IDC White Paper shows ROI of 462% for Cisco SD-Access and Assurance

We are pleased to announce the publication of a new IDC white paper, sponsored by Cisco, that examines the business value realized by customers who have adopted Cisco’s Software-Defined Access (SD-Access) and Assurance solutions. The study showed some very impressive results, such as an average projected five-year return on investment (ROI) of 462%.

Cisco DNA Assurance and Cisco SD-Access are two major components of Cisco’s Digital Network Architecture, and are implemented using the Cisco DNA Center management platform. Together, these enable organizations to apply business intent to the network, creating unprecedented levels of visibility and control across the entire enterprise network.

Real customers sharing real experiences

For anyone who has been skeptical about our claims about the benefits of Assurance and SD-Access, this report should help sway your opinion.  There are many firsthand accounts from customers who are using these solutions in their networks, not just as demos or proof of concepts, but to actually run their IT operations. Participants in the study represented a range of business sizes and industry verticals, making it even more impressive that the results were so positive across the board.

Cisco DNA provides real benefits

According to the IDC authors, customers initially turned to SD-Access and Assurance to make managing complex operations easier, prepare for anticipated growth, and become more proactive in their approach to network management. What they discovered was that as network management becomes easier and performance improves, staff productivity increases and greater innovation company-wide becomes possible.

Some highlights of the results

◉ Average annual benefits of $3.18 million on a per organization basis
◉ 462% five-year ROI
◉ 9-month payback period
◉ 49% more efficient network management staff
◉ 35% more efficient network security teams
◉ 86% reduction in unplanned downtime

A key reason that the measured ROI was so high is that the time savings is compounded across all areas of network management and extends to non-IT personnel as well. Customers reported a wide range of positive benefits. With Cisco SD-Access, security is both more effective and easier to deploy and maintain. With Cisco Assurance, service issues are easier to track down and are detected earlier. These improvements lead to reduced downtime and improved application performance.

Source: IDC 2020

Cisco DNA solves real problems

Legacy network processes are inefficient and do not scale to the number of clients and devices now in use today. As the scale of the network increases, the friction inherent in manual processes for onboarding and managing connectivity cause a cascade of difficulties such as:

◉ Less than optimum experience for network users.
◉ Policy enforcement becomes more and more complex and inefficient.
◉ Holes open up in security policies.
◉ Network operators do not have visibility into what is happening in the network at any given moment.
◉ Problems take time to identify and solve, making users frustrated and slowing productivity across the company.

We believe this report helps prove that SD-Access and Assurance aren’t just shiny new toys. These solve real problems experienced by most network operators. With these solutions, you can proactively solve problems. You can match policy to the user, not the machine. You can automate routine tasks and roll out changes more quickly, making your network and your business more agile and able to respond to changing conditions.

Here is a concrete example that one of the customers in the study shared about their experience with SD-Access that illustrates this point about time savings:

A big thing for us is the rapid deployment or moving of different segmented networking groups. For example, right in the middle of one of our projects we had one of the labs moved. But it took 4 hours instead of what would have been about a month prior to SD-Access.

Continue reading

Industrial NetDevOps Enables Your Industrial Network with Programmability and Automation

Industrial NetDevOps solves real-world problems 

◉ Breaking down the barriers and building a closer alignment between the IT and OT departments ◉ Increase network change management, incident management and security
◉ Lower OT expenses and downtime while increasing your network effectiveness and agility

These crucial and well-desired subjects are exactly what Industrial NetDevOps is trying to solve. And DevNet has the tools and learning resources to help you start with that journey right away:

◉ Free Webinar, July 14th — Register Now
◉ New Learning Labs
◉ New Scripts on Code Exchange

What is Industrial NetDevOps?

Industrial NetDevOps brings the culture, tools, technical methods and best practices from DevOps to Industrial Networks.

