macmon NAC for operational security in manufacturing
Michael Reinholz | November 15, 2023

What is Factory 4.0? It is a new interpretation of industrial standards and application areas in manufacturing, covering simple production steps and processes that were previously handled in analogue form via Industrial Ethernet protocols. Alongside its many opportunities, digitalization also opens new gateways for hackers. To protect Factory 4.0, macmon NAC has developed the Factory of ZTNA concept: the Zero Trust approach for factories. Robotics, mechanics, and logging were previously implemented via analogue paths using complex cabling. Technological developments can help to simplify and modernize these processes and make them more cost-effective.
NAC - an essential element for industrial plant security
Network security is becoming an increasingly important topic for the industry in the context of IT-OT convergence. A modern Network Access Control solution is a key element in the implementation of security concepts in the industrial environment. Network overview, control and security are important here. Network Access Control is an important element in an overall security concept such as ZTNA. macmon NAC complements existing cyber security guidelines. Even with analog structures, the NAC solution can communicate with the network, namely with the controlling components. With macmon NAC, security zones can be set up to monitor analog networks, for example those using PROFINET protocols. If an unknown device appears in the security zone, whether introduced by an employee or by an attack from the inside, the NAC solution makes this visible. The threat is limited to the zone, cannot spread to the entire network, and can be handled in isolation.
macmon NAC can be implemented as a virtual or hardware appliance, whichever is better suited to the customer company's infrastructure. In times of Factory 4.0, the virtual appliance is usually recommended as it offers flexibility and security. With the help of virtualization, the building blocks for a secure environment can be placed in a DMZ, ensuring protection from inside and outside. DMZ, short for demilitarized zone, describes a computer network with controlled, secure access options to connected servers.
macmon NAC offers more granularity than conventional firewall approaches. A variety of architectures can be applied by assigning authorizations based on the authentication level. With our Advanced Security, additional properties of endpoints can contribute to this. With macmon NAC Scalability, a redundancy principle can be implemented, which prevents the failure of business-critical processes and ensures high availability. This ensures operational security even in the event of an attack or technical failure.
Handling a NAC project in the industry
Overview
macmon NAC communicates with the infrastructure in your company and reads the values it contains. The solution can then track where your assets and control systems are located. The solution uses various management protocols via which the switches can be read out. macmon NAC offers a flexible view and a clear monitoring tool. It can be used to map production lines and routes.
Individually customizable dashboard
- Display of all activities and movements in the network
- Direct access to all functions and menus
- Endpoints
- User devices
- Network
- Guidelines
- Reports
- Past Viewer
- Scalability
- Statistics
- Status
- Settings
Topology & Reporting
- Graphical overview of all network devices
- Live inventory management of all endpoints
- Comprehensive reporting on monitoring data
- Extensive analysis data
Network Access Control
In the second step, you as the operator of the system and owner of production security decide to what extent NAC is applicable for you. The tool is flexible and can adapt to the conditions of any environment, so that you can regain control of your network.
NAC policies
- Automatic rule engine with NAC policies
- Sorting of endpoints into groups
- Parallel introduction of security zones
- Integrated NAC rules cover 95 percent of use cases
- Notifications for security events
Access control
- Simple implementation of VLAN concepts and security zones
- Access denial for unknown devices
- Access via various identity sources possible
- 802.1X
- Industrial standards
Compliance
Compliance is an optional step. Here, non-compliant devices can be excluded, moved to a secure network area or a notification can be sent to a responsible employee. Network security can be further increased in collaboration with other security solutions that are already in use. These can be integrated quickly and easily using the REST API.
Special use cases of macmon NAC for industry
OT networks are structured differently from IT networks. This results in special use cases for Network Access Control in the industrial environment.
The maintenance mode
Maintenance mode is a function for replacing defective hardware or maintaining existing devices in a controlled environment. In the industrial sector, static networks are used in most cases, as changes during operation within a closed security unit are not desired. Using logging, macmon NAC can detect when an endpoint is no longer in operation. To replace it, maintenance mode allows a temporary switch from static to changeable operation. This is necessary, for example, if a system or other endpoint in a security zone needs to be serviced, completely replaced or converted. A completely static network would not allow a new device. Maintenance mode gives the plant operator and assembly personnel the flexibility to replace a machine and then return to production mode.
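The maintenance-mode workflow just described, as an added illustration that is not macmon's code: a hypothetical zone model with a static MAC allowlist, in which an unknown device is denied and reported unless its port is in maintenance mode, where exactly one replacement device is learned before the port returns to static operation. The zone name, port names and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the maintenance-mode workflow (not macmon's code).
# A security zone holds a static set of approved endpoints keyed by MAC
# address. Any other endpoint seen on a zone port is denied and reported.
# Maintenance mode on a single port lets one replacement device be learned,
# after which the zone is static again.

@dataclass
class Zone:
    name: str
    approved: set                              # constructed MAC allowlist
    maintenance_port: Optional[str] = None     # None = production mode
    events: list = field(default_factory=list)

    def enter_maintenance(self, port: str) -> None:
        """Switch one port from static to changeable operation."""
        self.maintenance_port = port
        self.events.append(f"{self.name}: maintenance mode on {port}")

    def leave_maintenance(self) -> None:
        """Return the zone to production (static) mode."""
        self.maintenance_port = None
        self.events.append(f"{self.name}: back to production mode")

    def endpoint_seen(self, mac: str, port: str) -> str:
        """Decide how the zone treats an endpoint appearing on a port."""
        if mac in self.approved:
            return "allow"
        if port == self.maintenance_port:
            # Replacement device: learn it, then close the window so the
            # zone does not stay changeable after the swap.
            self.approved.add(mac)
            self.events.append(f"{self.name}: learned {mac} on {port}")
            self.leave_maintenance()
            return "allow"
        # Unknown device in a static zone: deny and notify; the incident
        # stays confined to this zone.
        self.events.append(f"{self.name}: ALERT unknown {mac} on {port}")
        return "deny"

def demo() -> list:
    """Constructed scenario: swap a defective controller on one port."""
    zone = Zone("packaging-line", {"00:11:22:33:44:55"})
    r1 = zone.endpoint_seen("aa:bb:cc:dd:ee:01", "Gi1/0/7")  # static: deny
    zone.enter_maintenance("Gi1/0/7")
    r2 = zone.endpoint_seen("aa:bb:cc:dd:ee:01", "Gi1/0/7")  # learned: allow
    r3 = zone.endpoint_seen("aa:bb:cc:dd:ee:02", "Gi1/0/7")  # window closed: deny
    return [r1, r2, r3]
```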
Flat network segmentation
Network segmentation through firewalls is complex and cannot be carried out without interruption. In addition, most OT networks have evolved historically and practically. Subsequent segmentation of a flat, evolved network in this way would hardly be possible without a fundamental redesign. With the help of macmon NAC, segmentation can be carried out at the network boundary without changing the topology.