Segmentation of OT Networks in Industrial Control Systems with Security in Mind | HCL Technologies

The segmentation of OT networks in industrial control systems with security in mind

The segmentation of OT networks in industrial control systems with security in mind
January 20, 2022

The OT network segmentation is practiced by many organizations with many variants. This blog hopes to provide a simplistic view on segmentation, differentiating the approach in a traditional IT vs. OT environment.

Why is network segmentation important in industrial control systems (ICS) environments?

This blog illustrates the differences in IT vs. OT segmentation and the benefits of using available tools and technologies to protect the critical ICS network.

What are the key differences between a flat network versus a segmented one?

Essentially, a flat network has lateral and vertical visibility to data. The devices attached to the network communicate with each other and are connected upstream to a central point of confluence. This makes data visibility easier to access and provides a quick mechanism of reporting.

A segmented network, on the other hand, provides gates and barriers for data access from a security perspective.

Consider the analogy of a small industrial factory with rooms. Every room has an individual door and is designated for a specific purpose (a process). The visitor in the front door cannot get a view of the other rooms (processes) unless the doors are unlocked and open. The goal of segmentation is to lock these processes from unauthorized access.

Segmentation of a network is essentially meant to provide the following:

  1. Restricted access and visibility to devices downstream.
  2. Greater access control and data security mechanisms.
  3. Controlling and monitoring east-west traffic.
  4. Mitigation and prevention of threats from infiltrating an asset.

Segmenting ICS networks

Network and device segmentation must be part of the defense in depth security approach for all critical ICS environments. Although there are still a few organizations with only perimeter security in place – when an adversary gains access to the network, they can traverse the network unchallenged. However, with a segmented and micro-segmented network, we reduce the possibility of the adversary going unchecked and unbridled. ICS network segmentation, if done right, provides a robust security posture following the defense-in-depth approach, thus keeping checks and taps on every device that transmits and receives data in an industrial environment.

In fact, some industrial environments have simple segmentation between their corporate IT networks and the ICS or operational technology (OT) networks, with the implementation of a firewall, and it stops there. The reasons are as follows;

  • ICS network segmentation can be challenging. It requires deep knowledge of the ICS networks and the various devices – often in hundreds.
  • Implementation can take considerable time and effort, leading to loss of productivity and downtime.
  • Additionally, many organizations lack the expertise and coordination necessary to undertake these projects. ICS networks are managed by operations personnel who typically differ from the IT folks in not having the same level of cybersecurity experience or training. The implementation takes close coordination, trained resources with the know-how, and a failsafe mechanism that must be tested prior to deployment.
  • ICS environments can be harsh, and the devices must be designed to withstand these abnormal temperatures. Thus, a COTS solution typically does not last, and ruggedized firewalls, network switches, and the like are an additional expense.

So how do I begin segmenting an OT security network?

As this blog is based on simplicity and getting the basics right, let’s consider a small organization with few ICS processes and their need to protect their ICS network through segmentation. They typically connect a plant firewall, which connects their OT assets.

A plant firewall isn’t uncommon. For those a little advanced, they would connect that firewall to a switch. The firewall dictates the rules, and the switch regulates the traffic downstream.

Typically, smaller organizations connect their ICS assets up by connecting each one to the switch. Ideally, any redundant traffic trying to come in (ingress) through the firewall gets stopped.

Security risks with this approach

This type of setup is a flat network. The assets are stacked, but literally, they are all hanging off one switch. The downfall is that every asset is on its own subnet, and data traversing these interconnected processes cannot be stopped.

  • The processes downstream from the switch are interconnected. An attack on one can easily propagate to the other, thus causing a significant risk to business operations.
  • Defining firewall policies – The administrator cannot differentiate between the OT processes downstream, thus allowing all permitted traffic to get to all processes. This does not avoid risk but enables it.
  • Outbound traffic – The FW is often an IT-owned asset. For IT networks, port 80 (or HTTP) traffic is critical. Often administrators leave that port open for egress and ingress traffic, thus paving the way for adversaries to creep in and induce vulnerabilities.

So, how should networks in industrial process operations be segmented? The IT answer is to implement segments in smaller increments.

