Protect your critical OT systems
Challenge
Securing data and infrastructure has never been more important than today. In an evolving market of cyber security threats, security in depth is necessary to retain a secure and stable operation.
Today's cybersecurity landscape is characterized by the increasing sophistication of threats, fueled by advancements in technologies like AI and machine learning. Attackers are exploiting a wider range of vulnerabilities, from supply chains and IoT devices to cloud environments, targeting diverse victims, including individuals, businesses, and even nation-states.
Our vision is to reduce the impact of an security related incident as much as possible.
Solution
Build for security, design for failure.
Designing for failure involves architecting an infrastructure that prioritizes disaster resilience. Ensuring minimal impact from successful attacks is essential to keeping your organization operational. Building for security focuses on a security-first approach at every stage, from design to end-user privileges. This approach secures every chain in the data infrastructure, segregates applications and systems to reduce impact, and relies on role-based access control to ensure appropriate access permissions.
So how do we actually build for security and design for failure? Zero trust, Role Based Access Control (RBAC) and application isolation are the main keys in our security methods.
Zero trust
Zero Trust is a security model centered on the principle of "zero trust, always verify." In this model, all connections—whether for data ingress or egress—must be initiated by an authenticated and authorized individual or system. Each connection is verified before gaining access to any systems, ensuring only trusted identities can interact with the network. This approach prevents unauthorized access and connection spoofing by continuously verifying credentials and permissions, aligning with the goal of ensuring that only authenticated and authorized entities can access the system.
RBAC
Role-Based Access Control (RBAC) is a method of managing user permissions and access within an organization based on assigned roles. Each role corresponds to a set of responsibilities and permissions, which defines what actions a user in that role can perform and what resources they can access. RBAC goes hand in hand with the zero trust, only grant the necessary privileges to perform the necessary operation for your role. This not only applies to humans, but computers and services as well.
Identities are only given the minimum rights to perform their operation, reduces the impact of a compromised user. Seen from the AVEVA PI perspective this is one of the core measures that are implemented on the application level.
- Setup identities that covers your need
- Strictly protect administrative privileges
- Strictly protect write (edit/delete) privileges
- Use role based access, segregate systems and humans
Application isolation
Segregate your applications with network isolation. This isolates applications and networks from communicate without explicit approval. Applications are isolated from one and another to prevent the spread of an active threat while retaining the necessary communication for operations. In a cloud context this is often described as a hub and spoke design, but the principals should apply to all aspects of your operation.
Key Features
“Ensure your AVEVA PI data infrastructuremake is configured using best practices"
Outcome
By implementing modern security measures in your data infrastructure you reduce your operational risk. The impact of an successful attack can be significantly reduced with the modern measures as you would effectively prevent the spread within your organization. Reduced risk of unintentional and intentional data manipulation by implementing RBAC where only authorized personnel has access to modify data.