Bradford Networks’ Network Sentry Provides Security for Distributed Industrial Control Systems
As critical infrastructure and utilities continue to evolve with the demands of their ever-changing marketplace, these organizations are also tasked with hardening their systems to ensure that delivery is never disrupted by security threats that take advantage of out-of-compliance endpoints. This can be a special challenge for energy providers, whose industrial control systems (ICS) are often highly distributed. Requisitioning IT staff to personally maintain and update wide-ranging systems is not practical. Yet visibility, control, and response over these systems is crucial.
A leading oil and gas company with 5,000 endpoints across 200 locations in North America chose Bradford Networks to help secure its distributed endpoints and legacy equipment. Using Network Sentry by Bradford Networks, this customer ensured uptime and reliability of service while gaining security and visibility across the entire network infrastructure. Network Sentry provided centralized control over widely dispersed locations without difficult hardware installations or complex legacy equipment upgrades.
Environment
- Primarily Cisco industrial infrastructure, some HP switching
- Industrial IoT and ICS endpoints throughout

Challenges
- Secure a large distributed environment of more than 200 locations with legacy Cisco and HP equipment and over 5,000 concurrent endpoints
- Remotely secure and manage critical infrastructure at remote locations with limited network bandwidth
- Implement simple, scalable network access policies on legacy equipment that could not support 802.1X

Solution
- Network Sentry, Bradford Networks’ network access control solution

Benefits
- Full visibility into all managed and unmanaged IoT devices, endpoints, and users
- Zero-trust network architecture, where all endpoints are validated and authenticated prior to gaining access to any corporate production network
- Automated detection and isolation of unknown/rogue endpoints
- Comprehensive live inventory of network connections to share with IDS/IPS, SIEM and CMDB solutions
This oil and gas customer had a difficult requirement: no unknown or non-compliant endpoints were to access the corporate production network. A non-compliant endpoint needed to be instantly quarantined from the rest of the corporate network until the issue was resolved (e.g. the endpoint was patched to a required level).
This requirement was hard to enforce because the network profile included both large corporate office locations tied to employee users and extremely distributed, remote switches that rarely had any human interaction. For example, one switch was located in a remote oil field. Some of the company’s remote ICS infrastructure consisted of legacy equipment that could not support 802.1X authentication, so a creative means of implementing network access control without a RADIUS server or 802.1X was needed.
In addition, many of the company’s remotely located endpoints had limited bandwidth, so maintaining network performance and integrity during NAC setup or maintenance was another key concern. In the past, when redirecting traffic to set up port mirroring, the customer had experienced cost-prohibitive performance degradation. Understandably, they wanted to avoid this when implementing any future NAC deployment.
Selecting the Best Network Access Control Solution
After extensive evaluations of three other “market leading” network access control solutions, this customer chose Network Sentry by Bradford Networks. In their evaluations, they determined that Network Sentry would definitively meet their requirements, effectively addressing their organization’s unique challenges. Plus, it would enable them to scale easily, taking advantage of additional, more advanced features in the future.
The customer addressed their limited-bandwidth concerns without appliance installations at remote sites, as Network Sentry is centralized and has no bandwidth allocation requirement.
Fast, effective endpoint control was implemented with little ramp-up time. By deploying the vendor-agnostic Network Sentry, the customer’s network security plans covered all new and legacy Cisco and HP switches and endpoints, without lengthy setups or upgrades. Because Network Sentry supports legacy equipment, the customer gained powerful network access control without relying on 802.1X.
The robust security also came at a cost-effective price point — hundreds of thousands of dollars less than competitors’ network access control solutions.
With Network Sentry, the customer was able to achieve complete visibility across their entire corporate network with a live inventory of all connections — including those highly-distributed, remote switches — as well as endpoints and users at all 200 locations. This arsenal of comprehensive data proved invaluable in providing greater context and deriving increased value from their existing SIEM, IDS/IPS and CMDB solutions.
The customer easily implemented and enforced robust network access control policies within the first year of Network Sentry deployment. They were able to validate all endpoints connecting to the corporate network and automatically deny access to any rogue device that had fallen out of compliance.
Thanks to the unparalleled visibility and control with Network Sentry, this customer plans to expand their deployment to cover their SCADA network as soon as their corporate network reaches a fully-managed state.