Definition and explanation of OT network segmentation

INTRODUCTION

Industry 4.0 is transforming the way companies manufacture, process and distribute their products, but organizations should be aware that it also comes with risks. There is no question that, in the last years, the attack surface of OT organizations has grown substantially due to increasing interconnectivity and smart automation.

Recent attacks against OT industries have shown how damaging they can get, leading to power outages, supply chain disruptions and other high-impact consequences. At the same time, numerous reports indicate that such attacks are on the rise and have become more targeted and sophisticated.

To protect their systems, a fundamental best practice OT organizations should follow is to implement a defense-in-depth strategy, which is a layer-based approach that leverages different (overlapping) security mechanisms. If attackers get past one layer of protection, they will have to get past the other ones, thus making it more difficult for an attack to succeed.

One of the most important layers in a defense-in-depth architecture is the network which, once secured, will become a strong deterrent against cyber-attacks by managing remote connections and enforcing access controls, controlling communication flows, preventing lateral movement, and containing any potential incidents.

FLAT NETWORKS AND THEIR RISKS

A flat network is a network architecture where all devices are inter-connected and the communication between them is unrestricted. This design is very common because of its simplicity (cheap, easy set-up, fast data flow).

The ideal OT networks were once considered as air-gapped from IT while designed with such flat architecture in mind. However, as ISA Global Cybersecurity Alliance pointed out [1], the OT and IT networks have been constantly converging and a true air gap is no longer practical in such an interconnected world.

“In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network.” [2]

(2011 statement of Sean McGurk the director of the National Cybersecurity and Communications Integration Centre (NCCIC) at the Department of Homeland Security)

Some of the common bad practices when connecting the OT network to the IT/Business network are:

  • Lack of network segmentation
  • Improper configuration of boundary devices (such as a firewalls) and access controls
  • Failure to monitor the network activity
  • Lack of available and fitting services in the OT network (e.g., dedicated time reference)

In the 2015 Ukrainian power grid attack, hackers used the IT network as a pivoting point to detect an open connection to an OT supervision platform, which allowed them to scan the OT network, gather OT hardware information, and develop a custom exploit. [3]

Therefore, having a flat or poorly segmented OT network comes with inherent risks:

  • Increased attack surface. The OT assets and network get exposed to IT-specific threats, but they may lack the usual security controls implemented on an IT network (such as an EDR or IDS/IPS)
  • Easier lateral movement. Attackers can rapidly move through the network, gather important information and, eventually, infect critical systems
  • More difficult detection. Due to the lack of visibility and increased volume of network traffic, detecting threats, containing, and removing them can become challenging.

OT NETWORK SEGMENTATION

DEFINITION

Network segmentation is an approach for protecting assets by grouping them based on both their communication and security requirements.

It is accomplished through creating security zones (e.g., corporate LANs, corporate DMZs, control LANs, control DMZs, Internet, etc.), which are groupings of assets that have similar security requirements, and then applying security controls/conduits to the security zones.

For example, the corporate DMZ is used to protect the corporate LAN by hosting external-facing services to an untrusted network (such as the Internet). Thus, the company’s external resources and services can be accessed without reaching the company’s internal network.

The same logic applies to the control DMZ, but in this case, the untrusted network is usually the corporate LAN. The control DMZ is used to host services like data historians, jump servers, etc., which will interact with both the corporate LAN (business servers and workstations) and the control LAN (HMIs, PLCs, etc.). All communications between these zones should be governed by conduits, defining what is permitted or restricted (e.g., devices in control LAN will be allowed only to push data to the historian and authorized devices in corporate LAN will be permitted only to pull data from the historian).

There are many advantages in designing a DMZ between zones:

  • There is no direct connection between the corporate network and the control network
  • Conduits can be implemented easily for different security zones
  • Unless there is an OT-specific device exposed to the Internet, an attacker will have to infect and pivot through the corporate network in order to get access to the control network.

ADVANTAGES AND DISADVANTAGES OF NETWORK SEGMENTATION

Implementing network segmentation comes with a lot of benefits, some of the most important being:

  1. Increased security. Network segmentation provides a robust security posture by isolating critical zones/assets, reducing the attack surface and containing security breaches or even the effects of non-malicious errors/accidents
  2. Visibility. Understanding the inventory in different zones and dividing the network into separate segments provide visibility over the network traffic and assets, while also making it easier to monitor, detect and respond to suspicious activities and/or incidents
  3. Compliance. Depending on the industry and country, implementing network segmentation can help in achieving “state of the art” regulatory requirements and industry standards (e.g., meeting KRITIS requirements in Germany)

While network segmentation brings a lot of advantages, it should not be overlooked that if it is not defined properly and implemented according to the organization needs and resources, it could lead to major drawbacks as:

  1. Operational overhead. A complicated network segmentation can lead to increased complexity in managing and monitoring the network (too many segments, multiple firewalls, numerous rules, and policies). If you would like to read more about why over-segmentation can become counter-productive, check our article here
  2. Risk of misconfigurations. Complexity, lack of resources and planning can lead to security misconfigurations and/or operational issues
  3. Costs. Implementing and maintaining such a secure network architecture will require additional resources in terms of people, processes, and technologies

BEST PRACTICES FOR OT NETWORK SEGMENTATION

When implementing OT network segmentation, it is recommended to follow the best practices in the industry in order to achieve a successful implementation. The list below is not exhaustive, but comprises some of the most important best practices to be considered:

  1. Identify all assets in the OT environment, document network and information flow diagrams and rank their criticality to operations
  2. Establish a plan of implementation, have clear segmentation principles, and communicate them to every stakeholder (the plan should include zones, assets, communication matrix, dependencies, conduits, etc.)
  3. When defining conduits, the key word is trust. Always consider the trust relationship between zones and the degree of control your organization has over a specific zone (e.g., another zone in the same organization, the Internet, etc.)
  4. Implement demilitarized zones (DMZs) and firewalls between the OT network and IT network. There should be no direct connections between the OT network and the IT network. The firewalls should be properly configured (remove “any-to-any”, constantly review rulesets and policies, monitor system performance and resources etc.)
  5. Document and manage remote connections, no matter if it is an internal employee or a vendor
  6. A well-segmented network should find inspiration in the Purdue Enterprise Reference Architecture, but the implementation should be realistic based on the organization needs and resources. If you would like to read BxC’s perspective on the Purdue Model, check our article here.

BXC TAKEAWAY

We, at BxC, believe that network segmentation done right is a powerful instrument for protecting OT networks. Organizations should be aware that carefully planning the network with security in mind requires time and effort. Every stakeholder should be aware of the advantages and the purpose of securing the network. Thus, communication is key before, during and after implementing network segmentation. Also, following the best practices in the industry and avoiding under or over-segmentation by finding the right balance will contribute substantially to the success of such a project.

SOURCES

[1] https://gca.isa.org/blog/common-ics-cybersecurity-myth-1-the-air-gap

[2] https://www.youtube.com/watch?v=x1URPa1jG60 (min. 58:30)

[3] https://blog.isa.org/lessons-learned-forensic-analysis-ukrainian-power-grid-cyberattack-malware