Using Software-Defined Networking
Interstates’ IT/OT team recently faced a complex networking challenge at our prefabrication shop. The networking needs of this facility left our traditional enterprise network exposed and made it difficult for team members to do their jobs efficiently. Multiple third-party vendors could access the network without Interstates knowing who was connecting, when, or why. Once remoted in, a vendor could potentially reach other resources on the enterprise network and even observe other vendors’ activity. Facing this obvious cybersecurity risk, Interstates needed greater visibility, control, and management of our network.
Instead of relying on an entire suite of third-party products, our IT/OT experts found the solution to this challenge in Veracity’s OT Network Controller and an SDN-enabled switch from DYNICS. SDN brings multiple network security benefits, from zero trust concepts (only explicitly permitted flows are forwarded) to increased visibility into what is actually on the wire. Consolidating these functions into a single solution let us block unapproved traffic and easily manage who was accessing the network.
The Veracity OT Network Controller manages the deployed SDN switches intuitively, giving ICS designers and operators significant control over and visibility into their networks by micro-segmenting traffic. ICS networks differ significantly from information technology networks, yet most Ethernet networking technologies were designed around IT practices. The Veracity OT Network Controller is unique in that it was created for the OT space.
Achieving Real Results
- Gain visibility into who is accessing our network and limit what those parties can do
- Make it easier for our team members to access the data they need to work smarter, not harder
- Meet Cyber Insurance requirements
Challenges
- Cybersecurity & Network Management. Interstates needed more control and better visibility into our prefab shop’s manufacturing network, which couldn’t limit outside access and didn’t allow our IT team to see what was really going on. Fixing the network with traditional tools would have required purchasing multiple third-party products and installing each one at its own network layer – an expensive, complicated, and time-consuming process.
- Functional Access & Third-party Risk. Since multiple employees utilize the machines throughout the day, personal logins and regular Interstates computer access did not make sense. The machines also required an outside connection to the internet for their manufacturers to provide software support and troubleshooting.
- Manual Connections. Because many machines require BIM-generated data files to run, workers had to walk back and forth between machines to manually move files (“sneakernet”), an inefficient process that makes poor use of the technology on hand, not to mention the risk that transferring files over USB drives presents to the network.
Solution
Traditional networks rely on VLANs and segregation into separate IP subnets, which requires multiple devices such as firewalls and various switches. Security then has to be layered on top through access control lists or separate identity and access management tools. Even with all this effort, you still don’t get visibility into OT-specific protocols or the information you really need to keep your plant data secure.
Instead of having to install multiple third-party solutions at each network layer, SDN provides an all-encompassing approach to allow IT/OT teams to manage networks efficiently and with consistency. The Veracity OT Network Controller is configurable and easy to adjust. It can be implemented on a line level, tied into a traditional network, or deployed site-wide. At this prefab shop, the Veracity OT Network Controller was first installed on one line to test the system and see where else it was needed.
Leveraging an SDN solution delivers multiple networking security tools in one package. Interstates used its expertise in OT environments to deploy this solution for better, easier management at the prefab facility. Instead of walking back and forth between machines, everything our workers need is now visible on one pane of glass.
Results
With the Veracity OT Network Controller installed, the prefab facility successfully met the following objectives:
- Isolating separate skids (Scotchman cold saw, HACO press brake, ShopSabre CNC plasma table, and ShopSabre CNC router)
- Isolating the manufacturing network from the corporate network
- Controlling access to and from certain aspects of the network
- Controlling third-party access
- Meeting Cyber Insurance requirements
The Veracity OT Network Controller enabled us to isolate and limit communication between our skids so that vendors could only access their own skid. Because Interstates installed and configured this solution, we can support it long-term with a nuanced understanding of the initial configuration and the SDN learning modes. The goal, however, is for SDN to be simple and easy to manage once set. For example, at our prefab shop, using the Veracity OT Network Controller lowers the risk of cutting over a single station. This is important because at least one of the skids we were working with was a high-volume machine we did not want to take down for an extended period. When the time is right, the new switch can be wired up and ready to go in a few simple steps. Shop workers can put the switch in learn mode at lunchtime and no longer worry about having the VLANs configured on all the ports or making sure each device is plugged into exactly the right port.
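The learn-then-enforce workflow described above, modelled in Python as an added example. This is not Interstates’, Veracity’s or DYNICS’s code; the addresses, segment names, ports and the three-field flow key are constructed assumptions. It shows a default-deny flow table that records what it sees while in learn mode, an audit step that reviews the learned flows against a segment policy before enforcement begins, and the result: a vendor host reaching its own skid is forwarded, while the same vendor reaching a different skid is dropped.

```python
from typing import Dict, List, Set, Tuple

# Flow key: (src_ip, dst_ip, dst_port). Real SDN match rules cover more header
# fields (MAC, VLAN, protocol, src port); the 3-tuple keeps the model readable.
Flow = Tuple[str, str, int]


class FlowAllowlist:
    """Default-deny allowlist with a learn mode, modelled on how an SDN switch
    builds its permitted-flow table. Illustrative only, not a vendor's API."""

    def __init__(self) -> None:
        self.allowed: Set[Flow] = set()
        self.learning = False
        self.dropped: List[Flow] = []

    def packet_in(self, src: str, dst: str, dst_port: int) -> str:
        key = (src, dst, dst_port)
        if key in self.allowed:
            return "forward"
        if self.learning:
            self.allowed.add(key)   # learn mode: first sighting installs a permit rule
            return "learned"
        self.dropped.append(key)    # enforce mode: no matching rule means drop
        return "drop"

    def revoke(self, flow: Flow) -> None:
        self.allowed.discard(flow)


def audit_learned(allowed: Set[Flow], segment_of: Dict[str, str],
                  permitted_pairs: Set[Tuple[str, str]]) -> List[Flow]:
    """Return learned flows that cross segments without an approved pairing.
    Everything seen during the learn window was recorded, so this review is
    what keeps a stray connection from becoming permanent policy."""
    findings = []
    for src, dst, port in sorted(allowed):
        s = segment_of.get(src, "unknown")
        d = segment_of.get(dst, "unknown")
        if s != d and (s, d) not in permitted_pairs:
            findings.append((src, dst, port))
    return findings


# Constructed sample inventory (addresses and segment names are assumptions).
SEGMENT_OF = {
    "10.10.1.10": "skid-saw",        # cold saw controller
    "10.10.2.10": "skid-press",      # press brake controller
    "10.10.0.5": "bim-server",       # file server holding BIM-generated job files
    "203.0.113.10": "vendor-saw",    # saw manufacturer's remote support host
    "203.0.113.20": "vendor-press",  # press manufacturer's remote support host
    "10.20.0.50": "corporate",       # ordinary enterprise workstation
}

# Cross-segment pairs the operator has explicitly approved (assumed policy).
PERMITTED_PAIRS = {
    ("bim-server", "skid-saw"), ("bim-server", "skid-press"),
    ("vendor-saw", "skid-saw"), ("vendor-press", "skid-press"),
}


def run_scenario() -> dict:
    sw = FlowAllowlist()

    # 1. Learn window (the "lunchtime" cutover): legitimate traffic plus one
    #    stray Modbus/TCP connection from a corporate workstation.
    sw.learning = True
    learn_window = [
        ("10.10.0.5", "10.10.1.10", 445),      # job files to the saw
        ("10.10.0.5", "10.10.2.10", 445),      # job files to the press
        ("203.0.113.10", "10.10.1.10", 3389),  # saw vendor remote support
        ("10.20.0.50", "10.10.2.10", 502),     # stray: corporate host polls the press
    ]
    for f in learn_window:
        sw.packet_in(*f)
    sw.learning = False

    # 2. Review before enforcing; revoke anything the audit flags.
    findings = audit_learned(sw.allowed, SEGMENT_OF, PERMITTED_PAIRS)
    for f in findings:
        sw.revoke(f)

    # 3. Enforce mode: only learned-and-approved flows pass.
    enforce = {
        "saw_vendor_to_own_skid": sw.packet_in("203.0.113.10", "10.10.1.10", 3389),
        "press_vendor_to_saw_skid": sw.packet_in("203.0.113.20", "10.10.1.10", 3389),
        "corporate_to_press": sw.packet_in("10.20.0.50", "10.10.2.10", 502),
        "bim_to_saw": sw.packet_in("10.10.0.5", "10.10.1.10", 445),
    }
    return {"learned": len(learn_window), "flagged": findings, "enforce": enforce}


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_scenario())
```

The point of the audit step is the practical caveat of any learn-mode allowlist: whatever talks during the learning window is permitted afterwards, so the window should be kept short and the learned table reviewed against the intended segmentation before enforcement is switched on.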
End users haven’t noticed any technical issues after switching to SDN. In fact, it has improved and simplified their work. Previously, they would take a USB key, download the files they needed, and then physically run it out to the skid. The Veracity OT Network Controller allows them to securely access the files they need on the network.
With this installation, there were also some unexpected benefits. First, the work we did to segment our network allowed us to meet some specifications required by our Cyber Risk Insurance Provider. Second, this process also allowed us to uncover risks to the business that we weren’t aware of, such as legacy software.