You know what's connected to your industrial network. This is key to tracking (and patching) vulnerabilities, ensuring all communications are monitored and starting to segment your industrial network. Did you know Cisco Cyber Vision can help you automate the inventory of your assets? It also enables IT and OT teams to work together in grouping assets into production zones to ease segmentation projects.
You cannot protect what you don't know about. You need a comprehensive and up-to-date asset inventory to detect vulnerabilities to patch, identify machines accessible from the Internet, spot unapproved remote access, and more. Cisco Cyber Vision can help you automate the inventory process. Cisco OT Security experts can also build this inventory for you and work with you to define a roadmap to improve your OT Security posture. Contact a customer experience expert for more information.
You have built an industrial Demilitarized Zone (IDMZ) with firewalls isolating the industrial network from the IT network. Now, you might want to consider isolating individual production cells to further solidify your security posture by blocking unneeded communications between zones.
This can be achieved using Cisco Secure Firewall ISA3000 to physically isolate a zone, or Cisco Identity Services Engine (ISE) to implement software-based segmentation. When combined with Cisco Cyber Vision, Cisco ISE is constantly updated with industrial asset groups as defined by operations teams, making it really easy to configure security policies per asset.
The first mandatory step to industrial security is to build an industrial Demilitarized Zone (IDMZ) with firewalls isolating the industrial network from the IT network. Cisco Firepower 2100 Series firewalls offer the filtering, cryptographic, and threat inspection performance your industrial sites require. For smaller distributed operations, the Cisco Secure Firewall ISA3000 is your best option. Both can be managed using the same central platform, Cisco Secure Firewall Management Center, for complete and unified security policy control.
Once you have selected and deployed firewalls across all your industrial sites, you might want to consider isolating individual production cells. By blocking unneeded communications between zones, you can further solidify your security posture. This can be achieved using Cisco Secure Firewall ISA3000 to physically isolate a zone, or Cisco Identity Services Engine (ISE) to implement software-based segmentation. Combined with Cisco Cyber Vision, Cisco ISE is constantly updated with industrial asset groups as defined by operations teams, making it easy to configure security policies per asset.
Detecting malware intrusions and malicious traffic is key to protecting operations, especially when industrial control systems might be running older versions of Windows and industrial assets might have unpatched vulnerabilities.
Hopefully, your firewalls embed Next-Generation Intrusion Protection Systems (NGIPS) and leverage advanced threat intelligence sources such as those delivered by Cisco Talos, the industry-leading threat intelligence group and official developer of Snort signatures.
When selecting firewalls to build your industrial Demilitarized Zone (IDMZ), make sure the solution you deploy embeds next-generation malware protection. Because some of your industrial control systems might run older versions of Windows and some industrial assets might have unpatched vulnerabilities, it is key to detect malware intrusions and malicious traffic before they bring your operations to a stop.
Cisco Secure Firewall embeds Next-Generation Intrusion Protection Systems (NGIPS) powered by threat intelligence from Cisco Talos, the industry-leading threat intelligence group and official developer of Snort signatures.
You have implemented a solution for your OT team, vendors and contractors to connect to your industrial network remotely, but are you monitoring all remote access entry points? Are you enforcing security policies consistently?
Cisco Cyber Vision can detect all remote access activities and show you points of entry you are not aware of. It shares all these events with your Security Information and Event Management (SIEM) tool, so you can monitor live user access (logins, failed logins, successive logins, etc.). It will also trigger alarms if abnormal behaviors that deviate from baselines are detected.
Using Cisco Identity Services Engine (ISE), you can build and enforce security policies to control who can access which machine.
Your OT team, vendors and contractors need remote access to your industrial network to run operations. But don't let them install uncontrolled solutions. Implement clear and secure entry to your network with Cisco Secure Firewall and Cisco AnyConnect Secure Mobility Client.
Build and enforce security policies to control who can access which assets with Cisco Identity Services Engine (ISE).
And with Cisco Cyber Vision, remote access events are recorded and shared with your Security Information and Event Management (SIEM) solution so you can monitor live user access (logins, failed logins, successive logins, etc.). It will also trigger alarms if abnormal behaviors that deviate from baselines are detected.
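The monitoring described above (live login and failed-login tracking, alarms on behaviour that deviates from a baseline, events forwarded to a SIEM) can be illustrated with a small detector. The following is an added example written for this page; it is not Cisco Cyber Vision or ISE code. The key=value log format, the gateway names, the addresses and user names, the "approved gateway" list, the working-hours baseline and the failed-login threshold are all constructed assumptions.

```python
"""Remote-access login monitoring over constructed OT gateway logs.

Added example, not Cisco Cyber Vision or ISE code. The log format, the
approved-gateway list and the working-hours baseline are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog-style key=value lines from remote-access gateways.
SAMPLE_LOG = """\
2024-03-04T02:13:05Z vpn-gw user=contractor1 src=203.0.113.7 result=FAILED
2024-03-04T02:13:12Z vpn-gw user=contractor1 src=203.0.113.7 result=FAILED
2024-03-04T02:13:21Z vpn-gw user=contractor1 src=203.0.113.7 result=FAILED
2024-03-04T02:13:40Z vpn-gw user=contractor1 src=203.0.113.7 result=SUCCESS
2024-03-04T09:00:01Z vpn-gw user=ot-eng1 src=198.51.100.5 result=SUCCESS
2024-03-04T10:15:44Z cell3-modem user=vendor2 src=192.0.2.33 result=SUCCESS
2024-03-04T14:02:09Z vpn-gw user=ot-eng2 src=198.51.100.9 result=FAILED
2024-03-04T14:02:30Z vpn-gw user=ot-eng2 src=198.51.100.9 result=SUCCESS
"""

APPROVED_GATEWAYS = {"vpn-gw"}            # assumption: the only sanctioned entry point
BASELINE_HOURS = range(6, 20)             # assumption: sanctioned login window, UTC
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(seconds=60)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one '<timestamp> <gateway> k=v k=v ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, gateway, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["gateway"] = gateway
    return fields


def analyze(log_text):
    """Return alarms as (rule, gateway, user, timestamp) tuples, in log order."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alarms = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures in window
    for e in events:
        # Any login through a gateway we did not sanction is an entry point
        # we were not aware of, regardless of whether the login succeeded.
        if e["gateway"] not in APPROVED_GATEWAYS:
            alarms.append(("unknown_entry_point", e["gateway"], e["user"], e["ts"]))
        if e["result"] == "FAILED":
            window = [t for t in recent_failures[e["user"]] if e["ts"] - t <= FAIL_WINDOW]
            window.append(e["ts"])
            recent_failures[e["user"]] = window
            if len(window) >= FAIL_THRESHOLD:
                alarms.append(("failed_login_burst", e["gateway"], e["user"], e["ts"]))
                recent_failures[e["user"]] = []   # one burst raises one alarm
        elif e["result"] == "SUCCESS" and e["ts"].hour not in BASELINE_HOURS:
            # Successful login outside the baseline window: deviation, not a block.
            alarms.append(("off_hours_login", e["gateway"], e["user"], e["ts"]))
    return alarms


def to_siem_records(alarms):
    """Serialize alarms as JSON lines, the shape most SIEM collectors ingest."""
    return [json.dumps({"rule": r, "gateway": g, "user": u, "ts": t.isoformat() + "Z"})
            for r, g, u, t in alarms]


if __name__ == "__main__":
    for rec in to_siem_records(analyze(SAMPLE_LOG)):
        print(rec)
```

On the constructed sample the detector raises three alarms: a burst of failed logins for `contractor1`, that same user's subsequent successful login at 02:13 UTC (outside the baseline hours), and a login through `cell3-modem`, a gateway that is not on the approved list. The third one is the "point of entry you are not aware of" case; the first two are what a SIEM would correlate with other IT events.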
Tracking abnormal industrial control system behaviors is key to detecting unwanted process modifications. Tracking can also detect asset failures or malfunctions, helping OT teams maintain production integrity, continuity and safety.
Did you know that Cisco Cyber Vision can build multiple baselines for your industrial networks, with no learning required? You can build baselines for what is most critical to you (such as a particular asset), detect specific behaviors (such as remote access), and enable accurate detection with minimal false positives (such as during maintenance operations), further reducing event fatigue in the Security Operations Center (SOC).
Attacks on industrial control systems can take the form of a simple change to a variable or a program uploaded to a controller. Events like these cannot be detected by firewalls or Intrusion Detection and Prevention Systems (IDS/IPS) because they are normal communications.
Cisco Cyber Vision can take snapshots of your industrial networks, defining what normal should be. Any deviations from these baselines will trigger a security event. This lets you immediately detect abnormal behaviors that could be an early sign of an attack, or an asset failure or malfunction. This is highly valuable information that will help both the IT and OT teams maintain production integrity, continuity and safety.
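The mechanism described in the two paragraphs above (a snapshot of normal traffic becomes the baseline, and any flow outside it raises an event even though a firewall would allow it) is shown below as an added example; it is not Cisco Cyber Vision code. The asset addresses, the Modbus operation names, the list of state-changing operations, the severity policy and the maintenance-window handling are constructed assumptions. The example covers a single baseline; the per-asset baselines mentioned earlier would be built the same way from a snapshot filtered to one asset.

```python
"""Baseline-deviation detection for industrial traffic.

Added example, not Cisco Cyber Vision code. Addresses, operation names and
the severity policy are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str        # source asset address
    dst: str        # destination asset address
    proto: str      # industrial protocol, e.g. "modbus"
    operation: str  # application-level operation decoded from the protocol


# Operations that change controller state rather than observe it (assumption).
STATE_CHANGING = {"write_single_register", "write_multiple_registers",
                  "program_download", "stop_cpu"}

# Constructed snapshot of "normal" traffic taken during regular production.
SNAPSHOT = [
    Flow("10.1.1.10", "10.1.1.20", "modbus", "read_holding_registers"),  # HMI polls PLC
    Flow("10.1.1.10", "10.1.1.21", "modbus", "read_holding_registers"),
    Flow("10.1.1.11", "10.1.1.20", "modbus", "read_coils"),              # historian polls PLC
]

# Constructed traffic observed later. Every flow is Modbus/TCP to the same
# PLCs, so a port-based firewall rule passes all of it.
OBSERVED = [
    Flow("10.1.1.10", "10.1.1.20", "modbus", "read_holding_registers"),  # unchanged
    Flow("10.1.1.10", "10.1.1.20", "modbus", "write_single_register"),   # HMI now writes a variable
    Flow("10.1.1.99", "10.1.1.21", "modbus", "program_download"),        # unknown host uploads a program
    Flow("10.1.1.11", "10.1.1.20", "modbus", "read_coils"),              # unchanged
]

Key = Tuple[str, str, str, str]


def build_baseline(snapshot: Iterable[Flow]) -> FrozenSet[Key]:
    """The baseline is simply the set of (src, dst, proto, operation) tuples seen."""
    return frozenset((f.src, f.dst, f.proto, f.operation) for f in snapshot)


def detect_deviations(baseline: FrozenSet[Key], flows: Iterable[Flow],
                      maintenance_window: bool = False) -> List[dict]:
    """Return one event per flow that is absent from the baseline."""
    known_hosts = {k[0] for k in baseline} | {k[1] for k in baseline}
    events = []
    for f in flows:
        if (f.src, f.dst, f.proto, f.operation) in baseline:
            continue
        reasons = []
        if f.src not in known_hosts:
            reasons.append("new source asset")
        if f.operation in STATE_CHANGING:
            reasons.append("state-changing operation")
        if not reasons:
            reasons.append("new communication pair")
        severity = "high" if f.operation in STATE_CHANGING else "medium"
        # A declared maintenance window downgrades the event instead of
        # suppressing it, so planned engineering work does not flood the SOC
        # but still leaves a record.
        if maintenance_window:
            severity = "low"
        events.append({"flow": f, "severity": severity, "reasons": reasons})
    return events


if __name__ == "__main__":
    base = build_baseline(SNAPSHOT)
    for ev in detect_deviations(base, OBSERVED):
        print(ev["severity"], ev["flow"], ", ".join(ev["reasons"]))
```

Running it against the constructed traffic yields two events: the HMI writing a register to a PLC it previously only read from, and an address never seen in the snapshot downloading a program. Both are the "normal communications" a firewall cannot distinguish; the baseline can. Re-running the detector on the snapshot itself yields nothing, which is the sanity check to perform whenever a baseline is rebuilt.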
You are collecting, archiving and correlating OT security events that can help you run forensic investigations. This might also be a regulatory requirement for your industry.
Did you know that Cisco Cyber Vision logs all OT security events, acting as the "flight recorder" for your industrial network? It also sends OT security events to your Security Information and Event Management (SIEM) tool, such as IBM QRadar or others, so that you can implement a converged event management strategy.
But how can you make all this information actionable? Cisco SecureX is designed specifically for that. It empowers your Security Operations Center (SOC) team with a single console that aggregates threat intelligence and data from multiple security technologies—Cisco and others. It overcomes many challenges by making threat investigation and remediation fast, simple and highly effective.
Collecting and archiving OT security events may be a regulatory requirement for your industry. Tracking these events will also help you run forensic investigations to understand which industrial assets have been affected by an attack. Cisco Cyber Vision helps you achieve this. It logs all OT security events, acting as the "flight recorder" for your industrial network.
Because attacks generally spread across both IT and industrial networks, OT events must be correlated with IT events to ensure you make the right decisions. Cyber Vision sends OT security events to your Security Information and Event Management (SIEM) tool, such as IBM QRadar or others, so that you can implement a converged event management strategy.
Cisco SecureX leverages this OT information to accelerate threat hunting and incident management by aggregating threat intelligence and data from multiple security technologies—Cisco and others—into one unified view.
You have invested time and effort to build a security incident response plan. This is key to minimizing damage and downtime in case you are hit by an attack. But does your team have the skills to update your plan for a landscape filled with ever-changing threats? Do you test it through table-top exercises?
Cisco Talos Incident Response (CTIR) provides proactive services to strengthen your security posture, enhance your plans, test your capabilities and more. If you require emergency assistance, our global responders are engaged within hours to help you respond and recover from a breach. Leverage the world's largest threat intelligence and research group to extend your team's capabilities and bolster your defense.
Don't be caught by surprise. Test your defense. Train your team. Know how to react. Be ready to minimize damage and downtime in case you are hit by an attack. Building incident response capabilities is critical and requires both skills and time.
Cisco Talos Incident Response (CTIR) provides a full suite of proactive and emergency services to help you prepare for, respond to and recover from a breach. Leverage the world's largest threat intelligence and research group to develop customized playbooks, formalize security incident response testing through table-top exercises, determine what can be detected with real attacks simulated cooperatively with the Cisco Red Team, and more.
You are actively maintaining the skills of your team and keeping up to date on device vulnerabilities, attack tactics and tools. This approach is key to protecting your organization. Here are a few additional sources of information you should consider:
The threat landscape is continuously evolving and attackers are never short of ideas. Maintaining the skills of your team and keeping up to date on device vulnerabilities, attack tactics and the latest tools to protect your organization are key. Here are a few things you can easily do:
Contact us to discuss your needs with an OT Security expert.
For more recommendations on how to secure your industrial operations, please consider reading these documents: