Industrial Infrastructure is Moving to the Cloud with Cryptographic Zoning
Things are changing for industrial infrastructure, and the choices operators make will determine which organizations will win or lose. The shape of organizations that will emerge as winners is clear: they will be efficient, effective and – most importantly – they will be connected. Part of this connectivity will be cloud-based, and the industrial cybersecurity community has been stymied trying to come up with a way to deliver appropriate protection for Industrial Control Systems (ICS) in the cloud. Cryptographic zoning provides a framework that supports the business needs of industrial enterprises while remaining within the standards and guidelines for industrial cybersecurity.
The traditionally isolated and rigid nature of industrial operations leans implementers and operators away from outsourcing infrastructure to cloud providers. At exactly the same time, enterprises in all non-industrial sectors are benefitting from lower costs and/or higher agility provided by moving on-premise systems into more efficient cloud infrastructure. Industrial executives are seeing these benefits in their IT operations and beginning to do more than just glance suspiciously at their industrial operations, often wondering aloud: “Remind me again why some of this stuff couldn’t give us the same competitive benefits?”
Inside the pondering depths of the ICS security space, where subject matter experts debate the details of approaches, the discussion on cloud has gotten rather sharp in the past two years. What had been a common belief that only a complete idiot would put anything related to ICS into this mysterious box called “cloud” has been tempered by growing executive pressure and the pragmatic reality that industrial operators aren’t always well served by having to own and operate racks of computers. Panels on cloud for ICS are becoming common at not just the ICS cybersecurity conferences but at almost every industrial forum. But practical answers have been lacking.
A core concept of ICS security architectures is segmentation or “zoning”: dividing the ICS and supporting networks into zones defined by function and criticality. The Industrial Society of Automation’s ISA99 Committee defined a structure of zoning that has been adopted by the International Electrotechnical Commission as the IEC-62443 standard, and has become the accepted framework good ICS architects follow. Zones are traditionally created physically with an Ethernet switch connected by wire or wireless to control system or operational devices, precluding any application of cloud and complicating on-premise devices remote from each other. This ability to remain within standards and best practices needs to be addressed before any ICS architect can consider cloud as part of their industrial architecture.
The ISA99 Committee has been considering this issue and how cryptographic zoning could provide an answer. Cryptographic zoning is an approach that provides equivalent achievable protective value with distributed devices as can be realized where all the devices in a zone are connected by a single physical network. Using cryptographic zoning, industrial architects can define zones based on operational and protective needs without being constrained by the physical location of constituent devices. An administrative zone could have SharePoint servers and other services in the cloud. Historian servers could be implemented in the cloud and still be part of an IEC-62443-compliant zone managed by the enterprise, without the cost and overhead of racks of physical Historian servers.
Working with partners in the cloud and industrial vendor space, Unisys has implemented the first IEC-62443 compliant cryptographic zone in the cloud using our Unisys Stealth® technology embedded in vendor and cloud provider offerings. The implications for industrial operators are profound.
Industrial enterprises can lower capital investments and increase agility while remaining compliant with standards and the regulations which refer to them. Security architects can design adaptive defensive zones that respond to defined conditions by altering themselves, perhaps shrinking or isolating themselves to maintain productivity during peripheral systems fault or attack. Industrial operators can look at their infrastructure as a more flexible rather than fixed asset, opening up competitive opportunities in every sector.
The world is always changing, whether we like it or not. These changes always bring opportunities, and the organizations who choose wisely will lead their markets. Cryptographic zoning provides an opportunity for wise industrial enterprises to move ahead of their competition.