
Network Segmentation for Industrial Control Environments

Introduction
In 2015, there were 10 billion connected Internet of Things (IoT) devices. By 2020, the number is expected to skyrocket to 34 billion.[1]

For industrial devices, this level of connectivity means an expanded use of advanced analytic techniques to boost productivity and efficiency, lower cost and downtime, and increase profitability. Unfortunately, this also means an expanded attack surface and greater risk of successful cyber attacks within critical infrastructure environments.

No doubt, cyber security is a must. But where to start?

Start with network zone segmentation, a foundational building block of any modern industrial cybersecurity practice. That is, so long as it's applied in a manner that befits the specific needs of industrial control system (ICS) and operational technology (OT) environments. Otherwise, as connectivity continues to increase, the risk of successful attacks will continue to rise while the efficiency and profitability advantages of digital industrial investments slowly wane.
Segmentation 101: Origins
The roots of network segmentation run deep in enterprise IT environments. What began as a way to improve network
performance and bandwidth (through better management of the broadcast and collision domains of shared network devices
and better containment of network traffic on respective sub-networks for each workgroup) has today evolved to significantly
support a proactive network security practice.

This evolution is important because perimeter defense—which only accounts for traffic going in and out of the network—is no
longer enough. Once an attacker or malware penetrates the perimeter and gains a foothold, consequent lateral movement
within the network is usually a foregone conclusion.

The takeaway: More protection is needed inside the network, precisely where segmentation and its zone-specific policies
play a crucial role; e.g., an accounting system zone might have one set of policies; an engineering zone, a different set.

According to ISACA, a common technique to implement network security is to segment an organization's network into separate zones that can be separately controlled, monitored, and protected.[2]

Control: Limit the spread of an attack or mitigate the damage to a particular network segment.
Monitor: Alert an IT team to the threat and the specific anatomy of the attack.
Protect: Stop attacks from spreading and further harming the broader network, critical assets, and the organization at large.

Proper segmentation enhances an organization’s security posture and helps harden the controls network. Without it, or
without enough of it, successful hacker attacks can result in tremendous loss of data and corporate reputation.

Now that OT networks are becoming increasingly connected, the attack surface is widening, and increased risk is likely. But
unlike in IT, OT environments have much more at stake.
Why OT network segmentation is different from IT network segmentation
Unlike in IT environments, where a successful hack can result in data loss or damage to a company's reputation, the stakes are higher in OT. When attackers target steel mills, power plants, pipelines, rail yards, or hospitals, defense is about multi-million-dollar critical infrastructures, critical assets, the environment, and, most importantly, human safety.

Still, while we know network segmentation is a fundamental component of cyber security, the problem remains that it's difficult to implement in an industrial control environment.

Depending on the situation, there are impactful people, process, and technology actions that can be instituted.

01 Air gaps are fading
In the past, when systems were completely isolated (both physically and virtually), there was air gapping for security. Today, with the evolution of industrial systems, mobility, cloud technologies, and multi-vendor environments, everything's changed; air gapping is no longer enough.

In GE Digital's experience conducting industrial and OT site assessments, we've found that nearly every site thought to be air gapped was, in fact, connected to the Internet. In short, air gaps are a security measure myth.

Another myth is that all insiders are trustworthy and competent. According to a SANS 2015 survey of industrial cyber security practitioners, insiders were the largest identified source of infiltration/infection, at 25 percent. Unidentified sources were the only higher grouping, at 44 percent.[3] A high insider threat and lack of visibility into other incident sources should lead any organization to question relying on an air gap that may or may not be intact.

02 Perimeter security is not enough
Industrial system devices must communicate with one another and with other sub-system devices. As this creates multiple perimeters within OT environments, it shows how traditional perimeter security (one protective shell around the entire system) is insufficient. A better plan is to give each group of systems (each with its own unique set of security requirements) its own unique set of granular protections.

Figure 1 illustrates how each level can be a separate zone, and how a zone can include a subset of elements from multiple levels. It also depicts the information flows from level to level (or zone to zone) via conduits (i.e., connectivity between zones).

Step one is to establish the proper zones with clearly defined and enforced security policies. Step two is to properly secure the conduits with granular network traffic inspection.

Figure 1. Purdue Reference Model for Computer Integrated Manufacturing (CIM). Level 5: enterprise network (router). Level 4: site business planning and logistics network (email, Internet, etc.; terminal services, patch management, AV server), separated from the levels below by a firewall. Level 3: site manufacturing operation and control (historian mirror, web services operations, application server; production control, optimizing control, process history, domain controller), separated from Level 2 by a firewall. Level 2: area supervisory control (supervisory control, operator interface, engineering workstation). Level 1: basic control (batch, discrete, sequence, hybrid, and basic control), which together with Level 2 forms the cell/area zone. Level 0: sensors, drivers, actuators, robots, process.


03 IT segmentation technologies do not fit OT environments
Whether it's an entire level or a collection of cross-level elements, each zone has its own perimeter. While this might, at first blush, make typical IT segmentation seem like a good strategy, we know it's not. Why? Because we also know IT technologies simply weren't built to work in OT environments.

VLANs and Routing
Traditional segmentation mechanisms using VLANs or routing can become very complex, very fast. In order to configure new IP addresses and ports that accommodate VLANs and IP subnetting, an OT environment must be brought down or configuration must be scheduled during a maintenance window. From a cost perspective, the required downtime and/or equipment reorganization makes this an impractical option. What's more, the complexity increases the risk of misconfiguration and employee error while the necessary overhead could overwhelm an operations team already strapped for OT security skills and resources.

If these issues weren't enough, it's also important to consider how automation vendors may dictate specific layer-2 and layer-3 designs. Any new network segmentation can fall outside the supported reference architecture and, thus, be disallowed. Bottom line: Traditional IT-style segmentation is not feasible for deep zoning of industrial systems.

Even if VLANs and routing were to work in OT environments, they still fall short in terms of security efficacy. While effective in directing network traffic and containing it within designated zones, these technologies do not provide insight or enforce security policy for network traffic. Specifically, they can't answer:

• Does the traffic contain malware?
• Does the network traffic use a legitimate command for an unauthorized, malicious, or otherwise dangerous purpose?
• Is a command issued to leverage a device vulnerability to launch an attack?

IT Firewalls
To secure and segment network traffic, many would recommend IT firewalls. Though IT firewalls may offer network security and segmentation capabilities, they've been designed to inspect IT protocols, not OT protocols. Essentially, this means IT firewalls cannot see what's happening on an OT network and can neither act on commands or payloads nor interpret context to understand whether a packet or set of packets is authorized.

At best, a limited number of next-generation firewalls might be able to identify a few OT protocols associated with a data flow, but that's about it. This level of visibility cannot detect wrongful commands or harmful payloads. Simply detecting that there is an OT protocol doesn't make anything actionable from a security perspective.
Ideal segmentation for ICS environments

Easy virtual zoning without OT network reengineering
For OT environments, a network segmentation solution must enable easy zone-level separation in a centralized manner. Any requirement to physically move equipment for segmentation is not only impractical, but out of the question. Critical devices are bulky and/or remotely located. A solution must instead be able to segment a network virtually or logically, even in instances where equipment resides at different sites.

Additionally, a solution needs to feature an intuitive graphical user interface (UI) such that segmentation can be completed, as necessary, remotely. The UI should include a simple drag-and-drop feature that easily enables OT personnel of any skill level—and without extensive IT security training—to accomplish zoning objectives.

Lastly, the segmentation process cannot require OT network re-engineering or reconfiguration. Any changes that would take the network offline or cause disruptions to production are unacceptable.

Zoning with deep OT protocol inspection
To properly filter and inspect network traffic across zones, a solution must understand the communication languages of industrial environments, namely the relevant OT protocols (Modbus, DNP3, OPC, and others). That's step one: protocol recognition.

The next step is deep protocol inspection. It's critical to consider the fact that legitimate protocol commands can be used for illegitimate purposes. Indeed, whether a network-based exploit, denial of service attack, or an insider assault, each uses legitimate traffic in illegitimate ways. Deeper scrutiny into the full context of each data flow can help give a glimpse into malicious intent or accidental misconfiguration and, therefore, must extend to each packet bit (every "0" and "1") to include the header (source and destination addresses) and the payload (commands such as read, write, reset, power on, power off, etc.).

Purposeful or not, incorrect execution of control commands can lead to dire consequences and cause physical damage to a network's critical assets. Therefore, a solution must be able to make decisions to allow, alert, or block OT network traffic based on the full context of the packet. This includes the protocol, industrial application, command, addressing, sessions, normal vs. anomalous or malicious traffic, and more.
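As an added illustration (not part of the original paper and not GE Digital's product code) of allow/alert/block decisions driven by zones, conduits and the command carried inside the packet, the following Python inspector parses the Modbus/TCP MBAP header and function code and applies a per-conduit policy. The IP-to-zone mapping, the conduit allow lists and the sample frames are constructed for the example.

```python
"""Zone-aware deep inspection of Modbus/TCP requests (constructed example, not GE's code)."""
import struct
# Function codes that change device state: write coil/register(s), mask write, read/write multiple
WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Hypothetical zone membership by IP; a real deployment takes this from the zoning tool
ZONE_OF = {
    "10.2.0.10": "engineering",  # engineering workstation, Level 3
    "10.2.0.20": "hmi",          # operator HMI, Level 2
    "10.1.0.5": "plc",           # controller, Level 1
    "10.9.0.7": "enterprise",    # business host, Level 4/5
}

# Conduit policy: (source zone, destination zone) -> function codes permitted on that conduit.
# The HMI may read and write setpoints; only engineering may write coils or run diagnostics.
CONDUITS = {
    ("hmi", "plc"): {1, 2, 3, 4, 6, 16},
    ("engineering", "plc"): {1, 2, 3, 4, 5, 6, 8, 15, 16, 43},
}

def parse_mbap(frame: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, rejecting malformed headers."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    return unit, frame[7]

def inspect(src_ip: str, dst_ip: str, frame: bytes):
    """Return (action, reason): allow, alert or block, from zones, conduit policy and the command."""
    src, dst = ZONE_OF.get(src_ip, "unknown"), ZONE_OF.get(dst_ip, "unknown")
    try:
        _unit, fc = parse_mbap(frame)
    except ValueError as exc:
        return "block", f"malformed frame: {exc}"
    allowed = CONDUITS.get((src, dst))
    if allowed is None:  # default deny: no conduit defined between these zones
        return "block", f"no conduit {src}->{dst}"
    if fc in allowed:
        return "allow", f"fc {fc} permitted on {src}->{dst}"
    if fc in WRITE_CODES:  # state-changing command outside the conduit's allow list
        return "block", f"write fc {fc} not permitted on {src}->{dst}"
    return "alert", f"unexpected fc {fc} on {src}->{dst}"

# Constructed sample frames: Read Holding Registers (fc 3) and Write Single Coil (fc 5)
READ_HR = bytes.fromhex("0001000000060103000A0002")
WRITE_COIL = bytes.fromhex("000200000006010500130000")
```

A Write Single Coil from the HMI is blocked even though the same bytes from the engineering zone are allowed, which is the context an IT firewall matching only on IP and port cannot express.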

Figure 2. Zoning example


Zone-specific OT security policies
Zones must enforce policy specifically created for a particular OT environment. Each network has its own unique combination of standard and proprietary protocols, multi-vendor industrial control systems, and various locales around the world. Security policy must conform to the network, and not the other way around. In other words, you can't afford to make changes to the network for the sake of zoning when policy should be transparent and seamless to deploy.

To build a security policy tailored for your OT environment, look for a solution that includes a baselining capability to record all OT network traffic and determine what normal traffic should look like so that each zone can be protected from malicious or even anomalous behavior (as represented by employee error or device misconfiguration). In addition, choose a solution that can automatically create security policies from the baseline.

Ideally, the solution needs to understand the full context of OT protocols, be able to complete virtual zoning remotely and centrally, and enforce security policy that's easily customized for each unique OT environment.

Take the first step toward ICS network resilience
Network segmentation is a core building block of a mature cybersecurity profile. In fact, it will do more for reliability and safety than almost any other available security measure.

With GE Digital technology, system operators and integrators can define and implement segmentation that is specific to OT environments. They will be able to isolate systems into functional groups with similar security requirements and establish proper zones and conduits. This type of isolation not only makes unauthorized access and exploitation of critical devices much more difficult, but it can also help minimize the impact should a breach occur.

Contact GE Digital for an evaluation of your operational technology environment, and learn how to best segment your network to enhance your security posture and promote safer networking.

Sources:
[1] http://www.businessinsider.com/34-billion-devices-will-be-connected-to-the-internet-by-2020-2016-1
[2] http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_fundamentals_glossary.pdf
[3] http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_fundamentals_glossary.pdf
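An added example, not from the paper and not GE Digital's code, of how a baseline recorded during a learning window can be turned into per-conduit policy and then used to separate normal flows from anomalous ones (known conduit, unseen command) and unauthorized ones (no conduit at all). Zone names, protocols, commands and observation counts are constructed; the one-off enterprise-to-PLC read is deliberately included because a baseline can capture behavior that should never be learned as normal.

```python
"""Baseline-derived zone policy (constructed example, not GE's code)."""
from collections import Counter, defaultdict

# Constructed flow records from a learning window: (src_zone, dst_zone, protocol, command)
BASELINE = (
    [("hmi", "plc", "modbus", "read_holding_registers")] * 40
    + [("hmi", "plc", "modbus", "write_single_register")] * 5
    + [("engineering", "plc", "modbus", "write_multiple_registers")] * 3
    + [("historian", "plc", "dnp3", "read")] * 20
    + [("enterprise", "plc", "modbus", "read_coils")]  # single sighting: suspicious, not normal
)

def build_policy(records, min_count=2):
    """Derive a per-conduit allow list from observed traffic.

    (protocol, command) pairs seen at least min_count times on a conduit are learned;
    rarer sightings are returned for human review instead of silently becoming policy.
    """
    seen = Counter(records)
    policy = defaultdict(set)
    review = []
    for (src, dst, proto, cmd), n in seen.items():
        if n >= min_count:
            policy[(src, dst)].add((proto, cmd))
        else:
            review.append((src, dst, proto, cmd, n))
    return dict(policy), review

def classify(policy, flow):
    """Return 'normal', 'anomalous' (known conduit, new command) or 'unauthorized' (no conduit)."""
    src, dst, proto, cmd = flow
    allowed = policy.get((src, dst))
    if allowed is None:
        return "unauthorized"
    return "normal" if (proto, cmd) in allowed else "anomalous"
```

The anomalous class is what catches employee error or device misconfiguration on an otherwise legitimate conduit, while the unauthorized class is the default-deny outcome for zone pairs that were never meant to talk.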
About GE
GE (NYSE: GE) is the world’s Digital Industrial Company, transforming industry with software-defined machines
and solutions that are connected, responsive, and predictive. GE is organized around a global exchange of
knowledge, the “GE Store,” through which each business shares and accesses the same technology, markets,
structure, and intellect. Each invention further fuels innovation and application across our industrial sectors.
With people, services, technology, and scale, GE delivers better outcomes for customers by speaking the
language of industry.

Contact Information
Americas: 1-855-YOUR1GE (1-855-968-7143)
[email protected]

www.ge.com/digital

©2017 General Electric. All rights reserved. *Trademark of General Electric. All other brands or names are property of their respective holders.
Specifications are subject to change without notice. 05 2017
