Magazine | Cybersecurity
Accelerate OT Industrial Network Segmentation

Enhance security, resilience and compliance by understanding five challenges and best practices for reducing cyber risks to operational technology.


From Claroty

Industrial organizations perform critical functions that can impact public safety, the economy and society. As digital transformation accelerates, the cyber-physical systems (CPSs) that underpin industrial organizations have become increasingly interconnected with information technology (IT) and operational technology (OT) networks.

These advancements have made it more difficult for organizations to enhance security, reduce cyber risk, comply with industry regulations and standards, and improve their overall operations. By implementing OT industrial network segmentation, organizations can begin to safeguard the security, resilience and continuity of these operations, and with them the uninterrupted functioning of society and the economy.

What is OT Network Segmentation?

OT network segmentation is the process of dividing networks into smaller isolated segments or zones. This practice allows network administrators to manage the flow of traffic in these subnets based on granular network policies.

Organizations that implement network segmentation can achieve enhanced security and improve overall network management while boosting performance and localizing any technical issues.

Network segmentation is especially important for OT environments because of the critical infrastructure and essential devices used to control and monitor physical processes, such as power plants, manufacturing facilities and transportation systems. OT segmentation includes segmentation within isolated OT environments, as well as separating OT networks from IT networks, the cloud and other CPSs. This helps organizations monitor all network traffic throughout their extended Internet of Things (XIoT).


Why is OT Network Segmentation Important?

With proper OT network segmentation, organizations can prevent the spread of cyberattacks by restricting lateral movement through the network. If a breach occurs in one subnet, it becomes more difficult for an attacker to reach other subnets, reducing the attack surface. The same principle applies to attacks originating in IT networks: if a breach were to occur there, proper segmentation would keep the intrusion from moving laterally throughout the XIoT.

By separating these critical systems and processes, organizations also mitigate risk by reducing the impact of failures or disruptions. If an incident occurs, it is less likely to spread through the entire network, limiting operational downtime and minimizing risk to safety and productivity.

Many critical industries, including oil and gas, transportation, food and beverage, and manufacturing, have very specific regulatory requirements for securing OT networks — such as NERC CIP, IEC 62443 or ISO 27001.

Network segmentation also is essential to meeting an infrastructure's technical requirements: it is the mechanism that puts the appropriate security controls in place and isolates critical assets.

Finally, OT network segmentation is key to improving an organization's network management and optimization. Separating networks into smaller subsets makes them more manageable and helps allocate resources more efficiently by reducing traffic and improving network performance.

5 Challenges to OT Network Segmentation

The concept of network segmentation is not new, but it can be a drawn-out and costly endeavor, particularly in industrial environments. A few of the major challenges organizations face when segmenting their OT networks include:

1. Legacy systems. Unlike IT environments, where systems rarely last more than five years, industrial OT environments consist of legacy devices and systems with life cycles spanning decades. Legacy industrial control systems (ICSs) typically are not built with security in mind, and may lack the features needed to support network segmentation or compatibility with new security controls.


2. Integration with IT systems. IT and OT networks often need to interact with one another to exchange data and information; however, proper communication between segmented OT networks and an organization's IT infrastructure can be challenging. This process requires collaboration between IT and OT teams, who have rarely worked together, leading to oversights that can cause complexity and duplication of efforts, an increase in operations costs, or exposure to security flaws.

3. Segmentation policies. Implementing effective network segmentation policies in industrial environments can be difficult, error-prone, and expensive to manage and maintain. The process often entails constantly tuning network policies to your unique environment, which leaves room for oversight.

4. Compliance enforcement inconsistencies. Critical infrastructure organizations are subject to multiple complex industry regulations and standards. Many times, monitoring and complying with these regulations requires granular, properly tuned policies that some organizations lack. This can lead to variations in approaches to segmentation and inconsistent enforcement across different organizations.

5. Widespread unsecured remote access. All industrial environments rely on remote access to enable both internal and third-party personnel to maintain assets, but common practices are risky and inefficient. If not managed properly, remote access has the potential to bypass network segmentation measures. It also expands the attack surface, introducing new potential entry points for cyber threats.

5 Tips to Accelerate Network Segmentation

Attacks on ICSs can have devastating impacts beyond reputational damage and financial losses, including harm to public safety and the economy. Successfully protecting these devices poses unique challenges that require a CPS protection platform dedicated to securing critical infrastructure environments.

Here are five tips to properly implement OT network segmentation.

1. Gain visibility. It’s impossible to segment assets you haven’t yet identified. So, the first step in accelerating network segmentation is to identify all connected devices in your environment, along with their configuration, location and owners. Claroty can help improve visibility by automatically discovering new assets, monitoring communication patterns, and revealing connections, including the inputs/outputs (I/Os) that run industrial processes.

2. Define the policy and enforcement strategy. Once you achieve full-spectrum visibility, you can start to figure out how to protect the environment. There are several ways to segment your network, including via existing network access control (NAC), firewalls, switches or other parts of your infrastructure. It’s important to assess your objectives and environment and pick a strategy that will work for both.

3. Classify and group devices. Creating a unique policy for every device is impractical, but segmentation can be effective and scalable by creating policies for device types, or groups of devices, based on how they communicate with one another under normal circumstances. Claroty can assist your security team in defining specific policies for each group of assets and communications between them by creating a smart grouping of related assets in a logical view.

4. Design, test and refine policies. Industrial organizations need to protect their environment without disrupting it. This means designing network policies that align with the communication baselines of the device groups you classified in the previous step. Also, make sure those policies, once enforced, won’t negatively impact operations.

5. Enforce policies. As noted in the previous step, enforcing new policies for OT network segmentation can be a delicate process that, if not done correctly, can risk disrupting operations.

An extensive ecosystem of ready-made integrations with existing NACs, firewalls, switches and more can support one-click enforcement that helps streamline and optimize segmentation for complex OT networks.

Given that segmentation is an ongoing journey — not a tactical activity — it’s essential to continuously monitor and optimize network segmentation as an organization’s OT environment, OT security maturity and priorities evolve over time.
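The five steps above, worked through in code as an added example (not Claroty's or Rockwell Automation's software): a constructed asset inventory and an observed communication baseline are collapsed into group-level allow rules, and a dry run then shows which flows the policy would block before anything is enforced. All addresses, names, groups and flows are constructed; the two port numbers are the well-known EtherNet/IP and Modbus/TCP ports.

```python
"""Derive a group-based allow-list from a communication baseline and dry-run it.

Added example; every asset, address, group and flow below is constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Step 1 (visibility): constructed inventory, address -> (name, group).
INVENTORY = {
    "10.1.0.10": ("HMI-01", "HMI"),
    "10.1.0.11": ("HMI-02", "HMI"),
    "10.2.0.20": ("PLC-A", "PLC"),
    "10.2.0.21": ("PLC-B", "PLC"),
    "10.3.0.30": ("HIST-01", "Historian"),
    "10.9.0.50": ("IT-WS-07", "IT"),
}

# Constructed baseline of flows observed during normal operation.
BASELINE = [
    Flow("10.1.0.10", "10.2.0.20", 44818),  # HMI -> PLC (EtherNet/IP)
    Flow("10.1.0.11", "10.2.0.21", 44818),
    Flow("10.3.0.30", "10.2.0.20", 502),    # Historian polls PLC (Modbus/TCP)
    Flow("10.3.0.30", "10.2.0.21", 502),
]

def group_of(addr):
    """Return the asset's group, or None if it was never discovered."""
    entry = INVENTORY.get(addr)
    return entry[1] if entry else None

def derive_policy(baseline):
    """Step 3: collapse per-device flows into (src_group, dst_group, port) rules,
    so a new HMI talking to a new PLC on the baseline port needs no new rule."""
    return {(group_of(f.src), group_of(f.dst), f.port) for f in baseline}

def decide(policy, flow):
    """Step 4 dry run: 'allow' only if both endpoints are known assets and a
    group-level rule exists; traffic from an undiscovered asset is denied."""
    src_g, dst_g = group_of(flow.src), group_of(flow.dst)
    if src_g is None or dst_g is None:
        return "deny"
    return "allow" if (src_g, dst_g, flow.port) in policy else "deny"

def dry_run(policy, flows):
    """Step 5 gate: list the flows the policy would block, for review before
    the rules are pushed to a firewall, switch or NAC."""
    return [f for f in flows if decide(policy, f) == "deny"]
```

Running `dry_run` over the baseline itself should return an empty list; any non-empty result means the rules would disrupt traffic the plant relies on and must be refined first.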

Jumpstart Your OT Network Segmentation

The attack surface for cyber criminals continues to expand as society accelerates its reliance on cyber-physical systems for greater automation, control, efficiency and convenience. As these new attack vectors emerge, we see a stronger need for OT industrial network segmentation.

Although critical infrastructure organizations often have network segmentation initiatives on their ‘to-do’ list, they tend to lack the time, resources, visibility and awareness required to implement them.

Organizations can jumpstart segmentation initiatives by implementing policies that can be easily and automatically enforced via their existing infrastructure. This can accelerate those initiatives and enhance cyber and operational resilience.

Based in New York City, Claroty is a Rockwell Automation Technology Partner. The company provides comprehensive cybersecurity solutions for industrial control systems (ICSs) that, combined with Rockwell Automation services, help users reveal, protect and manage their OT, IoT and IIoT assets.

The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Endeavor Business Media.