Instead of using SNMP and CLI, you configure, manage and monitor industrial network devices via standardized network device APIs and software automation tools. Industrial NetDevOps workflows use Open Source, standards and Python scripts alongside commercial devices and tools to deliver fast-responsive and secure industrial networks.

DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). Similar to DevOps, in the industrial space are industrial operations professionals who understand and control the equipment (OT/Dev), but need support from their IT colleagues to make OT-data meaningful, OT-devices accessible and better aligned with other business systems (IT/Ops).

The vision of Industrial NetDevOps is taking the full advantage of both teams by working together: Creating a single source of truth for network configurations (e.g. with Git), making small but well tested changes to the network, deploy configuration changes though APIs, use automation to save time and costs, enable automated IT network services for operations professionals, get real-time health data of your network and OT devices and many more.

What has changed? Why move now?

Operations leaders recognize that operational data they use to support real-time decision making could create additional value for the company. The vision of a fully connected factory is real, the transformation is happening right now. Therefore, the industrial network needs to be as responsive, agile and secure as it has ever been.

Cisco realized this movement and is leading it: The industrial switch series IE3x00, the embedded switch ESS3300 and the industrial router IR1101 are running IOS XE (same as on the Catalyst 9000 Series) which enables model-driven programmability with open APIs and data models such as NETCONF/RESTCONF & YANG. Also, the Cisco Catalyst 9800 Series Wireless Controller supports model-driven programmability along with traditional APIs.

Furthermore, the network controller and orchestration software Cisco DNA Center supports an extensive REST-API as well as the industrial security software Cisco Cyber Vision. As you can see, Cisco’s industrial software and hardware is ready for the transformation!

What are the Use-Cases which you can start right now?

To give you a better understand of how powerful Industrial NetDevOps can be with our Cisco industrial solutions, here are some use-cases which will get you started. However, there are many more!

◉ Enable or disable remote access with just one REST-API Call: By simply defying a service as a python script which will execute pre-defined NETCONF commands to create, enable and disable ACLs on specific industrial hardware, for example the IE3400.

◉ Deploy your desired IOS configuration for hundreds or thousands Cisco IE switches automated with the software automation tool Ansible and just one command. For example, configure the IND bootstrap-, specific ISE-, PROFINET-, CIP-, PTP-configuration and so on with one centralized tool or even application of yours.

◉ Get fully automated and tailored reports about the health of your network and IT/OT devices via the REST APIs of Cisco Cyber Vision and Cisco Industrial Network Director. In the same process-chain, analyze the report with other Cisco tools: Check each DNS query what has been made in your industrial network with the Cisco Umbrella Investigate API to see if some requests were malicious and highlight the originators.

◉ Enable ChatOps in your Industrial Environment: Operations professionals can easily change the network configuration and many other application settings via simple text messages on Cisco Webex Teams (see the example below with the IR1101). What changes the OT worker is allowed to make will be pre-defined by the IT team.

How does the Toolset of Industrial NetDevOps look like?

It depends on your use-cases and requirements what skills are important – you do not need to know them all! Here is breakdown of which technologies and tools will help you further to enable Industrial NetDevOps:

◉ Programmability Basics: Understanding REST-APIs and Python (or any other programming language) are the basics for programmability which will help you automating your tasks and can solve specific IT/OT challenges.

◉ Device Level: In order to leverage the APIs directly on your industrial device (e.g. IE3400) for a single configuration change or getting device operational data, get started with NETCONF/RESTCONF and YANG.

◉ Controller & Orchestrator Level: If you manage your industrial hardware with Cisco DNA Center, Industrial Network Director, Kinetic GMM or vManage, you can simply do that with the REST-APIs and automate your tasks with Python for example.

◉ Configuration Management: If you want to change the IOS configuration on hundreds or thousands of devices, get started with the software automation tools Ansible, Puppet, Chef or others.

◉ Network Verification: If you want to know if your IOS configuration on which of your IE3400s has changed in the last weeks or months or want to test your IOS configuration, definitely get started with the Cisco framework pyATS.

