Radiflow, ST Engineering strengthen OT network segmentation and compliance for CCOP v2 standard

OT cybersecurity vendor Radiflow has partnered with ST Engineering to secure OT facilities with a zone-security approach and tools to manage compliance with Singapore’s new CCOP v2 standard. The technology keeps operational technology (OT) networks segmented, isolating attackers should a breach occur. The move to protect multi-facility organizations is critical to ensuring continuous operation and compliance with the latest regulations, such as Singapore’s CCOP.

The Radiflow-ST Engineering technology will be displayed during the GovWare 2022 conference, allowing Singaporean entities and asset owners to automate their compliance credentials and ensure continuous streamlined operations.

“In order to monitor OT networks, the IDS needs to receive a copy of the traffic from the network switches, while the management of the IDS should be connected to the enterprise SOC on the IT network,” Ilan Barda, co-founder and CEO of Radiflow, told Industrial Cyber. “To ensure that this path is not used as a potential attack path, it’s recommended to use a data diode to ensure a one-way data flow from the OT network to the IDS and maintain the segmentation from the enterprise network. Should a breach occur on the IT network, the monitoring path of the IDS can not be used to hop from the IT network to the critical IT network,” he added.

The integrated solution that Radiflow and ST Engineering introduced in GovWare enables the deployment of such secure architecture using ST Engineering’s new compact data diode, Barda said. “The Radiflow smart collector software is installed on the OT side of the data diode, while the Radiflow IDS is installed on the other side of the data diode connecting to the SOC on the IT network while keeping the OT network isolated. This one-box integrated solution provides an easy deployment without compromising on the secure architecture,” he adds.

Network segmentation is one of the ways to safeguard the OT environment in the event of an attack. Barda explains that, in most cases, network segmentation is done using firewalls. “Unfortunately, there are vulnerabilities in such logical segmentation solutions. When deploying an IDS, the port mirror is also supposed to be a logical one-way link but vulnerabilities were found in port mirror implementations in some network switches as well,” he adds.

“Data diode is physical isolation that relies on a one-way optical link, rather than a logical network segmentation that can be breached,” according to Barda. “The data diode solutions have been deployed in critical facilities, such as nuclear plants, for many years and have never been breached. With the new integrated iSID on the compact ST data diode, this solution can also be deployed in smaller critical infrastructure OT facilities,” he adds.

OT facilities are in a unique position: market demands, regulatory requirements, and cybersecurity vulnerabilities put a 24-hour strain on equipment and operators. Organizations’ security practitioners are unable to shut down operations to audit the network’s true cybersecurity posture.

“The integration provides a one-box solution for full visibility into the organization’s OT assets, topology, system behavior, cyber-attacks, and breaches to OT cyber security policies,” Goh Eng Choon, president for cyber at ST Engineering, said.

Radiflow will also present its risk management tool CIARA with support for the CCOP v2 standard. With the tool, utilities will be able to incorporate an actual digital image of their OT network and automatically assess their level of compliance with the CCOP standard, generate compliance status reports, and plan their roadmap to reach full compliance. Cybersecurity teams can also use CIARA to ‘run’ virtual cyber breach attack simulations to calculate threat likelihood and production loss scenarios. 

“CIARA risk management tool takes into account the security controls deployed in the OT network to evaluate the risk for a breach that will result in an attack flow to the critical assets,” Barda said. “The CIARA mapping of security controls was initially designed using the IEC 62443 standard and the MITRE ATT&CK framework. With the new CIARA version, security controls are mapped according to CCOPv2 standards, enabling a unified language between the authorities and the CII operators when presenting their compliance status and their security roadmap,” he adds.

The use of CCOPv2 security controls in the CIARA also includes mapping the security controls to the attack tactics as defined in the MITRE ATT&CK framework, Barda explains. “This mapping enables CIARA to evaluate not just the compliance status but also the attack likelihood of relevant attack groups. This combined risk & compliance model is the basis for an optimized security road-map plan while continuously evaluating the exposure to new threats.”

On the biggest challenges that the Radiflow-ST Engineering alliance for the CCOP v2 standard will address within OT environments, Barda said that the CCOPv2 standard provides detailed guidelines for critical infrastructure organizations to secure their OT networks.

However, for such organizations, the gap from the secure design defined in the CCOP v2 standard is quite large, and they need to plan a gradual road map to close the gap. When building such a road map, it’s important to start with the security controls that address the critical risks in attack tactics with the highest likelihood of breaching the network.

“The CIARA breach and attack simulation performs the simulation of the relevant attacker tactics on your specific digital image,” Barda said. “It then recommends the most important security controls that should be implemented as well as evaluates the effectiveness of the security controls planned by the customer. This risk posture evaluation provides the critical infrastructure operator the tools to discuss with authorities their road-map plans until they reach full CCOPv2 compliance,” he adds.
