Siemens service experts took a consultative approach with Hindalco and conducted a risk assessment to understand the existing security posture. The findings revealed a pressing need to drive OT security holistically, addressing all layers of the defense-in-depth concept: the governance model, network-layer security and asset-level security. A detailed implementation roadmap was developed, and Siemens service experts went ahead as the preferred partner for implementing these topics. The implementation started with defining a secured reference architecture based on IEC 62443. As an outcome, the following solutions were implemented:
- Building the OT network backbone
Over 20 kilometres of optical fibre cable (OFC) network was laid, and the SCALANCE range of products was used to create the OT backbone and zones. An MRP (Media Redundancy Protocol) ring spanning 28 zones was created, with aggregation at Layer 3 (OT core switches). High availability was established with the MRP and VRRP protocols. Infrastructure for managing antivirus (AV) and patch management through Windows Server Update Services (WSUS) was installed.
- Secure OT-IT integration and Industrial Demilitarized Zone (DMZ)
A Palo Alto PA-445 firewall pair in active-passive redundancy was configured and installed between IT and OT. A threat prevention subscription was also configured to achieve the highest security level at the OT perimeter. The demilitarized zone was configured, and the servers that need to exchange data between IT and OT were moved into it; these included the Syslog server, the SRA Site server, backup, NMS and other operational servers from the plant.
A secure remote access solution from Claroty was configured, with the Claroty Secure Remote Access SAC installed in the customer's IT environment and the Secure Remote Access Site installed inside the OT DMZ.
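The segmentation described above, with every IT-to-OT exchange brokered by a server in the DMZ, can be expressed as a first-match, default-deny zone policy. The following is an added example, not Siemens', Palo Alto's, Claroty's or Hindalco's code: it evaluates flows against such a policy and audits the rule base for any rule that would permit direct IT-to-OT or OT-to-IT traffic. The zone subnets, ports and rule names are constructed assumptions; the plant's real firewall policy is not reproduced.

```python
"""
Added example: minimal zone-based policy evaluator for an IT / DMZ / OT
design. Zones, subnets, ports and rule names are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone definitions (assumption: one subnet per zone).
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int
    action: str     # "allow" or "deny"
    name: str


# Constructed rule set: no rule ever joins IT and OT directly.
# First match wins; anything unmatched falls through to default deny.
RULES = [
    # OT hosts send syslog to, and fetch time from, collectors in the DMZ
    Rule("OT",  "DMZ", "udp", 514, "allow", "ot-syslog-to-dmz"),
    Rule("OT",  "DMZ", "udp", 123, "allow", "ot-ntp-to-dmz"),
    # OT hosts reach DMZ backup and remote-access site servers over TLS
    Rule("OT",  "DMZ", "tcp", 443, "allow", "ot-to-dmz-tls"),
    # DMZ servers relay onward to enterprise services (SIEM, patch sources)
    Rule("DMZ", "IT",  "tcp", 443, "allow", "dmz-to-it-tls"),
    # Enterprise users reach the DMZ remote-access broker only, never OT
    Rule("IT",  "DMZ", "tcp", 443, "allow", "it-to-dmz-tls"),
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone name whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for a single flow under first-match semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return ("deny", "unknown-zone")
    if src == dst:
        # Traffic inside one zone does not cross the perimeter firewall.
        return ("allow", "intra-zone-not-inspected")
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return (r.action, r.name)
    return ("deny", "default-deny")


def direct_it_ot_allows(rules: List[Rule]) -> List[Rule]:
    """Audit check: list every allow rule that joins IT and OT without the DMZ."""
    return [r for r in rules
            if r.action == "allow" and {r.src_zone, r.dst_zone} == {"IT", "OT"}]


if __name__ == "__main__":
    print(evaluate("10.10.5.5", "10.30.1.1", "tcp", 443))      # direct IT -> OT
    print(evaluate("10.30.1.1", "10.20.0.10", "udp", 514))     # OT syslog to DMZ
    print("direct IT<->OT allows:", direct_it_ot_allows(RULES))
```

The audit function is the kind of check worth running every time the rule base changes: a single broad allow rule between IT and OT quietly undoes the purpose of the DMZ even if every other rule is correct.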
- Continuous threat detection
Continuous Threat Detection from Claroty was implemented to identify threats and vulnerabilities in real time and to maintain the asset inventory.
- Backup management solution
Acronis Cyber Protect was deployed across the OT environment to achieve central backup management.
- Log collection and Network Time Protocol (NTP)
SINEC INS software was installed and configured to collect syslogs from the Windows machines and network devices. The logs collected on the SINEC INS server were further integrated with the enterprise-level SIEM solution, providing alerting in case of abnormal events.
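To make the "alerting in case of abnormal events" concrete, here is an added example, not SINEC INS, Siemens or any SIEM vendor's code: it parses a few constructed RFC 3164 syslog lines of the kind a central collector forwards to a SIEM (switch events and Windows security events) and raises alerts on high-severity messages, configuration changes, and bursts of failed logons from one source. The hostnames, message texts and thresholds are assumptions for illustration.

```python
"""
Added example: parse forwarded syslog lines and raise alerts on abnormal
events. Sample lines, hostnames and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample lines (not real SCALANCE or Windows output).
SAMPLE_LOGS = """\
<134>Mar 10 08:00:01 ot-core-sw1 link: port 1/5 up
<132>Mar 10 08:00:05 ot-core-sw1 mrp: ring open, redundancy manager active
<130>Mar 10 08:00:20 ot-core-sw1 config: running-config changed by admin from 10.20.0.50
<36>Mar 10 08:01:00 hmi-ws01 Security: 4625 An account failed to log on, user=operator src=10.20.0.77
<36>Mar 10 08:01:02 hmi-ws01 Security: 4625 An account failed to log on, user=operator src=10.20.0.77
<36>Mar 10 08:01:04 hmi-ws01 Security: 4625 An account failed to log on, user=operator src=10.20.0.77
<36>Mar 10 08:01:05 hmi-ws01 Security: 4625 An account failed to log on, user=operator src=10.20.0.77
<36>Mar 10 08:01:06 hmi-ws01 Security: 4625 An account failed to log on, user=operator src=10.20.0.77
<134>Mar 10 08:02:00 eng-ws02 Security: 4624 An account was successfully logged on, user=engineer src=10.20.0.50
"""

# RFC 3164 framing: <PRI>TIMESTAMP HOSTNAME MSG, where PRI = facility*8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# Windows event 4625 (failed logon) with the source address the agent appended.
FAILED_LOGON_RE = re.compile(r"\b4625\b.*\bsrc=(?P<src>\S+)")

# Detection thresholds (assumptions for illustration).
HIGH_SEVERITY_MAX = 2                      # emerg(0), alert(1), crit(2)
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(seconds=60)


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into facility, severity, timestamp, host and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        # No year in RFC 3164 timestamps; only relative times are used here.
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def detect(lines: List[str]) -> List[dict]:
    """Run the three detections over the lines and return alerts in order."""
    alerts: List[dict] = []
    # Sliding window of failed-logon timestamps per (host, source address).
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            alerts.append({"kind": "unparsable", "host": None, "detail": raw})
            continue
        if ev["severity"] <= HIGH_SEVERITY_MAX:
            alerts.append({"kind": "high-severity", "host": ev["host"], "detail": ev["msg"]})
        low = ev["msg"].lower()
        if "config" in low and "changed" in low:
            alerts.append({"kind": "config-change", "host": ev["host"], "detail": ev["msg"]})
        fm = FAILED_LOGON_RE.search(ev["msg"])
        if fm:
            key = (ev["host"], fm.group("src"))
            win = windows[key]
            win.append(ev["ts"])
            while win and ev["ts"] - win[0] > FAILED_LOGON_WINDOW:
                win.popleft()
            if len(win) >= FAILED_LOGON_THRESHOLD:
                alerts.append({
                    "kind": "failed-logon-burst", "host": ev["host"],
                    "detail": f"{len(win)} failed logons from {key[1]} "
                              f"within {FAILED_LOGON_WINDOW.seconds}s",
                })
                win.clear()   # fire once per burst, not on every further failure
    return alerts


def run_sample() -> List[dict]:
    return detect(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the critical config-change message produces two alerts (one for its severity, one for its content) and the five failed logons within six seconds produce a single burst alert; the successful logon and the informational link event produce none. Real collectors normalise timestamps with a year and time zone before this kind of windowing, which is one reason the NTP service in this section matters.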
SINEC NMS software was deployed for central monitoring and management of network devices. A customized network topology and policies were configured inside SINEC NMS for the central management of the SCALANCE devices.