◉ Security: Especially in an industrial environment network security is highly important. Together with the industrial security software Cisco Cyber Vision (REST-API capable), Cisco Firepower & FirePower Threat Defense (REST-API capable), the ruggedized Cisco Industrial Security Appliance ISA3000, Cisco Stealthwatch (REST-API capable) and Cisco Identity Services Engine (pxGrid API) enable your network to talk to these security tools and the other way round.

◉ Telemetry and Monitoring: To visualize your collected data from your industrial device (e.g. IR1101 in the image below), get started with streaming telemetry and the TIG-stack (Telegraf, InfluxDB and Grafana), ELK-stack (Elasticsearch, Logstash and Kibana) or any other preferred databases and dashboards.

Where should I deploy the Industrial NetDevOps tools?

As usual, this depends on your architecture, devices, and industry. However, if we look at the Converged Plantwide Ethernet (CPwE) Architecture, it makes sense to include these tools in the Industrial Zone as seen in the image below.

Source: cisco.com

Continue reading

Get Back to a Safe Workspace Faster with Cisco CX Location-Based Analytics

The advent of COVID-19 has affected the way people live and conduct business. It has necessitated new business and epidemiological practices for ensuring business continuity. Many businesses and institutions around the world have moved from absorbing the effects that lead to most workspaces being shut by enabling their employees to work remotely and securely by leveraging video conferencing and VPN solutions. The return to normalcy requires the implementation of specific measures that will help businesses prepare to return to their usual physical workspaces. In some locations around the world, campuses that were closed are beginning to re-open, and employees are gradually returning to work through a phased approach. However, now more than ever, organizations need to ensure their workspaces offer the most secure and safe working environments, which strictly adhere to the COVID-19 guidelines for social and physical distancing.

Some of the most common questions emanating from customers in this situation include the following:

◉ “I want to see how my business is impacted by COVID-19. How can I ensure my campus is safe to re-open?”
◉ “How can I provide personalized customer experiences while ensuring social distancing?”
◉ “How can I ensure the number of employees attending work is within the safe threshold?”
◉ “How can I track and alert employees if the number of people within the campus at a given time poses a threat to the safety and health security of all in attendance?”

Get Help Safely Returning to Your Campus with the Cisco CX offer for Cisco DNA Spaces

Cisco offers a location-based analytics solution—Cisco® DNA Spaces—which digitizes physical spaces to provide you with insight about people throughout your workspaces, including how, where, and when they move through your location. It collects data from your existing Cisco Wi-Fi access points to provide information about people, including employees, customers, patrons and visitors, as well as things, such as assets and sensors, within your properties. Built with a variety of applications (apps), Cisco DNA Spaces sets up workplace density thresholds to monitor the number of employees in buildings across campus, provides notifications when thresholds are reached, shares safety information, and enables rapid response to incidents via proximity reporting.

In line with this, Cisco Customer Experience (CX) has introduced a new Service offer that helps you deploy and address your use cases with Cisco DNA Spaces. The Cisco CX offer for Cisco DNA Spaces delivers our new Advise and Implementation Service that helps with design, configuration, deployment and post-implementation support of Cisco DNA Spaces, which empowers businesses to analyze data from their workspaces and define actionable insights to accelerate office re-openings.

Our CX experts analyze your current environment and requirements, advise you on the best solution design and configuration for agreed upon use case(s), and tests and validates the desired functionality prior to production use. You’ll get expert help with right-fit use-case implementation, including a knowledge transfer session and post-implementation support to enable ongoing use of the solution and help you maintain essential business operations. We’ll make sure you can take full advantage of these location-based services to leverage critical visibility throughout your physical workspace locations, which plays a crucial role in managing the safe return of people to your workspaces.

