Best Practices for Manufacturing OT Security
This post was co-written with Russell de Pina, former Senior Partner Solutions Architect at AWS
In manufacturing plants, there have been IT systems used for creating, managing and processing enterprise business data and separate OT (Operational Technology) systems used for managing operations of factories and industrial equipment. As manufactures connect their OT systems to IT systems and networks as part of their manufacturing digital transformation (Industry 4.0), to provide insights from data to drive operational efficiencies, they need to ensure they do it securely and apply OT security best practices. The AWS OT Security white paper covers the best practices for OT security. In this blog post, we touch on these best practices under the following broad topics:
- Secure all layers
- Secure network connections to the cloud
- Secure operational data
- Enhance traceability and observability
- Manage devices and gateways to shrink attack surface
Figure 1 above represents the foundational framework for the best practices discussed below. We use the Purdue Enterprise Reference Architecture to define the layers in this diagram. This diagram illustrates how the various layers in a Manufacturing Environment connect to the AWS Cloud.
1) Secure All Layers
Figure 1 shows how the next generation firewalls create trust boundaries to separate the Purdue layer subnetworks from each other. These trust boundaries ensure only the allowed traffic cross the network zones.
Further isolation can be achieved through using firewall rules, routing rules and devices such as data diodes wherever applicable to restrict network traffic.
2) Secure and Monitor Network Connections to the Cloud and Local Resources
To connect OT workloads to the Cloud, the connection needs to be either encrypted or routed through a private network /Virtual Private Network (VPN). AWS Direct Connect and AWS VPN are two options for implementing a direct network connection between the industrial edge (OT network) and the AWS Cloud as shown in Figure 1. Use secure communications protocols (such as Modbus or MQTT) that facilitate encryption for OT communications wherever possible.
Most Manufacturing environments operate under the false assumption that resources connected to the local network are always secure. Such assumptions should be ruled out and any local network edge gateway or agent software should connect with each other using the same strict levels of security as applicable to the external resources . The Secure Network Connection to the Cloud and Secure Network Connection to Local Resources sections in the Security Best Practices for Manufacturing OT whitepaper detail out the options for zero trust design with network.
3) Secure Operational Data
The key pillars to protect data within the OT and cloud environment are:
- Encrypt data in transit and at rest – Enable encryption for the data in transit and at rest. This applies to the data stored both on-premises and in the cloud.
- Use the principle of least privilege – Using the principle of least privilege, grant access to data only to those resources that require it. Restrict data access further by implementing access rules at the application, operating system, and network level.
- Prevent data loss – While taking backups of data stores is important, being able to restore that data from backups is critical to enable business continuity. For example, manufactures who tend to use a hybrid model for their Manufacturing Execution Systems (MES) need a robust solution to backup both their on-premises and cloud data for business continuity. The AWS Cloud is a cost effective, reliable, and secure source for backup and restore of resources in a hybrid environment.
4) Enhance asset traceability and observability
Maintaining an inventory of network assets not only helps keep track of assets on the network but also helps to detect rouge assets that could possibly cause security breaches.
Utilize AWS Services such as AWS Systems Manager to enable traceability and observability of both cloud and on-premises resources through a centralized operations hub. This not only helps to maintain assets’ compliance against your patches and configuration but also automates the configuration and ongoing management of your resources.
5) Manage Devices and Gateways to Shrink Attack Surface
It is important that any device or edge gateway can add to the attack surface. It is therefore best practice to disable or remove unused services, USB ports, applications, and network protocols to reduce risk.
Use vendor specific documentation to harden the underlying operating systems (OS) for edge gateways.
To manage these devices, you can leverage AWS hardware integration features in AWS IoT Greengrass, which supports the use of hardware security modules (HSM) and provides for secure storage and offloading of private keys.
While the AWS Security Best Practices for Manufacturing OT whitepaper details out the end-to-end OT security best practices, this blog post helped us preview key highlights of those under a fewer broad headings.
AWS helps customers with a fast and cost-effective path towards building scalable and state of the art IT and OT security and compliance solutions. Comment on this post or get in touch with us for a deep dive session on this topic.