The Benefits of a “Deny All” Approach to Security

Software-Defined Networking (SDN) has typically been used to protect and manage IT networks, but its device-based, zero-trust security and its administration benefits can provide real value for operational technology (OT) spaces as well.

David Smit, OT Infrastructure and Security at Interstates.

The OT space has historically been slow to adopt networking changes, but SDN’s benefits will impel its increased use across the industry. SDN creates an abstract version of your physical network. This virtual network moves the control plane from the individual switches to a central controller that controls and manages them. With SDN, instead of having to change policies individually at each switch, the entire network can be managed from one screen. SDN makes managing networks simple, and its robust security offerings are attractive for OT spaces that require network resiliency and safety.

Why SDN Makes Sense for OT
The benefits are clear. SDN can provide OT networks with zero-trust security, easier management and maintenance, and increased flexibility.

  • Security. One of SDN’s main advantages is the additional visibility and control provided through the controller. Instead of traditional port-based security and VLAN segregation, SDN features device-based security. This brings zero-trust concepts to networking, denying any communication unless it is specifically defined. Since OT networks are typically very static in nature, the communications that need to be defined rarely change, which is why SDN makes complete sense for them. It protects above and beyond traditional firewalls and allows protection of East/West traffic in addition to North/South traffic.
  • Management and Maintenance. SDN can make managing networks simple. Instead of looking at multiple tools for firewalls, network servers, etc., SDN consolidates those tasks into one product. On the maintenance side, SDN inherently takes the fastest path available. This means if a network or connection breaks, SDN will automatically take a different path on its own as long as there’s a physical connection. Instead of having to touch 100-200 switches, you can make the change centrally on a single pane of glass, giving you substantial cost savings when considering time and labor.
  • Flexibility. A good SDN product should be able to interact with many different switch vendors. You can apply SDN to an existing network or a new network – how you roll it out depends on your specific needs and budget. With an existing facility, you can add SDN to one section at a time and grow into your SDN deployment.
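
The deny-all, device-based model from the Security item above, as an added example (not code from the article or from any SDN product): a Python model of the policy decision, in which a flow is allowed only if an explicit rule names both devices, regardless of the switch port it enters on. Using the MAC address as the device identity, the device names, the allow-list and the sample flows are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: device identity -> name. MACs are from the RFC 7042
# documentation range; using the MAC as the identity is an assumption.
DEVICES = {
    "00:00:5e:00:53:01": "hmi-1",
    "00:00:5e:00:53:02": "plc-1",
    "00:00:5e:00:53:03": "plc-2",
    "00:00:5e:00:53:04": "historian",
}

# Directional allow-list (src, dst, proto, dst port); anything else is dropped.
ALLOWED = {
    ("hmi-1", "plc-1", "tcp", 44818),    # EtherNet/IP
    ("hmi-1", "plc-2", "tcp", 44818),
    ("historian", "plc-1", "tcp", 502),  # Modbus/TCP
}

@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    proto: str
    dst_port: int
    ingress: str  # switch/port where the flow was seen; recorded, never matched on

def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under a deny-all default."""
    src = DEVICES.get(flow.src_mac.lower())
    dst = DEVICES.get(flow.dst_mac.lower())
    if src is None or dst is None:
        return ("deny", "unknown device")
    if (src, dst, flow.proto.lower(), flow.dst_port) in ALLOWED:
        return ("allow", f"{src} -> {dst}")
    return ("deny", f"no rule for {src} -> {dst}")

def denied(flows: list[Flow]) -> list[tuple[str, str]]:
    """Ingress point and reason for every dropped flow, for review."""
    return [(f.ingress, decide(f)[1]) for f in flows if decide(f)[0] == "deny"]

HMI, PLC1, PLC2 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
SAMPLE = [  # constructed flows
    Flow(HMI, PLC1, "tcp", 44818, "sw1/3"),
    Flow(HMI, PLC1, "tcp", 44818, "sw7/12"),  # HMI moved to another switch
    Flow(PLC1, PLC2, "tcp", 44818, "sw2/5"),  # east/west between two PLCs
    Flow("00:00:5e:00:53:99", PLC1, "tcp", 502, "sw2/8"),  # unlisted device
]

if __name__ == "__main__":
    print(denied(SAMPLE))
```

The HMI keeps its access after moving from `sw1/3` to `sw7/12` because the rule follows the device, while the PLC-to-PLC flow and the unlisted device are dropped without any rule having been written against them.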

Who Needs to Be Convinced?
The specific benefits of SDN in OT spaces are different depending on who is concerned. To get total buy-in from each group, you need to understand what SDN can do for them.

  • Plant-Level Controls Engineers. If it’s not broken, don’t fix it – right? Plant controls engineers might be change-averse, but SDN’s policy-based rules are attractive to people who are constantly having to engage IT to reconfigure devices to different switches or ports. With user-friendly SDN, devices can be moved to other switches or networks by the controls engineers, giving them more freedom.
  • IT/OT Administrators. While these groups may have a history of conflict, SDN allows them to work together. Both groups can have visibility and control of networks.
  • C-Suite/CISO. High-level management roles will be most interested in SDN’s security offerings, which will go beyond what they already have in place. Implementing zero-trust gives a cybersecurity executive job security. They can have confidence that what is on their network is supposed to be there. From a financial perspective, your total cost of ownership between deployment and support should go down because of increased automation and networks being managed in a central location versus individually.

This product currently makes sense for larger companies with multiple facilities and complex network systems. Small companies like grain elevators or single feed mills with just a few devices on their networks can still find value with SDN if they can afford it. They don’t have big network teams working for them, so an affordable SDN solution that is easy to maintain and operate will greatly increase their security. As more SDN products reach the market, prices will even out, and companies of any size can adopt them and reap benefits.

If you’re searching for a complete zero-trust network, SDN could be the answer. Reach out to a trusted systems integrator with OT experience to explore the specific benefits SDN can bring to your operations.

David Smit works in OT Infrastructure and Security at Interstates, a certified member of the Control System Integrators Association (CSIA). For more information about Interstates, visit its profile on the Industrial Automation Exchange.

 