Two levels of Advise and Implementation packages are available for Cisco DNA Spaces—small and large packages—based on the size of your organization. You’ll have the option to get support for up to five buildings (or 30 floors or shops) to cover your physical workspaces, smart captive portals for enhanced customer experience, CX post-deployment use assistance, and more.

How Cisco CX Simplifies and Accelerates Your Safe Workspaces

Next-generation sensing capabilities are already built into your Cisco Wi-Fi access points—such as Cisco Catalyst®, Aironet®, and Meraki®. However, they need to be turned on and aligned, and Cisco CX will do that for you. If you don’t already have them, Cisco CX can quickly deploy new Cisco Wi-Fi access points for you. We’ll take care of complete connectivity between your Cisco Wi-Fi access points, Cisco network, and the cloud-based Cisco DNA Spaces solution. Furthermore, the granular data collected by your Cisco Wi-Fi access points feeds the Cisco DNA Spaces apps. From this app data, you can then leverage advanced analytics to achieve powerful insights into end-user behavior​—how people use, move, and occupy spaces. The following apps are seamlessly bundled in our Cisco DNA Spaces solution:

◉ Right Now App​: Sets workplace density thresholds to monitor the number of employees in Wi-Fi enabled zones across campus.​

◉ Notification Trigger: Uses a rule engine to power an API, which triggers notifications when thresholds set by the Right Now App are crossed. Keep your teams updated at all times with automated notifications via Webex Teams™, SMS, or email.​​

◉ Impact Analysis App​: Helps you determine whether your operations need to be adjusted for the improved safety of your people by measuring the effectiveness of your back-to-safe-workspaces policies, including whether it’s safe to introduce more people into your physical workspaces.

◉ Proximity Reporting App​: Delivers historical analytics, allowing you to trace the steps of your Wi-Fi connected people. This app reports the presence and path down to individual users, while also reporting who else was present, allowing you to investigate incident impact across employees and zones by tracing proximity.

◉ Engagements App​: Shares contextually triggered safety information with employees based on where
they are in any of your buildings. ​The rule engine drives dynamic engagements based on each building classification as well as individual employee personas for more relevant information.

With the data stream created by Cisco Wi-Fi access points and fed to the bundled Cisco DNA Spaces apps, you can gauge the effectiveness of your back-to-work policies, and determine when it’s safe to allow more people back into your office. This includes the ability to determine if there is an area in any of your workspace zones where people are clustering and breaking your distancing guidelines. The real-time analytics offered by Cisco DNA Spaces make it easy to monitor the number of people across campus, including the effectiveness of your distancing policies with workspace density thresholds throughout all your monitored zones and across points of ingress and egress. Notification triggers generated by policy breaks and proximity reporting help you take action to keep your people safe. Your employees can also receive safety information triggered contextually based on their presence in any of your monitored physical zones. All this can be managed through a single, cloud-based pane of glass to simplify how you consume and leverage location services to keep your people safe.

Safety Can’t Wait—Start Your Location-Based Analytics Today

If you plan to re-open your campus gradually, we’ll work at your pace, easing into a broader rollout and expanding to deploy more specific use cases when you’re ready. Regardless of your rollout scheme, you’ll enjoy easy procurement and fast deployment. Leverage the right expertise to get up and running quickly with Cisco DNA Spaces in days, versus weeks, all while prioritizing the safety of your people.

Continue reading

5 Important Fundamentals of Your Account Based Marketing Program

Are you a B2B marketing professional looking to set up, or improve, your Account-Based Marketing (ABM) strategy? Perhaps you have a program up and running or are looking to implement one soon.

If you’re feeling the urgency behind ABM, it’s for good reason. This is a growth strategy that has been proven to deliver the highest ROI of any B2B marketing strategy or tactic (according to the ITSMA, who has been advocating for this approach for many years.)

You’re also not alone. In a recent study by SiriusDecisions, 93% of respondents stated that ABM is very or extremely important.

