Network Segmentation for

Industrial Control Environments

Introduction
In 2015, there were 10 billion connected Internet of Things
(IoT) devices. By 2020, the number is expected to skyrocket
to 34 billion.1

For industrial devices, this level of connectivity means an

expanded use of advanced analytic techniques to boost
productivity and efficiency, lower cost and downtime, and
increase profitability. Unfortunately, this also means an
expanded attack surface and greater risk of successful
cyber attacks within critical infrastructure environments.

No doubt, cyber security is a must. But where to start?

Start with network zone segmentation, a foundational

building block of any modern industrial cybersecurity
practice. That is, so long as it’s applied in a manner that
befits the specific needs of industrial control system (ICS)
and operational technology (OT) environments. Otherwise,
as connectivity continues to increase, the risk of successful
attacks will continue to rise while the efficiency and
profitability advantages of digital industrial investments
slowly wane.
Segmentation 101: Origins
The roots of network segmentation run deep in enterprise IT environments. What began as a way to improve network
performance and bandwidth (through better management of the broadcast and collision domains of shared network devices
and better containment of network traffic on respective sub-networks for each workgroup) has today evolved to significantly
support a proactive network security practice.

This evolution is important because perimeter defense—which only accounts for traffic going in and out of the network—is no
longer enough. Once an attacker or malware penetrates the perimeter and gains a foothold, consequent lateral movement
within the network is usually a foregone conclusion.

The takeaway: More protection is needed inside the network, precisely where segmentation and its zone-specific policies
play a crucial role; e.g., an accounting system zone might have one set of policies; an engineering zone, a different set.

According to ISACA, a common technique to implement network security is to segment an organization’s network into
separate zones that can be separately controlled, monitored, and protected.2

Control Monitor Protect

Limit the spread of an attack Alert an IT team to the threat and Stop attacks from spreading and further
or mitigate the damage to a specific anatomy of the attack. harming the broader network, critical
particular network segment. assets, and the organization at large.

Proper segmentation enhances an organization’s security posture and helps harden the controls network. Without it, or
without enough of it, successful hacker attacks can result in tremendous loss of data and corporate reputation.

Now that OT networks are becoming increasingly connected, the attack surface is widening, and increased risk is likely. But
unlike in IT, OT environments have much more at stake.
Why OT network segmentation is different than IT network segmentation
Unlike in IT environments, where a
successful hack can result in data loss or
damage to a company's reputation, the
01 Air gaps
are fading 02 Perimeter security
is not enough
Figure 1 illustrates how each level can be a
separate zone, and how a zone can include
a subset of elements from multiple levels.
In the past, when systems were completely Industrial system devices must communicate
stakes are higher in OT. When attackers It also depicts the information flows from
isolated (both physically and virtually), there with one another and with other sub-system
target steel mills, power plants, pipelines, level to level (or zone to zone) via conduits
was air gapping for security. Today, with the devices. As this creates multiple perimeters
rail yards, or hospitals, defense is about (i.e., connectivity between zones).
evolution of industrial systems, mobility, within OT environments, it shows how traditional
multi-million-dollar critical infrastructures,
cloud technologies, and multi-vendor perimeter security (one protective shell around Step one is to establish the proper
critical assets, the environment, and, most
environments, everything’s changed; air the entire system) is insufficient. A better plan zones with clearly defined and enforced
importantly, human safety.
gapping is no longer enough. is to give each group of systems (each with its security policies. Step two is to properly
own unique set of security requirements) its own secure the conduits with granular
Still, while we know network segmentation In GE Digital's experience conducting industrial
unique set of granular protections. network traffic inspection.
is a fundamental component of cyber and OT site assessments, we’ve found that
security, the problem remains that it’s nearly every site thought to be air gapped was,
difficult to implement in an industrial in fact, connected to the Internet. In short, air
control environment. gaps are a security measure myth.
Level 5 Router Enterprise network
Another myth is that all insiders are
Depending on the situation, there are Level 4 Email, Internet, etc. Site business planning and logistics network
trustworthy and competent. According to a
impactful people, process, and technology
SANS 2015 survey of industrial cyber security
actions that can be instituted. Fire wall
practitioners, insiders were the largest Terminal Patch AV
services management server
identified source of infiltration/infection, at 25
percent. Unidentified sources were the only Historian Web services Application
mirror operations server
higher grouping, at 44 percent.3 A high insider
threat and lack of visibility into other incident Production Optimizing Process Domain Fire wall
sources should lead any organization to control control history controller
Level 3 Site manufacturing
operation and control
question relying on an air gap that may or may
not be intact. Supervisory Operator Supervisory Enfineering Operator
Area
Fire wall
control interface control workstation interface
Level 2 supervisory
control

