Zero Trust is the way forward for network security

16 April 2024

The Siemens Manufacturing Karlsruhe (MF-K) plant produces key components for automated and digitalized manufacturing processes. For quality assurance and in-house 3D printing, the plant is optimising its processes by giving experts remote access to its operational technology systems, enabled by a Zero Trust approach.

In the manufacturing industry and critical infrastructure, cybersecurity has become a top priority for companies. No wonder, as attacks, misuse, and cases of industrial espionage have rapidly increased. 

Communication in the factory environment is changing rapidly. Operational technology (OT) systems have traditionally been isolated with no external access. However, in recent years, the need for flexible and mobile working in manufacturing and development environments has rapidly increased. Companies are looking for ways to gain controlled access to OT systems and data from within IT environments. And the goals of this IT/OT convergence have gone further than simply maintaining operations as in times of pandemic: Above all, it opens new opportunities for increased OT efficiency and availability.

One focus area for secure access to the OT in the Siemens MF-K plant is the X-ray inspection for quality assurance. Here, the solder joints on circuit boards are routinely checked. If a fault occurs during the X-ray inspection, this process stops. "The causes can usually be fixed quickly if an expert is in the plant – but that's not always the case," explained Uwe Bollinger, IT Infrastructure & IT Security Manager at MF-K. "Previously, the expert could connect via a jump computer. But this was cumbersome, so the possibility of remote access from anywhere in the world helps us. Errors can be corrected faster. This allows us to continue working quickly, with focus, and without significant interruptions."

Another example concerns an in-house 3D printer unit at the facility. In practice, devices and equipment designed in-house can help to simplify work processes – such as a robot gripper. If special components or parts are to be manufactured for this purpose, the design engineer from Siemens' Toronto location, who developed the robotic gripper, can help without any delays. "Our colleague in Canada sends a secure print job directly into our secure production VLAN and onto our 3D printer. There, the part is manufactured using additive manufacturing. After that, it is printed and available a short time later," explained Patrick Hammer, Head of Engineering at MF-K.

MF-K had previously made a cybersecurity decision: to introduce the Zero Trust OT Access Service in combination with communication technology and the local processing engine. Zero Trust means that no participant is implicitly trusted when requesting access to an OT system and its data. He or she must earn this trust with every request by proving identity and integrity. This is essentially based on multi-factor authentication, a high standard for identity assurance.

If access is granted, it never applies to the entire network. It always remains strictly limited to the respective application or device. This is almost comparable to a telephone exchange in times long past: no subscriber could call another directly but had to be put through via the exchange for exactly one call and to exactly one call partner. With Zero Trust, the caller must prove their identity on every call. This is the principle 'never trust, always verify'.

Successful integration

By using a Zero Trust Gateway, the Siemens-specific solution allows secure remote access even in existing OT landscapes. This is important because OT networks and devices were never originally designed for purposes such as access via the cloud. In industrial automation networks, the focus is on other requirements. The proven perimeter-based Defense in Depth cybersecurity concept is entirely tailored to OT-specific concerns, such as availability and real-time capability. It enables network designs that are compliant with the principles of the IEC 62443 standard series for cybersecurity.

That is exactly why Zero Trust – although familiar from IT and office networks – cannot be transferred directly to OT or to a shared IT/OT network. IEC 62443 explicitly requires the separation of IT and OT. However, the approach chosen by Siemens combines both worlds: it makes Zero Trust Network Access a fundamental part of an industrial network and thereby follows the Defense in Depth strategy, supported by the Zscaler Zero Trust Exchange. Here, the processing engine assumes the role of a Zero Trust Gateway. It runs the Zscaler App Connector as a Docker container directly on the network cells, alongside the existing cell firewalls.

Commenting on the solution, Uwe said: "With the X-ray system and the 3D printer, we are taking the first steps towards applying Zero Trust in our OT network. But the possibilities go much further. The combination with the proven protection provided by firewalls makes Zero Trust an interesting solution for manufacturing companies. It allows us to fully preserve high availability, real-time capability in machine-to-machine communication and even functional security support."

The solution used in the plant today is based on a Zscaler and Siemens partnership that is paving the way for Zero Trust in the production environment. For a 1:1 implementation in OT, all participants in the network – from the user to the end devices – would need specific capabilities: to prove the identity and integrity of the devices, to authenticate communication requests, and to encrypt data communication. However, because most OT devices are not yet able to do this, a Zero Trust Gateway in the processing engine acts as a proxy that authorises communication requests on behalf of the respective OT devices.
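To make the two principles concrete (every request must earn trust anew, and a grant is scoped to one application or device rather than the network), here is a small Python model of a gateway that authorises requests on behalf of OT devices that cannot do so themselves. This is an added illustration, not Siemens' or Zscaler's code; the policy table, user names, device names and the audit-record layout are all constructed for the example.

```python
"""Added example (not Siemens' or Zscaler's code): a minimal model of a
Zero Trust gateway placed as a proxy in front of OT devices that cannot
verify identities themselves. Every request is judged on its own, and a
positive decision is scoped to exactly one target.

Assumptions (constructed, not from the article): the policy entries, the
user and device names, and the audit-record format.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    """What the requester proved for *this* request, not a cached session."""
    user: str
    mfa_verified: bool      # second factor presented with this request
    device_attested: bool   # endpoint integrity check passed


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    target: str             # exactly one application or device
    action: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    scope: Optional[str] = None   # the single target a grant applies to


# Constructed policy: (user, target, action) triples that are permitted.
# Nothing here refers to a network or VLAN; grants are per application.
POLICY = frozenset({
    ("xray.expert", "xray-inspection", "remote-session"),
    ("toronto.engineer", "3d-printer", "print-job"),
})


class ZeroTrustGateway:
    """Proxy that authorises each request on behalf of the OT devices behind it."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.audit = []   # every decision, allowed or denied, is recorded

    def evaluate(self, req: AccessRequest) -> Decision:
        ident = req.identity
        # 1. Identity and integrity are checked on every request ("never trust").
        if not ident.mfa_verified:
            decision = Decision(False, "mfa-required")
        elif not ident.device_attested:
            decision = Decision(False, "device-integrity-failed")
        # 2. Authorisation is per (user, target, action); there is no network-wide grant.
        elif (ident.user, req.target, req.action) not in self.policy:
            decision = Decision(False, "not-authorised-for-target")
        else:
            decision = Decision(True, "policy-match", scope=req.target)
        self.audit.append((ident.user, req.target, req.action,
                           decision.allowed, decision.reason))
        return decision

    def forward(self, req: AccessRequest) -> str:
        """Only a positive decision lets the request reach the one device in scope."""
        d = self.evaluate(req)
        if not d.allowed:
            return f"DENIED {req.target}: {d.reason}"
        # A real gateway would now open an application-level connection to the
        # single device in scope; this model only reports that step.
        return f"FORWARDED {req.action} to {d.scope}"


def demo():
    """Three requests from the same user show the two principles in action."""
    gw = ZeroTrustGateway()
    expert_ok = Identity("xray.expert", mfa_verified=True, device_attested=True)
    expert_nomfa = Identity("xray.expert", mfa_verified=False, device_attested=True)
    results = [
        gw.forward(AccessRequest(expert_ok, "xray-inspection", "remote-session")),
        # same verified user, different device: the first grant gives no lateral access
        gw.forward(AccessRequest(expert_ok, "3d-printer", "print-job")),
        # same user again without the second factor: the earlier grant does not carry over
        gw.forward(AccessRequest(expert_nomfa, "xray-inspection", "remote-session")),
    ]
    return results, gw.audit


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The point of the model is what it deliberately lacks: there is no session table, so a grant cannot be reused, and the policy never names a subnet or VLAN, so a user who is allowed one device is not thereby allowed its neighbour in the same cell. The audit list is kept because denied requests are as useful to the defender as allowed ones.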