The benefits of ABM are numerous:

◉ Greater focus – ABM allows your Sales and Marketing teams to focus time, budget, and efforts on those accounts that are most likely to drive revenue for you. Think of it as a “zero waste” strategy.

◉ Larger deals – Deals generated through ABM tend to be larger, with better buy-in and executive support.

◉ Increased close rates – Companies report higher close rates with those accounts engaged through ABM.

◉ Faster deals – Because the right individuals within the right accounts are targeted, ABM deals tend to get stuck less, and move quicker.

◉ Integration – ABM by nature integrates your sales and marketing teams who now work together against the same account criteria list.

I believe B2B organizations with large and complex sales have a great deal to be gained by implementing an account-based approach. Some say this is always the way B2B was meant to be. I tend to agree.

Wherever you are in your journey, here are the most important fundamentals that can dictate success for your ABM programs:

1. ABM is strategic. Some mistakenly approach ABM as a tactic, failing to invest appropriately in resourcing, executive buy-in or change management to bring it to life. This should be a highly strategic growth initiative that combines people, processes, and technology.

What’s important is to realize that simply buying ABM technology is, itself, not enough to see results. Like any other core marketing technology, how you shift the behaviors of your team will truly make all the difference.

2. Leave lead-centric practices behind. While ABM can run simultaneously to traditional demand generation within a pilot program, it truly is a new mindset to adopt.

The lead-based marketing automation and lead management approaches popularized throughout the 2010’s have been a kind of “normal” for the B2B industry. In this approach:

– Deals are comprised of individual leads
– Deals are high-velocity, taking hours, days or weeks
– Deal sizes are low, and there’s a lot of them

But, for those organizations with large and complex deals, traditional lead-based demand gen is often not appropriate. This is where ABM is appropriate, as it involves:

– Many stakeholders
– Months-to-years time to close
– Low quantity, highly-defined universe of target accounts
– Large deal size

3. Marketing has a different role to play in ABM. Because ABM requires different motions than lead-based marketing, the resourcing and responsibilities for a marketing team deploying ABM will look different. For example, the way your team may spend their time will include working with Sales to define accounts, and their goals and plans. They may also be responsible for gathering account intelligence and building engagement strategies, from content to live events.

In ABM, Marketing is a true partner with Sales, targeting the same list of high-value accounts, and working together to engage those accounts over the lifecycle of the account’s journey – from awareness to engagement to close, then after the deal to renewal and expansion.

4. Multi-channel is the best ABM approach. On that note about channels, the explosion of digital marketing has introduced more ways to engage individuals within our target accounts than ever. But, for an ABM program to be successful, we have to leverage them in a more focused way.

Here’s how B2B teams use all channels in ABM:

– Email marketing looks different with ABM. Sales owns more early-stage email outreach with highly personalized, tailored, and targeted notes.
– Direct mail is used to send custom, bespoke assets appropriate for a small amount of specific accounts.
– Field events are more targeted as well, used to nurture relationships with key accounts in cities they are more concentrated in. These can be VIP experiences, lunch and learns, breakfast roundtables, or panels.
– Digital ads are used to serve content to specific accounts by IP addresses, or a list of contacts.

5. ABM requires leading with insight. Corporate Visions found that 74% of buyers chose the sales rep that was FIRST to provide value and insight. This aligns with research from Edelman and LinkedIn that reveals thought leadership enhances B2B decision-makers trust in a vendor (88%), their perception of a vendor’s capabilities (88%), their respect of that organization (90%) and even convinces 61% to pay a premium because it demonstrates deep thinking and other virtues important to them.

Because ABM is inherently outbound (whereas traditional lead generation let us publish content and attract leads in an inbound model) the quality of our outreach is held to a much higher standard.

Unfortunately, only 15% of decision-makers say the thought leadership they read is very good or excellent. This presents an enormous opportunity for B2B marketing leaders to improve, and for those with strong thought leadership programs in place today to differentiate and thrive.

