Dec 20, 2021 | Radiflow team
The incredible pace of development in Information Technology has been matched only by that of the offensive side – hackers and cyber-terrorists. For CISOs and SOC personnel this means that the risk posed by existing OT security deficiencies is increasing rapidly.
Old and outdated cybersecurity systems endanger CPS and SCADA network security, posing not only a financial threat, but in some cases an actual danger to people’s lives. Industrial network security needs to evolve in order to stay ahead of the sophisticated breach attempts made by cyber criminals who are motivated by the possibility of a large payout, or worse, by state-sponsored attack groups.
One of the most important aspects of maintaining a secure OT environment is inner-ICS network segmentation and segregation. This type of network segregation is considered to be an industry best-practice, despite the difficulty and cost involved in segmenting interconnected automation networks, especially in complex OT environments.
[inject id=’code-47fd23f73a9caecab1e206306adae7f9′]
The convergence of IT and OT, besides streamlining processes and saving resources, also introduces a myriad of network vulnerabilities that need to be constantly monitored. Therefore the first step toward OT security is to ensure total ICS network visibility. This can be achieved through digital imaging, in effect creating a virtual map of the OT network.
According to CISA (the Cybersecurity and Infrastructure Security Agency) segmentation plays an important role in preventing the more advanced cyber attacks that we’ve been witnessing in recent years, as they tend to employ lateral trans-network movement and attempts to breach the IT-OT “air-gap”.
Thus, with inadequate segregation, a well-placed insider only has to open a back-door in some obscure part of the network to allow the attacker to move between operational units until they reach the intended target. By segmenting the network, it is possible to stop the breach in its tracks, and minimize the overall damage.
It’s important to note that segmentation will only be effective when combined with properly maintained identity-based access controls. Outdated setups, which rely on static username and password combinations (which are all too easy to share), no longer provide an adequate level of protection and have the added disadvantage of limiting user verification.
A robust authentication system acts as reinforcement for segmentation, and enables full OT network monitoring by the SOC team, as they are able to see who has accessed each element of the network.
Radiflow offers a complete suite of products for enforcing network segmentation and user authentication, including the iSEG line of secure gateways, which not only offer a segmentation solution complete with APA (authentication proxy access), but were especially designed for the often-harsh environment of manufacturing and infrastructure sites.
Radiflow’s CIARA industrial risk assessment & management platform ensures ongoing network risk analysis and presents a prioritized list of mitigation measures, providing you with the highest level of threat protection. CIARA enables users to perform regular, automated security assessments utilizing its unique non-invasive breach and attack simulation (OT-BAS) algorithm.
CIARA’s simulations, custom-tailored to each user’s network’s unique device mix and specific properties, test the effectiveness of numerous attack techniques iterations, based on threat intelligence derived from MITRE ATT&CK and other sources. This enables prioritizing the most impactful threats and providing real time risk, threat & mitigation control indicators, toward producing an ROI-optimized actionable OT security plan.
Radiflow has been recognized by Gartner as “Sole vendor in both the OT network monitoring and visibility and the cyber-physical systems (CPS) risk-management categories”.
Contact us to find out more about Radiflow’s ICS security products, and to assess your level of network segmentation.
Inner-ICS network segmentation and segregation helps to prevent lateral trans-network movement and attempts to breach the IT-OT “air-gap”.
