OT environment make it challenging to maintain uptime while addressing security threats. For example, you can’t simply isolate an endpoint that’s sending anomalous traffic. Because of the interdependencies of that endpoint, isolating it can have a cascading effect that brings a critical business process to a grinding halt. Or, worse, human lives may be put at risk. It’s important to understand the context of security events so that they can be addressed while maintaining uptime.

With uptime requirements in mind, securing the industrial network can feel like an insurmountable challenge. Many industrial organizations don’t have visibility into all of the devices that are on their OT networks, let alone the dependencies among them. Devices have been added over time, often by third-party contractors, and an asset inventory is either non-existent or grossly outdated. Bottom line: organizations lack visibility into the operational technology environment.

To help industrial organizations address these challenges and effectively secure the OT environment, we’ve put together a four-step journey to securing the industrial network. It’s important to note that while we call it a journey, there is no defined beginning or end. It’s an iterative process that requires continual adjustments. The most important thing is to start wherever you happen to be today.

There are many places from which to begin, and what makes a logical first step for one organization will not necessarily be the same for another. One approach is to start with gaining visibility through asset discovery. By analyzing network traffic, deep packet inspection (DPI) can identify the industrial assets connected to your network. With this visibility, you can make an informed decision on the best way to segment the network to limit the spread of an attack.

In addition to identifying assets, DPI identifies which assets are communicating, with whom or what they are communicating, and what they are communicating. With this baseline established, you can detect anomalous behavior and potential threats to process integrity. This information can then be fed into a unified security operations center (SOC), providing complete visibility to the security team.

How you deploy DPI is important. Embedding a DPI-enabled sensor on switches saves hardware costs and physical space, which can be at a premium, depending on the industry. DPI-enabled sensors allow you to inspect traffic without encountering deployment, scalability, bandwidth, or maintenance hurdles. Because switches see all network traffic, embedded sensors can provide the visibility you need to segment the network and detect threats early on. The solution can also integrate with the IT SOC while providing analytical insights into every component of the industrial control system. With DPI-enabled network switches, industrial organizations can more easily move through the four-step journey to securing the industrial network.

Friday, 22 February 2019

Peace of Mind with Cisco Optics (A)

Cisco sells the highest quantity of optical transceivers in the world. Through a combination of internal development and OEM and JDM engagements with suppliers, Cisco has developed an extensive portfolio of transceivers that has shipped to thousands of customers.

The value proposition of this optics portfolio is best viewed through several interrelated aspects – the breadth of product portfolio, stringent qualification requirements on Cisco platforms, and assurance of robust supply continuity along with worldwide logistics and distribution.

This first blog in a three-part series reviews the variety of Cisco platforms and the ease of deployment that comes with deploying Cisco optics. Additionally, the Cisco Transceiver Compatibility Matrix simplifies the network architect’s job of selecting transceivers to connect Cisco host platforms to each other.

Cisco Platforms for End-To-End Network Connectivity


Cisco offers the most comprehensive set of platforms of any NEM (Network Equipment Manufacturer). These solutions address a variety of applications and markets such as IoT (Internet of Things), Service Provider, Campus Enterprise, and Datacenter segments. In addition to platform hardware and software, Cisco provides optical transceivers to connect the different switches and routers in these networks. The following table samples the variety of Cisco platforms along with their application.

To connect all these devices at various places in the network, Cisco has developed an extensive portfolio of transceivers that spans multiple Form Factors, Reaches, and Speeds.

Transceiver options for all Cisco Platforms


Cisco provides a comprehensive portfolio of pluggable transceivers to cover the entire range of applications for IoT, Service Provider, Campus-Enterprise, and Datacenter segments. These include pluggable optics for multi-mode fiber and single-mode fiber, and cables at various data rates and distances. In addition to optical transceivers that comply with IEEE standards and/or MSAs (Multi-Source Agreements), Cisco innovation is built into transceivers with proprietary optical specifications that give customers flexibility in their operations. For example, Cisco QSFP BiDi (Bi-Directional) and SFP and QSFP CSR (Cisco Short Reach) allow customers to migrate to higher data rates while reusing their existing fiber infrastructure without modification.

The table below provides a high-level overview of the product portfolio, highlighting the standards, form factors, and platforms supported.

Table 1. Transceivers for multiple platforms and places in the network

Detailed information on the entire transceiver product portfolio is available in their respective datasheets, which are organized by speed and form factor. Cisco has shipped millions of transceivers in 100M, 1G, 10G, 40G and 100G speeds. As market adoption continues, Cisco will continue this leadership with 25Gbps and new 100Gbps transceivers.

Cisco Transceiver Compatibility Matrix


The Cisco Transceiver Compatibility Matrix is a menu-driven tool that lists Cisco platforms and all transceivers qualified on each platform. For example, the network architect can quickly select transceiver options for the NCS540, a Service Provider Access platform.

Example 1. Using the compatibility matrix tool menus and appropriate filter settings, QSFP transceivers can be selected for the 100 Gbps uplinks that span reaches from 500 meters up to 40 km over single-mode fiber, which results in the following options for one line card example: QSFP-100G-PSM4-S, QSFP-100G-CWDM4-S, QSFP-100G-SM-SR, QSFP-100G-LR4-S, and QSFP-100G-ER4L-S.

Example 2. Similarly, 1 Gbps transceivers can be selected for the downlink data rates that span reaches from 1 km to 10 km. In both cases, the SW release version of the switch is provided, along with an indication of DOM support (if available).

Buying Optics from a Platform Vendor


Cisco optical transceivers are qualified on the largest portfolio of routers and switches in the industry. By vetting transceivers for the most applications, Cisco routinely identifies issues during qualification that would otherwise go undetected until after network deployment has started. Cisco optics indeed provide peace of mind and the assurance that the entire network will be brought up and continue to operate reliably.

Thursday, 26 April 2018

Cisco Small and Medium Business Switch Portfolio Refresh

Big game tonight as the Boston Bruins and the Toronto Maple Leafs square off for the final game, Game 7, in Boston Garden! It's always a great time of year: the Basketball and Hockey Playoffs are on, Baseball Season is in high gear, tennis is happening in Barcelona, with Roland Garros waiting patiently next month, and for golf, we have the US Open in June. Indeed, it’s a great time for sports!

Friday, 26 January 2018

Flexible Algorithm makes Segment Routing Traffic Engineering even more agile

As more and more Service Providers and Enterprises operate a single network infrastructure to support an ever-increasing number of services, the ability to custom fit transport to application needs is critically important.

In that respect, network operators have been exploring Traffic Engineering techniques for some years now but have obviously run into many scaling issues preventing them from having an end-to-end, fine-grained control over the myriad services they offer.