August 8, 2022-Cyber attack on a provider of IT services in Frankfurt/Main
 

August 7, 2022-Hacker attack on a provider of medical products in Franconia
 

August 4, 2022-Cyber attack on chambers of industry and commerce in Germany
 

Headlines about cyberattacks like this adorn the media almost daily. The German Federal Office for Information Security (BSI) rates the threat to cyber security in 2023 as "higher than ever before". Even manufacturing companies are not spared from cybercrime. An attack on a production plant can quickly bring it to a standstill. The result is damage running into millions. To prevent this, it helps to take a look at OT security.

IEC 62443 and Defense in Depth

The IEC 62443 series of standards is currently regarded as the industry standard for cybersecurity by test centers, product manufacturers and operators. To protect a plant, the three central zones for protecting an industrial plant are defined using the multi-layered basic concept of "Defense in Depth":
 

1. Plant security
2. network security
3. System integrity
    

Here we focus on network security, which is strongly defined by the underlying segmentation.
 

Risks in Existing Systems due to Established Structures 

The first step in securing the system technology is to review the network architecture. This begins with an inventory of the logical and physical network layout. Historically evolved structures are often found here. 

The following security risks can come to light: 

• No clear separation between IT and OT
• No channeling of IT access, multiple access points from IT to OT
• No segmentation and cell formation of sub-systems
• Direct connections from IT devices to OT and vice versa
• Direct connection of networks of different security classes through multihoming (end devices as participants in several networks) 

These conceptual security risks make it easier for viruses and malware from the IT sector to gain access to production. Even more critical, however, is the fact that viruses can spread across many networks, plant components, machines and even locations in the event of damage.
The aim of sensible segmentation is to restrict unnecessary cross-functional network traffic. Necessary cross-functional data exchange is strictly regulated, monitored and is only available to those end devices that actually need the information. This ensures the best possible security and performance of the network and therefore of the entire system technology.

Network Segmentation in Practice 

The network configuration shown here illustrates the exemplary network segmentation of a modern paper mill. When designing the network architecture, the system requirements of IEC 62443-3-3 were taken into account and consistently implemented.

In this example, the OT network is segmented horizontally and vertically. The vertical segmentation, based on the "three-layer hierarchical model" developed by Cisco, is divided into access, distribution and core layers, whereby the distribution layer can in turn be subdivided into the aggregation and backbone areas for medium-sized network architectures. 
This type of segmentation, which aims to channel the data flow upwards, leads to significantly fewer connections between individual devices and drastically reduces the complexity of a network. 
The core layer represents the preferred connection of the OT network on the corporate network side and, in this constellation, is not usually the responsibility of operational technology.
 

Access Layer 

The components of individual machine and system parts are networked at access or cell level. Classic fieldbus networks can be found here in ring/line and tree structures, depending on the redundancy requirements. IEC 62443-3-3 requires a logical and physical separation of critical and non-critical automation networks. The required isolation is organized by forming so-called cells. The incoming and outgoing data stream of the cell can also be controlled by a cell firewall.
 

Aggregation Layer 

The main purpose of the aggregation layer is to establish a connection between the access level and the backbone, which requires high data rates from the switches used. In our example, the aggregation layers are divided according to plant areas of the paper mill (PM, SM, power plant, equipment...). In addition, those physical servers, clients, WLAN access points etc. that can only be assigned to the respective plant area, can be connected here. At this level, it is advisable to use VLANs for the logical segmentation of certain functions such as terminal, system and management bus as well as for connecting individual isolated cells. This requires the use of layer 2 switches.
 

Backbone Layer 

The backbone is the central connection point of the network. The network devices in this layer establish the connections of the aggregation levels to the hosts of the data center and the DMZ and from there to IT. High-performance network devices and next-generation firewalls are used to coordinate and check data traffic.
 

Industrial Data Center 

This network area contains the hosts for providing all applications and services that are used exclusively in the OT network and do not require a direct connection to IT. These include virtualized control technology servers, engineering servers, network management, backup systems, production data acquisition and RADIUS. If a domain independent of IT is used for the OT area, the domain controllers can also be hosted here.