Benefits of Adopting Secure Access Service Edge for Operational Technology Security

Author: Krishna Das Manghat, CISA, CCIE, CCISO, CISSP, CSSA, Azure and AWS Solution Architect, Forrester Certified Zero Trust Framework Specialist, ISO 27001:2013 LA, PMP
Date Published: 28 April 2022

Traditional operational technology (OT) networks are built on the rigid 6-level (level 0 to level 5) hierarchical Purdue model,1 which has worked well for the last few decades. However, with Industry 4.0,2 organizations, especially in sectors such as manufacturing and utilities, are starting to question the status quo and explore newer technologies such as the industrial Internet of Things (IIoT)3 to capture its benefits and stay ahead of their competition. These newer industrial technologies focus primarily on performance and connectivity and do not necessarily ship with sufficient built-in security. Therefore, it is imperative to explore supporting technology stacks such as secure access service edge (SASE)4 to close the gaps and bolster security for OT networks.

The Traditional Purdue Model

Traditional OT networks that are built on the Purdue model consist of 6 levels (figure 1):

  • Level 0 contains physical process devices such as sensors and actuators.
  • Level 1 hosts field controllers such as programmable logic controllers (PLCs).
  • Level 2 hosts supervisory systems such as supervisory control and data acquisition (SCADA) servers and human-machine interfaces (HMIs).
  • Level 3 hosts site-wide operations, control and monitoring systems.
  • Between level 3 and level 4, a demilitarized zone (DMZ)5, commonly referred to as level 3.5, is placed to protect the OT network from attacks coming from or through the enterprise IT network. No enterprise system talks directly to an OT system; flows in either direction terminate on a broker (e.g., a replicated historian or a jump host) in the DMZ.
  • Level 4 includes database servers, application servers and file servers.
  • Level 5 includes enterprise IT networks and systems.

Enterprise IT systems connect with their remote OT sites and the corresponding management servers or OT devices through shared wide area networks (WANs) such as multiprotocol label switching (MPLS) networks.

Figure 1— The Purdue Model

Source: Adapted from Ackerman, P.; Industrial Cybersecurity: Efficiently Secure Critical Infrastructure Systems, Packt Publishing, United Kingdom, 18 October 2017

In the traditional model, OT networks are reasonably well protected because they are never exposed directly to the WAN or the Internet. All traffic passes through the enterprise IT network, which incorporates the DMZ and perimeter controls such as firewalls that support site-to-site virtual private networks (VPNs), intrusion detection systems (IDSs), intrusion prevention systems (IPSs), IP allow lists (whitelisting) and payload encryption. This protection holds only as long as the DMZ policy is actually enforced: a single firewall rule that lets a level 4 or level 5 host reach a level 2 HMI directly collapses the model.
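The Purdue rules described above (OT and enterprise may only meet in the DMZ, the DMZ brokers only for level 3, adjacent OT levels only) can be checked mechanically against a firewall rule set. The following is an added example, not code from the article or from any vendor; the zone names, the level-to-zone mapping, the pseudo-level 6 for the WAN/Internet and the sample rules are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed zone-to-level mapping. 3.5 is the IT/OT DMZ; 6.0 is a pseudo-level
# used here for the WAN/Internet (it is not a Purdue level).
LEVELS = {
    "process": 0.0,          # level 0: sensors, actuators
    "field": 1.0,            # level 1: PLCs and other field controllers
    "supervisory": 2.0,      # level 2: SCADA, HMI
    "site_ops": 3.0,         # level 3: site operations and monitoring
    "dmz": 3.5,              # IT/OT DMZ
    "enterprise_apps": 4.0,  # level 4: database, application, file servers
    "enterprise": 5.0,       # level 5: enterprise IT
    "internet": 6.0,         # WAN / Internet (pseudo-level)
}

OT_MAX = 3.0  # everything at or below this level is inside the OT network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # zone name from LEVELS
    dst: str   # zone name from LEVELS
    port: int


def check_rule(rule: Rule) -> list:
    """Return the Purdue violations for one permit rule (empty list means OK)."""
    s, d = LEVELS[rule.src], LEVELS[rule.dst]
    lo, hi = min(s, d), max(s, d)
    findings = []
    # 1. No flow may cross the IT/OT boundary (or reach the WAN) without
    #    terminating in the DMZ.
    if lo <= OT_MAX and hi >= 4.0:
        findings.append("crosses the IT/OT boundary without terminating in the DMZ")
    # 2. The DMZ brokers between level 3 and the enterprise; it must not be
    #    wired to lower OT levels or exposed directly to the WAN/Internet.
    if 3.5 in (s, d):
        other = d if s == 3.5 else s
        if other < 3.0:
            findings.append("DMZ connected below level 3")
        if other == 6.0:
            findings.append("DMZ exposed directly to the WAN/Internet")
    # 3. Inside the OT network only adjacent levels talk to each other
    #    (no HMI straight to a sensor, no engineering workstation to a PLC's I/O).
    if hi <= OT_MAX and hi - lo > 1.0:
        findings.append("skips a Purdue level inside the OT network")
    return findings


def audit(rules) -> dict:
    """Map each violating rule name to its findings; compliant rules are omitted."""
    result = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            result[rule.name] = findings
    return result


# Constructed sample rule set (hypothetical, for illustration only).
SAMPLE_RULES = [
    Rule("hmi-to-plc", "supervisory", "field", 502),              # Modbus/TCP, adjacent levels
    Rule("historian-to-dmz", "site_ops", "dmz", 1433),            # level 3 replicates into DMZ
    Rule("erp-reads-dmz-historian", "enterprise_apps", "dmz", 1433),
    Rule("vendor-rdp-to-hmi", "enterprise", "supervisory", 3389),  # bypasses the DMZ
    Rule("plc-telemetry-to-cloud", "field", "internet", 8883),    # OT device straight to WAN
    Rule("eng-ws-to-sensor", "site_ops", "process", 4840),        # skips levels 1 and 2
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```

The validator is deliberately strict in one direction only: it flags boundary crossings and level skipping but says nothing about ports or direction, so a rule that passes here still needs the usual protocol and initiator review.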

The IIoT Model

IIoT is the extension and use of the Internet of Things (IoT) in industrial sectors, where OT networks form a key part of the technology stack. IIoT derives its efficiency and performance primarily from cloud computing. Organizations adopting IIoT can leverage the flexibility and scalability of the public cloud and run management, storage, orchestration, monitoring and control workloads natively there. However, adoption of a public cloud comes with security concerns, especially for organizations connecting their on-premises OT networks to public cloud environments.

With the cloud-based IIoT operating model, the traditional 6-level Purdue model no longer holds, because the OT network and the enterprise IT network are separate and each connects to the cloud directly over the WAN/Internet for management, orchestration, monitoring and control. This connectivity, as shown in figure 2, is designed primarily for performance.

Figure 2— IIoT Model

However, this new model also brings a critical security concern: the OT network now has its own Internet-facing gateway, and a successful compromise of that gateway could expose the entire OT infrastructure to attack. Thus, it becomes imperative to add adequate guardrails across the 3 types of sites/networks:

  1. OT network sites, which consist of physical OT devices (e.g., actuators and sensors) and programmable controllers
  2. Enterprise IT sites
  3. Cloud, which hosts the organization’s OT and IT platform services for management, storage, orchestration, monitoring and control

The traditional best practice for adding guardrails is a defense-in-depth (DiD) strategy, whereby security solutions are layered one on top of another so that an attack must be mitigated or prevented at multiple levels. Although this approach is effective, it presents challenges for organizations running both IT and OT environments. The top 3 challenges faced by these organizations are high CAPEX and OPEX cost, management complexity and poor user experience.


SASE: An Alternative Approach

With the advent of SASE, a technology used to deliver WAN and security controls as a cloud computing service,6 organizations adopting the principles of Industry 4.0 and IIoT can apply a single solution based on zero trust network access (ZTNA), combining functions including VPN, software-defined WAN (SD-WAN)7 and cloud-native security functions such as secure web gateways, cloud access security brokers (CASBs) and firewalls. The ways SASE addresses the top 3 challenges faced by organizations that adopt the traditional defense-in-depth approach include:

  • SASE solutions are license based. These licenses come with options that are suitable and appropriately priced for organizations of all sizes based on their needs. Many organizations running IT and OT networks have already realized a lower total cost of ownership (TCO) from the single license and lower maintenance costs compared to the traditional model.
  • Many SASE vendors provide a single pane of glass for orchestration, visibility, monitoring and control. This is critical because it allows organizations to complete activities such as change management and incident management and response in shorter windows, preserving availability, which is the most important aspect of the CIA triad for OT environments.8
  • SASE solutions provide an improved user experience while maintaining security guardrails, because ZTNA brokers access to individual applications on the basis of identity and device posture rather than forcing all traffic through a full-tunnel VPN to a fixed perimeter.
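The ZTNA decision that sits at the centre of a SASE deployment, and that addresses the compromised-gateway concern raised above for the IIoT model, can be illustrated with a small policy evaluator. This is an added example and not code from the article or from any SASE product; the application inventory, group entitlements and request attributes are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed application inventory: the site that hosts each application and its
# sensitivity tier. "ot-control" is an HMI/SCADA front end, "ot-data" is the
# cloud-hosted historian fed by IIoT gateways, "business" is ordinary IT.
APPS = {
    "hmi-plant-a":     {"site": "ot",    "tier": "ot-control"},
    "historian-cloud": {"site": "cloud", "tier": "ot-data"},
    "erp":             {"site": "cloud", "tier": "business"},
}

# Assumed entitlements: which identity groups may be brokered to which application.
# Note that the gateway group is entitled to the historian only, never to the HMI.
ENTITLEMENTS = {
    "hmi-plant-a":     {"ot-operators"},
    "historian-cloud": {"ot-operators", "ot-gateways", "plant-analytics"},
    "erp":             {"finance"},
}


@dataclass(frozen=True)
class Request:
    subject: str
    groups: frozenset
    workload: bool          # True for a machine identity such as an IIoT gateway
    mfa: bool               # True if the human completed multi-factor authentication
    device_managed: bool    # enrolled in device management
    device_compliant: bool  # current posture check passed
    site: str               # where the connection originates: ot, enterprise, remote, cloud
    app: str                # destination application name


def decide(req: Request) -> tuple:
    """Return ("allow"|"deny", reason). Default is deny; network location is
    never a sufficient condition, which is what distinguishes ZTNA from a VPN."""
    app = APPS.get(req.app)
    if app is None:
        return ("deny", "unknown application")
    if not (req.groups & ENTITLEMENTS[req.app]):
        return ("deny", "no entitlement for application")
    if app["tier"].startswith("ot"):
        # Every OT-tier access requires a managed, compliant endpoint.
        if not (req.device_managed and req.device_compliant):
            return ("deny", "device posture check failed")
        # A gateway that only publishes telemetry must never be able to reach a
        # control-tier application, so a compromised gateway cannot pivot to the HMI.
        if req.workload and app["tier"] == "ot-control":
            return ("deny", "workload identities may not reach control-tier applications")
        # Humans must have completed MFA for anything in the OT tiers.
        if not req.workload and not req.mfa:
            return ("deny", "MFA required for OT applications")
    # The broker connects the client to the application's site; the originating
    # site is recorded for audit but did not influence the decision.
    return ("allow", f"brokered from {req.site} to {app['site']} site")


def evaluate(requests) -> list:
    """Evaluate a batch of requests and return (subject, app, decision, reason) rows."""
    return [(r.subject, r.app) + decide(r) for r in requests]


# Constructed sample requests (hypothetical identities and devices).
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"ot-operators"}), False, True, True, True, "remote", "hmi-plant-a"),
    Request("alice", frozenset({"ot-operators"}), False, False, True, True, "enterprise", "hmi-plant-a"),
    Request("gw-plant-a", frozenset({"ot-gateways"}), True, False, True, True, "ot", "historian-cloud"),
    Request("gw-plant-a", frozenset({"ot-gateways"}), True, False, True, True, "ot", "hmi-plant-a"),
    Request("bob", frozenset({"plant-analytics"}), False, True, False, False, "remote", "historian-cloud"),
    Request("carol", frozenset({"finance"}), False, True, True, True, "enterprise", "hmi-plant-a"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print(row)
```

The first two rows show the point of ZTNA: the operator is allowed from a remote location with MFA and a compliant device, and denied from inside the enterprise network without MFA. The gateway rows show the blast-radius limit: the same machine identity that publishes to the cloud historian gets no path to the HMI even though it sits on the OT site.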

Conclusion

Organizations, especially in industries such as manufacturing and utilities, that are aiming to transform themselves by adopting principles of Industry 4.0 understand the need to keep security at the core of their transformation. However, the traditional approach of following the DiD strategy is expensive, complex and not user friendly. Therefore, it is critical for organizations to consider adopting the SASE architecture. SASE, with all its network and security capabilities embedded in a single software stack, helps organizations address critical security concerns, reduce TCO, simplify management and improve user experience.

Author’s Note

The views and opinions expressed in this article are the author’s and do not reflect any official position, policy or view of the author’s employer.

1 Ackerman, P.; Industrial Cybersecurity: Efficiently Secure Critical Infrastructure Systems, Packt Publishing, United Kingdom, 18 October 2017
2 Moore, M.; "What Is Industry 4.0? Everything You Need to Know," TechRadar, 2 January 2020
3 Posey, B.; L. Rosencrance; "Industrial Internet of Things (IIoT)," TechTarget, March 2022
4 Korolov, M.; "What Is SASE? A Cloud Service That Marries SD-WAN With Security," Network World, 8 September 2020
5 Lutkevich, B.; "DMZ in Networking," TechTarget, July 2021
6 Op cit Korolov
7 Irei, A.; "SD-WAN (Software-Defined WAN)," TechTarget, April 2021
8 Chai, W.; "Confidentiality, Integrity and Availability (CIA Triad)," TechTarget, January 2021

Krishna Das Manghat, CISA, CCIE, CCISO, CISSP, CSSA, Azure and AWS Solution Architect, Forrester Certified Zero Trust Framework Specialist, ISO 27001:2013 LA, PMP

Is an associate director at KPMG Australia. He provides advisory consulting and strategic services related to cybersecurity. He specializes in cyberstrategy and governance and cyberdefense services. He has assisted many organizations across sectors including manufacturing, retail, government and public sector, banking, telecommunications, technology, and utilities in Australia and the Asia-Pacific region. Manghat is a national cyberlead for the cloud security and critical infrastructure service lines. He is also an event speaker, a member of the board of the ISACA® Sydney (Australia) Chapter and a mentor at the University of New South Wales, Australia. He is an author and expert reviewer of cybersecurity content that has been published by organizations including ISACA. Manghat is passionate about helping organizations discover their strengths and weaknesses and helping them develop road maps and arrive at strategies to achieve their business objectives. He shares this knowledge through research studies with manufacturers, consultants, education services and standards recommendations.