Software Defined Networking

Veracity applies software defined networking (SDN) best practices to OT networks

How micro-segmentation drives productivity for OT networks

Software-defined networking (SDN) is not a new concept in the IT space, it has been used to manage clouds and server farms for over a decade. On the contrary, their OT network counterparts have for years prioritized the significant cost of downtime – rightfully so – and have gotten by with sub-par cybersecurity solutions. Fast forward to today and OT teams are turning to SDN in response to the need for additional network visibility and control. SDN takes a plant that has hundreds of switches deployed across the facility that are traditionally individually configured and uses a consolidated network management tool to give real-time network monitoring and management. Ultimately SDN hardens the network reducing cybersecurity threats. One of the primary benefits of SDN is its ability to reduce the attack surface through micro-segmentation, in which areas of the network are compartmentalized. In the event of a security breach, the targeted area is isolated limiting how much an attack can spread.

In conjunction with a defense-in-depth approach, critical infrastructure companies are turning to micro-segmentation solutions to secure, harden, and manage their ICS networks – to gain:

  • Network management and visibility – management of all devices – regardless of the network protocol – is done via a single solution. This provides a holistic network management tool that automatically inventories the network components and at the same time gives visibility if a connection is broken and issue resolution is needed.
  • Automation and resiliency – Veracity capabilities will automate and keep your network segmentation program current. Eliminating mis configured firewalls, loop backs, the manual task of changing IP addresses for your layers, the software will keep it all up to date for you. For OT environments, SDN will inherently take the fastest path available, meaning if a connection breaks it will automatically route another path as long as there’s a physical connection.
  • Zero-trust Security – an SDN solution protects traffic east/west and north/south. It also works as whitelisting for your OT network where only traffic allowed between devices will occur. Not allowing undefined traffic in the network makes attacks much harder to execute and creates a micro-segmented network with the equivalent of a firewall at every port.

Another driver for OT teams is the return on investment (ROI). OT networks often have thousands of devices connected to multiple networks, making network management a time-consuming problem. Automating the management of the network can greatly reduce the effort to maintain or reconfigure networks, reducing downtime and operational cost while having the added benefit of inherent security.

There are many reasons why a micro-segmented SDN approach may be the right one for OT teams – as you evaluate the fit for your application, here are a few of the key differences between a traditional approach and using SDN:

Traditional Legacy Hardwired Network

SDN Industrial Software Defined Network

Hardwired Segmentation and Zoning. Can't adapt to Critical Events

Dynamic Centralized Software Defined Zoning and Conduits

Firewalling possible with add-on devices for North-South traffic

Distributed firewalling of every port, every switch, every direction

Limited visibility of devices and network traffic due to lack or need for numerous span/tap ports

100% visibility of all devices and traffic on every port

Inability to control comms based on ports and protocols

Complete control of all ports, protocols, and coms

Typically no or inaccurate network drawings or topology without investing in expensive 3rd party tools which ride on top of the network

Automatically generate accurate topology drawings with complete asset inventory in an exportable view

Allows full communication with the introduction of new devices and protocols

Deny by default network will not allow a new device or protocol to communicate without proper authorization

Alerting tools rely heavily on SME and management intervention to monitor, manage, and require using disparate, distributed tools

Manpower multiplier due to the centralized deployment and management of the network

Multiple tactical tools and configuration utilities that can create extra management and training overhead, with significant potential for misconfiguration

Centralized strategic platform that provides a single pane of glass to effectively manage the network, build policy, and provide full tracking and remediation of all network assets using a GUI

If you are planning on updating your OT network, deploying a new OT system, or have an upcoming network segmentation project, you have the opportunity to consolidate and automate your OT network backbone.

IT Support by SADOSSecure, Fast Hosting for WordPress