It can feel like ABM is only the B2B marketing industry’s hottest new buzzword. But, I think of it as a far more critical industry transition. ABM gives our department a way to serve our businesses in more strategic, impactful ways.

Continue reading

Enhancing the Single Pane for Webex Edge for Devices

Bringing the Most Modern Experience of Webex to any Device with Webex Edge for Devices

Earlier this year, we released Webex Edge for Devices with our CE 9.10 software release for Webex Rooms. This enabled administrators to easily link their on-premises registered devices to the Webex Platform, delivering an enhanced feature set which included device analytics and diagnostics for on-premise deployed rooms.

Webex Edge for Devices is bringing the most modern experience of Webex to any device regardless of how it is provisioned today. We have had an amazing uptake of this new deployment model, which has in turn generated a wide range of feature requests, and I couldn’t be more excited to announce a new set of features that Webex Edge for Devices customers will receive from the Webex platform.

Creating a Better Experience for Administrators and End-Users

With the 9.12.3 release, we released the ability to use a HTTPS proxy on the device to connect to the Webex Platform. This gives more flexibility for administrators to allow traffic to flow through proxies as it leaves their corporate network!

For Webex Meetings 

The next two features are related to Webex Meetings. Now, customers can search for a PMR (Personal Meeting Rooms) directly on devices which have been linked with Webex Edge for Devices through the “Join Webex” button. This makes it even easier to join Webex Meetings!

For Administrators

The other Webex Meetings feature is for the administrators. When you need to troubleshoot a device, you can now get access to the same data our full cloud registered systems have. This includes drill down minute by minute diagnostics over packet loss, jitter, latency and even resolution for all Webex Meetings!

For Configurations

The next one is a big one. Our customers have been asking for a while when they will be able to configure devices from Control Hub? Well, now is the time! With CE 9.13, customers can opt into configurations controlled from Control Hub instead of UCM or TMS. This truly makes Control Hub the single pane of glass to manage every workflow. The ability to bulk edit configurations for Control Hub is also just around the corner. This paired with the upcoming configuration API means it is possible to add programmability if you want to make large sweeping changes.

Workspaces

The final feature I want to mention is something we just recently released, namely Workspaces! People have been asking me if this works for both cloud registered and Webex Edge for Devices linked workspaces? The answer is Yes! Workspaces delivers real time metrics directly from your workspaces into Control Hub and brings value for every activity in the space.

Continue reading

Fukui-ken Saiseikai Hospital deploys Cisco DNA Center for IT transformation

The acceleration of medical device digitization has led to an explosion in the number of new devices on the Fukui-Ken Hospital network. Cisco DNA Center provides the solution for policy, security, and assurance.

IT departments everywhere are dealing with the explosion of new devices and users on the campus network. Provisioning, securing, and maintaining performance of constantly growing networks is daunting for us all. Hospitals are probably the most affected by this because of the sheer number of healthcare and life-saving devices that they require. The Fukui-ken Saiseikai Hospital, located in Fukui City, Japan has deployed Cisco DNA Center in order to accelerate their digital transformation with greater efficiency.

Mr. Masaru Takeuchi, Medical Information Division Section Leader, defined the hospital’s challenges as a lack of visibility and control over network access as well as inconsistent IT staff proficiency in managing complex network issues and troubleshooting. Mr. Takeuchi outlines that Cisco DNA Center, with Cisco Identity Services Engine (ISE) addressed all of their challenges from policy and security, to automation and orchestration and, of course, assurance. He knew that automating the lifecycle management would result in greater IT efficiencies, but he wanted to first focus on a stable, well performing infrastructure: “First we are going to build the reliable infrastructure that is necessary for automation. The implementation of Cisco DNA Center provides real-time visualization. By constantly monitoring and analyzing the health of the entire network to quickly identify signs of trouble, it is possible to take proactive measures, thereby enhancing assurance.

