Once upon a time, in a galaxy far far away, unmanaged devices such as those that lived in OT and IoT networks were of little security concern. Perimeter security and an “air gap” between IT and OT networks were considered more than enough to mitigate any theoretical risk.
Broadly, organizations are coming to the obvious conclusion: in the age of digitization and Industry 4.0, true “air gaps” no longer exist, and it’s naive to think that relying on perimeter security is a viable option for protecting IoT/ICS networks.
Enter “Zero Trust” — a security philosophy stating that nothing outside or inside your networks can be assumed to be “safe” and all connections must be verified continuously. And in the case of IoT/ICS networks, a key part of a Zero Trust initiative is network segmentation.
Network segmentation is the process of setting up firewalls between subnetworks to minimize the havoc an attacker could wreak if they did compromise your network. In a flat, unsegmented network, a threat actor could move laterally unencumbered until they compromise your most critical networks and assets.
In a segmented network, however, firewalls separate groups of assets and subnetworks, drastically limiting the movement of a potential attacker. Even basic network segmentation — for example, separating IT from OT networks via a DMZ, or segmenting OT networks based on the levels of the Purdue Model — massively reduces your attack surface. Plus, a segmented network allows you to enforce stricter control over user privileges, granting them access only to the zones relevant to their work.
There are performance benefits, too. A segmented network gives you more granular control over how you allocate resources to different zones — such as optimizing resources for critical applications, or reducing network traffic in zones with processes that need to avoid latency.
We’ve recently seen a significant increase in organizations undergoing network segmentation projects — which is great news, because as you can clearly see above, it has plenty of benefits! But, it can also be a difficult project if you do it without the right considerations beforehand.
With a little extra planning from the beginning, however, you can save yourself time, labor, and a lot of headaches. Here are a few considerations to take into account as you embark on your network segmentation project:
1. Can I use my existing IT networking tools?
First of all, in order to answer any of the other questions that we’re going to cover in this article, you need to make sure you’re using the right tools. We talk to many people who think that they can conduct network segmentation projects using traditional IT networking tools — such as active scanners like Nmap, or NAC tools — to identify and categorize assets. But these tools often have serious drawbacks when it comes to discovering unmanaged assets. Active scanning with Nmap can bring down IoT/ICS devices, while NAC tools have a limited understanding of IoT/ICS devices.
Before assuming that your existing toolset will work for these purposes, make sure you verify they really can give you the degree of IoT/ICS asset visibility that you’ll need — and safely, without risking downtime.
2. What devices, exactly, am I segmenting?
This may sound like an obvious question with an obvious answer. Too often, though, it isn’t quite as simple as it seems. We work with many organizations that don’t actually know how many devices are on their networks — sometimes, we discover two or three times as many as they thought they had.
Not only is this generally less than ideal from an IoT/ICS security perspective, but such a lack of visibility also makes network segmentation particularly challenging. It’s impossible to make informed decisions about how to segment devices without a full understanding of what those devices are and what categories they fall into (HMI, engineering workstation, historian, etc.) — and you can’t assume that you already have the answers, unless you’ve gone through a specific asset discovery and inventory project beforehand.
Keep in mind, too, that you also need to understand the properties of these devices — such as ports, protocols, manufacturers, etc. — in order to group them most effectively.
3. How are these devices really communicating?
This is the natural next step after accurate device discovery. You know what devices you’re dealing with. Now you need to understand how they’re communicating, so that you can decide the most efficient way to group them.
For best results, you need to examine this behavior at both a granular and a broad level — granular, so that you have detailed and accurate information about individual connections, and broad, so that you have a high-level understanding of clusters of asset communications that indicate ideal segmentation zones.
4. Am I certain that nothing is going to break when I configure firewall policies?
One of the main reasons why some administrators avoid network segmentation is out of fear of accidental downtime — say, for example, you accidentally erect an ill-placed firewall that cuts off necessary traffic and breaks a business-critical process.
But while this is certainly an understandable concern, it’s also very much avoidable. If you have the visibility into assets and asset communications that we discussed in the previous two questions, then you already have all the information you need to ensure that your segmentation zones don’t disrupt essential traffic.
5. Which of my devices are contacting the internet, and do they need to be? What other devices are they communicating with?
Answering these questions, with certainty, will achieve two important goals. First of all, it’s important in general to make sure that you are aware of, and minimize, the number of devices that are communicating directly with the internet. And secondly, having this inventory — and, in turn, understanding which other devices those internet-accessible devices are communicating with — makes it much easier to choose the best locations for DMZs, which act as buffers between the internet and your internal networks, or between your IT and OT networks.
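Questions 3, 4 and 5 all come down to the same data: a passively observed list of who talks to whom, joined to an asset inventory and a candidate zone layout. The script below is an added example (not CyberX code and not tied to any product) showing how that data answers all three before a single firewall rule is deployed: it summarizes cross-zone conversations, lists which observed connections a proposed allow-list would cut off, and reports which devices reach addresses outside the plant. The inventory, zone ranges, allow-list and flow records are all constructed for illustration; the zone ranges and the rule that anything outside them counts as "external" are assumptions you would replace with your own address plan.

```python
"""Segmentation planning checks over passively observed flows (added example).

Constructed inventory, zones, allow-list and flows stand in for the output of
a passive discovery tool; replace them with your own data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory: IP -> (name, category).  In an OT network this
# comes from passive discovery, not from actively scanning the devices.
INVENTORY = {
    "10.10.0.10": ("plc-01", "PLC"),
    "10.10.0.11": ("plc-02", "PLC"),
    "10.10.0.20": ("hmi-01", "HMI"),
    "10.10.0.21": ("cam-01", "IP camera"),
    "10.20.0.5": ("ews-01", "engineering workstation"),
    "10.20.0.7": ("historian-01", "historian"),
    "192.168.1.15": ("corp-ws-15", "corporate workstation"),
}

# Candidate zones as address ranges (assumed).  Anything outside them is
# treated as "external", i.e. the plant's address space is fully declared.
ZONES = {
    "ot_control": [ip_network("10.10.0.0/24")],
    "ot_supervisory": [ip_network("10.20.0.0/24")],
    "it_corp": [ip_network("192.168.1.0/24")],
}
EXTERNAL = "external"

# Proposed cross-zone allow-list: (src_zone, dst_zone, dst_port).  Traffic
# inside a zone is unaffected; cross-zone traffic not listed here is dropped.
ALLOW_RULES = {
    ("ot_supervisory", "ot_control", 502),    # historian/EWS polling Modbus
    ("ot_supervisory", "ot_control", 44818),  # EWS programming over EtherNet/IP
    ("it_corp", "ot_supervisory", 443),       # corporate users reading the historian
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


# Constructed flow records, as a passive sensor would summarise them.
# RFC 5737 TEST-NET addresses stand in for public internet hosts.
FLOWS = [
    Flow("10.20.0.5", "10.10.0.10", 44818),
    Flow("10.20.0.7", "10.10.0.11", 502),
    Flow("10.10.0.20", "10.10.0.10", 502),
    Flow("192.168.1.15", "10.20.0.7", 443),
    Flow("10.20.0.7", "203.0.113.9", 443),    # historian reaching a vendor cloud
    Flow("10.10.0.21", "198.51.100.4", 80),   # camera reaching the internet
    Flow("192.168.1.15", "10.10.0.10", 502),  # corporate host polling a PLC directly
]


def zone_of(ip: str) -> str:
    """Map an address to its candidate zone, or EXTERNAL if undeclared."""
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return EXTERNAL


def device_name(ip: str) -> str:
    return INVENTORY.get(ip, (ip, "unknown"))[0]


def cross_zone_summary(flows):
    """Question 3: observed connection counts per (src_zone, dst_zone, port)."""
    counts = Counter()
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s != d:
            counts[(s, d, f.dst_port)] += 1
    return counts


def flows_dropped_by_policy(flows, rules=ALLOW_RULES):
    """Question 4: observed flows the proposed allow-list would cut off.

    Each entry is either a missing rule or a connection you choose to break
    deliberately; either way, there are no surprises at cut-over.
    """
    return [f for f in flows
            if zone_of(f.src) != zone_of(f.dst)
            and (zone_of(f.src), zone_of(f.dst), f.dst_port) not in rules]


def external_talkers(flows):
    """Question 5: device name -> set of external addresses it contacted."""
    talkers = defaultdict(set)
    for f in flows:
        if zone_of(f.dst) == EXTERNAL and zone_of(f.src) != EXTERNAL:
            talkers[device_name(f.src)].add(f.dst)
    return dict(talkers)


if __name__ == "__main__":
    for key, n in sorted(cross_zone_summary(FLOWS).items()):
        print("cross-zone", key, n)
    for f in flows_dropped_by_policy(FLOWS):
        print("would be dropped:", device_name(f.src), "->", device_name(f.dst), f.dst_port)
    for name, dsts in external_talkers(FLOWS).items():
        print("external:", name, sorted(dsts))
```

On the constructed data the policy check flags three connections: the historian's outbound HTTPS session, the camera's outbound HTTP session, and the corporate workstation polling a PLC on Modbus. The first two are exactly the devices the DMZ placement in question 5 should cover; the third is the kind of flow a segmentation project exists to stop, but it only becomes a conscious decision rather than an outage once it is on this list. Note that the example deliberately classifies addresses by declared ranges rather than by a library's notion of "global" address, since documentation ranges such as 203.0.113.0/24 are not treated as public by Python's ipaddress module.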
6. Is my planned network segmentation topology enough to protect my crown jewels?
This is often a more difficult question to answer for two main reasons.
Firstly, knowing whether your crown jewels are protected requires you to know what your crown jewels actually are. Defining your most critical assets and processes is important for your security posture as a whole — not just for network segmentation — and it requires full cooperation between IT, OT, and the business — groups that too often don’t interact sufficiently with each other. If you’re looking for a little more information about what criteria you can use when defining your crown jewel processes, it’s one of the many topics covered in our 2020 Global IoT/ICS Risk Report.
Secondly, once you have successfully identified your crown jewels, determining whether you’ve done enough to protect them successfully requires you to think about the theoretical. Put careful consideration into how a threat actor might compromise your networks and whether your segmentation zones would truly protect your most important assets. Automated threat modeling could help with this.
If you’re considering where or how to begin strengthening IoT/OT security, network segmentation is a great place to start. In the over 3,000 IoT/OT networks that we’ve analyzed using passive monitoring, flat networks are a pervasive problem (among, of course, many other security concerns). Even at the most basic level of complexity, network segmentation is an important step in protecting your critical IoT/ICS assets from adversaries. Though these projects can be time-consuming, they’re well worth it — and more importantly, with the right knowledge-based approach, you can minimize the time it takes, the risk of downtime, and the manual labor required.
If you’re about to embark on a network segmentation initiative and looking for a little more guidance answering questions like the ones above, we can help. CyberX accelerates network segmentation by automatically discovering and profiling all your assets, showing how they communicate, integrating with firewall platforms, and providing automated threat modeling to test the effectiveness of your segmentation zones. Click here to learn more — or better yet, contact us directly to discuss one-on-one how we can help with your specific project.
[Image: A summary of how CyberX can help you with your network segmentation project.]