“Software Defined Networking (SDN) is the next big thing in OT.” That’s what Dave Whitehead, CEO of Schweitzer Engineering Labs (SEL), told me when I asked why SEL has invested in Veracity Industrial Networks.
As we continued our discussion, it became clear that not much has evolved in the OT networking space over the last 10-15 years. OT networking is still mostly old-school point-to-point Ethernet, but with IT/OT convergence, cyber threats, and the onshoring of manufacturing, the time is right to revisit how OT networks are configured, managed and protected.
Using SDN to manage and automate networks has been around for quite some time. It is an approach and technology that is very common in both data center and cloud deployments for IT.
Defense-in-depth approaches in OT have also been around for many years. Over the last 10 years, industrial critical infrastructure companies have hardened the perimeter with firewalls, instrumented endpoints with AV/whitelisting, embraced network segmentation philosophies, deployed OT network IDS, and, where budget allowed, deployed (or outsourced) skilled security teams to monitor networks and hunt for threats.
But what our industry hasn’t done is take a credible run at hardening the jewel (or in some cases, the diamond in the rough) we are trying to protect: the ICS network itself. Let’s review why SDN is an important layer in a defense-in-depth strategy and the advantages of using SDN to secure, harden and manage the attack surface of ICS networks.
Benefits of Deploying SDN capabilities:
Network management and visibility. Today almost everything in the OT network is connected via Ethernet. We have all seen the ICS cabinets that look like a bird’s nest of wires, switches, connectors, etc. Drawings or up-to-date documentation of what is actually on OT networks are few and far between. SDN allows management of all devices on the network by inventorying the network components and building flows between the switches and the endpoints, including embedded devices. If a connection is broken, the SDN software will automatically re-route traffic and notify operators that there is an issue. If something has changed on the network, the SDN controller can quickly identify what has happened and where, reducing the mean time to resolution of OT network issues. In addition, loopbacks, VLAN errors, and ACLs are things of the past that are no longer needed, or no longer occur, in an SDN network.
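To make the inventory-and-reroute behaviour concrete, here is a small controller-side model written for this post as an added example; it is not code from the article, from SEL or from Veracity’s Net-Optix product. The topology, device names (hmi-01, relay-07, sw-01..03) and the single redundant link are constructed assumptions. The controller keeps an inventory of every node, computes the path a flow takes with a breadth-first search, and when a link is reported down it recomputes the path and records an event, distinguishing a successful re-route from an endpoint that has become unreachable.

```python
from collections import deque

# Constructed sample topology; device and switch names are illustrative only
# and do not describe any real plant or product. Each pair is a bidirectional
# link. sw-03 gives the two core switches a redundant path.
SAMPLE_LINKS = [
    ("hmi-01", "sw-01"),
    ("sw-01", "sw-02"),
    ("sw-01", "sw-03"),
    ("sw-03", "sw-02"),
    ("sw-02", "relay-07"),
]


class Topology:
    """Controller-side view of the network: an inventory of every node and
    the links between them, plus an event log for operators."""

    def __init__(self, links):
        self.adj = {}
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.events = []

    def inventory(self):
        """Every device or switch the controller knows about, sorted."""
        return sorted(self.adj)

    def shortest_path(self, src, dst):
        """Breadth-first search; returns the hop list or None if unreachable."""
        if src not in self.adj or dst not in self.adj:
            return None
        prev = {src: None}
        queue = deque([src])
        while queue:
            node = queue.popleft()
            if node == dst:
                break
            for nxt in sorted(self.adj[node]):   # sorted for deterministic paths
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        if dst not in prev:
            return None
        path, node = [], dst
        while node is not None:
            path.append(node)
            node = prev[node]
        return path[::-1]

    def link_down(self, a, b):
        """Remove a failed link from the model and record the event."""
        self.adj.get(a, set()).discard(b)
        self.adj.get(b, set()).discard(a)
        self.events.append(f"LINK_DOWN {a}<->{b}")

    def reroute(self, src, dst, failed_link):
        """Simulate a link failure affecting the flow src->dst, recompute its
        path, and log whether traffic was re-routed or dst became unreachable."""
        before = self.shortest_path(src, dst)
        self.link_down(*failed_link)
        after = self.shortest_path(src, dst)
        if after is None:
            self.events.append(f"UNREACHABLE {src}->{dst}: no remaining path")
        elif after != before:
            self.events.append(f"REROUTED {src}->{dst}: {' > '.join(after)}")
        return before, after


def demo():
    """Fail the primary core link, then the backup, and return what happened."""
    topo = Topology(SAMPLE_LINKS)
    first = topo.reroute("hmi-01", "relay-07", ("sw-01", "sw-02"))
    second = topo.reroute("hmi-01", "relay-07", ("sw-03", "sw-02"))
    return topo.inventory(), first, second, topo.events


if __name__ == "__main__":
    inv, first, second, events = demo()
    print("inventory:", inv)
    print("first failure, before/after:", first)
    print("second failure, before/after:", second)
    for e in events:
        print(e)
```

The first failure produces a REROUTED event because the sw-03 path still reaches the relay; the second produces an UNREACHABLE event, which is exactly the condition an operator needs to be told about rather than discover from a stale drawing.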
Network segmentation. SDN can automate your network segmentation program and keep it current. Instead of hard-wiring your layers, software can do the job for you and keep it up to date, eliminating the need to manually monitor for new, retired or disabled devices and connections across levels. SDN also simplifies policy changes. With SDN, communication is managed on a device-to-device basis and only traffic on specified protocols is allowed, creating a micro-segmented network with the equivalent of a firewall at every port.
Cyber security. SDN works as whitelisting for your OT network: only traffic explicitly allowed between devices can “flow”. Ransomware and other attacks generally require taking command and control of endpoints and devices. By not allowing undefined traffic in the network, attacks become much harder to execute: the attack surface is minimized, and restricting access to only known “good” connections reduces an adversary’s ability to take control of the network. Network traffic that is not allowed can be blocked, and events can be generated to alert operators or security staff that action or investigation is required.
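The two paragraphs above describe one mechanism from two angles: a device-to-device, protocol-specific allowlist (segmentation) that is default-deny and alerts on everything else (security). The following is an added example of that evaluation logic, written for this post; it is not code from the article or from any SDN controller product. The rules, device names and packets are constructed. A rule says “src may open proto/dport on dst”, and the reply direction is matched on the same port so a legitimate poll/response pair passes; anything that matches no rule is dropped and recorded as an alert for operators.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class FlowRule:
    """One permitted conversation: src may open proto/dport on dst.
    Replies from dst back to src sourced from that port are also allowed."""
    src: str      # device identifier as the controller knows it (name or MAC)
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int    # port the industrial protocol listens on


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class FlowPolicy:
    """Default-deny allowlist evaluated per packet, the way a per-port flow
    table would be: anything not matching a rule is dropped and alerted."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.alerts = []

    @staticmethod
    def matches(rule, pkt):
        if pkt.proto != rule.proto:
            return False
        forward = (pkt.src == rule.src and pkt.dst == rule.dst
                   and pkt.dport == rule.dport)
        reply = (pkt.src == rule.dst and pkt.dst == rule.src
                 and pkt.sport == rule.dport)
        return forward or reply

    def decide(self, pkt):
        """Return 'ALLOW' or 'DROP'; every drop is recorded as an alert so
        operators can see which device tried to talk to what, and how."""
        for rule in self.rules:
            if self.matches(rule, pkt):
                return "ALLOW"
        self.alerts.append({"action": "DROP", **asdict(pkt)})
        return "DROP"


# Constructed sample policy: the HMI may poll a protection relay over DNP3
# (TCP 20000) and a PLC over Modbus/TCP (TCP 502). Names are illustrative.
SAMPLE_RULES = [
    FlowRule("hmi-01", "relay-07", "tcp", 20000),
    FlowRule("hmi-01", "plc-02", "tcp", 502),
]

# Constructed sample traffic: both directions of an allowed conversation,
# then an unknown device, then an unlisted protocol from a known device.
SAMPLE_PACKETS = [
    Packet("hmi-01", "relay-07", "tcp", 50123, 20000),   # DNP3 poll
    Packet("relay-07", "hmi-01", "tcp", 20000, 50123),   # DNP3 reply
    Packet("eng-laptop", "plc-02", "tcp", 40001, 502),   # device not in policy
    Packet("hmi-01", "plc-02", "tcp", 40002, 445),       # port not in policy
]


def demo():
    """Evaluate the sample traffic; return the decisions and the alerts raised."""
    policy = FlowPolicy(SAMPLE_RULES)
    decisions = [policy.decide(p) for p in SAMPLE_PACKETS]
    return decisions, policy.alerts


if __name__ == "__main__":
    decisions, alerts = demo()
    for pkt, d in zip(SAMPLE_PACKETS, decisions):
        print(f"{d:5} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
    print(f"{len(alerts)} alert(s) generated for operators")
```

Note what the two alerts capture: a device the policy has never heard of, and a known device using a protocol it was never authorised to speak. Both are exactly the deviations that a hand-maintained VLAN and ACL design tends to let through silently, because nothing in that design is watching the list.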
There is another compelling reason to consider SDN technologies for OT: ROI. Automating the management of the network can greatly reduce the effort to manage or reconfigure networks. It’s a bit of a twofer: reduced downtime and operational cost pay for the extra security inherent in SDN.
If you are planning on updating your OT network, deploying a new OT system, or have an upcoming network segmentation project, these are all excellent opportunities to automate and innovate using SDN as your OT networking backbone.
You can learn more about Veracity’s Net-Optix SDN controller at http://www.veracity.io