Industrial networks were not built with threat actors and nefarious cyber incidents in mind. Numerous unpatched systems and insecure protocols have been the status quo as businesses adopted IP-based connectivity to meet new business requirements. Too often “network segmentation” is a phrase tossed around as a “no brainer” guideline, however, it is a complex, multifaceted and ongoing activity.
OT zone segmentation is an effective way to mitigate perimeter breaches, as well as prevent intentional and accidental OT and IoT cyber incidents from spreading. But achieving effective network segmentation requires visibility into your OT network structure, and insight into where vulnerabilities lie.
Recognizing that segmentation is not a monolithic, one-size-fits-all best practice, organizations may seek to review their investments and roadmaps. In this blog we will unpack the principles of segmentation for building defensible architectures, implementing continuous monitoring and detection, and for demonstrating resilience and ensuring business continuity.
Building a Defensible Architecture
The number one reason network segmentation is considered a key and routine best practice is that it helps organizations to build more defensible architectures. By design, network segmentation divides critical parts of networks from other networks. Operational technology (OT), industrial control systems (ICS), or internet of things (IoT) used for critical business processes should be partitioned into distinct security domains.
Networks can also be segmented based on credential access and privileges, policy and rule enforcement or trust, or the amount of traffic a specific network routinely handles. The three main avenues for minimum viable segmentation are subnets, VLANs, and demilitarized zones (DMZs). A DMZ is fundamental for authenticating access and traffic to any OT/ICS networks, either remotely or from enterprise or business networks and functionality.
The ISA/IEC 62443 Standard suggests the use of zones and conduits for more advanced implementations of network segmentation. According to the standard, zones are a grouping of logical or physical asset that share common security requirements based on factors such as criticality and consequence. Conduits on the other hand, are groupings of assets dedicated exclusively to communications and which share the same security requirements. Conduits can also be used to describe tunnels communicating between zones.
Finally, firewall configurations for proper boundary and rule enforcement within and between zones is another critical component of basic network segmentation. Firewall rules can specify that OT and ICS protocols are blocked anywhere outside of specific OT and ICS networks. They can also provide secure alternatives to insecure remote access, establishing a secure shell and cryptographic authorization for accessing critical networks instead. According to the U.S. National Institute of Standards and Technology (NIST), “modern firewalls such as stateful and deep packet inspection devices and devices specifically designed to support OT environments should be considered.”
Implementing Continuous Monitoring and Detection
The main elements for building a defensible architecture do not monitor or analyze communications traffic in real time or at scale. Encryption and secure protocols are caveats to consider for continuous monitoring and detection. While encryption and cryptographic hashes should be applied to OT data storage and communications as often as possible, in reality this functionality is often limited. Many systems may not have the desired features or rely on protocols that are considered insecure.
Intrusion prevention systems and intrusion detection systems are considered robust additions to reinforce network segmentation. However, these solutions do not cover the full visualization of network traffic, known vulnerabilities, and potential threat indicators. Continuous monitoring and detection can visualize traffic to bolster segmentation and can be used as a risk mitigation measure for groups of devices with the same vulnerabilities.
Continuous monitoring and detection provides the agility to navigate, sort, filter, and analyze traffic to, from, and within critical networks based on:
For systems and networks where encryption capabilities are limited and insecure protocols are unavoidable, changes to communications or process activities must be alerted on. If network activity is not monitored in real time, the status of assets is largely unknown, and whether they have vulnerabilities or not these assets cannot be protected without the necessary visibility into their day-to-day functionality.
Demonstrating Resilience and Ensuring Business Continuity
No organization is immune to cyber-attacks; however, many organizations are focused on limiting the severity of impacts and making their operations less attractive targets. When ransomware gang LockerGoga hit one the largest aluminum producers in the world, the organization was forced to take computer systems offline and switch to manual operations. The malicious phishing attack led to costly outages and unanticipated production slowdowns.
Resilience is demonstrated in strategy development and policy enforcement. One strategy to demonstrate resilience is the implementation of a zero trust strategy as much as possible across OT and ICS networks. According to the U.S. National Security Agency, a zero trust model should seek to limit the amount of inherent and unvalidated trust between systems, networks and users.To improve cybersecurity in this complex, interdependent sector, a zero trust approach is becoming an increasingly attractive component of defensible architectures.
Where zero trust may provide a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems, its maintenance can reduce mean time to repair (MTTR). When access policies enforce the segmentation, traffic rules and boundaries outlined above, diagnostics, troubleshooting, and root cause analysis are optimized to ensure business continuity.
Conclusion
Regardless of whether a cyber incident originates on the IT side of the business or was introduced intentionally or accidentally on the OT side, a single firewall separating the boundary between IT and OT is not doing enough. Organizations require more sophisticated and holistic OT cybersecurity programs that still focus on the basics: defensible architectures, monitoring, and resilience.
Without effective OT network segmentation, ransomware and other cyber threats can easily move laterally through an organization to hold critical assets and networks at risk. Without continuous monitoring and detection, threat actors and criminal groups can establish persistent access to systems and networks to exploit at will. Without impact analysis to build resilience from the crown jewels to the board room, cyber incidents will continue to result in business disruption and downtime.
The Solution
Nozomi Networks platform ensures that you can rapidly identify OT/IoT network risks, assess vulnerabilities, and prioritize responses. You’ll also get automated vulnerability assessment functionality, thanks to more detailed risk information including security alerts, missing patches and more. Additionally, real-time asset information with up-to-date configuration data provides the latest device configuration details.
Nozomi Networks delivers deep knowledge of your environment through monitoring of critical processes, plus the ability to leverage AI/ML techniques to correlate root cause analysis with observed anomalies. This allows you to understand what’s happening, explain why it’s occurring, and recommend the best way to respond.
To learn more about how our solution supports an OT network segmentation strategy, watch the video below.