A Quick Look at How To Secure The Manufacturing Plant Floor
Director and Principal of Security, Versa Networks
April 18, 2023
Recently I have had a few manufacturing customers requesting in-depth conversations about how they can better secure their plant floor/non-carpeted environments. During these conversations we explored the different types of manufacturing environments that a single customer can have; the many different operational requirements for each environment; the specific fears that each of these customers has; and the different ways that each manufacturing environment is secured today based on those requirements. One of the things that I found incredibly interesting was that all of the customers I was talking to had a very similar objective: to consolidate the different security methods into a single solution that has the ability to meet all of the requirements set forth for each manufacturing environment.
First off, let’s define what a non-carpeted area is. A non-carpeted area, also known as a shop floor, is the area where production takes place. A non-carpeted area excludes the area used or designated for administrative activities, also known as the carpeted area. These areas normally have very few “smart” machines such as desktops/laptops but are highly populated with computer-aided machinery, which falls under the IoT (Internet of Things) technology umbrella. Typically, these devices are highly susceptible to malicious attacks because they run on a minimal operating system, which is usually Linux based. Because of this, customers worry about things such as the weaponization of this equipment, the use of IoT devices to initiate phishing attacks, the reprogramming of these devices to initiate a distributed denial-of-service (DDoS) attack, or even having them become network listeners/jump systems that allow a malicious actor to exfiltrate data. The March 2021 breach of video and AI company Verkada is a perfect example of one of these fears coming true. Threat actors breached the network and gained access to over 150,000 internet-connected security cameras for 36 hours. Adversaries moved laterally across the network and gained access to videos and images from Verkada’s customers, including Tesla and Nissan. The data was then leaked online, creating panic among the organizations.
Other security solutions that have been implemented include security segmentation (micro/macro) using layer 3 access control lists (ACLs), or even security group tags to tightly restrict traffic across the layer 2/layer 3 segments of the network. And lastly, a common implementation is the use of layer 4/layer 7 firewalls to create protected enclaves for these networks.
All of these solutions have a common theme, however. The maintenance of the environments becomes extremely manual, as each solution requires you to restrict access to the enterprise network as much as possible. These restrictive approaches basically sacrifice network usability and access in favor of increased security. If the organization doesn’t have the ability to remotely manage the environments, then it must incur either the cost of having highly trained professionals at each site who can directly log into the environment, or the cost of travel for individuals to go to these locations and perform periodic maintenance. Also, each one of these environments incurs additional costs to build, as a completely separate architecture must be implemented to support each solution.
This is where the Versa SASE Platform comes into play. The platform includes a Zero Trust Everywhere (ZTE) solution delivering inline Zero Trust enforcement at the LAN layer. This approach allows an organization to achieve all of the security criteria above, with features such as multitenancy for air-gapped networks or strict logical/physical segmentation; layer 7 firewall rules that eliminate the need for basic layer 3 access control lists; and Zero Trust network access using identity-based network access control to allow authorized users to cross from the carpeted environment to the non-carpeted environment. Also, because the ZTE solution is delivered as part of the Versa SASE platform, an organization can also implement Versa Secure SD-WAN to securely connect each segmented environment to the others as one large production floor network, managed from a single pane of glass. Finally, using the Versa SSE portion of the SASE platform, an organization can implement integrated Next Generation Firewall services that perform deep packet inspection while delivering advanced threat protection for the non-carpeted environment. This allows an organization to apply granular security by identifying IoT devices in the non-carpeted environment, allowing for more automation and easier management, while giving the ability to keep all devices up to date with the latest patches, and much more.
If you are interested in what a ZTE solution can mean for your environment, please check us out. Hit the Contact Us button and drop us a line. We will get you in touch with a security expert to help identify the right security architecture from Versa Networks to fit your security needs.