Critical infrastructure is under a rapidly intensifying wave of cyberattacks: attacks on hospitals, attacks on robotic devices, attacks on any operation where hackers can seize control of assets and use the resulting disruption to extort money. Many medical devices, railway assets, and robots are OT technologies that were never conceived to be on a network, and they are now being brought online by the rapid spread of IoT technology.
When you run assets like these, you need to think about how to make your network security-oriented from its foundations. Flat networks that rely on security by obscurity are a thing of the past when hackers can speak the same OT protocols your machines use to send and receive commands. Even more troubling, hackers have by now developed and tested attack strategies for the environments created by industry regulations. This is why we recommend making protection part of the foundation of your network by applying three methodologies: segmentation, inspection, and virtual patching.
Segmentation is the process of splitting a network into more easily defended zones. These zones are strictly determined by which assets need to talk to each other, and traffic between zones is limited to what the zone boundaries explicitly allow. In this kind of environment, it is naturally much more difficult for hackers to gather information, send malicious commands, or deploy threats.
A segmented network is also much easier to monitor. Once your network is segmented, it is much easier to implement the next natural step: inspection. To provide inspection at OT work sites, a cybersecurity appliance needs to understand the OT protocols in use, not just the packets that carry them. With this understanding it is possible to outright deny any unusual command, which has the added benefit of stopping not only malicious commands but also misoperation.
The last part of this triad of OT network security is virtual patching. Virtual patching is a network-based control that places a ‘shield’ in front of vulnerable assets, blocking traffic that would exploit a known weakness before it reaches them. It is designed for a number of situations: for example, when an asset is past its end-of-service date, when an asset cannot be modified due to regulations, or when productivity goals require keeping an asset running until the next scheduled maintenance.
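To make the three methodologies concrete, here is an added example (not TXOne code) of a minimal protocol-aware inspection filter over constructed Modbus/TCP request frames: the per-zone allowlist stands in for segmentation, the function-code check for inspection, and a rule denying writes to a constructed "unpatchable" unit id for virtual patching. The zone names, unit ids and policy are assumptions made up for the example.

```python
import struct

# Modbus function codes used below (public Modbus spec)
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}

def parse_modbus_tcp(frame: bytes) -> tuple[int, int, int]:
    """Parse the MBAP header plus function code and start address; return (unit_id, function, address)."""
    if len(frame) < 10:
        raise ValueError("frame too short")
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    address = struct.unpack(">H", frame[8:10])[0]
    return unit_id, function, address

# Segmentation policy, constructed for this example: which function codes each
# source zone may send. The HMI zone may read and write; the IT zone may only read.
ZONE_POLICY = {
    "hmi": {READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS},
    "it": {READ_HOLDING_REGISTERS},
}
# Virtual patch, constructed for this example: unit 7 stands for a legacy PLC that
# cannot be patched, so all write functions to it are denied regardless of zone.
VIRTUAL_PATCH_UNITS = {7}

def inspect(source_zone: str, frame: bytes) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one request frame arriving from source_zone."""
    try:
        unit_id, function, _address = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    if function not in ZONE_POLICY.get(source_zone, set()):
        return "deny", f"function 0x{function:02x} not allowed from zone {source_zone!r}"
    if unit_id in VIRTUAL_PATCH_UNITS and function in WRITE_FUNCTIONS:
        return "deny", f"virtual patch: writes to unit {unit_id} are blocked"
    return "allow", "request matches policy"

def build_request(unit_id: int, function: int, address: int, value: int = 0) -> bytes:
    """Build a constructed Modbus/TCP request frame (transaction id 1) for testing the filter."""
    pdu = struct.pack(">BHH", function, address, value)
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit_id) + pdu
```

A real appliance would also track sessions and validate the full PDU per function code; this block only shows the decision logic.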
TXOne Networks’ Edge series includes next-generation IPSes and firewalls that were designed with this setup in mind. Even large-scale deployments can be managed from one central location, where logs are collected into an easily referenced database. With the Edge series, OT facilities can maximize security and prevent cyberattacks without having to settle for reduced productivity.