Manufacturing Cybersecurity & SD WAN

Summary

What are manufacturing regulations across cybersecurity and SD WAN?

Regulations and frameworks are specific to where in the world your manufacturing organization is operating. Netify can recommend where to obtain legal advice and check local regulatory requirements before making a decision on vendors and solutions.

Additionally, depending on the type of product a company manufactures, your business could potentially be subject to additional regulations which mandate specific product security controls.

For example, in the United States, manufacturers may be subject to regulations from North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) Standards and the U.S. Nuclear Regulatory Commission’s Regulatory Guide 5.71 when producing energy, or using manufacturing equipment subject to these regulations, or when manufacturing products subject to these regulations. Additionally, one of the most prevalent examples of regulatory requirements for specific product security controls is the Food and Drug Administration (FDA) security requirements for medical devices. Most of the content of the U.S. regulations at least partially overlaps with the National Institute of Standards and Technology’s recommendations in the industry-specific “NISTIR 8183 Revision 1, Cybersecurity Framework Version 1.1 Manufacturing Profile”, so there is some opportunity for compliance mapping.

In the European Union, organizations have to work within the European Network and Information Security Agency’s Network and Information Security (ENISA NIS) Directives, and in the United Kingdom the Centre for Protection of National Infrastructure (CPNI) offers advice and plans as well as resources to help ensure the safety of critical infrastructure. While both the NIS Directives and CPNI requirements were originally meant for critical infrastructure organizations like utility companies, they have quickly become both relevant and, at least partially, required for manufacturers as more and more are using ICS for plant automation.

Which security/services are must haves for manufacturers who need to secure their IT/OT/ICS?

After looking at the regulations applicable to an organization, it is time to map needs to potential solutions. For local or remote access to ICS, organizations will need a strong IAM solution in place as well as PAM.

For remote access, VPN has been the go-to remote access solution for ICS. While VPNs typically provide strong encryption to prevent intercept of network traffic, they often provide authorized users with too much trust. So, as we move toward zero-trust security models, ZTNA is needed for both encryption of network traffic and provision of the minimum necessary trust for access to network resources.

While most ICS networks today are either isolated from the internet or only have limited connectivity, more and more of these solutions are embracing the benefits of cloud. So, in these cases, the components of SASE, including cloud security solutions combined with secure SD-WAN and ZTNA, can offer a comprehensive solution.

In any organization where critical infrastructure components are used or manufactured, even if they’re not connected to the internet, an XDR (Extended Detection and Response) solution that specifically addresses IT/OT/ICS threats should be used to differentiate between benign and genuine threats, detect anomalies, and enable real-time monitoring and response.

Although IT/OT/ICS may use different technologies than other IT or IoT systems managed by an organization, vulnerability management tools that address the specific IT/OT/ICS technologies in use should be used to ensure devices are up-to-date and provide situational awareness in case known vulnerabilities pose an imminent threat to manufacturing operations.

Then, since regulations are likely involved, auditing and compliance management is needed. There are several well-known security companies that aim to provide comprehensive (or as comprehensive as possible) IT/OT/ICS solutions, including Tenable, Armis, Nozomi Networks and Claroty. While these have a lot of product overlap, each has its strengths and weaknesses in its deployment models or areas of focus.

For instance, Tenable offers IT/OT/ICS vulnerability management solutions and they also offer industry-leading vulnerability management solutions for on-premise and cloud network infrastructure, so they stand to provide a more tightly-integrated vulnerability management solution vs competitors.

Nozomi Networks offers SaaS threat detection and response and threat intelligence which are specific to a growing list of ICS devices, and a centralized command center application that can be deployed in-cloud or on-premise. Neither of these two vendors offers XDR solutions, but they both offer extensive integration capabilities.

How should your business evaluate manufacturing cybersecurity threats?

As with all organizations in any industry operating in today’s digital landscape, the threat of data breaches and cyber attacks is increasing every year. More and more organizations are having to enhance and upgrade their security solutions, both physical and digital, as they continue to converge as technology evolves.

Some legacy technologies, like VoIP for example, can be relatively easily adapted to modern networking technologies and modern security solutions. Other technologies, like Operational Technology (OT) and Industrial Control Systems (ICS) used in critical infrastructure, energy and manufacturing, are not evolving as quickly or adapting as easily, making them difficult to protect with the same security technologies that protect most other networked systems.

