In Part 1 of the article “Design and maintain OT/IT security network based on IEC 62443 standards”, the writer introduced an overview of the IEC 62443 standard and some notes on building a system in accordance with it. Part 2 of this article gives you insights on how to design and maintain OT/IT network security.

Design and maintenance of OT/IT security network

The design and maintenance of the most secure possible OT/IT network should be based on the IEC 62443 standard combined with the integrator’s practical experience. Firstly, the system must be capable of listening to, analyzing and automatically modelling network behavior, presenting to operators all the information needed to understand how the network operates and to identify weaknesses or points that may be affected in the future. The system must perform all of these tasks in a fully passive, proactive manner, providing the most accurate possible picture of network behavior with minimal errors, and with no latency or adverse influence on the performance of the system or the workflow of either the OT or the IT network.

At the same time, surveying, evaluating and understanding the customer’s specific needs, together with the integrator’s practical implementation experience, will help to design and develop an appropriate IT/OT network security system for that customer.

  • Compliance with IEC 62443 is specified as follows:
    • Allows immediate and automatic identification of all active network devices, and retrieval of their data, to facilitate the identification of security boundaries and access points.
    • Quickly and completely updates existing and emerging risk models for both OT (ICS) and IT networks. According to current information, there are more than 750 threats and special threats dedicated to ICS, with over 300 vulnerabilities for known ICS devices, allowing rapid risk assessment and providing ready methods to defend against or minimize the risk when attacked.
    • Supports network segmentation into partitions and the links between partitions, ensuring that no unwanted information flows between them.
    • Provides the best possible protection for the daily operation of the network. Thanks to the advanced threat detection tools currently available, new and unknown cyber-attacks, which are not as easy to detect as everyday threats, can be detected.
  • Monitoring network traffic and gathering device information:
    • Network traffic monitoring and threat detection: OT/IT operators can statistically collect and aggregate information about the active devices in the network and produce comprehensive reports. Combined with control processes, information-flow control, protocol analysis and analytical tools that produce immediate, clear and accurate results for each relevant network, this supports the operator in running the system and in quickly identifying vulnerabilities and security breaches that can arise from sources such as the use of unsafe protocols and services or excessive consumption of industrial network bandwidth. All of this information is captured passively, using technologies such as port mirroring or network TAPs that do not change the state of the network or affect its performance.
    • The information obtained through the intelligent reporting/analysis tool is presented as an interactive network map that helps the administrator understand the main network issues, such as:
      • The evolution of network interfaces and protocols over time.
      • Pie charts that scale the different aspects of communication (such as the most commonly used protocols) to show the structure of the network.
      • Tree diagrams that show details of all communication patterns observed in the network and help identify unwanted information flows.
      • Listings of network assets and their properties, or a record of unwanted events over a certain period of time.
  • Intuitive network mapping helps to classify network devices, logical connections and communication flows. At the same time, users can filter the map and find details about individual devices: operating system, patch version, network addresses, and the threats they are exposed to (for example, known vulnerabilities).
  • The collected information, graphs and analysis images are customizable and can be filtered and cross-filtered along different dimensions. The diagrams provide real-time monitoring of the network and can be used for analysis and reporting in whatever way interests the administrator. Behind the visual analysis platform there is a full-featured data store that allows operators to combine all of the databases and query them together with historical data, providing everything necessary to analyze in depth the behavior of both the OT and the IT network.
  • Combined with dedicated analysis tools, the administrator can clearly understand the rules as well as the flow of information in the network. Each rule specifies which server is monitored, which port is used, which protocol is used, and which actions or commands are run over that protocol. This information is the key to determining the presence of unwanted information or unsafe services caused by unwanted network devices or process activities, such as malware.

The results of this analysis can be used to determine the security status of the network, to remove misconfigurations from the system, and to adjust the firewalls to block specific unwanted traffic streams. In addition, the analysis provides all the inputs required to identify the “zones” and “conduits” (network segments) recommended by IEC 62443. In other words, this is the first step in designing and deploying a secure network.

  • Network separation and threat detection
    • The rules created automatically by the monitoring system can be enforced so that whenever a communication differs from the intended network behavior, the operator is alerted immediately. For example, the system will warn in real time when a new host that was not previously seen by the network monitoring system appears, or when an unwanted protocol or service is used (see picture below). In other words, the system reports any violation of the network segmentation identified in the “build solution” step (step 3 of the IEC 62443 framework deployment).
    • In addition to controlling the flow of information, the system needs the most advanced detection tools to analyze communication over industrial protocols. The system must use a self-learning mechanism to automatically generate the model of how the OT network is used. As a result, the system is capable of analyzing each field and value contained in an OT protocol message, to ensure that the message complies not only with the protocol rules but also with the operations and value ranges used specifically in the monitored network. As soon as an unauthorized party attempts to exploit a vulnerability in a network device, the system detects and reports it. This goes far beyond the capabilities of existing network monitoring systems, which stop at analyzing at the “command” level. The system can therefore provide protection against a more comprehensive range of attacks, from the simplest to the most advanced.
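The self-learning baseline described above, as an added example that is not part of the original article or of any vendor product: it learns which hosts, flows (server, port, protocol, command) and value ranges occur during a learning period, then raises an alert for a new host, an unwanted protocol, an unexpected flow, or a command value outside the learned range. All addresses, protocol names and traffic records are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# One observed message: (src, dst, dst_port, protocol, command, numeric value).
# Hosts, addresses and traffic below are constructed for this example.
Record = Tuple[str, str, int, str, str, int]
FlowKey = Tuple[str, str, int, str, str]

HMI, ENG, PLC = "10.0.1.10", "10.0.1.11", "10.0.2.20"

LEARNING_TRAFFIC: List[Record] = [
    (HMI, PLC, 502, "modbus", "read_holding_registers", 0),
    (HMI, PLC, 502, "modbus", "write_single_register", 40),
    (HMI, PLC, 502, "modbus", "write_single_register", 60),
    (ENG, PLC, 502, "modbus", "read_holding_registers", 0),
]


class Baseline:
    """Learned model of the monitored network: hosts, protocols, flows, value ranges."""

    def __init__(self, traffic: List[Record]):
        self.hosts: Set[str] = set()
        self.protocols: Set[str] = set()
        self.flows: Dict[FlowKey, Tuple[int, int]] = {}  # flow -> (min, max) value seen
        for src, dst, port, proto, cmd, value in traffic:
            self.hosts.update((src, dst))
            self.protocols.add(proto)
            key = (src, dst, port, proto, cmd)
            lo, hi = self.flows.get(key, (value, value))
            self.flows[key] = (min(lo, value), max(hi, value))


def check(baseline: Baseline, rec: Record) -> List[str]:
    """Return one alert string for every way `rec` deviates from the learned baseline."""
    src, dst, port, proto, cmd, value = rec
    alerts = [f"new host {h}" for h in (src, dst) if h not in baseline.hosts]
    if proto not in baseline.protocols:
        alerts.append(f"unexpected protocol {proto}")
    key = (src, dst, port, proto, cmd)
    if key not in baseline.flows:
        alerts.append(f"unexpected flow {src}->{dst}:{port} {proto}/{cmd}")
    else:
        lo, hi = baseline.flows[key]
        if not lo <= value <= hi:  # command is allowed, but the value is not
            alerts.append(f"{proto}/{cmd} value {value} outside learned range {lo}..{hi}")
    return alerts


if __name__ == "__main__":
    base = Baseline(LEARNING_TRAFFIC)
    for rec in [(HMI, PLC, 502, "modbus", "write_single_register", 55),
                (HMI, PLC, 502, "modbus", "write_single_register", 900),
                ("10.0.1.99", PLC, 502, "modbus", "read_holding_registers", 0),
                (ENG, PLC, 23, "telnet", "login", 0)]:
        print(rec, "->", check(base, rec) or "OK")
```

In a real deployment the learning traffic would come from a mirror port or TAP during a supervised baseline period, and the learned flows would be reviewed against the intended zone and conduit design before enforcement.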


An appropriate approach and platform are needed to develop a design and an operating methodology that achieve and maintain all the requirements of an OT/IT network. This gives the unit or organization the performance it needs from the system without sacrificing network security, as described in IEC 62443.

As such, the system delivers superior value compared with traditional network security solutions, helping to identify, analyze and report on activities and issues that may have disastrous effects, such as a cyber-attack. In general, the system needs to provide the most comprehensive and powerful platform for integrating OT and IT monitoring.


This article draws on some of the solutions provided to customers and on the following reference:

Part 1: Design and maintain OT/IT security network based on IEC 62443 standards

Song Phuong – FPT IS
