
Security and optimization of the production network in Dormer Pramet Šumperk

For Dormer Pramet, we have created a secure production network using integrated Cisco technologies. Thanks to micro-segmentation and access control, we increased the level of security and prevented the future spread of threats.

Realization 2024


Customer Profile

Dormer Pramet s.r.o. is engaged in the development, production and sale of cutting tools. It offers a combined range of insert and monolithic tools for any operation in general engineering and metalworking - from turning, milling, drilling and threading to tool clamping. The production line in Šumperk consists of approximately 250 independently operating machines, with plans to expand to 1,000 units in the future. The company does not operate only in the Czech Republic, but has three other production plants around the world - in Brazil and India. It operates a total of 20 sales offices and a distribution network covering more than 100 countries. Our ambition is to expand the solution to these countries as well.

Thanks to innovative solutions and the professional approach of our partners, we are confident that our production networks are as secure as possible and ready for further expansion. Ensuring uninterrupted and safe operation is key for us.

Vratislav Pavel Skořepa

Cyber Security Manager

Baseline and project objectives

The original production network, like many others of its time, was designed purely to support production: it connected production technology to its control elements. The only requirement was that the production technology should have the connectivity it needed, without any restrictions. Functionality was the requirement, not security. Today, however, production networks are viewed in a completely different light, as unrestricted access opens up a vast field of risks. Dormer Pramet saw the biggest cybersecurity risk to its production process in the connection of foreign devices, in particular the service equipment of contractors, who connected their laptops, and often also various remote access devices, to individual production machines, potentially opening the way for malware to be introduced and spread. Open access to the production network and its resources, combined with a lack of visibility into operations, potentially allowed undetected cyberattacks to be conducted against the entire production infrastructure. A contractor, even one who came in good faith to service one particular machine, in principle had access to every other machine through that machine. Production, and therefore the network, is the backbone of the company, which has long relied on the network solutions of Cisco Systems. Cisco offers a comprehensive range of industrial network security solutions that build on the identity of each resource connected to the production network and on mapping and trending its communications. At the same time, the original requirement of robustness and resilient delivery is not forgotten.

The key objectives of the project were to control the access of each individual asset to the production network, including individual machines, while ensuring the robustness and security of the industrial network as a whole. The first step was to implement micro-segmentation based on the identity of each resource (one device per segment). The second step was to map the conducted communication to create communication rules. At the same time, this established the basis for the subsequent automatic detection and elimination of potential cyber threats. The customer received a unified and integrated solution based on clearly defined rules, both for access and communication. In addition, the production network as a whole was separated from the IT/administrative network by deploying a firewall with an industrial set of IDS/IPS detection signatures directly designed to protect production-specific industrial protocols.

The delivered Cisco solution responds to security incidents in a fully automated way, which is one of the reasons it remains easy to manage and understand. Its integrated design also makes it easily portable and universally applicable, in other Dormer Pramet plants and beyond.

Benefits

  • Increased security and protection of production machines against cyber threats
  • Better control and management of access to production equipment
  • Easy network management through automated responses to security incidents
  • Ability to scale and expand the solution to additional sites

Solution description

The project created a secure, segmented production environment for the customer using current Cisco technologies. Industrial networks need not only robustness but also security. In this case, production security means that no one who is not authorized or has no business there, such as service contractors, other outsourced workers and the equipment they bring in, can log on to a machine that is machining, powdering or pressing parts in production. The network has been segmented into the smallest possible units, micro-segments. This allows better access control and isolation of the different parts of production. Each production device is assigned to a segment according to its identity, which is derived from its role and its mode of communication and is therefore completely individual and unambiguous. Segmentation prevents potential threats from spreading between devices in the production network.

A firewall with both detection and prevention capabilities (IDS/IPS) has been deployed at the network boundary. A threat attempting to enter the production network is automatically blocked and, in specified cases, may result in the preventive disconnection of the affected end device from the production network. To detect incidents within the production network itself, CyberVision sensors have been installed to monitor and analyse in detail the communication between production machines and their control elements. The devil is in the detail, and this is doubly true for production control: every instruction matters, and each one must stay within the expected interval, come from the expected source and arrive at the specified time. Anything that differs significantly from the expected sequence and content can be considered a potential disruption to production continuity. These values naturally need to be monitored over the long term, and the baseline can only be determined retrospectively from that data.
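The baseline-and-deviation logic described above, as an added example that is not part of the case study and is not Cisco CyberVision code: it learns from constructed flow records which source talks to which machine with which command and at what interval, then flags a foreign source and a timing deviation. The device names (plc-01, machine-07, laptop-svc), command names and the tolerance threshold are assumptions.

```python
# Added example (not from the case study or Cisco CyberVision): learn a
# baseline of OT control traffic, then flag deviations in source and timing.
from collections import defaultdict
from statistics import median

# Constructed records: (timestamp in s, source, destination, command).
# Baseline window: plc-01 polls machine-07 every 10 s and writes every 60 s.
BASELINE_LOG = [(t, "plc-01", "machine-07", "READ_STATUS") for t in range(0, 600, 10)]
BASELINE_LOG += [(t + 2, "plc-01", "machine-07", "WRITE_SETPOINT") for t in range(0, 600, 60)]

# Observation window: one poll arrives 1 s after the previous one, and a
# service laptop (never seen in the baseline) issues a write to the machine.
OBSERVED_LOG = [
    (600, "plc-01", "machine-07", "READ_STATUS"),
    (610, "plc-01", "machine-07", "READ_STATUS"),
    (611, "plc-01", "machine-07", "READ_STATUS"),
    (615, "laptop-svc", "machine-07", "WRITE_SETPOINT"),
    (620, "plc-01", "machine-07", "READ_STATUS"),
]

def learn_baseline(records):
    """Per (destination, command): the set of sources seen and the median gap."""
    by_key = defaultdict(list)
    for ts, src, dst, cmd in sorted(records):
        by_key[(dst, cmd)].append((ts, src))
    baseline = {}
    for key, items in by_key.items():
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        baseline[key] = {"sources": {s for _, s in items},
                         "interval": median(gaps) if gaps else None}
    return baseline

def detect(records, baseline, tolerance=0.5):
    """Return alerts: unknown command, unknown source, or a gap that differs
    from the learned median by more than `tolerance` (assumed +/-50 %)."""
    alerts, last_seen = [], {}
    for ts, src, dst, cmd in sorted(records):
        key = (dst, cmd)
        if key not in baseline:
            alerts.append((ts, "unknown_command", src, dst, cmd))
            continue
        if src not in baseline[key]["sources"]:
            alerts.append((ts, "unknown_source", src, dst, cmd))
        expected = baseline[key]["interval"]
        if key in last_seen and expected:
            gap = ts - last_seen[key]
            if abs(gap - expected) > tolerance * expected:
                alerts.append((ts, "interval_deviation", src, dst, cmd))
        last_seen[key] = ts
    return alerts
```

Running `detect(OBSERVED_LOG, learn_baseline(BASELINE_LOG))` yields two alerts: the 1 s poll at t=611 and the write from laptop-svc at t=615.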

The system was designed to provide automated responses to security incidents and simplified access management. Strict access controls restrict access to authorized users or authorized devices; either criterion can be applied. Micro-segmentation achieves a high level of isolation: threats cannot easily spread between production devices, nor between different parts of the corporate network. If, for example, a contractor's laptop is infected, the threat does not leave its closed segment and therefore no longer poses a risk to the other production machines or to the administrative part of the network.

Key security points include:
  • Identification of all industrial equipment to set appropriate security
  • Isolation of network zones, preventing threat propagation and attacker lateral movement
  • Detection of abnormal IT/OT instructions and behavior to protect production processes
  • Gaining enhanced insight into event communications for further investigation

A comprehensive suite of Cisco software tools for industrial networks has been deployed, including the Firepower Management Center (FMC) firewall manager and the identity and access management solution (ISE), providing complete visibility and control over the entire production network. CyberVision sensors work alongside them to monitor network traffic and share information about potential threats hidden within it. The implementation was rounded out with the deployment of Cisco Catalyst Center for configuration orchestration and lifecycle monitoring of industrial and other switches.

The network was designed to be easily expandable to other sites, ensuring future process security and efficiency across all Dormer Pramet production lines and related operations. This universal design ensures that safety standards are maintained regardless of geographic location or the specific requirements of individual manufacturing sites.

Technologies used

  • Cisco firewalls with industrial features
  • CyberVision sensors for real-time monitoring of IT/OT communications
  • CyberVision center for visualization of communication flows and security events of IT/OT communication
  • Cisco segmentation and microsegmentation tools
  • Firewall Management Center (FMC) for security policy management
  • Policy server for identity and security management (ISE)
  • Cisco Catalyst switches for aggregating and managing network traffic
  • Cisco Catalyst Center for configuration orchestration and lifecycle monitoring of industrial and other switches
