Monday, October 30, 2023

Can we have a hybrid cloud strategy for OT ?

Let's give you the answer directly: yes, but!

Moving Operational Technology (OT) applications to the cloud while implementing a hybrid cloud strategy involves careful planning, a focus on security and compliance, and a phased approach to minimize disruptions. Here's a step-by-step guide on how to do it:

  • Assessment and Planning:

Inventory and Prioritization: Identify and categorize your existing OT applications. Determine which applications are suitable for cloud migration based on factors like data sensitivity, security requirements, and performance considerations.

  • Design Your Hybrid Cloud Architecture:

Select a Cloud Service Model: Decide whether you'll use Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or a combination of both. The choice depends on your application requirements and expertise. Choose Cloud Providers: Select cloud providers that align with your specific needs. Consider factors like regional data centers, compliance certifications, and pricing.

Network Connectivity: Ensure you have a reliable, secure, and low-latency connection between your on-premises OT environment and the cloud.

  • Security and Compliance:

Data Security: Implement encryption for data at rest and in transit. Utilize Identity and Access Management (IAM) and role-based access control to manage user permissions.

Compliance: Ensure your cloud solution complies with industry-specific regulations (e.g., NIST, IEC 62443) and follows best practices for OT security.

  • Application Migration:

Rehost, Refactor, or Redesign: Choose the migration approach that best fits your applications. Rehosting (lift and shift) is the quickest but may not be the most efficient. Refactoring or redesigning for cloud-native services can lead to better performance and cost optimization.

Testing: Extensively test applications in the cloud to ensure they perform as expected. Consider using staging environments to minimize potential downtime.

  • Monitoring and Optimization:

Cloud Monitoring Tools: Implement cloud monitoring tools and services to keep an eye on the performance, security, and cost of your cloud-based OT applications.

Cost Management: Regularly review and optimize your cloud costs, adjusting resources as needed to avoid unnecessary expenses.

  • Training and Documentation:

Train your OT staff on cloud technologies and best practices. Document your cloud setup, configurations, and procedures for future reference.


Remember that moving OT applications to the cloud is a complex process, and it should be done with the utmost care due to the critical nature of many OT systems. 

Thursday, March 30, 2023

How to apply Zero trust to a Legacy OT system ?

Applying zero trust to a legacy OT (Operational Technology) system can be challenging, but it is still possible. Here are some steps that can be taken to apply zero trust principles to a legacy OT system:

  1. Identify the assets: The first step is to identify all the assets in the legacy OT system. This includes hardware, software, and data.

  2. Map the data flows: Map the data flows within the legacy OT system to understand how data is exchanged between different assets.

  3. Define the security perimeter: Once the assets and data flows have been identified, define the security perimeter for the legacy OT system. This involves defining the boundaries of the system and what assets and data are considered part of the system.

  4. Implement access controls: Implement access controls based on the principle of least privilege. This involves granting users and devices access only to the specific assets and data they need to perform their job functions.

  5. Monitor and log all activities: Implement monitoring and logging of all activities within the legacy OT system. This will help detect and respond to any security incidents.

  6. Implement security controls: Implement security controls such as firewalls, intrusion detection systems, and data encryption to secure the legacy OT system.

  7. Update and patch legacy systems: If possible, update and patch the legacy OT system to improve its security posture. This may involve replacing or upgrading legacy hardware and software components.

  8. Conduct regular security assessments: Conduct regular security assessments of the legacy OT system to identify and address any vulnerabilities.
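Steps 1, 2, 4 and 5 above fit together in code: the asset inventory and the mapped data flows become a least-privilege allowlist, and the activity log is checked against it. The following is an added example and not part of the original post; the asset names, IP addresses, the "<timestamp> <proto> <src>:<port> -> <dst>:<port>" log format and the sample lines are all constructed for this illustration.

```python
"""Added example (not from the original post): a flow allowlist derived from the
asset inventory (step 1) and the data-flow map (step 2), applied as least
privilege (step 4) to constructed connection-log lines (step 5).
Asset names, addresses and the log format are assumptions of this example."""
import re

# Step 1: inventory (constructed). Address -> asset name.
ASSETS = {
    "10.10.1.5":  "PLC-01",
    "10.10.1.6":  "PLC-02",
    "10.10.2.10": "HMI-01",
    "10.10.2.20": "HISTORIAN",
    "10.20.0.50": "ENG-WKS",
}

# Step 2 + 4: the mapped flows, expressed per asset as (src, dst, proto, dst_port).
# Only these are permitted; anything else is a violation to investigate.
ALLOWED_FLOWS = {
    ("HMI-01", "PLC-01", "tcp", 502),        # HMI polls PLCs over Modbus/TCP
    ("HMI-01", "PLC-02", "tcp", 502),
    ("HMI-01", "HISTORIAN", "tcp", 1433),    # HMI writes to the historian DB
    ("ENG-WKS", "PLC-01", "tcp", 502),       # engineering workstation programs PLCs
    ("ENG-WKS", "PLC-02", "tcp", 502),
}

# Assumed log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def asset_name(ip: str) -> str:
    """Unknown addresses get a synthetic name so they can never match an allow rule."""
    return ASSETS.get(ip, f"unknown:{ip}")


def evaluate(line: str) -> dict:
    """Classify one log line as allow, deny, or unparsed (unparsed is also reported)."""
    m = LOG_RE.match(line)
    if not m:
        return {"line": line, "verdict": "unparsed"}
    flow = (asset_name(m["src"]), asset_name(m["dst"]), m["proto"], int(m["dport"]))
    return {"line": line, "verdict": "allow" if flow in ALLOWED_FLOWS else "deny", "flow": flow}


def audit(lines):
    """Return every record that is not an explicitly allowed flow."""
    return [r for r in map(evaluate, lines) if r["verdict"] != "allow"]


# Constructed sample log lines.
SAMPLE_LOG = [
    "2023-03-30T10:00:01 tcp 10.10.2.10:50123 -> 10.10.1.5:502",    # HMI -> PLC-01: expected
    "2023-03-30T10:00:02 tcp 10.10.2.10:50124 -> 10.10.2.20:1433",  # HMI -> historian: expected
    "2023-03-30T10:00:03 tcp 10.20.0.50:40000 -> 10.10.1.6:502",    # ENG-WKS -> PLC-02: expected
    "2023-03-30T10:00:04 tcp 10.10.2.20:40500 -> 10.10.1.5:502",    # historian has no mapped flow to a PLC
    "2023-03-30T10:00:05 tcp 192.168.77.9:3389 -> 10.10.1.5:502",   # address absent from the inventory
    "2023-03-30T10:00:06 icmp 10.10.2.10 -> 10.10.1.5",             # does not match the log format
]

if __name__ == "__main__":
    for record in audit(SAMPLE_LOG):
        print(record["verdict"], record["line"])
```

The allowlist is written per asset rather than per zone on purpose: a zone-level rule such as "supervision may reach control on 502" would silently permit the historian-to-PLC connection that the fourth sample line represents. Unparsed lines are reported too, since a log format change is itself something the monitoring should surface.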

Applying zero trust to a legacy OT system may require a phased approach and a combination of technical and organizational measures. It is important to involve all stakeholders, including IT and OT teams, in the planning and implementation of zero trust measures to ensure their success.

Wednesday, January 25, 2023

IT/OT Convergence - Not only a technical challenge!

The convergence of IT (Information Technology) and OT (Operational Technology) can present several challenges:

  • Management: in most companies, IT and OT systems were managed by different teams, with different skills and expertise. It can be difficult to ensure that the two teams are being managed effectively and that the IT and OT engineers are working together effectively.
  • Compliance and regulation: IT and OT have different compliance and regulatory requirements. It can be difficult to ensure that both systems are meeting all relevant standards.
  • Understanding and process: both teams speak different languages and have different expectations. There is a long learning curve to take into consideration if you start this journey. IT must understand OT and the other way around. This understanding must not be limited to technical aspects; the processes must also be taken into consideration. For example, ITIL processes are not well known by most OT teams.

For the reasons listed above, it's important to build a strong governance. You should have a dedicated team in charge of the convergence process, with clear roles and responsibilities and the right level of expertise in IT and OT.
And maybe most important: trust must be created between both teams.

Thursday, January 5, 2023

How to use the Ansible Vault ?

If you are using a clear-text password in your YAML file, you can encrypt the file with ansible-vault.


  • How to encrypt the credentials ?

#ansible-vault encrypt MyCredentials.yml

New Vault password: <Enter the password and store it in a safe place>
Confirm New Vault password: <Enter the same password>
Encryption successful

  • How to view the encrypted credentials ?

#ansible-vault view MyCredentials.yml

Vault password: <Enter the password previously chosen>

  • How to change data in your file (for example your credentials) ?

Decrypt the file MyCredentials.yml:

User@Ansible-Host:~/> ansible-vault decrypt MyCredentials.yml
Vault password: <known_key>
Decryption successful


Edit the file with your preferred editor (vim/nano) by changing the data.

Then encrypt the file again:

User@Ansible-Host:~/> ansible-vault encrypt MyCredentials.yml
New Vault password: <known_key>
Confirm New Vault password: <known_key>
Encryption successful
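The decrypt/edit/encrypt cycle above leaves a window in which MyCredentials.yml sits on disk in clear text, and the usual failure is forgetting the final encrypt step before the file is committed. The guard below is an added example, not from the original post or from the Ansible project: it relies on the fact that files written by ansible-vault start with the header `$ANSIBLE_VAULT;<format>;AES256` (format 1.1, or 1.2 followed by a vault id), and refuses any file that is expected to be encrypted but lacks that header. The file names and contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): refuse plaintext where a
# vault-encrypted file is expected, e.g. from a pre-commit hook.
# Assumption: ansible-vault output begins with "$ANSIBLE_VAULT;1.1;AES256"
# or "$ANSIBLE_VAULT;1.2;AES256;<vault-id>".

is_vault_encrypted() {
    # Returns 0 when the first line of "$1" carries the ansible-vault header.
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

check_vault_files() {
    # Returns 0 when every argument is vault-encrypted, 1 otherwise,
    # naming each offending file on stderr.
    rc=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "REFUSED: $f is not ansible-vault encrypted" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files for a stand-alone run (the hex body is a placeholder,
# not real vault output).
tmpdir=$(mktemp -d)
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '00000000placeholder00000000' > "$tmpdir/MyCredentials.yml"
printf '%s\n' 'db_password: ChangeMe123' > "$tmpdir/plain.yml"

check_vault_files "$tmpdir/MyCredentials.yml" && echo "MyCredentials.yml is encrypted"
check_vault_files "$tmpdir/plain.yml" || echo "plaintext caught before commit"
```

Wire `check_vault_files` to the list of staged files whose names mark them as secrets (the example uses MyCredentials.yml as the page does) and the commit is refused whenever one of them is still in clear text. Note that this only detects that a file is encrypted; it does not verify the password or the integrity of the ciphertext, which ansible-vault itself does at decrypt time.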

2023 - New Posts - I'm back

After a long pause, I have decided to share my experience again. I will publish more articles on several topics, no longer just networking. The following areas will be covered:

  • IT/OT Convergence. For this specific area, I would like to cover the technical challenges but also the organizational changes that this convergence brings.
  • IoT 4.0 and cybersecurity.
  • Advanced firewalling.
  • Ansible and Automation.


Friday, June 10, 2016

BGP Conditional Advertisement

This BGP feature can filter a subnet advertisement based on a certain match (AS-PATH, presence of a subnet in the routing table, ...). In our example below, we can imagine that AS100 is ISP1 and AS200 is ISP2. In most cases, we monitor only the status of the directly connected interface. But in our case, we will monitor the presence of the subnet 20.20.20.0/24, which is advertised by ISP1.
By default, we only advertise the subnet 50.50.50.0/24 to ISP1, and if the subnet 20.20.20.0/24 disappears, we announce it to ISP2 as well. We can typically use this feature when ISP2 is more expensive than ISP1.

  • Configuration:

R1:
interface Loopback50
 ip address 50.50.50.50 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.150.1 255.255.255.0
!
router bgp 50
 network 50.50.50.0 mask 255.255.255.0
 neighbor 192.168.50.2 remote-as 100
 neighbor 192.168.150.3 remote-as 200
 neighbor 192.168.150.3 advertise-map NOT_ANNOUNCE_R3 non-exist-map ADVERTISE
!
ip prefix-list LO20 seq 5 permit 20.20.20.0/24
!
ip prefix-list LO50 seq 5 permit 50.50.50.0/24
!
route-map NOT_ANNOUNCE_R3 permit 10
 match ip address prefix-list LO50
!
route-map ADVERTISE permit 10
 match ip address prefix-list LO20

R2:
interface Loopback20
 ip address 20.20.20.20 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.50.2 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.100.2 255.255.255.0
!
router bgp 100
 network 20.20.20.0 mask 255.255.255.0
 neighbor 192.168.50.1 remote-as 50
 neighbor 192.168.100.3 remote-as 200

R3:
interface Ethernet0/0
 ip address 192.168.100.3 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.200.3 255.255.255.0
!
interface Ethernet0/2
 ip address 192.168.150.3 255.255.255.0
!
router bgp 200
 neighbor 192.168.100.2 remote-as 100
 neighbor 192.168.150.1 remote-as 50


  • Initial behavior:

R3 sees subnet 50.50.50.0/24 only from R2:
R3#sho ip bgp
     Network          Next Hop            Metric LocPrf Weight Path
 *   20.20.20.0/24    192.168.150.1                          0 50 100 i
 *>                   192.168.100.2            0             0 100 i
 *>  50.50.50.0/24    192.168.100.2                          0 100 50 i
We can check that R1 is not advertising the subnet to R3:
R1#sho ip bgp neighbors 192.168.150.3 advertised-routes
     Network          Next Hop            Metric LocPrf Weight Path
 *>  20.20.20.0/24    192.168.50.2             0             0 100 i
R1#sho ip bgp neighbors 192.168.50.2 advertised-routes
     Network          Next Hop            Metric LocPrf Weight Path
 *>  50.50.50.0/24    0.0.0.0                  0         32768 i
R1#sho ip bgp neighbors 192.168.150.3 | in Conditio
  Condition-map ADVERTISE, Advertise-map NOT_ANNOUNCE_R3, status: Withdraw

  • Now the subnet 20.20.20.0/24 is removed from the routing table:

R2(config)#int lo20
R2(config-if)#shut

We can check that R1 is now advertising the subnet to R3:
R1#sho ip bgp neighbors 192.168.150.3 | in Conditio
  Condition-map ADVERTISE, Advertise-map NOT_ANNOUNCE_R3, status: Advertise
R1#sho ip bgp neighbors 192.168.150.3 advertised-routes
     Network          Next Hop            Metric LocPrf Weight Path
 *>  50.50.50.0/24    0.0.0.0                  0         32768 i

R3#sho ip bgp
BGP table version is 18, local router ID is 192.168.200.3
 *>  50.50.50.0/24    192.168.150.1            0             0 50 i
 *                    192.168.100.2                          0 100 50 i
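The decision R1 takes in the two "status:" outputs above can be modelled in a few lines. The following is an added Python example, not code from the original post and not Cisco's implementation: the `Route` tuple, the table contents and the exact-match prefix-list semantics (a `permit X/Y` entry without `ge`/`le` matches only that exact prefix) are assumptions of this model, and it evaluates the non-exist-map against the BGP table, which is what the `sho ip bgp` outputs show.

```python
"""Added example (not from the original post): a model of BGP conditional
advertisement as configured on R1 (advertise-map NOT_ANNOUNCE_R3,
non-exist-map ADVERTISE). Sample tables are constructed from the outputs
shown on the page; the Route tuple is an assumption of this model."""
from ipaddress import ip_network
from typing import NamedTuple


class Route(NamedTuple):
    prefix: str       # e.g. "20.20.20.0/24"
    next_hop: str     # "0.0.0.0" for locally originated routes
    as_path: tuple    # () for locally originated routes


def prefix_list_matches(route: Route, prefix_list: list) -> bool:
    """Exact-match semantics of 'ip prefix-list ... permit X/Y' (no ge/le)."""
    net = ip_network(route.prefix, strict=False)
    return any(net == ip_network(p, strict=False) for p in prefix_list)


def conditional_advertisement(bgp_table, advertise_map, non_exist_map):
    """Return (status, routes_to_advertise) for one neighbor.

    If ANY route in the BGP table matches the non-exist-map, the status is
    'Withdraw' and nothing selected by the advertise-map is sent to that
    neighbor. Once no such route exists, the status flips to 'Advertise'.
    """
    if any(prefix_list_matches(r, non_exist_map) for r in bgp_table):
        return "Withdraw", []
    return "Advertise", [r for r in bgp_table if prefix_list_matches(r, advertise_map)]


# The two prefix-lists from R1's configuration.
LO20 = ["20.20.20.0/24"]   # non-exist-map ADVERTISE
LO50 = ["50.50.50.0/24"]   # advertise-map NOT_ANNOUNCE_R3

# Constructed: R1's BGP table while ISP1 (AS100) still advertises 20.20.20.0/24.
R1_TABLE_INITIAL = [
    Route("20.20.20.0/24", "192.168.50.2", (100,)),
    Route("50.50.50.0/24", "0.0.0.0", ()),
]
# Constructed: R1's BGP table after R2 shuts Loopback20.
R1_TABLE_AFTER_SHUT = [Route("50.50.50.0/24", "0.0.0.0", ())]


def status_initial():
    return conditional_advertisement(R1_TABLE_INITIAL, LO50, LO20)


def status_after_shut():
    return conditional_advertisement(R1_TABLE_AFTER_SHUT, LO50, LO20)


if __name__ == "__main__":
    for label, fn in (("initial", status_initial), ("after shut", status_after_shut)):
        status, routes = fn()
        print(f"{label}: status {status}, advertising {[r.prefix for r in routes]}")
```

Two things the model makes explicit: the condition is "no route matching the non-exist-map exists at all", so a route that is present but not best still keeps the status at Withdraw, and on the real router the status is re-evaluated by the periodic BGP scanner rather than the instant the route disappears, which is why the two `| in Conditio` checks on the page are taken some time apart.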

Monday, May 9, 2016

Simple regular expression Cisco CLI (AND)

This small memo explains how to use a show command pipe to get an AND regular expression. For example, what we would like to write is:
show interfaces status | include textA AND textB

In order to perform this action, you can use this expression (note that textA must appear before textB on the line):
show interfaces status | in textA.*textB

Example, show all interfaces Gi1/2/ which are connected:
show interfaces status | in Gi1/2/.*connected