Across the UK, the security of Critical National Infrastructure (CNI) is a growing concern, as the increasingly interconnected nature of the systems we depend on creates a whole new range of potential attack vectors – all of which global bad actors are already racing to take advantage of, executing a range of increasingly insidious, sophisticated strategies to compromise the systems on which we all depend.
With this in mind, it is essential that the CNI sector as a whole is ready to work closely with its technology partners to establish a new standard of security – one that encompasses both IT and OT, ensuring that their increased and ongoing convergence does not put the integrity of our critical data at risk. This presents a number of challenges when we consider the highly remote nature of most CNI environments, the inherent complexity of the resulting cross-site dataflows, and the need for a cyber security posture that ensures reliable and remote access can still be provided, when required.
What is a Demilitarised Zone (DMZ)?
A DMZ is a combination of equipment (including, but not limited to, routers, firewalls, and switches) deployed when third parties require secure remote access to certain assets within the site. It accomplishes this by segmenting the on-site network, based on access rights and security policies on a per user or per team basis, so the measures taken to grant access (e.g. opening the ports on firewalls) can be automated, reducing the need for manual intervention. Dual-factor authentication is then applied to ensure only an “allow-list” of individuals can gain access. This way, it is impossible for bad actors to access the assets in question without gaining control of the designated individuals’ own equipment, allowing seamless remote access to coexist with a robust security posture.
A DMZ is a key security tool for any challenging and remote CNI environments (e.g. offshore windfarms) where providing third parties with on-site access will not typically be an option, due to cost, safety, and compliance obligations. However, while the concept is ostensibly simple, putting it into practice is challenging…
Securing the most complex CNI environments
The process for creating an effective DMZ will naturally vary from site to site, depending on the nature of the systems and the access rights that will need to be established and implemented. This all begins with a pro-forma document, setting out the systems that need to be secured (including all IP addresses and subnets), the teams, individuals, and their roles that require access, and the tools and protocols they will be using to do so.
In other words, it is an inherently bespoke process that demands a keen understanding of the convergence of IT and OT, the new dataflows this creates, and how these can be secured without compromising operational performance. Any DMZ project must begin with a period of in-depth consultation to collate all the information required for the design and deployment phases. This will be followed by a period of intensive testing and review to ensure the pro-forma is correct and has been correctly executed.
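The following is an added example, not Vysiion's own tooling: it models the pro-forma described above as structured data, runs the kind of consistency check the review phase calls for, and makes a default-deny access decision that requires both allow-list membership and a passed second factor. The field layout and every asset name, address, team and port are constructed assumptions.

```python
import ipaddress

# Constructed pro-forma: every name, address and port below is a made-up sample.
PRO_FORMA = {
    "subnets": {"scada": "10.20.0.0/24", "historian": "10.20.1.0/24"},
    "assets": {
        "turbine-plc-01": {"ip": "10.20.0.11", "subnet": "scada"},
        "historian-01": {"ip": "10.20.1.5", "subnet": "historian"},
    },
    "teams": {"oem-maintenance": ["alice", "bob"], "data-analysts": ["carol"]},
    "grants": [
        {"team": "oem-maintenance", "asset": "turbine-plc-01", "protocol": "tcp", "port": 22},
        {"team": "data-analysts", "asset": "historian-01", "protocol": "tcp", "port": 443},
    ],
}

def validate(pf):
    """Review step: return a list of inconsistencies (empty list means consistent)."""
    errors = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in pf["subnets"].items()}
    for name, asset in pf["assets"].items():
        net = nets.get(asset["subnet"])
        if net is None:
            errors.append(f"{name}: unknown subnet {asset['subnet']}")
        elif ipaddress.ip_address(asset["ip"]) not in net:
            errors.append(f"{name}: {asset['ip']} outside {net}")
    for g in pf["grants"]:
        if g["team"] not in pf["teams"]:
            errors.append(f"grant references unknown team {g['team']}")
        if g["asset"] not in pf["assets"]:
            errors.append(f"grant references unknown asset {g['asset']}")
    return errors

def allowed(pf, user, mfa_ok, dst_ip, protocol, port):
    """Default deny: permit only an allow-listed user who passed the second factor."""
    if not mfa_ok:
        return False
    dst = ipaddress.ip_address(dst_ip)
    for g in pf["grants"]:
        members = pf["teams"].get(g["team"], [])
        asset = pf["assets"].get(g["asset"])
        if asset is None or user not in members:
            continue  # grant does not apply to this user, or is dangling
        if (ipaddress.ip_address(asset["ip"]) == dst
                and (g["protocol"], g["port"]) == (protocol, port)):
            return True
    return False
```

Anything not explicitly granted is refused, so removing a leaver from a team list or deleting a grant revokes access without touching any other rule.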
Once the DMZ has been established, it will need to be continually monitored, audited, and updated, as policies evolve, team members join and leave, and new security vulnerabilities emerge. This will require CNI organisations to cultivate strong, long-lasting partnerships with their technology providers, entrusted to provide ongoing support and consultation as the threat landscape evolves.
If you would like to explore the security of your own CNI environments, do not hesitate to contact the team. Vysiion has served as a trusted technology partner for organisations across the UK’s CNI sector since 1996, delivering over £200 million of projects on an international scale. As part of this, we have designed, deployed, and continue to manage and maintain a range of leading-edge DMZs, drawing on our deep knowledge of IT/OT integration and Cloud transformation, and utilising the full range of our evolving solution portfolio. Whatever the nature of your sites, dataflows, and security requirements, we will work closely with you to deliver a tailor-made solution that optimises both data protection and operational efficiency, then work closely with you to maintain it as the threat landscape evolves.