In industrial organizations, the OT and IT networks make up two separate environments that serve different purposes. The OT network is used for controlling and monitoring the physical processes that make up the core activity of the industrial facility, while the IT network is used for communication and data processing.
This type of network segregation is considered to be an industry best-practice, despite the difficulty and cost involved in segmenting interconnected automation networks, especially in complex OT environments.
According to CISA (the Cybersecurity and Infrastructure Security Agency) segmentation plays an important role in preventing the more advanced cyber attacks that we’ve been witnessing in recent years, as they tend to employ lateral trans-network movement and attempts to breach the IT-OT “air-gap”.
Benefits of Network Segmentation
The reason for segmenting the OT and IT networks (network segmentation strategy) is to prevent the unauthorized access of OT networks from the IT side by cyber-criminals, the consequences of which can range from data loss to catastrophic system failures (this mode of entering the OT network was made famous by the Stuxnet worm, which was designed to target industrial control systems, and had caused significant damage to the Iranian nuclear program). Segmentation, thus, limits the OT network’s potential attack surface.
Attackers can use several methods to gain unauthorized access to a network, including phishing, malware, and social engineering. By separating the two networks, the attack surface is reduced since it becomes more challenging for an attacker to move from one network to the other. In a segmented network, an attacker who has gained access to the IT network would still need to find a way to access the OT network to cause damage.
Network Segmentation Best Practices
Proper IT-OT network segmentation techniques also bring a number of additional benefits:
- Network segmentation makes it easier to detect and isolate cyber-attacks. Since the OT network is a closed system, any communication between the OT and IT networks should be minimal, and any unexpected communication can be flagged and investigated. Additionally, if a cyber-attack occurs, network segmentation makes it easier to isolate the affected parts of the network, limiting the potential damage caused.
- Network segmentation significantly enhances administration and visibility of the network, and makes things much easier to maintain and keep track of, with clear ownership division lines when different teams are involved.
- Segmentation allows for the implementation of different security measures for each network. For example, the OT network may require a high degree of physical security (e.g. biometric) to prevent unauthorized access vs. more robust firewalls and antivirus software on the IT side.
- Segmentation allows for the implementation of access controls for each network. The IT network may have different levels of access for different users, such as administrators, managers, and regular employees. Similarly, the OT network may require different levels of access for different roles, such as operators and maintenance personnel. By segmenting the networks, access controls can be implemented to restrict access to specific parts of the network, preventing unauthorized access.
- Utilizing zone (a business unit or a collection of similar business units, as defined in the IEC 62443 standard) and boundary segmentation, the traffic flow in the OT network is further limited, which allows faster identification of any unauthorized or unexpected network administrator behaviors (changes/mistakes/insider threat), as well as identification of new or suspicious traffic.
- The network segmentation process itself often results in discovering unknown or unused devices that might not have been detected if not for the process.
It’s important to note that segmentation will only be effective when combined with properly maintained identity-based access controls. Outdated setups, which rely on static username and password combinations (which are all too easy to share), no longer provide an adequate level of protection and have the added disadvantage of limiting user verification.
A robust authentication system acts as reinforcement for segmentation, and enables full OT network monitoring by the SOC team, as they are able to see who has accessed each element of the network.
In conclusion, network segmentation is a valuable tool can easily provide additional layers of security and protection by monitoring ingress/egress of each network segment, toward protecting ICS SCADA operations from cyber-attacks. Segmentation reduces the attack surface, makes it easier to detect and isolate attacks, allows for the implementation of different security measures for each network, and enables access controls to be implemented. These measures reduce the likelihood of a cyber-attack causing damage to an industrial facility.