The use of Industrial NAC explained with the Titanic
Prof. Dr. Tobias Heer | 03 November, 2023

To put it a little dramatically, you could compare an industrial network with the famous passenger ship Titanic. If nothing goes wrong, you sail off into the sunset on a calm sea with Rose and Jack standing at the railing, and it doesn't matter what the 900 crew members are doing. It's the same in an industrial network: if everything works, only a minimum level of control is required, and that minimum is much easier to guarantee. As soon as a security incident occurs and water runs into the bow, however, it becomes difficult to maintain control. How can you establish control in such a situation? How can it be maintained? What control mechanisms are available? One instrument can be Network Access Control.
The safety of the Titanic

Was the Titanic a good ship? Based on today's knowledge, we would clearly say no. Nevertheless, the Titanic did have several safety mechanisms.
The Titanic had numerous barriers. There were 16 compartments from the bow to the stern of the ship. If one of them filled with water, the design was intended to prevent the next compartment from also filling. The collision with the iceberg alone tore open five of the compartments. With up to four compartments torn open, the ship would still have been able to stay afloat. The compartments did not extend through the full height of the ship – for reasons of cost and aesthetics. Nevertheless, the compartments bought time, as the ship did not sink immediately.
If a so-called “float” was pushed upwards by water, the compartment door closed automatically – a new technology in 1912. Despite these features, the Titanic sank. This was partly because the crew accepted the passage through the ice field on a moonless night, even though the danger was known. In addition, at the time of the collision the only binoculars available on the Titanic were reserved for the captain. The officer in charge of the key to the other binoculars had been transferred to another ship shortly before departure and still had the key with him.
Accordingly, the lookout had to try to spot icebergs at high speed at night without binoculars. In addition, there were not enough lifeboats for the number of passengers on board. What does all this have to do with Network Access Control?
Functionalities of NAC
Some of the Titanic's safety measures have counterparts in a Network Access Control solution. Visibility was lacking because the lookout had no access to binoculars. Segmentation by compartments was not sufficient to keep the ship from sinking, because the design of the compartments did not effectively isolate the flooded parts of the Titanic from the rest of the ship. And the integration of the remaining safety measures was not sufficient to prevent the collision or to respond to the incident with confidence afterwards.
Visibility
- What is my current situation?
- What can I see on my ship or in my system?
- What else can I see in the event of an incident?
- What can I see automatically?
With the help of Network Access Control (NAC), I can gain and maintain an overview of my installation. A NAC solution shows me which network devices and endpoints are in the network and gives me insight into where these devices are connected, which devices are currently connected and which are no longer connected. I can also view information provided by other security tools that are integrated with the NAC solution, which makes it possible, for example, to record the security status of the connected devices: do they meet the company's compliance guidelines, or are there warnings? Visibility of the network is an important point if I want to ensure control. As on a ship, however, control is not only important during normal operation. Under exceptional circumstances in particular (e.g. during a security incident), manual and often too slow control mechanisms perform especially poorly. Automation can make a decisive difference here: the counterpart of a ship's door that closes automatically in the event of water ingress is a NAC solution in an industrial plant that reacts automatically to attacks or provides information from all parts of the network without human intervention.
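The visibility questions above (what is connected, where, what has disappeared, and which devices carry a warning from an integrated tool) boil down to comparing what the switches report now against a known baseline. The following Python script is an added example, not macmon's code; every MAC address, switch name, port and compliance state in it is constructed for the illustration, and the "compliant" flag stands in for the status an integrated security tool would report.

```python
# Added example (not macmon's code): diffing an endpoint inventory against a
# known baseline to answer the visibility questions above. All MAC addresses,
# switch names, ports and compliance states are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    mac: str
    switch: str
    port: str
    compliant: bool  # status reported by an integrated security tool (assumed)


def inventory(*entries):
    """Build a MAC-keyed inventory from Endpoint entries."""
    return {ep.mac: ep for ep in entries}


# Constructed baseline: the plant network as documented at the last review.
BASELINE = inventory(
    Endpoint("00:11:22:33:44:01", "sw-hall1", "Gi1/0/1", True),   # PLC
    Endpoint("00:11:22:33:44:02", "sw-hall1", "Gi1/0/2", True),   # HMI panel
    Endpoint("00:11:22:33:44:03", "sw-hall2", "Gi1/0/5", True),   # engineering laptop
    Endpoint("00:11:22:33:44:04", "sw-hall2", "Gi1/0/6", True),   # drive controller
)

# Constructed snapshot: what the switches report now. The HMI lost compliance,
# the laptop moved to another hall, the drive controller is gone and an unknown
# device is plugged into the port it used to occupy.
CURRENT = inventory(
    Endpoint("00:11:22:33:44:01", "sw-hall1", "Gi1/0/1", True),
    Endpoint("00:11:22:33:44:02", "sw-hall1", "Gi1/0/2", False),
    Endpoint("00:11:22:33:44:03", "sw-hall1", "Gi1/0/7", True),
    Endpoint("00:11:22:33:44:99", "sw-hall2", "Gi1/0/6", False),
)


def diff_inventory(baseline, current):
    """Return which endpoints are new, missing, moved or non-compliant."""
    known = set(baseline) & set(current)
    return {
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "moved": sorted(
            mac for mac in known
            if (current[mac].switch, current[mac].port)
            != (baseline[mac].switch, baseline[mac].port)
        ),
        "noncompliant": sorted(mac for mac, ep in current.items() if not ep.compliant),
    }


def report(diff, current):
    """Render the diff as one line per finding, ready for a ticket or a log."""
    lines = []
    for mac in diff["new"]:
        ep = current[mac]
        lines.append(f"NEW      {mac} on {ep.switch} {ep.port} (not in baseline)")
    for mac in diff["missing"]:
        lines.append(f"MISSING  {mac} no longer seen on any port")
    for mac in diff["moved"]:
        ep = current[mac]
        lines.append(f"MOVED    {mac} now on {ep.switch} {ep.port}")
    for mac in diff["noncompliant"]:
        lines.append(f"WARNING  {mac} fails compliance check")
    return lines


if __name__ == "__main__":
    for line in report(diff_inventory(BASELINE, CURRENT), CURRENT):
        print(line)
```

Run as a scheduled job, the same diff is what turns "I can see my network" into "I am told when my network changes": the unknown device on the drive controller's old port and the missing controller are exactly the findings that deserve a look before they become an incident.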
Segmentation
In an industrial network, there is the principle of “Zones & Conduits”. The network is divided into zones, and these zones are isolated from each other as far as possible. If something goes wrong in one zone, it should not spill over into the next. What properties are used to define the zones? The zones should not be made particularly large or permeable for the sake of convenience, as was the case on the Titanic. With a NAC solution, many steps of zone control can be automated. For example, endpoints can be assigned to zones very easily, regardless of where they are connected to the network: the assigned zone remains the same. The zones define where the device can communicate, so in the event of a problem the error or attack that has occurred is contained, and only the devices assigned to the same zone are affected. Convenience is also a critical factor here: although small zones are more secure, they are a nightmare to manage. A good NAC solution takes away a lot of the administrative workload, so that even small-scale, secure zone designs are easy to administer.
Isolation
Ideally, a set of rules should trigger an automated response so that action can be taken as quickly as possible in an emergency. With the help of network access control, isolation or partial isolation can be carried out automatically, for example when an endpoint no longer conforms to the company's compliance guidelines. If the device is involved in business-critical processes, however, isolating it may not be desirable. Group-based rules, for example, can define how endpoints are to be handled in the event of compliance violations.
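The two preceding sections, Segmentation and Isolation, describe one decision that a NAC solution makes whenever an endpoint appears on a port: which zone it belongs to (independent of the port) and, if it violates compliance, whether it is alerted on, partially isolated or fully quarantined according to its group. The script below is an added example, not macmon's code. The zone names, groups, VLAN numbers, ACL name and the endpoint table are assumptions constructed for the illustration; the attributes it emits for dynamic VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) are the standard ones from RFC 3580, and Filter-Id is the standard RADIUS attribute switches use to select an ACL.

```python
# Added example (not macmon's code): a small policy engine that keeps an endpoint
# in its zone wherever it is plugged in and applies group-based rules when it
# violates compliance. Zone names, groups, VLAN numbers and the endpoint table
# are assumptions constructed for this example; the RADIUS attributes used for
# dynamic VLAN assignment follow RFC 3580.
from dataclasses import dataclass
from typing import Optional

QUARANTINE_VLAN = 999  # assumed VLAN reserved for isolated endpoints

# Zones & Conduits: each zone is realised as its own VLAN (constructed mapping).
ZONE_VLAN = {"plc-line1": 110, "hmi": 120, "engineering": 130}

# Group-based rules for non-compliant endpoints:
#   "alert"    - keep in zone, raise an alert only (business-critical devices)
#   "restrict" - keep in zone but attach a restrictive ACL (partial isolation)
#   "isolate"  - move to the quarantine VLAN (full isolation)
GROUP_RULES = {"controllers": "alert", "hmi": "restrict", "workstations": "isolate"}


@dataclass(frozen=True)
class Endpoint:
    mac: str
    group: str
    zone: str
    compliant: bool


@dataclass(frozen=True)
class Decision:
    vlan: int
    action: str
    filter_id: Optional[str] = None


# Constructed endpoint table as a NAC solution would hold it.
ENDPOINTS = {
    "00:11:22:33:44:01": Endpoint("00:11:22:33:44:01", "controllers", "plc-line1", True),
    "00:11:22:33:44:02": Endpoint("00:11:22:33:44:02", "hmi", "hmi", False),
    "00:11:22:33:44:03": Endpoint("00:11:22:33:44:03", "workstations", "engineering", False),
    "00:11:22:33:44:05": Endpoint("00:11:22:33:44:05", "controllers", "plc-line1", False),
}


def decide(ep: Endpoint) -> Decision:
    """Zone VLAN for compliant endpoints; otherwise the group's rule applies."""
    zone_vlan = ZONE_VLAN[ep.zone]
    if ep.compliant:
        return Decision(zone_vlan, "permit")
    rule = GROUP_RULES.get(ep.group, "isolate")  # unknown group: safest default
    if rule == "isolate":
        return Decision(QUARANTINE_VLAN, "isolate")
    if rule == "restrict":
        return Decision(zone_vlan, "restrict", filter_id="acl-restricted")
    return Decision(zone_vlan, "alert")


def radius_attributes(decision: Decision) -> dict:
    """Access-Accept attributes for dynamic VLAN assignment (RFC 3580)."""
    attrs = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(decision.vlan),
    }
    if decision.filter_id:
        attrs["Filter-Id"] = decision.filter_id  # ACL name applied by the switch
    return attrs


def authorize(mac: str, switch: str, port: str) -> dict:
    """Authorise an endpoint seen on any switch port.

    The switch and port are only logged: the zone follows the endpoint, not
    the cable. Endpoints the NAC does not know go straight to quarantine.
    """
    ep = ENDPOINTS.get(mac.lower())
    decision = decide(ep) if ep else Decision(QUARANTINE_VLAN, "isolate")
    print(f"{mac} on {switch}/{port}: {decision.action} -> VLAN {decision.vlan}")
    return radius_attributes(decision)


if __name__ == "__main__":
    authorize("00:11:22:33:44:01", "sw-hall1", "Gi1/0/1")
    authorize("00:11:22:33:44:01", "sw-hall2", "Gi1/0/9")  # same zone, different port
    authorize("00:11:22:33:44:05", "sw-hall1", "Gi1/0/3")  # non-compliant controller: alert only
    authorize("00:11:22:33:44:02", "sw-hall1", "Gi1/0/2")  # non-compliant HMI: restricted
    authorize("00:11:22:33:44:03", "sw-hall2", "Gi1/0/5")  # non-compliant laptop: quarantined
    authorize("de:ad:be:ef:00:01", "sw-hall2", "Gi1/0/6")  # unknown device: quarantined
```

The point of the group rules is the one the Isolation section makes: a controller that runs a business-critical process only raises an alert when it fails a check, the HMI stays in its zone behind a restrictive ACL, and only the engineering laptop is moved to the quarantine VLAN. The two calls for the PLC on different switches return identical attributes, which is what "the assigned zone remains the same" looks like at the RADIUS level.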
Integration
Even the best security solutions are not effective if they are not properly integrated. When choosing a NAC solution, it is therefore essential to look at which integration options it offers, for example with vulnerability scanners or firewalls.
You want to keep your production afloat? macmon NAC offers a sophisticated network access control solution that addresses the security needs of OT networks, especially in industry.