Reimagining NAC - Part 1

In this series I want to talk about NAC in OT environments.

“First thing’s first, what the heck is NAC?”

Network access control (NAC), also known as network admission control, is the process of restricting devices from gaining access to a network. NAC ensures that only devices that are authorized can enter the network.

“Hmm, that sounds like a good enough idea in principle, but it also sounds like some IT/Security thing. You know what I’m talking about - the kind of thing they deploy into our control systems that cause us downtime and headaches. How many people have NAC deployed in OT today?”

I can count on…0 hands how many controls-managed OT networks I have encountered in 15 years that have NAC deployed, and on 1 hand OT networks managed by IT that have some variation.

“Ok so I was right. No one does it because it’s probably a headache.”

I agree that traditional or Enterprise NAC is a very challenging fit for OT. Why?

  1. For starters it requires the network to consist of 100% managed switches.

    That eliminates more than half of the OT networks I encounter.

  2. It requires tight and heavy integration between the NAC platform, the managed switches, and the network hosts. This often means going all in on the same vendor for NAC and switches, or having a very specific switch vendor (Cisco) that a 3rd-party NAC platform has built its solution around. Not to mention most OT hosts don’t support the features required to fully participate in an enterprise NAC deployment. These solutions were designed for Enterprise IT/Sec, not for OT; they require a pretty heavy lift to deploy and are often not simple to administer.

    And there went the rest 🤣

“Right, so…why are we still talking?”

I’ve often had customers express concern they don’t know when something/someone plugs into the network (sprawling system covering a large area, employees and contractors regularly in and out, etc.). But more significantly even if they had a platform tell them a new device plugged in (several solutions can do this part without too much trouble), they certainly don’t have the ability to CONTROL with the click of a button if that device is allowed or should be given the boot.

[In my best Morpheus voice] What if I told you…it didn’t have to be this way? What if I said that YOU, the controls engineer, automation manager, etc., could drop something small into your network and easily manage basic NAC through a simple Web UI?

Oh, and what if I said it could work on ANY network segment, completely independently of any switch integration or host configuration? What if I said it could work even on a network with mixed managed and unmanaged switches or…wait for it…entirely unmanaged switches?

“I would say you’re probably wrong.”

I have seen this work. A while ago I posted about a consumer product I stumbled across that got me thinking about a novel application for basic NAC in OT. I did some bench testing, wiresharking, quick tests with some packet generating software, wrote a small functional spec, and guess what?

Stay tuned!
