A New Paradigm for Approaching Network Segmentation

By: Bayshore Networks, Inc. , Toby Weir-Jones
12 August, 2020
2 min read
It seems like we’ve been hearing about the virtues of network segmentation, whether for corporate IT networks or for classically “flat” plant/operations technology (OT) networks, for a very, very long time. Every month, however, we find ourselves at sites where the implementation of the technique is no better than ‘partial’. It’s not a question of failing to understand the goal, or of not seeking to harvest the benefits; instead, it’s a problem of bridging the gap between where they are today and what’s required to implement a thorough and sustainable segmented network in the future. It is, as the saying goes, a bridge too far for most. The reasons are well understood, and often directly anticipated by other white papers on the subject.

Most companies think of segmentation as a “whole-network approach,” and the work is typically led by corporate IT, unless OT leadership beats that initiative down and keeps its flat network architecture in order to avoid disruption and keep production meeting its goals. The common solution – virtual segments and zones – has been adopted by a number of network and security vendors and is recommended by numerous cybersecurity standards and frameworks (NIST, IEC, ISO, etc.). The idea is simple: assign assets to logical groups, regardless of their physical location, and apply traffic-permission and content-enforcement rules per group.

If you want to define a list of devices and ensure that they will only communicate via EtherNet/IP, you can do that, so long as all the control points respond to the grouping policies. Such approaches, however, still depend on a whole-network scope of visibility. Somewhere there must be a device that physically inspects all the traffic and makes the determination of access and execution. Dealing with exceptions and corner cases is therefore dependent on managing that central control, potentially upending your hard work if you get it wrong and don’t notice. What if companies accepted that their existing production, ICS, and critical infrastructure networks are essentially flat and unsegmented, and likely to remain largely that way for a time?

Companies could then examine the cyber risks present and identify which assets need the highest level of protection that secure zones and segments can provide. They could then prioritize carving out individual segments at will, and apply very rigorous controls to any activity that could reach or disrupt those sensitive assets. At Bayshore we’ve decided that it’s short-sighted to focus solely on segmenting the whole network at once, particularly since that inevitably becomes a much longer-term project, with all the attendant cost and complexity of such an initiative. Our full whitepaper explores the concept of taking a more granular approach.
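To make the contrast concrete, here is an added example (not Bayshore’s code or taken from the whitepaper) that models the per-group rule idea from the paragraphs above and the per-asset carve-out just described: one safety PLC is placed in a default-deny zone that admits only EtherNet/IP from engineering workstations, while every asset that has not been carved out keeps its existing flat-network behaviour. Zone names, addresses and the well-known EtherNet/IP ports (TCP 44818, UDP 2222) are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# EtherNet/IP well-known ports: explicit messaging over TCP, implicit I/O over UDP.
ENIP_TCP, ENIP_IO_UDP = 44818, 2222

@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass
class Zone:
    name: str
    members: list                                # host IPs or CIDRs in the zone
    allow_in: set = field(default_factory=set)   # {(src zone name, proto, dport)}

def zone_of(zones, ip):
    """Return the carved-out zone containing ip, or None if it is still on the flat network."""
    addr = ip_address(ip)
    for zone in zones:
        if any(addr in ip_network(member) for member in zone.members):
            return zone
    return None

def is_permitted(zones, flow):
    """Per-asset policy: traffic to a carved-out asset is default-deny and must match an
    explicit (source zone, protocol, port) entry; everything else keeps flat-network behaviour."""
    dst_zone = zone_of(zones, flow.dst)
    if dst_zone is None:
        return True                   # destination not carved out: unchanged today
    src_zone = zone_of(zones, flow.src)
    if src_zone is None:
        return False                  # unzoned source may not reach a protected asset
    return (src_zone.name, flow.proto, flow.dport) in dst_zone.allow_in

# Constructed sample (illustrative addresses): one safety PLC carved out; only the
# engineering-workstation zone may speak EtherNet/IP to it.
ZONES = [
    Zone("eng-workstations", ["10.10.5.0/24"]),
    Zone("safety-plc", ["10.10.1.10/32"],
         allow_in={("eng-workstations", "tcp", ENIP_TCP),
                   ("eng-workstations", "udp", ENIP_IO_UDP)}),
]

if __name__ == "__main__":
    f = Flow("192.168.50.4", "10.10.1.10", "tcp", ENIP_TCP)   # corporate host -> PLC
    print(f, "->", "permit" if is_permitted(ZONES, f) else "deny")
```

Adding a second protected asset is a matter of appending another `Zone` with its own `allow_in` set; nothing about the untouched remainder of the network has to change.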

We’ll evaluate the comparison of whole-network virtual segmentation versus per-asset micro-segmentation, and offer some data points on relative cost, relative strength of security controls, and ease of implementation.

Find out more in our whitepaper, available below.
