This document discusses transformative trends in cybersecurity for industrial networks and the Internet of Things. It covers several key topics: Industrial networks have benefited from transitioning to modern Ethernet and IP technologies, but require features like reliability and security. Securing these networks involves ensuring confidentiality, integrity and availability at the edge, in the WAN, for internet-facing systems and through interconnects. Modern security also segments networks and provides consistent policy control and high performance. The document provides guidance on traditional and modern firewall design and considerations for securing wireless networks and branch offices.

1. GENERAL PERSPECTIVE ON
TRANSFORMATIVE INDUSTRY TRENDS IN
CYBER-SECURITY AT DESIGNING
SOLUTIONS FOR THE INDUSTRIAL
INTERNET OF THINGS, TRADITIONAL
PNEUMATIC AND ACTUATING CONTROL
SYSTEMS.
-
By Kapil Sabharwal

2. INDUSTRIAL PROCESS AUTOMATION SYSTEMS, PROCESS CONTROL SYSTEMS & DATA SYSTEMS BENEFITED GREATELY FROM TRANSITIONING
OF THEIR OPTIMIZED NETWORKS THAT WERE TYPICALLY USED IN PAST TO MODERN ETHERNET & IP NETWORKING TECHNOLOGIES.
INDUSTRIAL NETWORK DESIGN REQUIREMENTS INCLUDED FOLLOWING KEY FEATURES:
INDUSTRIAL CHARACTERISTICS:
THE ENVIRONMENT IN INDUSTRIAL PLANTS PRESENTS UNIQUE CHALLENGES, SUCH AS RF DISTURBANCE, AMBIENT TEMPERATURE,
SHOCK OR VIBRATION, HUMIDITY & CHEMICAL INTERACTIONS THAT MUST BE CONSIDERED.
INTERCONNECTIVITY & INTEROPERABILITY:
THE PROTOCOLS APPLIED IN INDUSTRIAL NETWORKS & DEVICES FROM DIFFERENT VENDORS SHOULD BE VALIDATED FOR
INTERCOMMUNICATIONS WITH EACH OTHER.
REAL-TIME COMMUNICATION, PERFORMANCE AND HIGH AVAILABILITY:
INDUSTRIAL NETWORKS ARE MISSION CRITICAL, REVENUE IS IMPACTED NEGATIVELY IF THEY ARE NOT AVAILABLE.
SECURITY: SECURITY FOR INDUSTRIAL NETWORKS WHEN CONNECTED EXTERNALLY AND INTERNALLY IS PARAMOUNT.
SCALABILITY, RUGGEDIZED AND HARDENED NETWORK DEVICES IN THE PLANT OPERATING ENVIRONMENT.

5. Whenever there is a reference of the Cybersecurity: Three Points directly applies to it.
Confidentiality, Integrity and Availability of Systems & Data achieved through procedures, softwares and hardware
products.
Securing the Edge:
WAN:
Challenges: Connecting to external sources
Solution: Hardened, trusted routing, securing overlays and underlays.
Internet facing systems:
Challenges: Known, Unknown vulnerabilities, Malware.
Solution: Deep Packet Inspection with custom signatures.
Availability:
Challenges: DDOS Attacks.
Solution: Heuristic-based ID for all traffic including Layer 7.
Interconnects:
Challenges: Confidentiality and Integrity of the data transmitted.
Solution: IPSEC tunneling at Layer 3 MPLS over GRE, EVPN or VPLS at Layer 2.

6. Securing Data Center Core
Challenges:
• Complexity inherent with Virtualization and Containerization.
• Speed and Performance.
• Resilience.
Solution:
Segmentation and micro-segmentation.
Management and policy control consistency.
High Speed performance connections.
Separation of data, control plane.
Stateful HA, High reliability.

7. Traditional Security Architectures:
• IPSEC VPNs.
• NGFWs.
• Threat Management.
• Stateful Security or Session Based.
Firewall Design Requirements:
A)
• Identify Security requirements for your Organization.
• Network Applications Discovery.
• Automated network discovery.
B)
Define overall Security Policy. Define Environment, Identify resources, systems critical to the network and other
systems that require security.
C)
Objectives for your firewall deployment.
Private addressing usage, specify how the firewall is to be managed and updated.
Identify the security vulnerabilities in the network and rectify them.
D)
Firewall enforcement Points:
Edge: Internet / Border Facing.
Core: Corporate Facing: Outgoing traffic, attack protection from the inside network.

8. Confidentiality:
Keep data secure with cryptography/ encrypting the data.
Integrity: Ensuring the data remains unchanged.
Authentication:
Threat Management Services:
Anti-Virus.
Anti-Spam.
Anti-Malware Grid.
Web-Filtering.

9. Modernize your Perimeter/ Edge:
Application Visibility Control.
Intrusion Prevention.
User-Based Firewall.
Threat Management:
Anti-Virus.
Anti-Spam.
Web-Filtering.
NAT.
Reporting.
Botnets/ C&C.
VPN.
Analytics.
Evasive Malware protection.
Reporting and Analytics.
Routing and Automation.

10. Network Security Tasks for Branch Offices:
Need to control access for wired and wireless users.
Allow remote access and BYOD.
Isolate network segments and control communications.
Protect from threats.
Securely Connect to different locations.
Classify who is the customer of your network?
Corporate Users : Must be authenticated, Access based on role.
Guest Users:
How is the access Provided?
Wired.
Wireless.
Remote: IPSEC VPNs and SSL VPNs.
Network Segmentation and Edge Security, Application Level Security, Access Control and Authentication,
Layer 2 Security Functions.
Make policies standard and simple, Add deny all rule with Session logging last, use global policy feature.

11. Wireless Considerations:
Encryption and Authentication.
Guest Access.
Access Point Types:
Controller Based.
Non-Controller Based.
Location Services and Analytics.