Software Defined Networking
Veracity applies software defined networking (SDN) best practices to OT networks
How micro-segmentation drives productivity for OT networks
Software-defined networking (SDN) is not a new concept in the IT space; it has been used to manage clouds and server farms for over a decade. OT networks, by contrast, have for years prioritized avoiding the significant cost of downtime – rightfully so – and have gotten by with sub-par cybersecurity solutions. Fast forward to today, and OT teams are turning to SDN in response to the need for additional network visibility and control. A plant may have hundreds of switches deployed across the facility, traditionally configured one at a time; SDN replaces that with a consolidated network management tool that provides real-time network monitoring and management. Ultimately SDN hardens the network, reducing its exposure to cyber threats. One of the primary benefits of SDN is its ability to reduce the attack surface through micro-segmentation, in which areas of the network are compartmentalized. In the event of a security breach, the targeted area is isolated, limiting how far an attack can spread.
In conjunction with a defense-in-depth approach, critical infrastructure companies are turning to micro-segmentation solutions to secure, harden, and manage their ICS networks – to gain:
- Network management and visibility – all devices, regardless of network protocol, are managed through a single solution. This provides a holistic network management tool that automatically inventories the network components and, at the same time, shows when a connection is broken and issue resolution is needed.
- Automation and network resiliency – Veracity's capabilities automate your network segmentation program and keep it current. The Veracity Controller eliminates misconfigured firewalls, loopbacks, and the manual task of changing IP addresses for your layers, keeping it all up to date for you. For OT environments, SDN inherently provides network resiliency because it takes the fastest path available: if a connection breaks, traffic is automatically routed over another path as long as a physical connection exists.
- Zero-trust security – an SDN solution protects traffic both east/west and north/south. It also acts as a whitelist for your OT network: only traffic explicitly allowed between devices can occur. Blocking undefined traffic makes attacks much harder to execute and creates a micro-segmented network with the equivalent of a firewall at every port.
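The two behaviours described in the list above, a deny-by-default allowlist of device-to-device conduits and automatic rerouting around a failed link, are easier to reason about with a small model of what the central controller decides. The following is an added toy example written for this page; it is not Veracity's software or any real controller API, and every device name, zone, conduit, and switch link in it is constructed for illustration. Zones and conduits follow the common OT zoning vocabulary (devices are assigned to zones, and only listed zone-to-zone conduits may carry traffic); an unknown device is denied until someone adds it to the inventory, and an allowed flow is programmed over the shortest path that survives any link failure.

```python
"""Constructed toy model of a deny-by-default SDN controller for an OT network.

Added illustration only: not Veracity's software or a real controller API.
Device names, zones, conduits, and switch links below are all invented.
"""
from collections import deque
from dataclasses import dataclass

# Asset inventory: the controller only permits traffic for devices it has
# inventoried and assigned to a zone. Anything else is unknown and denied.
INVENTORY = {
    "plc-01": "control",
    "plc-02": "control",
    "hmi-01": "supervisory",
    "historian": "supervisory",
    "eng-ws": "engineering",
}


@dataclass(frozen=True)
class Conduit:
    """A permitted communication: which zone may initiate to which zone, over
    which protocol and destination port. Return traffic of an allowed session
    is assumed to be tracked statefully by the switch and is not modelled."""
    src_zone: str
    dst_zone: str
    protocol: str
    dst_port: int


# The conduit set is the whole allowlist. Same-zone traffic also needs an
# entry, which is what "a firewall at every port" means in practice.
CONDUITS = {
    Conduit("supervisory", "control", "tcp", 502),    # HMI/historian -> PLC, Modbus/TCP
    Conduit("engineering", "control", "tcp", 44818),  # engineering station -> PLC, EtherNet/IP
    Conduit("control", "control", "tcp", 502),        # PLC-to-PLC reads inside the zone
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dst_port: int


def evaluate(flow, inventory=INVENTORY, conduits=CONDUITS):
    """Return ("allow" | "deny", reason). Anything not explicitly listed is denied."""
    src_zone = inventory.get(flow.src)
    dst_zone = inventory.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return ("deny", "unknown device not in inventory")
    if Conduit(src_zone, dst_zone, flow.protocol, flow.dst_port) in conduits:
        return ("allow", f"conduit {src_zone}->{dst_zone} {flow.protocol}/{flow.dst_port}")
    return ("deny", "no conduit defined for this zone pair/protocol/port")


# Invented physical topology: a ring of four switches, plus the switch each
# device hangs off. A list rather than a set keeps path computation deterministic.
LINKS = [("sw-a", "sw-b"), ("sw-b", "sw-c"), ("sw-a", "sw-d"), ("sw-d", "sw-c")]
ATTACHMENT = {"hmi-01": "sw-a", "historian": "sw-a", "eng-ws": "sw-d",
              "plc-01": "sw-c", "plc-02": "sw-c"}


def shortest_path(src_sw, dst_sw, links=LINKS, failed=frozenset()):
    """Breadth-first search over the links still up; None if no path remains."""
    adj = {}
    for a, b in links:
        if (a, b) in failed or (b, a) in failed:
            continue  # link is down: the controller simply routes around it
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev = {src_sw: None}
    queue = deque([src_sw])
    while queue:
        node = queue.popleft()
        if node == dst_sw:
            break
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst_sw not in prev:
        return None
    path, node = [], dst_sw
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def program_flow(flow, failed=frozenset()):
    """What the controller would push for one flow: the policy verdict and,
    if allowed, the switch path over the links that are still up."""
    verdict, reason = evaluate(flow)
    result = {"verdict": verdict, "reason": reason, "path": None}
    if verdict == "allow":
        result["path"] = shortest_path(ATTACHMENT[flow.src], ATTACHMENT[flow.dst], failed=failed)
        if result["path"] is None:
            result["verdict"], result["reason"] = "deny", "no physical path available"
    return result


if __name__ == "__main__":
    for f in (Flow("hmi-01", "plc-01", "tcp", 502),        # permitted conduit
              Flow("hmi-01", "plc-01", "tcp", 22),         # same devices, undefined port
              Flow("rogue-laptop", "plc-01", "tcp", 502)):  # device not in inventory
        print(f, program_flow(f, failed={("sw-a", "sw-b")}))
```

Running the block shows the three outcomes the text describes: the Modbus read from the HMI is allowed and, with the sw-a/sw-b link marked failed, is programmed over sw-a, sw-d, sw-c instead; the same two devices talking on an undefined port are denied; and a device that nobody has inventoried is denied regardless of port. Adding the new device to `INVENTORY` with a zone is the "proper authorization" step, after which existing conduits apply to it automatically.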
Another driver for OT teams is the return on investment (ROI). OT networks often have thousands of devices connected to multiple networks, making network management a time-consuming problem. Automating the management of the network can greatly reduce the effort to maintain or reconfigure networks, reducing downtime and operational cost while having the added benefit of inherent security.
There are many reasons why a micro-segmented SDN approach may be the right one for OT teams. As you evaluate the fit for your application, the table below shows a few of the key differences between a traditional approach and using SDN.
| Traditional Legacy Hardwired Network | SDN Industrial Software Defined Network |
| --- | --- |
| Hardwired segmentation and zoning; can't adapt to critical events | Dynamic, centralized software-defined zoning and conduits |
| Firewalling possible only with add-on devices, and only for north-south traffic | Distributed firewalling of every port, every switch, every direction |
| Limited visibility of devices and network traffic due to the lack of, or need for, numerous SPAN/TAP ports | 100% visibility of all devices and traffic on every port |
| Inability to control comms based on ports and protocols | Complete control of all ports, protocols, and comms |
| Typically no or inaccurate network drawings or topology without investing in expensive third-party tools that ride on top of the network | Automatically generates accurate topology drawings with a complete asset inventory in an exportable view |
| Allows full communication when new devices and protocols are introduced | Deny-by-default network will not allow a new device or protocol to communicate without proper authorization |
| Alerting tools rely heavily on SME and management intervention to monitor and manage, and require disparate, distributed tools | Manpower multiplier due to the centralized deployment and management of the network |
| Multiple tactical tools and configuration utilities that create extra management and training overhead, with significant potential for misconfiguration | Centralized strategic platform providing a single pane of glass to effectively manage the network, build policy, and provide full tracking and remediation of all network assets via a GUI |
If you are planning on updating your OT network, deploying a new OT system, or have an upcoming network segmentation project, you have the opportunity to consolidate and automate your OT network backbone.