4 Steps to Better Protect OT Networks From Cyber Attacks

abstract cyberspace background

As OT (Operational Technology) networks converge with IT networks, network security is a serious concern. OT systems that used to be air-gapped must still protect network communications without interrupting operations. To protect your industrial networks and critical assets, you need a secure network infrastructure with powerful secure routers to build solid network segmentation.  The following four steps show how you can secure your OT networks while ensuring they are resilient to threats and disruption.

1. Manage Your OT Networks

Operators who manage their OT network (rather than relying on the IT department) can quickly respond to problems and troubleshoot issues more rapidly. Before you can protect the assets on your OT network, you need to know what is there – and what isn’t. It’s critical that OT operators have complete visibility to everything on their networks – just like IT network administrators do. Make sure everything that should be on your OT network is there. And identify anything that should not be there.

Managing your OT network requires controlling who has access to the network by utilizing network Access Control Lists (ACL) and other authentication mechanisms. In other words, everything on the trusted list is allowed to go through the network, and anything not specified is blocked. An Access Control List filters traffic and allows users to configure customized filter criteria and deny access to specific source or destination IP/MAC addresses. For example, access control lists found in Moxa’s Layer 3 Ethernet switches make it easy to quickly establish filtering rules, manage rule priorities, and view overall settings in the display page.

Also, there are simple mechanisms that OT operators can set up to define which equipment, like a PLC, can be connected to the network by port access control or secure “sticky” MAC address, which dynamically associates the mac-address to the port. Without the sticky option, the mac-address association goes away after a specified period of time.

2. Patch Vulnerabilities

Equipment and devices running on OT networks cannot be upgraded or replaced like they can on IT networks. Many legacy OT devices remain unpatched and are relatively easy for hackers to exploit. Some of those legacy devices may be running on operating systems as old as Windows 95. If no patch is available from the original equipment vendor, consider putting a virtual patch on a device that goes in front of your legacy devices.

3.  Segment Your OT Networks

Segmenting OT networks prevent cyber threats from spreading to other parts of the network.

Unlike IT networks that can be segmented by dividing the network into different departments with their own set of permissions, OT networks are basically one big Intranet where everything is connected. This makes OT networks more difficult to segment, but not impossible. There are two ways you can segment an OT network:

  • Vertical segmentation involves adding an Industrial Demilitarized Zone (IDMZ) between the IT network and OT network. Although this separation should be mandatory, many companies still have not segmented their OT networks from their IT networks.
  • Horizontal or lateral segmentation involves creating and separating cells, zones, and sites on the OT network. A cell is essentially a tiny place where all equipment is stored, such as a cabinet. Several cells can form a zone, and multiple zones can form a site.

Moxa recommends:
Establishing Zones and Conduits:

  • VLAN: Moxa’s devices help administrators restrict users access to only data and parts of the network necessary for them to perform their responsibilities.
  • Firewalls: Moxa’s devices help administrators establish conduits in the network to only allow permitted traffic and packets to transfer from one zone to another.
  • NAT: Moxa’s devices help administrators establish a private local zone to hide internal network information from external probing.

Network Security Control:

  • VLAN ID or MAC Addresses: Moxa’s devices only allow users to access data and networks based on their roles.
  • IP Addresses and Ports: Moxa’s devices only allow permitted traffic on the network.
  • Deep Packet Inspection: Moxa’s devices check the content of each packet payload to ensure only approved content is transmitted on the networks.

4. Secure Remote Connections

Besides managing and segmenting OT networks, it’s also important that remote connections are secure. Protecting the data that is secure remote access for OT networkstransmitted from your plant or remote site back to the monitoring and control center is absolutely crucial. Ensure that each remote connection to your OT network is both authenticated and encrypted. Authentication verifies the identity of the user requesting access whereas encryption ensures that the data transmitted is securely encoded and cannot be easily deciphered by prying eyes.

  • Enable a management platform to control all remote connections.
  • Encrypt end-to-end communication to prevent data leaks.
  • Ensure all remote connections are pre-configured with correct access control.

Moxa’s Remote Connect (MRC) Suite is a management suite for remote connections that lets you  easily build remote connections for your devices by using Moxa Remote Connect Quick Link service or you can also build your own private MRC server portal.

As a leading industrial networking provider, MSI TEC can help you develop secure and reliable networking solutions that protect OT environments from cyber threats. As an authorized Moxa, Cisco, Advantech, Axiomtek and Weidmuller distributor, we offer the widest range of rugged networking products that are designed specifically for industrial applications.

Contact us. 

Liked this article? Share:
Facebook
Twitter
LinkedIn
Email

Related Posts

cyber attacks to Industrial networks
Cyber Security

Five Expert Tips to Protect Industrial Networks

As more OT and IT networks converge, there are several attack surfaces emerging in industrial control systems. Some are known vulnerabilities, but there are also some that are unknown. That’s why it’s important that everyone

Read More »
Oil and Gas Monitoring-Systems
iiot

Remote Wellhead Surveillance Case Study

Terra Ferma, Moxa, and MSI TEC extended IT communications from the corporate offices out to the most remote and harsh industrial environments the oil and gas industries have to face. Terra Ferma was challenged with

Read More »
automation

Benefits of the Industrial IoT

The Industrial IoT is bringing new growth opportunities to businesses who are investing in the proper networking infrastructure. While the Industrial IoT movement is in its early stages, there are advantages to investing in connectivity

Read More »
iiot

What is Industrial IoT

The Internet of Things or the IoT is a network of things, objects, and devices that are embedded with software, sensors, and other technologies that connect and exchange data over the internet. This includes every

Read More »

Subscribe to our Newsletter

Be the first to learn about classes, training, webinars, products news and more.