Interview with Prof. Dr. Heer: OT Security & Industrial NAC

Sarah Kolberg | July 13, 2023

In contrast to classic IT systems, cyber security in industry comes with its own particularities. In this interview with Prof. Dr. Tobias Heer, we look at OT security and how network access control can help implement an industrial security concept. Prof. Dr. Tobias Heer teaches IT security and networking at the University of Applied Sciences in Esslingen, Germany. He is a researcher in Future Networking Technologies at Hirschmann Automation and Control and has been part of the Belden team since 2012.

Prof. Dr. Tobias Heer is co-author of the white paper "Enhanced Security for Industrial Networks". It covers the cyber security of OT networks and how a security concept can be implemented with the network access control solution macmon NAC and Hirschmann industrial switches.

How well prepared is the German industrial landscape for current cyber threats?

Prof. Dr. Tobias Heer: That's difficult to answer because there is no such thing as "the German industrial landscape". There are companies that have been dealing with the topic of cyber security for years and have implemented standards. These are mostly companies from industries that are already partially or fully regulated anyway. Companies of a certain size that fall into the sector of critical infrastructure have been obligated for years to take security measures because of the first Act on the Federal Office for Information Security (BSI Act). Suppliers to the automotive industry must likewise implement security guidelines as part of the supplier conditions in the areas of research and development as well as IT. The proportion of companies that are already addressing the issue of cyber security is correspondingly large. Other companies, on the other hand, are still at the very beginning.

In the area of critical infrastructure, for example infrastructure for supplying the population, Germany is not in a bad position, because regulation has been in place here for a long time. In smaller utilities, we have just started getting there through the European Union's NIS2 directive and its implementation.

Why are tried-and-tested security concepts from industry, such as the air gap, no longer practicable?

Prof. Dr. Tobias Heer: The air gap used to be a measure that often worked rather accidentally. There was no need to connect production to the network. In the era of Industry 4.0, businesses and production facilities are highly digitized. This is based on information exchange, which is not possible with an air gap. If I want to modernize my production, an air gap is not pragmatic. No one walks into the production facility with a docket and works it off like they did back in the 80s.

I also dare to doubt that companies that used to rely on the air gap always had an air gap. Often, modems were connected to exchange information with the production facility, or data was transferred in and out via storage media such as USB sticks and floppy disks. These are often not controlled, so there is room for cyber attacks.

What role does Network Access Control play for industrial networks?

Prof. Dr. Tobias Heer: Network Access Control is one of several tools for IT security in industry. It is not a magic bullet that covers all security measures, but it is one of the most effective tools we have. It works against attacks where the attacker is local, on-site, as well as attacks from the outside, even if you wouldn't think so at first glance. Let me elaborate:

The local attack: In widespread facilities, you have local attacks more frequently. The security of a production facility is physically hard to control. It's easy to simply plug in a device and access the network. The system may also be compromised because something is connected incorrectly. In these cases, NAC helps because devices cannot simply be connected to the local network in an uncontrolled manner.

The attack from the outside: The other possibility is that attackers come from the outside and infiltrate systems that are already in the network. An attack from the outside always leads to compromised devices on the inside. NAC can help here as well.

In the first case, an attack from the inside, the attacker must authenticate to even connect a device to the industrial network. With the help of NAC, you can see every network device and endpoint connected to the network and respond to it. This creates transparency to understand what is going on in my network.

In the case of an attack from the outside, this is not so easy to use. However, a good NAC system draws on other tools, for example: a vulnerability scanner. This tool identifies vulnerable endpoints and network devices that an attacker might have used to get access. With a NAC system, you can decide how to deal with a vulnerable or compromised device. Do you want to keep it in the network, move it to a quarantine network or inform someone? NAC helps to respond to unforeseen changes in the network. Network Access Control acts as a kind of hygiene measure for my network.

What does an industrial environment require from network access control?

Prof. Dr. Tobias Heer: Things are a little different in industry than in the classic IT environment. In industry, you have processes that depend on communication. Interrupting them by excluding a device involved can lead to a physical problem. For example, if control processes are interrupted, it can result in downtime or physical damage. If I have a facility and shut down individual parts of it, it can be very difficult to get it back up and running. Especially in the process industry, that's never an option. So you need a more sophisticated NAC in an industrial network. Specifically: What activities are triggered when a fault or attack is detected in the network? What security measures can be taken if drastic steps, such as network exclusion, are not possible?

NAC brings transparency in industrial networks and shows which devices are there in the first place. It detects unusual network movements and typical attack patterns. A more differentiated approach is required here. Should every network device and endpoint be treated equally?

A good NAC solution should allow different endpoints to be divided into appropriate groups. Depending on the group, different defensive actions are executed. For example, a maintenance laptop that does not meet compliance guidelines can easily be excluded from the network. The endpoint is not part of a business-critical process. Nothing unpredictable usually happens here. An industrial PC that is part of a control loop, on the other hand, cannot easily be taken off the network because processes in the facility could be disrupted. Network Access Control can be used to make this distinction and define suitable responses. NAC can reduce time-consuming manual tasks for the IT department.

An important principle in industry is zones and zone transitions. When something happens in a zone, it affects only that area. You take endpoints, units, machines etc. that logically belong together and assign them to the same zone. If the attacker enters the zone, he remains in it and cannot get out. The other zones are not affected. With the help of NAC, these zones can be implemented using VLANs. VLAN management does not have to be port-based only. Assignment is also possible via MAC addresses, via username and password or via certificate. This makes zone design very convenient and reliable. This reduces the administrative effort enormously. I don't have to configure individual switches, but instead assign my security zones to endpoints and device classes.

The zone concept is so important for industry that it is specified in the ISO standard IEC 62443 (Industrial communication networks - IT security for networks and systems). If you configure switches by hand, it quickly becomes confusing, not very agile, and the maintenance effort is high. With network access control solutions such as macmon NAC, this can be implemented very easily.

Temporary network access for subcontractors and maintenance staff can be provided quickly and securely using the NAC solution. Imagine a maintenance employee needs to access a specific machine for a regular inspection. NAC enables easy, time-limited, secure network access for the endpoint to the zone of the machine that needs to be maintained. If I want to implement the same thing without NAC, it means someone has to manually configure a switch, allow the endpoint and reconfigure it again at the end of the day, a time-consuming and error-prone process that requires specialized knowledge. If the effort is too big, people quickly tend to soften security measures. You create more and more gaps in your security concept for reasons of efficiency. NAC can therefore be used to increase both security and efficiency. Processes that are usually restrictive and complex can be implemented with little effort.
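The group-dependent responses, the zone-to-VLAN assignment via certificate, username or MAC address, and the time-limited maintenance access described in the interview can be illustrated with a small policy engine. The following Python is an added example written for this page; it is not macmon NAC or Hirschmann code, and the group names, VLAN IDs, certificate subject, OUI table, user list and time window are all constructed assumptions.

```python
"""Constructed example of industrial NAC policy logic: device classification
(certificate, then username, then MAC OUI), zone-to-VLAN mapping, a
group-dependent response to compliance/vulnerability findings, and
time-limited access grants. Not macmon NAC or Hirschmann code; every name
and value below is an assumption made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"            # admit to the zone VLAN
    QUARANTINE = "quarantine"  # move to the isolated VLAN
    ALERT_ONLY = "alert_only"  # leave in its zone, notify operators
    DENY = "deny"              # do not admit at all


# Zone name -> VLAN ID (assumed values)
ZONE_VLAN = {"control": 100, "maintenance": 200, "quarantine": 999}

# Per-group policy: home zone, response to a finding, and whether access
# must be backed by a time-limited grant.
GROUP_POLICY = {
    # part of a control loop: never cut it off, alert instead
    "control_pc": {"zone": "control", "on_finding": Action.ALERT_ONLY, "needs_grant": False},
    # not process-critical: isolating it is safe
    "maintenance_laptop": {"zone": "maintenance", "on_finding": Action.QUARANTINE, "needs_grant": True},
}

# Classification tables (constructed). A certificate is the strongest
# evidence, a username next; a MAC OUI is trivially spoofed and serves only
# as a fallback for devices that cannot do 802.1X.
CERT_GROUPS = {"CN=ipc-line3.plant.example": "control_pc"}
USER_GROUPS = {"maint-ks": "maintenance_laptop"}
OUI_GROUPS = {"0a:1b:2c": "control_pc"}


@dataclass
class Endpoint:
    mac: str
    cert_subject: Optional[str] = None
    username: Optional[str] = None
    compliant: bool = True      # result of a compliance check
    vulnerable: bool = False    # finding from a vulnerability scanner


@dataclass
class Grant:
    mac: str
    zone: str
    expires: datetime


def classify(ep: Endpoint) -> str:
    """Assign the endpoint to a device group; anything unrecognised is 'unknown'."""
    if ep.cert_subject in CERT_GROUPS:
        return CERT_GROUPS[ep.cert_subject]
    if ep.username in USER_GROUPS:
        return USER_GROUPS[ep.username]
    return OUI_GROUPS.get(ep.mac.lower()[:8], "unknown")


def decide(ep: Endpoint, grants, now: datetime):
    """Return (Action, VLAN ID or None) for an endpoint requesting access."""
    policy = GROUP_POLICY.get(classify(ep))
    if policy is None:
        return Action.DENY, None            # unknown device: no uncontrolled access
    zone = policy["zone"]
    if policy["needs_grant"]:
        grant = next((g for g in grants
                      if g.mac.lower() == ep.mac.lower() and g.expires > now), None)
        if grant is None:
            return Action.DENY, None        # no grant, or the time window has passed
        zone = grant.zone                   # a grant may open a zone other than the home zone
    if not ep.compliant or ep.vulnerable:
        action = policy["on_finding"]
        vlan = ZONE_VLAN["quarantine"] if action is Action.QUARANTINE else ZONE_VLAN[zone]
        return action, vlan
    return Action.ALLOW, ZONE_VLAN[zone]


def run_scenarios():
    """Evaluate constructed endpoints; returns {scenario: (action name, vlan)}."""
    now = datetime(2023, 7, 13, 9, 0)
    # eight-hour grant for a maintenance laptop into the control zone
    grants = [Grant("5e:11:22:33:44:55", "control", now + timedelta(hours=8))]
    laptop = Endpoint("5e:11:22:33:44:55", username="maint-ks")
    cases = {
        "rogue_device": (Endpoint("de:ad:be:ef:00:01"), now),
        "vulnerable_ipc": (Endpoint("0a:1b:2c:00:00:10",
                                    cert_subject="CN=ipc-line3.plant.example",
                                    vulnerable=True), now),
        "laptop_in_window": (laptop, now + timedelta(hours=2)),
        "laptop_noncompliant": (Endpoint("5e:11:22:33:44:55", username="maint-ks",
                                         compliant=False), now),
        "laptop_after_window": (laptop, now + timedelta(hours=9)),
    }
    results = {}
    for name, (ep, t) in cases.items():
        action, vlan = decide(ep, grants, t)
        results[name] = (action.value, vlan)
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} -> {result}")
```

The `ALERT_ONLY` branch is the industrial-specific part: the vulnerable industrial PC stays in VLAN 100 and only produces an alert, while the non-compliant maintenance laptop is moved to the quarantine VLAN, and the same laptop is refused outright once its grant has expired. In a real deployment the certificate check would come from 802.1X (EAP-TLS) on the switch and the compliance and vulnerability flags from the external tools the NAC consults, which this example only represents as fields on the endpoint.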

© macmon secure GmbH