Network Segmentation for Secure Manufacturing

Bringing computerised OT networks, CNC equipment, and other connected machinery onto the factory floor also introduces additional cybersecurity risk. Network segmentation using modern next-generation firewalls can mitigate that risk. Learn how Tarbh Tech worked with an Irish manufacturing company to secure its network.

The Challenge

Success in manufacturing today requires a constant focus on improving productivity and quality, which has led to a significant increase in the computerisation of the factory floor. This computerisation of Operational Technology (OT) networks is frequently termed “Industry 4.0”, a term that originated with a German government initiative promoting the computerisation of manufacturing. At the same time, manufacturing businesses must continually demonstrate to clients that cybersecurity is considered as part of this adoption. Management therefore needs to balance factory floor productivity against genuine cybersecurity demands, particularly when new machinery often employs embedded systems, runs older operating systems, and is routinely managed remotely.

How do you protect your production environment when you don’t have admin access? In most cases, you can’t install antivirus agents, upgrade operating systems, or apply security patches.

These were the challenges a Limerick-based high-tech manufacturing company brought to Tarbh Tech at the beginning of 2020. Despite the worldwide COVID lockdowns, the company was experiencing significant business expansion, introducing many new machines and further computerisation, and found that its network environment and cybersecurity measures needed improvement.

The Specifics

Tarbh Tech conducted an internal audit, identifying the following deficiencies:

  • Rapid growth meant new staff were onboarded without training on technology “Acceptable Use” policies or information security.
  • Many technology changes on the factory floor were introduced without planning for the overall system life cycle, upgrade, or the retirement of outdated, unsupported systems.
  • Change management was ad-hoc, with no documentation of change requests to firewalls or other critical business systems.
  • The network was a maze of interlinked consumer hubs and switches with significant stability issues.
  • The firewall was also a consumer model and did not provide a sufficient level of security to address modern threats: there was no web filtering or IP reputation to limit exposure to damaging websites, nor were there any intrusion prevention, antimalware, or antivirus capabilities.
  • All company emails resided in Microsoft Office 365, yet no comprehensive anti-spam, antimalware, or anti-phishing measures were in place.
  • Finally, there was neither full-time IT staff nor anyone trained to monitor the environment for potential cybersecurity threats.

The Solution

Working closely with the client, Tarbh Tech implemented several vital upgrades and changes over a number of months, focusing initially on protecting embedded manufacturing systems by adopting network segmentation.

“Network segmentation in computer networking is the act or practice of splitting a computer network into subnetworks, each being a network segment. Advantages of such splitting are primarily for boosting performance and improving security.”

Source: Network segmentation – https://en.wikipedia.org

Visio image of proposed Factory network topology, outlining the various zones required for network segmentation.

Tarbh Tech deployed a Fortinet Security Fabric, incorporating a FortiGate firewall, FortiSwitches, FortiClient EMS, and FortiAnalyzer, to provide a single management plane from edge to endpoint within the company. Many of the existing manufacturing systems had hard-coded network addressing. As a result, much of the effort involved working with the existing IT provider to deploy new Active Directory servers on new subnets, create new DHCP scopes, and re-IP printers, WiFi access points, and endpoints.

Several FortiSwitches were deployed on the factory floor, with fibre connectivity back to the FortiGate, allowing all network ports and devices to be seen and secured from the firewall. In addition, where supported, the FortiClient antivirus / antimalware agent was installed on endpoints, giving complete visibility of security issues, vulnerabilities, and network activity, as seen in the example below.

Image of a Fortinet FortiGate GUI showing the various components of a Security Fabric.

With the Security Fabric in place, non-production systems were migrated to the new networks. In addition, appropriate firewall, antimalware, and antivirus rules were implemented for all communications between desktops and laptops and the manufacturing systems running the business. Remote access for vendor maintenance was provided over SSL VPN, removing the need for third-party remote access software, which is so often abused by malicious threat actors during a cybersecurity incident.
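As an added illustration of the segmentation pattern described above (this is not the client's configuration or Tarbh Tech's), the FortiOS CLI fragment below keeps the hard-addressed CNC subnet in its own zone, permits one inspected flow from corporate workstations, routes vendor access through the SSL VPN interface, and relies on the firewall's implicit deny for everything else. Interface names, subnets, group and profile names are assumptions.

```text
# Added example, not the client's configuration. Interface names (corp-lan,
# ot-floor), subnets, group and profile names are assumptions.
config firewall address
    edit "Corp-Workstations"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "OT-CNC-Subnet"
        # Hard-coded addressing on the machines is kept; the subnet simply
        # becomes its own zone behind the firewall.
        set subnet 192.168.50.0 255.255.255.0
    next
end
config firewall policy
    # Workstations may reach the CNC subnet only for the file-transfer
    # service the machines actually use, with AV and IPS inspection and
    # full logging so FortiAnalyzer sees every session.
    edit 10
        set name "Corp-to-OT-restricted"
        set srcintf "corp-lan"
        set dstintf "ot-floor"
        set srcaddr "Corp-Workstations"
        set dstaddr "OT-CNC-Subnet"
        set action accept
        set schedule "always"
        set service "SMB"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
    # Vendor engineers connect over SSL VPN and must be in the vendor group;
    # the tunnel interface is the only path into the OT zone from outside.
    edit 11
        set name "Vendor-SSLVPN-to-OT"
        set srcintf "ssl.root"
        set dstintf "ot-floor"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "OT-CNC-Subnet"
        set action accept
        set schedule "always"
        set service "RDP"
        set groups "vendor-ot-engineers"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
    # No policy from ot-floor to the corporate LAN or the WAN: FortiOS drops
    # anything not matched above (implicit deny), so machines cannot initiate
    # sessions out of their zone.
end
```

Because the deny is implicit, the policy list itself documents every permitted cross-zone flow, which is what a change-management record for the firewall should be reviewed against.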

Photo of deployed Fortinet FortiSwitches. This architecture has grown considerably, with switches distributed around the factory floor.

The Result

While network segmentation, using a Fortinet Security Fabric to provide end-to-end visibility, was only one of many changes implemented, it has given the client the confidence to continue the rapid expansion of its factory floor. The number of ports provisioned doubled during the project, improving the security and performance of the manufacturing network.