Securing the New Frontiers of Critical Infrastructure Networks


Beyond "Level 3.5"

At Palo Alto Networks, public-private partnerships are a core part of how we enhance global cybersecurity and protect our digital way of life. Toward that end, I’m honored to have been recently appointed to a new subcommittee of the President’s National Security Telecommunications Advisory Committee, which has been tasked to look at the cybersecurity implications of IT/OT Convergence. It's a privilege to bring my expertise to this important effort to help critical infrastructure networks better protect their Operational Technology and Critical Infrastructure (OT/CI) from cyberthreats.

These systems continue to evolve from air-gapped, legacy systems to more modern, IT- and cloud-connected systems. This evolution increases the attack surface, which needs to be managed proactively. With escalating geopolitical events, the need for better infrastructure protection is even more pronounced.

While certain types of OT/CI may take some time to be fully converged due to hurdles for cloud adoption related to regulations, a good portion of operators are starting their transformation journey. This includes extensions of industrial infrastructure into the cloud, usage of smart IoT technology and evolution of industrial local and wide area networks (LAN/WAN). This changes the discussion around the scope of OT security, which has traditionally been at the IT-OT perimeter or "Level 3.5" DMZ of the ISA 95 (a.k.a. Purdue) Reference Model. It now includes the extension of industrial networks to cloud, 5G and SD-WANs.

In this third installment of the OT/CI security blog series (read Modernizing Critical Infrastructure Requires Security Transformation), we look at this network transformation and discuss how consistency in the Zero Trust approach could be achieved by applying Palo Alto Networks Next-Generation Firewalls across the new, extended OT/CI network infrastructure.

Industrial Cloud Networks

OT has historically been cloud-averse, but there have been many compelling use cases that have led to OT workload migration from on-prem data centers to the cloud. These include applications from data warehousing/historian to emerging industrial IoT applications, such as predictive maintenance, machine twin, VR/AR and production optimization. They could even be as rudimentary as providing centralized administrative services for the different control systems.

To a lesser degree, we may see SCADA applications, which involve controlling OT from the cloud. It's also important to not forget the adjacent non-OT workloads, such as accounting and billing systems (see Colonial Pipeline hack), which could be as critical to operations as the OT workloads themselves. Whatever the driver might be, it is necessary to secure not only the North-South traffic between OT and the cloud service provider(s), but also the East-West traffic between the different VMs and containers that run the workloads. This means getting granular visibility, applying granular Zero Trust Policy, as well as detecting and stopping threats to prevent the cloud from being compromised and used as a pivot point by attackers.

5G Private LANs

5G cellular technology has brought with it many advancements that deliver the flexibility, agility and performance private networks need for smart, IoT-enabled OT/CI networks. These include better throughput, reduced latency and network slicing. Asset owners are starting to look at replacing older wired and wireless networks on process control networks (PCN) and field area networks (FAN) with 5G private networks. They want to deploy 5G-connected autonomous vehicles, robotics and mixed reality technologies. However, the security challenges of 5G are not yet well understood by most of those looking to adopt it.

A major challenge with 5G security is that its usage entails encapsulating the traffic in a wrapper protocol (GTP), which can lead to loss of visibility. Correlating traffic to mobile industrial endpoints can also be a challenge if it is based only on IP addresses, which are dynamic in many environments. Securing 5G networks therefore entails not only regaining that visibility, but also being able to resolve applications, users and devices, apply granular policy, and contain threats that may have made their way to the plant floor and could pivot to other areas of the PCN or FAN.

Software Defined Wide-Area Networks (SD-WAN)

CI/OT WANs are also evolving. Specifically, SD-WAN has started to gain the attention of many CI organizations with its ability to overlay a private network on any existing transport, whether MPLS, low-cost and high-performance broadband, or a mix of both. To be fair, adoption is gradual and starts with less critical use cases, such as extending Supervisory Control and Data Acquisition (SCADA) networks to non-mission-critical remote sites or providing backup connections. However, many believe SD-WAN will have a strong future in OT/CI as the technology matures.

One factor for slower adoption has been the perceived lack of security and the complexity of security management when implemented over distributed SD-WAN connections. When adopting SD-WAN, it is important to identify a solution that gives you both the advanced security capabilities and centralized manageability to improve operational feasibility.

Zero Trust Network Security Across OT/CI's New Frontiers

The good news with Palo Alto Networks Next-Generation Firewall (NGFW) technology is that it is able to support all of the aforementioned use cases of cloud, 5G and SD-WAN. Rather than having to adopt multiple point solutions, our NGFW-as-a-platform approach, which implements PAN-OS across all form factors of NGFW (appliance, virtual, cloud, SASE), provides a single policy and management framework for these new frontiers of OT networks. It delivers layer-7 security, advanced threat prevention and centralized management, as it already does for internet gateways, data center firewalls and IT/OT perimeters (Level 3.5).

The VM-series and CN-series virtualized Next-Generation Firewalls (NGFW) are of course key to providing cloud network security. Furthermore, our NGFWs are able to not only decapsulate the 5G protocol (GTP) to reveal the underlying applications, users, devices and threats, but also to correlate security telemetry with unchanging SIM card identifiers (ISIM, IMEI), rather than dynamic IP addresses, which could make attribution tricky. Finally, Prisma Access provides a flexible way to effectively secure SD-WAN deployments. By delivering security from the cloud and closer to the branch sites, Prisma Access lets you optimize networking and security with the same protections that you have at corporate headquarters.
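The two 5G points made above, that GTP encapsulation hides the user-plane flow and that correlating by IP address is unreliable when addresses are reassigned, can be seen concretely in a small decapsulation and attribution routine. The following is an added example written for this post; it is not Palo Alto Networks code and does not reflect how PAN-OS implements GTP inspection. It parses a GTPv1-U header, walks any optional and extension headers, extracts the inner IPv4/TCP/UDP 5-tuple, and keys policy on the tunnel endpoint identifier (TEID) mapped to a fixed subscriber record rather than on the inner IP. The TEID-to-subscriber table, the role names, the identifier strings and all packets are constructed for the example; a real deployment would learn that mapping from the mobile core's control-plane signalling.

```python
"""
Decapsulate a GTPv1-U tunnel packet, recover the inner IPv4 flow that the
tunnel hides, and attribute it to a fixed subscriber record via the TEID
instead of the (reassignable) inner IP address. All data is constructed.
"""
import ipaddress
import struct
from typing import Optional

GTP_MSG_GPDU = 0xFF          # G-PDU: payload is a user-plane (inner IP) packet
PROTO_NAMES = {6: "tcp", 17: "udp"}

# Constructed TEID -> subscriber table (placeholders, not real identifiers).
SUBSCRIBERS = {
    0x0000A001: {"imsi": "<constructed-imsi-1>", "imei": "<constructed-imei-1>", "role": "agv"},
    0x0000A002: {"imsi": "<constructed-imsi-2>", "imei": "<constructed-imei-2>", "role": "tablet"},
}
# Constructed role-based allow list: (inner L4 protocol, inner destination port).
ALLOWED = {"agv": {("tcp", 502)}, "tablet": {("tcp", 443)}}


def build_ipv4(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Minimal IPv4 header plus a 20-byte L4 stub (checksums zero). Test data only."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4


def build_gtpu(teid: int, inner: bytes, seq: Optional[int] = None) -> bytes:
    """Wrap an inner IP packet in a GTPv1-U G-PDU header. Test data only."""
    flags = 0x30                                   # version 1, PT=1 (GTP, not GTP')
    opt = b""
    if seq is not None:
        flags |= 0x02                              # S bit: sequence number present
        opt = struct.pack("!HBB", seq, 0, 0)       # seq, N-PDU number, next ext type 0
    return struct.pack("!BBHI", flags, GTP_MSG_GPDU, len(opt) + len(inner), teid) + opt + inner


def parse_ipv4_flow(ip: bytes) -> dict:
    """Extract src/dst/proto/ports from an IPv4 packet (IHL honoured)."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    sport = dport = None
    if proto in PROTO_NAMES and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "proto": PROTO_NAMES.get(proto, str(proto)), "sport": sport, "dport": dport}


def parse_gtpu(pkt: bytes) -> dict:
    """Validate a GTPv1-U header and return the TEID plus the decapsulated inner flow."""
    if len(pkt) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTPv1-U packet")
    if 8 + length != len(pkt):
        raise ValueError("GTP length field does not match packet size")
    if msg_type != GTP_MSG_GPDU:                  # echo/error indication etc.: no user plane
        return {"teid": teid, "msg_type": msg_type, "inner": None}
    off = 8
    if flags & 0x07:                               # any of E/S/PN set: 4 optional bytes follow
        if len(pkt) < 12:
            raise ValueError("truncated optional header")
        next_ext = pkt[11] if flags & 0x04 else 0  # extension chain only meaningful if E set
        off = 12
        while next_ext != 0:                       # each ext header: len (4-octet units) ... next type
            ext_len = pkt[off] * 4
            if ext_len == 0 or off + ext_len > len(pkt):
                raise ValueError("bad extension header")
            next_ext = pkt[off + ext_len - 1]
            off += ext_len
    return {"teid": teid, "msg_type": msg_type, "inner": parse_ipv4_flow(pkt[off:])}


def evaluate(pkt: bytes, table=SUBSCRIBERS, allowed=ALLOWED) -> dict:
    """Attribute the tunnel to a subscriber by TEID and apply the role's allow list (fail closed)."""
    parsed = parse_gtpu(pkt)
    sub = table.get(parsed["teid"])
    flow = parsed["inner"]
    if sub is None or flow is None:
        verdict = "deny"                           # unknown tunnel or non-user-plane message
    else:
        verdict = "allow" if (flow["proto"], flow["dport"]) in allowed.get(sub["role"], set()) else "deny"
    return {"teid": parsed["teid"], "subscriber": sub, "flow": flow, "verdict": verdict}


if __name__ == "__main__":
    # Same inner IP 10.20.0.5, first held by the AGV, later reassigned to a tablet.
    agv = build_gtpu(0x0000A001, build_ipv4("10.20.0.5", "10.1.1.10", 6, 40000, 502), seq=1)
    tablet = build_gtpu(0x0000A002, build_ipv4("10.20.0.5", "10.1.1.10", 6, 40001, 502))
    for p in (agv, tablet):
        print(evaluate(p))
```

The two sample packets share the same inner source IP, so an IP-keyed policy would treat them identically; keyed on the TEID, the AGV's Modbus/TCP (port 502) flow is allowed while the tablet's identical-looking flow is denied, which is the attribution point the paragraph above makes.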

The end result is more effective and consistent security across the extended critical infrastructure network, as well as simplified security operations. Make sure to keep this firewall-as-a-platform in mind and collaborate with the operations teams as you embark on your critical network transformation projects.

Check out the following resources to learn more about our approach to Zero Trust and Critical Infrastructure Protection.