How to Set Up Segmentation for Better OT Security


Many of the operational technology (OT) networks still in use today were built in the "air gap" era, when isolation from other company systems was considered security enough. As a result, many OT devices are insecure by design: they assume a private, trusted network, so authentication and encryption are often absent or disabled by default. Attackers know this and continue to exploit weaknesses in OT products as IT and OT networks converge.
 
They are converging because of digital transformation activities, creating a network where anything might conceivably link to anything else. In a world where 93% of OT organizations have suffered an intrusion in the past year, with 78% reporting more than three, that level of connectivity presents significant security risk.
 
Attacks show no sign of slowing down; quite the contrary. FortiGuard Labs researchers identified nearly twice as many new ransomware variants in the first half of 2022 as in the previous six months. Network segmentation is one approach organizations should consider to help address the ransomware threat.


How segmentation can help

Network segmentation benefits enterprises in several ways. It enhances security by stopping an attack from propagating across the whole network and reaching vulnerable devices: if one segment is compromised, malware cannot spread freely into other corporate systems. Segmentation also reduces broadcast traffic and congestion, a common cause of performance drop-off, which matters in environments such as factories, power plants, water treatment facilities, oil rigs and other industrial settings where timing-sensitive control traffic shares the network.

Due to the possibility of unintentionally affecting a production process during the segmentation process, network segmentation can be particularly challenging in an OT context. Temporarily losing a device may not always have much of an effect on company operations in an IT context, but going offline can have serious negative effects in an OT setting. And if you’re trying to segment an environment with devices from many vendors, the difficulties can multiply.

But with the right tools and processes in place, you can successfully segment your network.


The next level: Microsegmentation

Microsegmentation extends segmentation into the broadcast domain itself. Rather than stopping at VLAN or subnet boundaries, security architects divide the environment into distinct security areas, all the way down to a single workload, and gain visibility of lateral (east-west) traffic between assets that share a broadcast domain. Because policy is attached to specific workloads, microsegmentation limits an attacker's ability to move from one compromised application to the next after a breach, which raises the cost of an intrusion.

This offers a practical approach to minimizing and mitigating security threats.

Applied to OT, this method lets administrators divide and isolate the attack surface into distinct control zones along the lines of the Purdue Model, one of the earliest reference architectures for industrial control systems (the zone-and-conduit concept it is paired with here is formalized in IEC 62443). Traffic between zones is permitted only through explicitly defined conduits. By confining an attack to a restricted portion of the OT network rather than giving it broad access to the entire environment, this strategy lets enterprises proactively manage the growing threat to OT. Within a zone, microsegmentation further restricts east-west traffic, reducing the likelihood that a malicious actor can move laterally across the network.
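The zone-and-conduit policy described above, written out as a small flow evaluator. This is an added example, not code from the original article or from any Fortinet product. The zone names, subnets, conduits, per-workload rules and sample flows are all constructed for illustration; the port numbers are the usual defaults for the named protocols. It shows the two layers working together: cross-zone traffic must match a conduit, and a workload with its own ingress rule rejects everything else, even from neighbours in the same zone.

```python
"""Zone-and-conduit policy check for an OT network laid out along Purdue levels.

Added example, not code from the original article or from any Fortinet product.
Zones, subnets, conduits, workload rules and sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Zones, one subnet each (constructed). The Purdue level is encoded in the name.
ZONES = {
    "L1_basic_control": ipaddress.ip_network("10.1.0.0/24"),   # PLCs, RTUs
    "L2_supervisory":   ipaddress.ip_network("10.2.0.0/24"),   # HMIs, engineering workstations
    "L3_site_ops":      ipaddress.ip_network("10.3.0.0/24"),   # historian, OT domain services
    "L3_5_dmz":         ipaddress.ip_network("10.35.0.0/24"),  # jump hosts, patch/AV relays
    "L4_enterprise":    ipaddress.ip_network("10.4.0.0/16"),   # corporate IT
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Conduits: the only cross-zone flows permitted. Everything else between zones is denied,
# so there is no path from L4 straight to L1 or L2; enterprise users must land in the DMZ.
CONDUITS = {
    Conduit("L2_supervisory", "L1_basic_control", "tcp", 502),   # HMI polls PLC over Modbus/TCP
    Conduit("L2_supervisory", "L1_basic_control", "tcp", 102),   # engineering workstation, S7comm
    Conduit("L3_site_ops", "L2_supervisory", "tcp", 4840),       # historian reads an OPC UA server
    Conduit("L4_enterprise", "L3_5_dmz", "tcp", 3389),           # RDP to the jump host
    Conduit("L3_5_dmz", "L3_site_ops", "tcp", 3389),             # jump host onward into site ops
}

# Microsegmentation layer: per-workload ingress allow-lists that apply even inside a zone.
# A workload listed here accepts only the (source, proto, port) tuples given; workloads not
# listed keep the coarser zone policy. (constructed)
WORKLOAD_INGRESS = {
    "10.1.0.6": {("10.2.0.10", "tcp", 502)},   # this PLC talks to exactly one HMI
}


def zone_of(ip: str):
    """Return the zone an address belongs to, or None if discovery never placed it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, dport):
    """Decide one flow. Both layers must permit it: zone/conduit first, then the workload rule."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint not in any zone (unclassified or rogue)"
    if src_zone != dst_zone and Conduit(src_zone, dst_zone, proto, dport) not in CONDUITS:
        return "deny", f"no conduit {src_zone} -> {dst_zone} for {proto}/{dport}"
    allowed = WORKLOAD_INGRESS.get(dst_ip)
    if allowed is not None and (src_ip, proto, dport) not in allowed:
        return "deny", f"workload {dst_ip} does not accept {proto}/{dport} from {src_ip}"
    scope = "intra-zone" if src_zone == dst_zone else "conduit"
    return "allow", f"{scope} {src_zone} -> {dst_zone} {proto}/{dport}"


# Flows as a firewall log or flow collector might report them (constructed).
SAMPLE_FLOWS = [
    ("10.2.0.10", "10.1.0.5", "tcp", 502),     # HMI -> PLC
    ("10.4.12.7", "10.1.0.5", "tcp", 502),     # corporate laptop straight to a PLC
    ("10.4.12.7", "10.35.0.2", "tcp", 3389),   # corporate laptop -> jump host
    ("10.1.0.5", "10.1.0.6", "tcp", 502),      # PLC -> PLC, same zone, blocked by workload rule
    ("10.1.0.5", "10.1.0.7", "tcp", 502),      # PLC -> PLC, same zone, no workload rule
    ("10.3.0.20", "10.2.0.11", "tcp", 4840),   # historian -> OPC UA server
    ("192.168.50.1", "10.1.0.5", "tcp", 502),  # address no zone claims
]


def denied_flows(flows):
    """Return the flows the policy denies, with reasons (e.g. to audit a capture before enforcing)."""
    out = []
    for f in flows:
        decision, reason = evaluate(*f)
        if decision == "deny":
            out.append((f, reason))
    return out


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        decision, reason = evaluate(*flow)
        print(f"{decision:5} {flow[0]:>13} -> {flow[1]:<13} {flow[2]}/{flow[3]:<5} {reason}")
```

Running the evaluator in audit mode over a capture of current traffic, before any rule is enforced, is the safe way to find the flows a new conduit list would break; in OT that review step matters more than the rule syntax.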
 

Starting the journey

Network and endpoint discovery, followed by endpoint classification, forms the basis of segmentation. The first part of your process should be identifying what you have in your network, because it is almost impossible to manage what you are unaware of in your environment.
 
A network access control (NAC) solution can carry out the three steps that make segmentation possible. The first is network discovery: inventorying the wired, wireless and VPN infrastructure itself, switches and access points included. The second is endpoint discovery, which uses the infrastructure found in the first step (for example, switch MAC and ARP tables) to show what is actually plugged in. The third is classification and profiling of those endpoints. You must correctly identify each device before you assign it to a VLAN, because a misclassified device lands in the wrong segment with the wrong policy. This classification step relies mainly on active and passive profiling rules.
 
Choose a tool that can profile devices passively, for example from mirrored (SPAN or TAP) traffic, because OT environments often cannot afford the risk that active scanning poses: a port scan or probe can hang or crash a fragile controller. The trade-off is that a device that never talks is never seen, so endpoints discovered on a switch port but with no observed traffic should be held for manual review rather than guessed at. Once every endpoint is classified, you can start segmentation and microsegmentation.
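The three-step process above, reduced to working code: a switch MAC table stands in for the output of network and endpoint discovery, a set of flow records stands in for a passive sensor feed, and a few profiling rules classify each endpoint and pick a VLAN for it. This is an added example, not code from the original article or from any NAC product. The MAC table, flow records, OUI-to-vendor table, protocol ports used as rules and VLAN numbers are all constructed; a real deployment would take the first two from switch polling and a SPAN or TAP feed, and the OUI table from the IEEE registry. Nothing here sends a packet. Unclassified endpoints, including the silent one, go to a quarantine VLAN rather than a production segment.

```python
"""Passive endpoint profiling for OT segmentation.

Added example, not code from the original article or from any NAC product.
MAC table, flows, OUI table, rule ports and VLAN numbers are constructed.
"""
from dataclasses import dataclass, field

# Step 1 and 2 output (network and endpoint discovery): MAC table learned from the switches.
MAC_TABLE = [
    # (switch, port, mac, ip)   -- constructed
    ("sw-cell1", "Gi1/0/3", "aa:bb:01:00:00:05", "10.1.0.5"),
    ("sw-cell1", "Gi1/0/4", "aa:bb:01:00:00:06", "10.1.0.6"),
    ("sw-cell1", "Gi1/0/5", "aa:bb:01:00:00:08", "10.1.0.8"),   # plugged in, never seen talking
    ("sw-ops",   "Gi1/0/1", "aa:bb:02:00:00:10", "10.2.0.10"),
    ("sw-ops",   "Gi1/0/2", "aa:bb:02:00:00:11", "10.2.0.11"),
    ("sw-ops",   "Gi1/0/7", "aa:bb:02:00:00:20", "10.3.0.20"),
    ("sw-ops",   "Gi1/0/9", "aa:bb:03:00:00:07", "10.4.12.7"),
]

# Step 3 input: flow records from a passive sensor on a SPAN/TAP port. -- constructed
FLOWS = [
    # (src_ip, dst_ip, proto, dst_port)
    ("10.2.0.10", "10.1.0.5", "tcp", 502),    # HMI polling a PLC over Modbus/TCP
    ("10.2.0.10", "10.1.0.6", "tcp", 102),    # engineering workstation, S7comm
    ("10.1.0.5",  "10.1.0.6", "tcp", 502),    # PLC-to-PLC Modbus
    ("10.3.0.20", "10.2.0.11", "tcp", 4840),  # historian reading an OPC UA server
    ("10.4.12.7", "10.1.0.5", "tcp", 80),     # corporate host browsing a PLC's web page
]

# Stand-in for an OUI registry lookup: first three octets -> vendor. -- constructed
OUI_VENDORS = {
    "aa:bb:01": "ConstructedControllerVendor",
    "aa:bb:02": "ConstructedWorkstationVendor",
}

# Industrial protocol server ports the passive rules key on (standard defaults).
CONTROLLER_PORTS = {502: "modbus-tcp", 102: "s7comm", 44818: "ethernet-ip", 20000: "dnp3"}
OPC_UA_PORT = 4840

# VLAN per Purdue level; 999 is a quarantine VLAN with no route to production. -- constructed
VLAN_FOR_LEVEL = {"L1": 110, "L2": 120, "L3": 130, None: 999}


@dataclass
class Profile:
    mac: str
    switch: str
    port: str
    server_ports: set = field(default_factory=set)  # ports this endpoint accepted connections on
    client_ports: set = field(default_factory=set)  # ports this endpoint connected to elsewhere


def build_profiles(mac_table, flows):
    """One profile per discovered endpoint, filled in only from observed traffic."""
    profiles = {ip: Profile(mac, sw, port) for sw, port, mac, ip in mac_table}
    for src, dst, proto, dport in flows:
        # Flows involving an IP no switch has learned are ignored here; in practice
        # such a flow is itself worth an alert (rogue or unmanaged segment).
        if dst in profiles:
            profiles[dst].server_ports.add(dport)
        if src in profiles:
            profiles[src].client_ports.add(dport)
    return profiles


def classify(p):
    """Passive profiling rules. Order matters: what a device serves identifies it more
    reliably than what it talks to, so a PLC that also acts as a Modbus client stays a PLC."""
    if p.server_ports & set(CONTROLLER_PORTS):
        return "controller", "L1"
    if OPC_UA_PORT in p.server_ports:
        return "opc_ua_server", "L2"
    if p.client_ports & set(CONTROLLER_PORTS):
        return "hmi_or_engineering_workstation", "L2"
    if OPC_UA_PORT in p.client_ports:
        return "historian_or_data_collector", "L3"
    return "unclassified", None


def classify_endpoints(mac_table, flows):
    """Map each discovered IP to its class, level, VLAN, vendor hint and switch port."""
    result = {}
    for ip, p in build_profiles(mac_table, flows).items():
        device_class, level = classify(p)
        result[ip] = {
            "class": device_class, "level": level, "vlan": VLAN_FOR_LEVEL[level],
            "vendor_hint": OUI_VENDORS.get(p.mac[:8].lower(), "unknown"),
            "switch": p.switch, "port": p.port,
        }
    return result


if __name__ == "__main__":
    for ip, r in classify_endpoints(MAC_TABLE, FLOWS).items():
        print(f"{ip:<11} {r['switch']}/{r['port']:<8} vlan {r['vlan']:<4} "
              f"{r['class']:<32} ({r['vendor_hint']})")
```

The silent endpoint on sw-cell1 Gi1/0/5 is the case to watch: its OUI hint says controller, but the rules saw no traffic, so it is quarantined for review instead of being placed in the L1 VLAN on a guess. Extend the port table and rules to match the protocols actually in use at a site before trusting the output.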


Segmentation is stronger security

With digital transformation being a top goal for industrial enterprises, it is getting more difficult to build and sustain 360° visibility due to the convergence of IT applications and OT environments. Highly motivated cybercriminals can take advantage of the weaknesses of your infrastructure thanks to porous perimeters, dispersed applications and security flaws. Microsegmentation is an important strategy in the fight to secure converged IT and OT. Use the steps noted above to establish a strong foundation of visibility that will enable you to segment your network at the micro level and strengthen your security posture.

About The Author


Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing and life sciences.

Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon). Beyond building and leading the OT and Consumer Health security teams, he led the security team responsible for Cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.

Willi is a graduate of Rockhurst University in Kansas City, MO, USA and holds a CISSP (Certified Information Systems Security Professional) certification in good standing. Willi lives in NW Arkansas with his family. He's an avid outdoorsman, cyclist, woodworker and veteran.
