The Network Gatekeepers: Guarding Our Large Network’s Security with Cisco ISE


You might not have heard of California Steel Industries, but you undoubtedly know many companies that use our products. And chances are you’ve used our products yourselves. We are the only steel mill on the West Coast of the United States. The majority of the steel found on the West Coast comes directly from our plant.

Interestingly enough, a company’s IT systems network is a lot like the products we provide our customers: it’s mission critical, but often not thought about. Despite the IT network not getting much widespread attention, it’s a crucial part of a company’s productivity and, ultimately, its outputs. 

But reliability on its own isn’t enough—the network must be secure as well. There are so many industry secrets and competitive advantages that we need to protect. The way we make our products is almost like the Coca-Cola secret recipe. You don't give that information to just anybody—you have to protect it.

Small City, Lean Ops, Big Outputs

Our networking team maintains our physical infrastructure and the connectivity to our manufacturing equipment. This is no small task. Our facility covers 440 acres, and each mill is unique in its vast size and height. These aren't like your typical downtown office buildings: these mills extend up to a mile long.

We manufacture steel 24 hours a day, seven days a week, 365 days a year. But our IT department doesn't have a 24-hour shift. We only work our day shift, which covers from 7 a.m. to 6 p.m. This entire network is maintained by my junior administrator and me. It’s a lean operation. 

Despite our small team, there are thousands of employees we oversee, and roughly a thousand contractors on top of that. Managing everything is difficult enough, but securing that environment was getting downright impossible. 

We had a big problem with unauthorized activity on the network. People would bring in their own devices and plug them into the network. Others would effectively try to turn their work PC into a personal one. Nearly every case consisted of the end user attempting to circumvent the security posture of the network.

This was a major security risk because we didn’t have the necessary visibility into these devices and their contents. Our small team needed complete visibility into what our employees were connecting to, on what device, and where they were located. 

Locking down your entire network is a short-sighted security fix.

At first, we tried to lock everything down and not authorize any outside devices connecting to our network. But that’s an old-school approach, and our people immediately started experiencing problems. Sometimes, people were using other devices for genuine business purposes, and by locking them all out of the system, that ultimately hindered productivity. With that option off the table, we knew that we needed an actual solution for our security needs. 

A Familiar Solution

Thanks to my previous work experience, I already knew a lot about Cisco Identity Services Engine (ISE). I knew it could provide us with full visibility into our network. I didn't know of any other solutions at the time that could handle 802.1X authentication on a network and have full visibility on both the wired and wireless networks.

We were already implementing Cisco switches to support a voice network, so I took the product data sheet right from Cisco's website. I handed it up to management and told them that Cisco ISE would fix our problem. They told me to run with it. They knew we needed insights into our network and trusted my recommendation.

When it came time for implementation, I needed some help. I know a lot about 802.1X authentication, but not enough to comfortably roll this out myself. So we decided to go with support services from our Cisco third-party provider, Micro Data Systems Incorporated (MDSi). Our solutions architect, Dan Crews, did a phenomenal job with the implementation. The implementation went smoothly, and we found no challenges that could not be resolved with ease.

Gaining Visibility, Reducing Security Risks

Before Cisco ISE, we had no idea what was going on in our network. We thought we knew, but as we began to create the necessary device profiles, we realized that we didn’t know how many different device types we actually had on our network. It was surprising.

But with Cisco ISE, we know exactly which devices are on the network. We know who’s using them and for what purpose. From a network security standpoint, knowing what's going on within our network is critical, especially in our manufacturing facilities. We can’t protect and troubleshoot what we can’t see.

Visibility = security. You can’t protect and troubleshoot what you can’t see.

Cisco ISE also allowed us to react better to security incidents. We're located by a major city street where thousands of people travel every day. People pass by and they see our wireless network, so they’ll try to brute-force attack our network to gain access to free WiFi. 

Who knows who these people are, or what their intentions are? Cisco ISE let us lock down our network through 802.1X authentication with certificates and multi-factor authentication, which is key to protecting our industry secrets and our information. We've implemented this on both the wired and wireless networks. We're also using Cisco pxGrid so we can have better log correlation and see what's going on at our entry points.

Over the past year, we've undertaken huge business changes to make this happen. When you have PLCs from the early 1990s that cannot be configured for classless routing, what do you do? The old PLCs don't understand the newer protocols and won't work on modern networks, which led to a lot of integration issues. Thankfully, we were able to integrate ISE with the older equipment.

Prior to ISE, we used to get dozens of port-security violation notifications a day. People were trying to plug devices in to gain access to the network. Once we implemented ISE, just about all of that went away. Authentication and authorization are now required before a device is granted access to the network, so only a device that has already been authorized can even trigger a port-security violation.

Since we've implemented Cisco ISE, we've had a dozen or fewer port-security violations. All of those violations were legitimate people trying to troubleshoot their system themselves, plugging their device into various ports. If end users connect devices that don't have the proper certificates, those devices are unauthorized and will not be allowed onto the network. So in a way, we've done away with the false positives, and now we only get notified for genuine issues.
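The log correlation described above (802.1X results on one side, port-security violations on the other, tied together by MAC address) can be shown with a small script. This is an added example, not the author's tooling and not Cisco's pxGrid API or ISE's log schema; it works on constructed syslog lines that follow the general shape of Cisco IOS %DOT1X and %PORT_SECURITY messages, with made-up switch names, MAC addresses, ports and session IDs. The triage rules (a violating MAC that authenticated elsewhere is a known device on the wrong port; one that never authenticated is unknown) are the distinction the text draws between legitimate troubleshooting and a genuine issue.

```python
"""
Classify and correlate IOS-style 802.1X and port-security syslog events.
Added example: not from the original article, Cisco ISE, or pxGrid.
Log lines, device names, MACs and session IDs are constructed.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines (assumption: IOS-style message formats).
SAMPLE_LOG = """\
<189>Mar  3 08:01:12 sw-mill1 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID 0A0000010000001A
<189>Mar  3 08:02:40 sw-mill1 %DOT1X-5-FAIL: Authentication failed for client (aabb.ccdd.eeff) on Interface Gi1/0/7 AuditSessionID 0A0000010000001B
<186>Mar  3 08:03:05 sw-mill1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/9.
<186>Mar  3 08:04:55 sw-mill1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.dead.beef on port GigabitEthernet1/0/12.
<189>Mar  3 08:05:10 sw-mill1 %DOT1X-5-FAIL: Authentication failed for client (aabb.ccdd.eeff) on Interface Gi1/0/7 AuditSessionID 0A0000010000001C
"""

DOT1X_RE = re.compile(
    r"%DOT1X-5-(?P<result>SUCCESS|FAIL): Authentication (?:successful|failed) "
    r"for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<port>\S+)"
)
PSEC_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>[^.\s]+)"
)

# Long and short interface names both appear in IOS logs; map to the short form.
PORT_PREFIXES = (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa"))


def normalize_port(name):
    for long, short in PORT_PREFIXES:
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_events(log_text):
    """Turn raw syslog text into a list of dot1x / port-security event dicts."""
    events = []
    for line in log_text.splitlines():
        m = DOT1X_RE.search(line)
        if m:
            events.append({"kind": "dot1x", "result": m["result"].lower(),
                           "mac": m["mac"], "port": normalize_port(m["port"])})
            continue
        m = PSEC_RE.search(line)
        if m:
            events.append({"kind": "psec_violation", "mac": m["mac"],
                           "port": normalize_port(m["port"])})
    return events


def correlate(events):
    """Per-MAC verdict: join 802.1X outcomes with port-security violations."""
    authenticated = set()
    failures = defaultdict(int)
    violations = defaultdict(list)
    for e in events:
        if e["kind"] == "dot1x":
            if e["result"] == "success":
                authenticated.add(e["mac"])
            else:
                failures[e["mac"]] += 1
        else:
            violations[e["mac"]].append(e["port"])

    report = {}
    for mac in authenticated | set(failures) | set(violations):
        viol_ports = violations.get(mac, [])
        if viol_ports and mac in authenticated:
            verdict = "known device on unexpected port"      # user troubleshooting, per the text
        elif viol_ports:
            verdict = "unknown device triggered port security"  # never passed 802.1X anywhere
        elif failures.get(mac):
            verdict = "unauthorized device rejected by 802.1X"  # no certificate, never got on
        else:
            verdict = "authenticated"
        report[mac] = {"verdict": verdict, "dot1x_failures": failures.get(mac, 0),
                       "violation_ports": viol_ports}
    return report


def triage(log_text=SAMPLE_LOG):
    return correlate(parse_events(log_text))


if __name__ == "__main__":
    for mac, info in sorted(triage().items()):
        print(f"{mac}: {info['verdict']} (802.1X failures={info['dot1x_failures']}, "
              f"violations on {info['violation_ports'] or 'none'})")
```

Against a real ISE or pxGrid feed the parsing layer would change (ISE's authentication log fields replace the %DOT1X lines), but the join on MAC address and the three verdicts are the same.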

A Compatible Match: Plan Ahead for Smooth System Integration

If I could do this implementation all over again, there's one thing I'd do differently. Knowing we were going to implement Cisco ISE, I would have looked at the compatibility matrices and verified that our equipment would work with ISE. As we're a manufacturing facility, we have Cisco's industrial products: the IE 1000 switches on the production lines. Unfortunately, those switches are not supported by ISE.

That led us into some huge challenges that we had to overcome to make sure everything on the production line was getting authenticated and could talk on the network. We knew three years ago that Cisco ISE would be a viable solution down the road, and when we started replacing our production line switches with conventional switches, we completely missed that. We should have gone for the IE 3000 series rather than the IE 1000 series. So if Cisco ISE is on your horizon, check those compatibility matrices before you buy switches.

Protecting Our Most Expensive Assets

Despite those temporary setbacks, we now have complete visibility into our network. In the steel industry, our manufacturing equipment is our most expensive and valuable asset, so we need to guard it accordingly. We are now fully protected with Cisco ISE.

This means my team can be confident knowing we have coverage and will only get after-hours notifications when things actually go wrong. And we can get as granular with security as we need to.

Our employees and contractors don’t even try to bring their own devices into work now, because they know they can’t use them. By being able to customize Cisco ISE to our environment and unique needs, we’ve effectively secured our environment. Our 440-acre, multiple-mill facility is now guarded by our lean IT team with the right tools and the right system. Cisco ISE helps keep our IT network in its optimal state: secure, unseen, and the backbone of our operations.