January 3, 2024
January 7, 2025

Be the Packet: The Challenge for Architecting IEC 62443 Zones and Conduits


Early in my networking career, I met a network engineer who taught me the most valuable networking lesson I have ever received. We were troubleshooting a complex problem in a lab configuration for a customer, and he said, “We got this; just be the packet!” 

It was a simple phrase, but its impact on me at the time was profound. Troubleshooting is all about figuring out what could stop a packet at any step of its journey through the network. In the cybersecurity world, this means thinking through every policy a packet has to pass to reach its destination. Whenever I am confronted with a networking problem or presented with a new architecture, I try to “Be the Packet” and walk myself through how things work.

When I was introduced to IEC 62443’s concept of Zones and Conduits, I approached it the same way. “Ok, I am coming in from the internet; how do I get to the OT network, and what systems do I need to traverse to get there?” In a Defense in Depth model, the more systems you pass through, the better, because each system theoretically makes it harder for hackers to find their way through the security perimeter. In reality, that is not true.

Did you like mazes when you were a kid? Remember how you felt when you got stuck and gave up? What did you do? You might have just quit and left the maze the easy way:

Interestingly, the same thing still happens in IT/OT environments today. One of the stories I often hear from our SEs when BlastWave deploys in a proof-of-concept trial is: “They were having trouble with the firewall policies, so they put a temporary any/any rule in to let our traffic through.” Every customer who has attempted to implement zones and conduits has run into this problem.

The image above immediately makes me think of a hacker breaking through the zones and conduits in IEC 62443 (Ok, it makes me think about this problem because I am currently focused on IEC 62443, but you get the point!).

To progress from the internet (or even the IT network) “deep into” the OT network, the network administrator has to think through every user, system, and protocol that needs to get from point A to point B and create policies that allow these (and only these) through. That is what Zones and Conduits are supposed to deliver. Any programmer who has struggled with nested if-else logic can testify to the challenge (fun image below!) of walking through all of the conditions to determine whether traffic will be allowed to pass.
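The policy walk described above, and the “temporary any/any rule” from the proof-of-concept story, can be made concrete with a small model. The following is an added example written for this page, not BlastWave’s code or anything from the IEC 62443 standard; the zone names, addresses, and rules are constructed, and the only real-world detail is TCP port 502 for Modbus/TCP. It lets you “be the packet” by evaluating one flow against each conduit on its path with deny-by-default, first-match semantics, and it lints a rule set for allow rules that constrain nothing:

```python
"""'Be the packet' through IEC 62443-style zones and conduits.

Added illustration, not BlastWave's or the standard's own code. Zone
names, addresses and rules below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


def _net_match(spec: str, addr: str) -> bool:
    """True if addr falls inside spec (a CIDR) or spec is the wildcard."""
    return spec == ANY or ip_address(addr) in ip_network(spec)


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    proto: str          # "tcp", "udp" or "any"
    port: int | str     # destination port or "any"
    action: str         # "allow" or "deny"
    comment: str = ""

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (_net_match(self.src, src) and _net_match(self.dst, dst)
                and self.proto in (ANY, proto) and self.port in (ANY, port))

    def is_any_any(self) -> bool:
        return (self.src, self.dst, self.proto, self.port) == (ANY, ANY, ANY, ANY)


@dataclass
class Conduit:
    """A policy enforcement point between two zones; first matching rule wins."""
    name: str
    from_zone: str
    to_zone: str
    rules: list[Rule]
    default: str = "deny"   # deny-by-default: only listed flows cross the boundary

    def evaluate(self, src, dst, proto, port) -> tuple[str, str]:
        for rule in self.rules:
            if rule.matches(src, dst, proto, port):
                return rule.action, rule.comment or "(uncommented rule)"
        return self.default, "default"


def be_the_packet(path: list[Conduit], src, dst, proto, port):
    """Walk one flow through each conduit on its path, in order.

    Returns (allowed, trace). The walk stops at the first conduit that
    does not allow the flow, which is where troubleshooting should start.
    """
    trace = []
    for conduit in path:
        action, why = conduit.evaluate(src, dst, proto, port)
        trace.append((conduit.name, action, why))
        if action != "allow":
            return False, trace
    return True, trace


def find_any_any(conduits: list[Conduit]) -> list[tuple[str, Rule]]:
    """Flag allow rules with no source, destination, protocol or port constraint."""
    return [(c.name, r) for c in conduits for r in c.rules
            if r.action == "allow" and r.is_any_any()]


# Constructed example: enterprise zone -> DMZ (jump host) -> OT zone with PLCs.
IT_TO_DMZ = Conduit("it-to-dmz", "enterprise", "dmz", [
    Rule("10.1.0.0/16", "10.2.0.10/32", "tcp", 443, "allow", "engineers to jump host"),
])
DMZ_TO_OT = Conduit("dmz-to-ot", "dmz", "ot", [
    Rule("10.2.0.10/32", "10.3.0.0/24", "tcp", 502, "allow", "jump host to PLCs (Modbus/TCP)"),
])
# The "temporary" fix from the post: an any/any rule dropped in front of the list.
TEMP_IT_TO_DMZ = Conduit("it-to-dmz", "enterprise", "dmz",
                         [Rule(ANY, ANY, ANY, ANY, "allow", "TEMP - remove later")] + IT_TO_DMZ.rules)

if __name__ == "__main__":
    # A workstation talking straight to a PLC is stopped at the first conduit.
    print(be_the_packet([IT_TO_DMZ, DMZ_TO_OT], "10.1.5.20", "10.3.0.7", "tcp", 502))
    # The intended two-hop path: each leg is an explicitly allowed flow.
    print(be_the_packet([IT_TO_DMZ], "10.1.5.20", "10.2.0.10", "tcp", 443))
    print(be_the_packet([DMZ_TO_OT], "10.2.0.10", "10.3.0.7", "tcp", 502))
    # The temporary rule lets anything through, and the linter flags it.
    print(be_the_packet([TEMP_IT_TO_DMZ], "10.1.5.20", "10.3.0.7", "udp", 161))
    print(find_any_any([IT_TO_DMZ, DMZ_TO_OT, TEMP_IT_TO_DMZ]))
```

The trace names the conduit where a flow dies and which rule (or the default) decided it, which is the information an engineer needs instead of reaching for an any/any rule; running `find_any_any` over the live rule set is a cheap check that such a “temporary” rule never became permanent.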

It took me a long time to get to the conclusion, but there is good news. There is a better way to meet the challenge of architecting Zones and Conduits in a simple, powerful, and secure way, which still meets the goals of IEC 62443.

Interested? Join us at our webinar on January 15th: Registration link