There are many reasons for this ranging from architectures which aren’t easy to change to regulations that haven’t caught up with modern technology. Therefore, there are many emerging cybersecurity solutions that are aimed at meeting the unique challenges of ICS and manufacturing environments.

While traditional cybersecurity controls like PAM (Privileged Access Management), MFA (Multi-factor Authentication), monitoring and intrusion detection can be implemented for ICS, there are regulatory considerations as well as unique risk factors, since ICS compromise could lead to real-world risk to life or property. Thankfully, we’re beginning to see new resources, tools, and guidance for securing IT/OT and ICS in manufacturing environments. One of the most useful resources available to manufacturing organizations regarding IT/OT security is the MITRE ATT&CK Framework for ICS. The framework provides a matrix that tries to cover the entire lifecycle of an attack or breach and then map the lifecycle stages to their tactics, and in turn, their mitigations, as well as ways to test these areas in any given organization.

In summary, while we’re beginning to see some really useful resources for organizations who need to implement or enhance ICS security, there is still a lot to consider: there are various regulations regionally, there are many national resources with recommendations or standards for ICS security and there are emerging frameworks like the MITRE ATT&CK Framework for ICS which are aimed at comprehensive security covering all areas and offering a guide to organizations looking to enhance and upgrade their ICS security.

Interconnected systems

1. How are our systems interconnected?

  1. Local network
  2. Distributed network (multiple independent sites)
  3. Federated network (multiple sites managed under one HQ or overarching enterprise)
  4. They’re not

Requirement: SD-WAN

It is important to understand what type of connectivity is used throughout the organization in order to align the organization with the best possible solution for that type of network environment.

Systems

2. What type of systems comprise our manufacturing operations?

  1. Internet-of-Things (IoT) devices
  2. Industrial Control Systems (ICS) or OT
  3. Critical Infrastructure (CI) manufacturing systems
  4. Traditional Windows or Linux endpoints
  5. Some or all of the above

Requirement: Endpoint protection

Endpoint protection is important for all network connected devices. When considering a solution for a manufacturing organization, it is essential to consider the types of devices an organization uses and the types supported by the solution(s) in question. If traditional devices are used, a good EDR solution may be enough. Conversely, if an organization has ICS or OT systems, they should consider security solutions that are specifically designed to protect ICS or OT systems.

Geographic areas

3. What geographic areas do we operate in and therefore are subject to their regulations?

  1. United States of America only
  2. United Kingdom only
  3. European Union only
  4. Combination of above
  5. None of the above

Requirement: Regulatory compliance reporting and monitoring

No matter where an organization operates, it is increasingly likely that they will be subject to regulations that dictate what types of security measures must be implemented. Ensure that the compliance reporting and tracking solution is suitable for the regulations affecting the organization.

Technical expertise

4. Do we have the technical expertise and human-power to handle disparate systems’ design, implementation and maintenance?

  1. Yes, we can manage many, many individual solutions effectively
  2. No, we can barely manage these aspects of the solutions we already have
  3. We can handle a few separate solutions, but it’ll get difficult if we do too much
  4. We can handle different solutions effectively, but would rather work with a product that combines as many solutions as possible into one

Requirement: Comprehensive and integrated solution or managed services

When an organization is required to secure many different types of devices, processes, people and systems, the organization must consider the solution that works best for both their business operations and their desired security posture. In other words, ensure the solution the organization chooses is completely comprehensive or potentially includes managed services that can scale up so that no unnecessary additional labor is required with the implementation of the new solution(s). That being said, when looking at managed services providers to support environments with IT/OT/ICS, it’s especially important to ensure that potential providers are able to meet the specific needs of your organization.

Remote users

5. Is remote access required?

  1. Yes, we allow remote access to our systems from employees and vendors and we use whatever software the vendors require or employees are comfortable with
  2. No, remote access is not allowed to our network or systems
  3. We allow specific people access to specific network segments or systems
  4. We evaluate each request for remote access individually and have a process in place for this

Requirement: ZTNA

Remote access to any part of an organization poses a great security risk as that is frequently the first point of access to an organization. The consequences of cybersecurity breaches in ICS have recently been in the news. When considering a solution be sure to verify and validate that you’re able to implement ZTNA and maintain strong IAM whenever remote access is required.