Batch Discrete Sequence Hybrid Basic

Level 1 control control control control control Cell/area zone
Level 0 Sensors Drivers Actuators Robots Process

Figure 1. Purdue Reference Model for Computer Integrated Manufacturing (CIM)

03 IT segmentation technologies
do not fit OT environments
Whether it's an entire level or a collection of cross-level
elements, each zone has its own perimeter. While this might,
at first blush, make typical IT segmentation seem like a good
strategy, we know it’s not. Why? Because we also know IT
technologies simply weren’t built to work in OT environments.
VLANs and Routing
Traditional segmentation mechanisms using VLANs or routing
can become very complex, very fast. In order to configure
new IP addresses and ports that accommodate VLANs and
IP subnetting, an OT environment must be brought down
or configuration must be scheduled during a maintenance
window. From a cost perspective, the required downtime
and/or equipment reorganization makes this an impractical
option. What’s more, the complexity increases the risk of
misconfiguration and employee error while the necessary
overhead could overwhelm an operations team already
strapped for OT security skills and resources.
If these issues weren’t enough, it’s also important to consider
how automation vendors may dictate specific layer-2 and
layer-3 designs. Any new network segmentation can fall
outside the supported reference architecture and, thus, be
disallowed. Bottom line: Traditional IT-style segmentation is
not feasible for deep zoning of industrial systems.
Even if VLANs and routing were to work in OT environments,
they still fall short in terms of security efficacy. While effective
in directing network traffic and containing it within designated
zones, these technologies do not provide insight or enforce
security policy for network traffic. Specifically, they can’t answer:
• Does the traffic contain malware?
• Does the network traffic use a legitimate command for an
unauthorized, malicious, or otherwise dangerous purpose?
• Is a command issued to leverage a device vulnerability to
launch an attack?
IT Firewalls
To secure and segment network traffic, many would recommend
IT firewalls. Though IT firewalls may offer network security and
segmentation capabilities, they’ve been designed to inspect IT
protocols, not OT protocols. Essentially, this means IT firewalls
cannot see what’s happening on an OT network and can
neither act on commands or payloads nor interpret context to
understand whether a packet or set of packets is authorized.
At best, a limited number of next-generation firewalls might be
able to identify a few OT protocols associated with a data flow,
but that’s about it. This level of visibility cannot detect wrongful
commands or harmful payloads. Simply detecting that there
is an OT protocol doesn’t make anything actionable from a
security perspective.
Ideal segmentation for ICS environments
Easy virtual zoning without OT network reengineering
For OT environments, a network segmentation solution must enable easy zone-level
separation in a centralized manner. Any requirement to physically move equipment for proper
segmentation is not only impractical, but out of the question. Critical devices are bulky and/or
remotely located. A solution must instead be able to segment a network virtually or logically,
even in instances where equipment resides at different sites.
Additionally, a solution needs to feature an intuitive graphical user interface (UI) such that
segmentation can be completed, as necessary, remotely. The UI should include a simple
drag-and-drop feature that easily enables OT personnel of any skill level—and without
extensive IT security training—to accomplish zoning objectives.
Lastly, the segmentation process cannot require OT network re-engineering or
reconfiguration. Any changes that would take the network offline or cause disruptions to
production are unacceptable.
Figure 2. Zoning example
Zoning with deep OT protocol inspection
To properly filter and inspect network traffic across zones, a solution must understand the
communication languages of industrial environments, namely the relevant OT protocols
(Modbus, DNP3, OPC, and others). That’s step one: protocol recognition.
