Securing a factory's OT network and the role of trust

March 06, 2017

When leaders have advanced knowledge of how and where their cyber defenses will be attacked, they mobilize resources to reinforce the targeted area. This strategy applies to both war and to hacking attacks. For manufacturing companies, a common weak link in their enterprise network is their production network.

To establish secure manufacturing, several enterprise aspects must be addressed by a risk management function/team, led by the senior leadership team. The foundation of this risk management approach is based on:

  • Security awareness for the entire staff, as most breaches are the result of human error
  • Secure product design and product lifecycle, with security designed in from the start
  • Best practice security for operational technology (OT) networks, and recognizing that information technology (IT) security is not OT security

With these and other internal system-related items in place, the focus must be on access points, such as:

  • Secure handling of shipping and receiving
  • Vendors and customers implementing secure IT and OT networks
  • Secure identifiers for products, anti-counterfeiting, forensics, and customer use
  • Regular evidence gathering on the efficacy (or inefficiencies) of security

To be effective, trusted and secure manufacturing must include protection of both the IT and OT networks, with consideration that Internet of Things (IoT) devices, industrial control systems (ICSs), supervisory control and data acquisition (SCADA) systems, and related environments are the most vulnerable.

[Figure 1 | Shown are the differences between IT and OT security.]

Security disparities: OT and IT networks

There are substantial differences in the mindset of people who secure IT networks compared to people who build and use OT networks. Companies with OT networks experience significant problems getting devices like PCs and servers to talk to ICSs because OT networks are based on OT protocols, making links between TCP/IP and OT networks fragile. Very few people understand how to make them work and how to keep them working. As a result, there’s strong resistance to change anything on the part of people who use the networks. With this mindset, OT networks with unpatched Windows XP PCs or systems with even older versions of Windows running on them are not uncommon.

Another major difference is that IT networks generally aren’t concerned about latency, so secure software that slows response times by hundreds of milliseconds or more is not an issue. In contrast, an OT network may have devices with zero tolerance for more than a 10 ms delay. These devices generally can’t function on a network that has common IT network security principles applied to it.

Finally, the overriding theme of IT security is CIA (confidentiality, integrity, and availability), where availability means the system is there when you want it. The overriding concern in an OT network is safety: do whatever it takes to make sure that no one dies during the course of operation.

[Figure 2 | The differences between IT and OT security require different approaches.]

Industry efforts to create a standardized approach to improve factory security have been underway for many years. For example, the International Society of Automation (ISA) defined a generalized security architecture for the protection of OT networks called ISA99, also known as IEC 62443.

This security architecture intentionally leaves implementation “details” to the customer. By doing so, the architecture remains relevant even as security technologies evolve and change; the Trusted Computing Group (TCG) defines trust technologies that enable implementations of ISA99 architectures.

Enclaves and conduits

A typical factory OT network includes many devices that have little or no ability to defend themselves. In ISA99, rather than deal with the idea that some devices can protect themselves while others can’t, the architecture assumes none of the endpoint devices can protect themselves. The architecture dictates that endpoint devices be grouped according to some logic (such as all of the devices in a specific factory).

In ISA99 terminology this is called an “enclave,” and the enclave is protected by network-based security technology. Any telecom link that goes outside the enclave is called a “conduit,” and all of the security technology used to protect an enclave is present in the conduits. For improved security, each enclave should have as few conduits as possible and each conduit must have a trusted, heavily secured gateway where it joins an enclave.

To establish trustworthiness for enclaves and conduits, TCG uses dedicated security hardware to protect secrets and integrity information (hash values). This includes the Trusted Platform Module (TPM) and self-encrypting drives (SEDs). With this technology, devices can police each other and authenticate credentials before any communication occurs.

For legacy products that don’t support TCG-compliant hardware, TCG’s Trusted Network Communications (TNC) can create trust evidence. It provides an open architecture for network access control as well as a suite of standards that define interoperability. One of the benefits of this approach is that any Linux- or Windows-based device can run a client that gathers integrity information.
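The two preceding paragraphs describe the same check from two angles: a device records integrity hashes (in a TPM, or gathered by a TNC client) and the gateway at the conduit decides whether to admit it before any traffic flows. The following is an added illustration of that decision, not code from the article, TCG, or Cisco; the measurement strings, device ids and the `ConduitGateway` class are constructed for the example, and the signed TPM quote is reduced to a bare PCR value whose signature is assumed already verified.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = SHA-256(PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def replay_log(log: list[bytes]) -> bytes:
    """Recompute the PCR a device must hold after recording every entry in its log."""
    pcr = bytes(32)  # PCRs start zeroed at power-on
    for entry in log:
        pcr = pcr_extend(pcr, entry)
    return pcr


# Known-good build of the devices this conduit protects (constructed values).
GOLDEN_LOG = [b"bootloader 1.2", b"plc-runtime 4.0", b"line3-config 2017-03"]
GOLDEN_PCR = replay_log(GOLDEN_LOG)


@dataclass
class ConduitGateway:
    """Gateway where a conduit joins an enclave; only admitted devices may use it."""
    enclave: str
    golden_pcr: bytes
    admitted: set[str] = field(default_factory=set)

    def admit(self, device_id: str, log: list[bytes], quoted_pcr: bytes) -> bool:
        # quoted_pcr stands in for a TPM quote (signature check assumed done).
        # 1) the untrusted log must replay to the quoted PCR (log not edited)
        # 2) the quoted PCR must equal the golden value (approved software only)
        ok = (hmac.compare_digest(replay_log(log), quoted_pcr)
              and hmac.compare_digest(quoted_pcr, self.golden_pcr))
        if ok:
            self.admitted.add(device_id)
        return ok

    def allow_flow(self, device_id: str) -> bool:
        """Traffic across this conduit is permitted only for admitted devices."""
        return device_id in self.admitted
```

A device whose log replays correctly but to a non-golden value (a changed configuration file, for instance) is refused just as firmly as one whose log does not match its quote, which is the distinction the gateway needs in order to police the enclave boundary.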

Trusting our OT networks

Secure OT networks start with the board’s commitment and senior management’s engagement in conducting a risk assessment that defines the security requirements for IT and OT networks. With a risk management function for IT and OT in place and security awareness established, the next step is ensuring that the enterprise is secure by design. Available tools to implement a higher level of security include open standard security architectures and the use of enabling trust and security technologies in those architectures.

Stacy Cannady, a Certified Information Systems Security Professional (CISSP), handles technical marketing, including the Trustworthy Computing Threat Response, Intelligence, and Development (TRIAD) for Cisco and is a member of the Trusted Computing Group’s Embedded Systems Work Group. He represents Cisco on the TCG board of directors and currently is the organization’s treasurer. Stacy has worked in the field of trusted computing for a number of years. As a subject matter expert in trusted computing, his responsibilities require an in-depth understanding of the trusted computing market, including advances in hardware and software security as well as vendor and customer market dynamics.

Stacy Cannady, Cisco and Trusted Computing Group