SIEM

6. Do we have a SIEM solution currently?

  1. No
  2. Yes, we have a SIEM solution that we are comfortable with and are not willing to move away from right now
  3. Yes, but it is outdated, unintuitive and limited in functionality and we are willing to replace it
  4. Yes, but it is outdated, unintuitive and limited in functionality but it is so integrated into our organization that we don’t know if we can replace it or not

Requirement: SIEM, managed SIEM, or SIEM integration

Security Information and Event Management solutions are very common in the manufacturing industry, especially because industrial automation equipment both generates and consumes huge amounts of data. They are a very important part of any security solution, but proper management and tuning is critical as many SIEMs won’t have out-of-the-box workflows or alerting for IT/OT/ICS. It is key for an organization to ensure that their SIEM is performing as required and that it will work well with any new solutions that are implemented as integrating data sourced from existing IT/OT/ICS.

Audits

7. Do we (or 3rd parties) perform audits on our systems?

  1. Yes, we regularly perform security audits and score the audits to monitor areas that need improvement
  2. No, we do not do audits as we are still trying to fully grip our security solutions
  3. We audit some things and plan to audit others when they are fully implemented
  4. We have a 3rd party audit and track our results as well as give feedback and recommendations based on those results

Requirement: Security audits

Whether we like them or not, audits are an essential component of any security program. These audits verify proper operation of the security controls in place and point out possible weak spots in the security solutions being used. They also keep teams responsible for the organization’s security thinking about the eventual tests that will be performed to verify their work and statements made. When it comes to ICS used by manufacturing organizations, consider ICS-specific security solutions like Tenable.ot, Nozomi, etc. to automate the audit process while ensuring that audits are tailored specifically to these types of systems.

Cybersecurity AI

8. Do we already use artificial intelligence and/or machine learning to detect anomalies in the network, user behavior or system behavior?

  1. Yes, we have the entire organization monitored by the most current proven technologies for anomalous behavior across the organization
  2. No, we have people for that
  3. We have some AI and ML solutions in place but we still mainly use human-power to detect and respond to threats and anomalies
  4. We lean heavily on AI and ML to help the human teams effectively and efficiently monitor, detect and respond to threats and anomalous behaviors.

Requirement: Automated threat detection

Any organization that is interested in leveraging technology as a human force multiplier needs to have automated detection of anomalous behavior, devices or traffic. With the number of devices and vast amounts of data organizations generate today, especially those with automated manufacturing plants, it is just implausible to manually detect threats. In the same manner, it is impossible for any solution to recognize every type of threat, especially when it comes to ICS, which may operate using legacy or proprietary protocols that aren’t well-studied. Therefore, it is imperative that the solution leverages some understanding of normal ICS operation and uses technology to detect anomalies or even predict possible threats that have not been seen before.

False positives

9. Does the organization have a simple and effective way to determine if threats are real or false-alarms?

  1. We have people that investigate every possible threat and detection
  2. We have a team to investigate what our AI/ML solution can’t determine is a false-alarm
  3. Our solution attempts to verify the threat while simultaneously sending alerts to appropriate team members who immediately respond if the solution’s automated response is not enough
  4. We have a 3rd Party monitor and respond to events whether they are actual threats or false-alarms

Requirement: XDR and/or MDR combined with process and procedure

Any organization, even with their favorite solutions fully implemented, will certainly face both false and real threats. In a manufacturing environment, proper handling of false-alarms is crucial to avoid plant stoppages (which cost time and money), while quickly responding to real threats is just as important to avoid data breaches or equipment failure that can cause loss of life or property.

Network

10. Does our asset tracking solution cover all humans, devices, network segments and access points?

  1. We have an automated solution that finds every device and provides methods of monitoring and tracking them
  2. We have a team that manually tracks and monitors all devices in a spreadsheet format
  3. We have an asset tracking and monitoring solution that requires the manual addition of each device or group of devices/device type
  4. We have an automated solution that finds most things but also allows us to add things manually to track and monitor if they are not automatically tracked and monitored by our solution

Requirement: Asset management

One of the most important and first things an organization needs to do (there’s a reason why the Center for Internet Security consistently lists IT asset management at the top of their list of Critical Controls) is determine the best way to track all of the devices and assets the organization has, and to ensure that the inventory is kept up-to-date (and preferably automated). There are many solutions that incorporate or integrate with systems for tracking and monitoring assets as required, but these solutions may not be able to automatically discover or manage unique properties of an ICS device. Therefore, an asset management system which is specific to IT/OT/ICS may be necessary.