The next step is deep protocol inspection. It’s critical to consider the fact that legitimate
protocol commands can be used for illegitimate purposes. Indeed, whether a network-
based exploit, denial of service attack, or an insider assault, each uses legitimate traffic
in illegitimate ways. Deeper scrutiny into the full context of each data flow can help give a
glimpse into malicious intent or accidental misconfiguration and, therefore, must extend to
each packet bit (every “0” and “1”) to include the header (source and destination addresses)
and the payload (commands such as read, write, reset, power on, power off, etc.).
Purposeful or not, incorrect execution of control commands can lead to dire consequences and
cause physical damage to a network’s critical assets. Therefore, a solution must be able to make
decisions to allow, alert, or block OT network traffic based on the full context of the packet.
This includes the protocol, industrial application, command, addressing, sessions, normal vs.
anomalous or malicious traffic, and more.
Zone-specific OT
security policies
Zones must enforce policy specifically created for a particular
OT environment. Each network has its own unique combination
of standard and proprietary protocols, multi-vendor industrial
control systems, and various locales around the world. Security
policy must conform to the network, and not the other way
around. In other words, you can’t afford to make changes to the
network for the sake of zoning when policy should be transparent
and seamless to deploy.
To build a security policy tailored for your OT environment, look
for a solution that includes a baselining capability to record all
OT network traffic and determine what normal traffic should
look like so that each zone can be protected from malicious or
even anomalous behavior (as represented by employee error or
device misconfiguration). In addition, choose a solution that can
automatically create security policies from the baseline.
Ideally, the solution needs to understand the full context of
OT protocols, be able to complete virtual zoning remotely and
centrally, and enforce security policy that’s easily customized for
each unique OT environment.
Take the first step Sources:
toward ICS network 1
http://www.businessinsider.com/34-billion-
devices-will-be-connected-to-the-internet-
resilience by-2020-2016-1
http://www.isaca.org/knowledge-center/
2
Network segmentation is a core building block of a mature documents/glossary/cybersecurity_
cybersecurity profile. In fact, it will do more for reliability and fundamentals_glossary.pdf
safety than almost any other available security measure.
http://www.isaca.org/knowledge-center/
3
With GE Digital technology, system operators and integrators documents/glossary/cybersecurity_
can define and implement segmentation that is specific to fundamentals_glossary.pdf
OT environments. They will be able to isolate systems into
functional groups with similar security requirements and
establish proper zones and conduits. This type of isolation
not only makes unauthorized access and exploitation of
critical devices much more difficult, but it can also help
minimize the impact should a breach occur.
Contact GE Digital for an evaluation of your operational
technology environment, and learn how to best segment
your network to enhance your security posture and promote
safer networking.
About GE
GE (NYSE: GE) is the world’s Digital Industrial Company, transforming industry with software-defined machines
and solutions that are connected, responsive, and predictive. GE is organized around a global exchange of
knowledge, the “GE Store,” through which each business shares and accesses the same technology, markets,
structure, and intellect. Each invention further fuels innovation and application across our industrial sectors.
With people, services, technology, and scale, GE delivers better outcomes for customers by speaking the
language of industry.

Contact Information
Americas: 1-855-YOUR1GE (1-855-968-7143)
[email protected]

www.ge.com/digital

©2017 General Electric. All rights reserved. *Trademark of General Electric. All other brands or names are property of their respective holders.
Specifications are subject to change without notice. 05 2017