In industrial organizations, the OT and IT networks make up two separate environments that serve different purposes. The OT network is used for controlling and monitoring the physical processes that make up the core activity of the industrial facility, while the IT network is used for communication and data processing.
This type of network segregation is considered to be an industry best-practice, despite the difficulty and cost involved in segmenting interconnected automation networks, especially in complex OT environments.
According to CISA (the Cybersecurity and Infrastructure Security Agency) segmentation plays an important role in preventing the more advanced cyber attacks that we’ve been witnessing in recent years, as they tend to employ lateral trans-network movement and attempts to breach the IT-OT “air-gap”.
Benefits of Network Segmentation
The reason for segmenting the OT and IT networks (network segmentation strategy) is to prevent the unauthorized access of OT networks from the IT side by cyber-criminals, the consequences of which can range from data loss to catastrophic system failures (this mode of entering the OT network was made famous by the Stuxnet worm, which was designed to target industrial control systems, and had caused significant damage to the Iranian nuclear program). Segmentation, thus, limits the OT network’s potential attack surface.
Attackers can use several methods to gain unauthorized access to a network, including phishing, malware, and social engineering. By separating the two networks, the attack surface is reduced since it becomes more challenging for an attacker to move from one network to the other. In a segmented network, an attacker who has gained access to the IT network would still need to find a way to access the OT network to cause damage.
Network Segmentation Best Practices
Proper IT-OT network segmentation techniques also bring a number of additional benefits:
It’s important to note that segmentation will only be effective when combined with properly maintained identity-based access controls. Outdated setups, which rely on static username and password combinations (which are all too easy to share), no longer provide an adequate level of protection and have the added disadvantage of limiting user verification.
A robust authentication system acts as reinforcement for segmentation, and enables full OT network monitoring by the SOC team, as they are able to see who has accessed each element of the network.
Conclusion
In conclusion, network segmentation is a valuable tool can easily provide additional layers of security and protection by monitoring ingress/egress of each network segment, toward protecting ICS SCADA operations from cyber-attacks. Segmentation reduces the attack surface, makes it easier to detect and isolate attacks, allows for the implementation of different security measures for each network, and enables access controls to be implemented. These measures reduce the likelihood of a cyber-attack causing damage to an industrial facility.
One of the common techniques used in recent year by hackers to breach organizations’ OT networks is moving a malicious payload from the IT to the OT side of the corporate network. In addition to increasing security, IT-OT network segmentation offers a number of benefits, including easier detection of cyber-threats, better network visibility and administration, optimized use of security and administration tools for the different types of networks, and more.
Cybersecurity e Safety: le sfide della Transizione 5.0 | 15 novembre 2024
Cybersecurity e Safety: le sfide della Transizione 5.0 | 30 ottobre 2024
NIS2 for OT Systems