Managing a complex network can be difficult. Many manufacturing facilities have hundreds of switches that are all managed individually, making them a challenge to deploy, manage, and support. Most Operational Technology (OT) networks sacrifice security for manageability, but you shouldn’t have to choose between the two. Software-Defined Networking (SDN) solves both issues and provides additional benefits over traditional OT networks. SDN brings new visibility, security, and control to OT networks, where these have historically been an afterthought because of the complexity involved.
SDN and Your Facility
SDN is essentially a virtual network that creates an abstract version of your physical network. Devices are provisioned, monitored, and supported from a central point. SDN uses a central controller to control and manage the switches on the network, moving the control plane (the forwarding decisions) from each individual switch to the central controller. The controller communicates with the switches and determines which traffic flows (communication policies) are valid.
Traditionally, switches are managed individually. With SDN, the network and switches are looked at holistically. When a flow or policy change is made in the controller, the change is pushed automatically to all switches on the network. This process simplifies provisioning new switches. A technician plugs the switch into the network, tells the switch where the controller is, and then all existing flows are automatically pushed down to the switch as policies.
SDN and Your Network
One of the main advantages of SDN is the additional visibility and control provided through the controller. Traditional networking approaches focus on port-based security and VLAN segregation. With SDN, security shifts to the device. A set of policies and rules is applied to an individual device or a group of devices. SDN brings Zero Trust concepts to networking: no communication is allowed unless it is specifically defined. When a device first connects to the network, it is not allowed to communicate with anything until a user defines policies for that device. These policies and rules follow the device regardless of where it connects to the network. As devices move to different locations on the network, their communication policies already exist, and the switches already have the flows present to allow those communications. Because the controller captures all traffic, SDN provides complete visibility into connected devices and their communications.
Many of today’s networks deploy a firewall between their OT and IT networks to mitigate traditional attack surfaces. This practice also protects against unintended consequences from unauthorized or untrained users. SDN protects above and beyond the industrial control system (ICS) firewall, creating a virtual firewall for every device on your network. This allows protection of East/West traffic in addition to the traditional North/South traffic. In addition to protecting the OT and IT networks from each other, we can now protect devices from one another.
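The controller/switch split described above (central policy store, flows pushed to every switch, default deny per device, policies that follow a device when it moves, and East/West blocking between devices on the same switch) can be shown in a small simulation. The following is an added example written for this article, not code from the original article or from any SDN product; the switch names, MAC-style device identities and the "tcp/502" protocol label are constructed values for illustration.

```python
# Toy model of an SDN controller enforcing per-device (Zero Trust) flow policies.
# Added example, not code from the original article; device identities, switch
# names and protocol labels are constructed for illustration.
from dataclasses import dataclass

Flow = tuple[str, str, str]  # (source device, destination device, protocol label)


@dataclass(frozen=True)
class Policy:
    """One explicitly allowed communication between two devices."""
    src: str    # device identity, e.g. a MAC address (constructed values below)
    dst: str
    proto: str  # constructed label such as "tcp/502" (Modbus)


class Switch:
    """A switch keeps only a flow table; the control plane lives in the controller."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.flows: set[Flow] = set()

    def install(self, flows: set[Flow]) -> None:
        self.flows |= flows

    def forward(self, src: str, dst: str, proto: str) -> bool:
        """Default deny: a frame is forwarded only if an installed flow matches it."""
        return (src, dst, proto) in self.flows


class Controller:
    """Single policy store; every change is pushed to every managed switch."""

    def __init__(self) -> None:
        self.policies: set[Policy] = set()
        self.switches: dict[str, Switch] = {}
        self.location: dict[str, str] = {}  # device -> switch it is plugged into
        self.audit: list[str] = []          # central record of every decision

    def _flows(self) -> set[Flow]:
        return {(p.src, p.dst, p.proto) for p in self.policies}

    def register_switch(self, switch: Switch) -> None:
        """A newly provisioned switch receives all existing policies as flows."""
        self.switches[switch.name] = switch
        switch.install(self._flows())

    def add_policy(self, policy: Policy) -> None:
        """A policy change is made once here, never per switch."""
        self.policies.add(policy)
        for sw in self.switches.values():
            sw.install(self._flows())

    def connect_device(self, device: str, switch_name: str) -> None:
        """Plugging in or moving a device needs no switch-local configuration."""
        self.location[device] = switch_name

    def permitted(self, src: str, dst: str, proto: str) -> bool:
        """Ask the ingress switch of src whether the flow is allowed; record the outcome."""
        sw = self.switches[self.location[src]]
        allowed = sw.forward(src, dst, proto)
        self.audit.append(f"{sw.name}: {src} -> {dst} {proto} {'ALLOW' if allowed else 'DENY'}")
        return allowed


def demo() -> dict:
    """Provisioning, default deny, policy push, East/West blocking and a device move."""
    ctl = Controller()
    sw_a, sw_b = Switch("line1-sw"), Switch("line2-sw")
    ctl.register_switch(sw_a)

    # Constructed device identities: an HMI, a PLC and an engineering workstation.
    hmi, plc, ews = "00:11:22:aa:00:01", "00:11:22:aa:00:02", "00:11:22:aa:00:03"
    for dev in (hmi, plc, ews):
        ctl.connect_device(dev, "line1-sw")

    r = {}
    r["before_policy"] = ctl.permitted(hmi, plc, "tcp/502")       # nothing allowed yet
    ctl.add_policy(Policy(hmi, plc, "tcp/502"))                    # one change, all switches
    r["after_policy"] = ctl.permitted(hmi, plc, "tcp/502")
    r["east_west_blocked"] = ctl.permitted(ews, plc, "tcp/502")   # same switch, no policy
    ctl.register_switch(sw_b)                                      # late-provisioned switch
    r["new_switch_has_flows"] = sw_b.flows == sw_a.flows
    ctl.connect_device(hmi, "line2-sw")                            # HMI moves; policy follows
    r["after_move"] = ctl.permitted(hmi, plc, "tcp/502")
    r["audit_entries"] = len(ctl.audit)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` walks through the five points in order: the HMI cannot reach the PLC until a policy exists, a single `add_policy` call makes it reachable from every switch, the workstation on the same switch is still denied (the per-device "virtual firewall" for East/West traffic), a switch registered later inherits the full flow table with no manual configuration, and the HMI keeps its access after moving to the second switch. The `audit` list stands in for the central visibility the controller provides: every allow and deny decision is recorded in one place rather than scattered across switch logs.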
SDN is relatively new to the OT space, but because of the complete visibility and control it provides to the network, it will significantly change the way we look at networking.
This article was originally published in the Current Connections Fall 2020 issue.
David Smit, Systems Analyst