If we were to go back to my previous analogy of the small factory where the visitor has visibility to all rooms (processes in an OT environment). The IT approach must be to lock every room (process) with a separate key. However, this approach, does not prohibit an adversary from gaining access, as all he has to do is get access to that key. Pardon the simplicity here, but this approach is not uncommon.

Now, in security terms, that key is a firewall. Is that secure? No – because very often IT firewalls do not understand the language (protocols) the OT devices communicate with (ProfiNet, Ethernet/IP, DNP3, Modbus, etc.), thus leaving the firewall as protected as Swiss cheese, permitting egress traffic to the infiltrator. Yes, organizations may implement a switch inside these rooms connecting upstream to the firewall. But a switch is nothing but a device regulating traffic – it does not define rules and accessibility between ports and connected ICS devices.

So now, the firewall is burdened with “Natting”. Natting, or network address translation, means each firewall can provide the ICS group (in our analogy – rooms) with a different IP address range. With this setup, operations can create a separate firewall policy for each process (room). Typical IT segmentation follows this approach.

IT segmentation in OT environments – the pitfalls

  • Practically, if operations were to implement the IT approach, then that would be expensive. Reconfiguring each device in the OT network – changing IP addresses for hundreds of devices – in OT terms this relates to downtime and effort.
  • Detailed diagrams must be verified and/or updated, which is a nightmare. Segmentation is only appropriate in ICS if it achieves both practicality and security at the same time.
  • How often is the IT team going to keep the OT firewall rules updated? - not very often
  • What happens if an ICS device (Human Machine Interface (HMI) for example) is sitting outside the firewall outside these zones (rooms)?

So, if IT can manage the OT firewalls and the assets downstream, this may work. However, that is not the case. IT does not (typically) understand the traffic flowing between these devices due to the various protocols. They too often get sidetracked and lose intent and focus. In contrast, the operations team must focus on availability, safety, and reliability. They cannot be held accountable for firewall rules and firewall management.

Achieving ICS segmentation

Key tenet: Implement an approach that is not only easier to manage and implement but is also an enabler in securing traffic for each of their independent processes, maintaining full control.

With the significance of keeping OT networks secure, ICS security appliances play a key part in OT security within these processes (rooms). They replace the traditional firewall in ICS zones (aka islands).

The ICS security appliance can monitor the ICS network, remove all unauthorized traffic, alert anomalous traffic, and allow the authorized traffic to pass through. There is also no requirement to reset or resubmit any devices or assign new IP addresses.

Alternatively, organizations have deployed industrial zone firewalls regulating the flow of data both vertically and laterally between their automation processes (aka automation islands)

This must have simplified the understanding of segmentation, but in the real world, all these processes (the ICS network) sit behind an IT firewall. With proper segmentation and due diligence, these steps give much greater operational control and security and cost far less in terms of financial resources, labor, and potential downtime than the traditional IT segmentation approach.

Summary

Just like every aspect of Security – in OT segmentation - there is no one size fits all. This blog illustrates the differences in IT vs. OT segmentation and the benefits of using available tools and technologies to protect the critical ICS network.

My thoughts from a user perspective: keep it simple and achievable.

1. Segment – but don’t over segment

  • Understand the essence of segmenting a particular piece of the network. Is it for access prevention, data security, easier data gathering, or simply isolating the traffic for easier troubleshooting? Know the purpose of segmentation.
  • Use existing technologies available such as logical segmentation (e.g, VLAN’s) and/or physical segmentation (redundant rings, automation cell firewalls, unidirectional traffic control, etc.) Utilize inbuilt features and functionalities offered by the vendor technologies – implement NAC, leverage the threat detection capabilities if integrated with a threat detection engine, and disable open ports logically, etc.

2. Think like an adversary who knows your network. Fortify weakest links, deploy zero-trust mechanisms where appropriate, mitigate vulnerabilities with a low average mean time to repair, have a DRP in place that is understood, rehearsed, and is malleable to change in response and recovery, adaptive to the existing threat at that point in time.

Organizations rely on managed service providers for not only consultative services but also to seek advice on what’s best, keeping productivity, safety, and availability in mind for OT environments. MSSP’s also implement, execute, manage, and run the daily security tasks while allowing the organization to scale and focus on productivity.