The Fukui-ken hospital IT staff focused on setting up network access controls and threat detection, in compliance with their security policies. This is done via the policy section of Cisco DNA Center where endpoints are categorized into groups and each group is given a set of policies that determine what types of data traffic and network resources that endpoint can access. Once their policies were set up, Cisco DNA Center simply updates policies in all switches, wireless controllers, access points, and routers. Policies follow users and endpoints, so there is no more need for ultra-complex QoS and IP-based segmentation.

Now the team can focus on operating a policy-based, zero-trust infrastructure. Doing this is a cinch with Cisco DNA Assurance, one of the main features in Cisco DNA Center. As I noted above, there was inconsistency in the IT staff proficiency in managing complex network issues and troubleshooting. Meaning that some of the level-one engineers did not have the experience to diagnose complex issues without consulting a more experienced staff member. When Cisco DNA Assurance raises a network “Issue” it then offers guided remediation on steps to resolve that issue (see screenshot below). Any suggestion that can be resolved through a Cisco DNA Center configuration will have a “RUN” button next to it, for one-click resolution. This allows level-one engineers to fix complex network challenges quickly and independently. It also serves as a platform for learning as each issue that is remediated provides greater experience and, ultimately, improved network literacy.

As the Fukui-ken hospital IT team grow their network they plan on implementing more capabilities within Cisco DNA Center. Enabling AI/ML analytics will allow them to compare wireless service areas and locate opportunities for Wi-Fi service improvement. Cisco DNA Automation will provide time savings for device lifecycle management and improve consistency in device configuration. Cisco DNA Center is a full-featured intent-based network controller that brings the elements of security, automation, and assurance together for a complete operations and management platform. As Fukui-ken Hospital decides to integrate these additional capabilities into Cisco DNA Center their existing Cisco DNA Advantage subscription gives them immediate access to deploy and use those new capabilities on their existing hardware.

The trend in modern hospitals is the acceleration of medical device digitization and the reduction in on-site operational staff. The Fukui-ken hospital IT team is building a campus network to support this trend and take them into the next phase of healthcare.

Source: cisco.com

Continue reading

Three requirements to securely connect your industrial network

Digital transformation initiatives are driven by the desire to make data-driven business decisions. Whether you’re looking to increase production, reduce waste, or improve safety, the answer resides in your data: collecting it, analyzing it, and learning from it. But what happens when your data lives in extreme locations? Perhaps in places of severe heat, cold, humidity, salinity, or dust? How do you gather information with such harsh conditions? And how do you do it securely?

The first step is to converge to a single IP network. Network convergence is a proven formula for pulling together all the data in your environments. Cisco has been helping hundreds of thousands of organizations to converge their voice, video, data, and IoT networks to a single IP network. We’ve been doing this for over 30 years, and we know it works. A single network is easy to manage and operate and reduces your total cost of ownership. However, the primary challenge with a converged network is that it needs to be secure. There are three elements you need to securely connect an industrial network: 1) purpose-built hardware, 2) digitally signed and authentic security software, and 3) extensible architectures.

1. Choosing the right hardware

Start with the right hardware. For industrial internet of things (IIoT), the network hardware must satisfy the requirements of both the operational technology (OT) department and the IT department. At a high level, OT runs point on operations and understands how the organization produces its goods or services. IT connects the network and wants to make sure it’s done securely. OT and IT each have different priorities, goals, and concerns, yet the hardware has to meet both sets of requirements.

In addition to meeting the requirements of both OT and IT, the network hardware you select for connecting the industrial network should have a hardware trust anchor. A hardware trust anchor ensures that whatever software runs on the hardware will do so in a secure manner. To this end, the hardware should have an anti-theft, anti-counterfeiting, and anti-tamper chip that is completely immutable, meaning that it cannot change. Also look for built-in cryptography functions, secure storage for certificates and objects, and certifiable entropy for random number generators.

