6127

Get a Live Demo

You need to see DPS gear in action. Get a live demo with our engineers.

White Paper Series

Check out our White Paper Series!

A complete library of helpful advice and survival guides for every aspect of system monitoring and control.

DPS is here to help.

1-800-693-0351

Have a specific question? Ask our team of expert engineers and get a specific answer!

Learn the Easy Way

Sign up for the next DPS Factory Training!

DPS Factory Training

Whether you're new to our equipment or you've used it for years, DPS factory training is the best way to get more from your monitoring.

Reserve Your Seat Today

Network Security Upgrade Best Practices for Remote Monitoring Migration

By Andrew Erickson

October 16, 2022

Share: 

Network security is important, but so is the actual service you provide and the remote alarm monitoring that protects it. It's always true that we have to strike a balance between security and convenience.

How do you find the right balance, ensuring that you can work within the security mandates that are handed down to you? Let's walk through some best practices, using one of my recent client visits as a real-world example.

I just visited a client moving alarm monitoring from IT network to OT network for a security upgrade

I just got back from a visit with one of my large, long-time railway clients. We actually talked about several different projects while I was in town.

An upcoming network security enhancement, in particular, gives us a great example of how to properly handle a these inevitable migrations.

In short, this client has a comprehensive initiative to separate OT systems from the IT network. This creates segmentation that can hinder an type of cyber intrusion that might happen in the future. With an extra firewall separating IT and OT, it will be more difficult for intruders on one side to penetrate the other.

Of course, this network segmentation for security purposes also creates difficulties for the staff I work with who is responsible for this railway's remote monitoring systems. They have to understand and properly navigate a migration without any significant system downtime.

Fundamentals of IT networks vs. OT networks

In the world of network security, there are really two different types of systems: OT and IT.

OT networks are operational networks that exist to control physical devices. They often contain machines like Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), or other types of industrial equipment. These days, some OT networks might also contain Internet of Things (IoT) devices.

IT networks, on the other hand, exist to support business applications. They might contain servers, workstations, and other types of office equipment. IT networks might also have some IoT devices, but these are usually secondary to the business applications that the network was designed to support.

OT and IT networks have different security requirements. OT networks, for example, are often subject to regulatory compliance mandates like NERC CIP. These compliance regimes usually have very specific requirements for how network devices should be configured and monitored.

IT networks, on the other hand, are often less regulated. They might still have some compliance requirements, but these are usually less stringent than what you find in the OT world.

The challenge, of course, is that most remote monitoring systems have to support both OT and IT networks. They have to be able to collect data from devices on both types of networks and then send that data back to a central location for analysis.

This can be a difficult balancing act. On the one hand, you want to make sure that your remote monitoring system is secure. On the other hand, you also need to make sure that it's able to support the specific requirements of both OT and IT networks.

Tensions rose between the remote monitoring team and the security team

The natural tension between security and other departments briefly became a factor during this IT-to-OT security migration.

I had been attending a recurring meeting designed to keep the security migration moving forward. I was invited by the people I've worked with for years, while the security team I'd only known in context of this project.

Naturally, I started off having a better appreciation for the concerns of the remote monitoring staff. From their perspective, the specifics of the upcoming cutover were unclear. We were both afraid that, after moving the T/Mon master stations to the OT network, we might be stuck in a situation with no network visibility.

Even so, I still empathized with the dilemma faced by all security and legal teams. When you get no credit for improved functionality but heavily punished for any kind of expensive incident, it's natural that you want to avoid risk entirely.

I made a drawing that resolved the conflict at the next meeting

It was in this context, with the remote monitoring team uncertain about the transition specifics and the security team understandably rigid in its planning, that I was asked to help provide clarity.

Although we already had quite a detailed drawing created by the security team, my assignment was to make a simpler drawing that reflected our understanding of the plan.

I essentially reduced everything to just a handful of numbered steps with connectivity-verification steps to be performed after each one.

After we stepped through this drawing at the next meeting, the security team immediately understood our concerns and reassured us. We would absolutely be in control of our monitoring devices during the migration period. With a staff member at each equipment site, it would be simple to move back and forth as needed to maintain monitoring uptime.

The final transition to the OT network would only be finalized after it was confirmed to work without issue.

Give me a call so I can help you with your project

The best way to find the balance between security and functionality is to work with a remote monitoring vendor who has experience in both OT and IT networks. That way, you can be sure that your system will be secure and that it will be able to support the specific requirements of both types of networks.

If the story above sounds unusual to you, that's probably because you don't expect an equipment vendor like DPS to perform the type of "above and beyond" service that you read about here. I wasn't getting paid to spend an hour making a drawing, but I did it anyway.

Our strategy at DPS is to make sure you're thrilled about every project. That way, we can move forward to future projects together. If I can help by attending recurring meetings, making a drawing, or doing anything else that's reasonable, I'll do that for you.

To get this level of service for your project, give me a call at 1-800-693-0351 or email me at sales@dpstele.com. I'll make sure you're matched with the best possible account manager for your needs.

Share: 
Andrew Erickson

Andrew Erickson

Andrew Erickson is an Application Engineer at DPS Telecom, a manufacturer of semi-custom remote alarm monitoring systems based in Fresno, California. Andrew brings more than 17 years of experience building site monitoring solutions, developing intuitive user interfaces and documentation, and opt...