2. Selecting the right software

Going up the technology stack, the next component you need to securely connect the industrial network is the right software. Complement the secure hardware with digitally signed images, a secure boot process, and runtime defenses to ensure the software is secure and hasn’t been tampered with.

What is meant by digitally signed images? When we compile an image at Cisco, we execute a hash function on the binary code. The result of that hash function is encrypted using Cisco’s private key, and that signature is embedded right within the software image. At boot time, two things happen: 1) the local machine computes its own hash based on the binary of the software image, and 2) it decrypts the information they’re in, looking for that signature and making sure the two match. This process provides reassurance that the software hasn’t been tampered with and that it’s safe to boot up. Digitally signed images are an important component to a secure boot process.

Now that the software has securely loaded on the device, the network administrator has at his or her disposal the most powerful and secure networking operating system in the industry: Cisco IOS XE, which contains over 1,300 security feature commands and keyword options.

Cisco IOX XE also supports application-hosting in containers so that they can run on networking devices. Leveraging this application-hosting capability, Cisco has recently delivered an OT-specific security solution, namely Cisco Cyber Vision.

Cisco Cyber Vision provides innovation in OT security. For example, Cisco doesn’t require customers to install dedicated hardware sensors, but rather virtualizes their sensor to run as an application on network infrastructure, such as Cisco Catalyst Industrial Ethernet (IE) switches or Cisco ISR Industrial Routers (IR) or even Cisco Catalyst 9300 switches (which may be found in some industrial environments, albeit in temperature-controlled cabinets/rooms). Cisco’s unique approach of using a software sensor for OT protocols is not only an industry-first, but also the most scalable solution in this space, as it allows for the security solution to simply scale with the network infrastructure itself.

Another innovation that Cisco brings to OT security is the use of distributed analytics and OT flow metadata to minimize bandwidth impact. The Cyber Vision sensors running on the network devices perform deep packet inspection (DPI) on all OT flows. However, rather than mirroring these flows to a central analytics engine (i.e. the Cisco Cyber Vision Center) these sensors summarize OT flows as metadata, similar to NetFlow records (though the metadata Cyber Vision uses far exceeds the data contained in NetFlow records). Cisco Cyber Vision goes beyond NetFlow by detailing attributes of the devices sending and receiving the flows, the OT protocols used, the commands sent and received, and even the specific variables that these commands reference. As an analogy, while NetFlow can tell you who is talking to who, Cyber Vision metadata can tell you not only who is talking to who, but also the languages they are speaking, as well as specific details of their conversation. And the summary of these flows is highly efficient, typically consuming only 2-5 percent of incremental bandwidth.

3. Architectural integrations

The third piece in the tech stack is architectural integrations. Look for security solutions that leverage the existing network hardware to provide visibility into network traffic, and to identify and stop potential threats. Both IT and OT can benefit from having complete visibility of the OT environment, but IT cannot afford the operational overhead required to support a separate SPAN network. By integrating sensors into network hardware, IT can see anomalous behavior anywhere in the environment, while OT can obtain new and deeper insights into operations.

Ideally, the security solution also integrates with the technology used by the Security Operations Center (SOC) to monitor, investigate, and remediate security incidents in the IT environment. This way, the SOC has all the information it needs in one location to reduce the time to detect and respond to a security incident. Security analysts can see, for example, whether an attack originated in the IT environment and moved laterally to the OT environment, or if an attack entered the OT environment via something like a vulnerable device.

How Cisco can help

Cisco’s industrial-grade network hardware and Cisco Cyber Vision are designed to work together to meet the three requirements for securely connecting an industrial network. Our ruggedized networking switches and routers are built to withstand the harshest environmental conditions while delivering enterprise-level networking capabilities, including a hardware trust anchor. Our software uses digitally signed images to validate that software has not been tampered with, and Cisco Cyber Vision leverages the network architecture to deliver visibility and control over the OT environment. Cyber Vision also provides real-time threat detection and integrates with the SOC.

Continue reading