Navigating challenges, lessons, future-proofing strategies for cybersecurity with industrial network segmentation

The escalating threat landscape across the operational sector has elevated industrial network segmentation to a critical cornerstone of security. The complexity and sophistication of these environments demand innovative and robust defense mechanisms, as industrial facilities have repeatedly become prime targets for cyberattacks. The motivation behind these attacks varies from economic gain to espionage, disruption of operations, and even potential threats to national security.

To counteract these threats effectively, industrial organizations are turning to industrial network segmentation as a pivotal strategy. At its core, industrial network segmentation involves dividing a large, interconnected network into smaller, isolated segments or zones. Each segment is rigorously controlled and monitored to limit unauthorized access and contain potential threats. This approach significantly enhances the overall security posture of the industrial environment.

Future-proofing, in the context of industrial network segmentation, involves anticipating and adapting to evolving threats and technologies. Cyberattacks are constantly evolving, with threat actors developing new tactics, techniques, and procedures (TTPs). To stay ahead of these threats, industrial organizations are increasingly forced to implement robust segmentation, as well as adopt a clear roadmap when it comes to emerging technologies and methodologies.

In the first part of this industrial network segmentation series, industrial cybersecurity experts join Industrial Cyber to address the intricacies of IT/OT network segmentation and explore the potential of AI and machine learning in enhancing industrial network segmentation. Moving forward, the executives tackle industrial network segmentation challenges and work their way toward future-proofing industrial network segmentation.

Tackling industrial network segmentation challenges

The executives provide instances of companies or sectors that have successfully implemented robust industrial network segmentation. They shed light on the valuable lessons that can be drawn from their achievements, while also examining whether certain industries are more prone to neglecting network segmentation. Furthermore, they explore strategies for raising awareness within these domains.

Roman Arutyunov, co-founder and vice president of product, Xage Security

“The more critical the industry, the more levels of segmentation it needs to have,” Roman Arutyunov, co-founder and senior vice president of products at Xage Security, told Industrial Cyber. “In a standard office environment, segmentation may be minimal, but at the opposite end of the spectrum, facilities like oil refineries must leverage multiple segmentation layers to safeguard their operations effectively.”

Andrew Ginter, VP Industrial Security at Waterfall Security Solutions

He added that industries such as energy, transportation, and manufacturing fall somewhere in between. “They recognize the importance of segmentation to protect their assets and operations but must tailor their approach to their specific needs and risk profiles.”

Andrew Ginter, vice president for industrial security at Waterfall Security Solutions, told Industrial Cyber that the recent TSA security directives for pipelines and rail systems are not this strong, but they have some intriguing language about segmentation, pointing out that an important goal of an OT security program is to keep the pipeline/rail system running, even if the IT network is compromised. “To do this, the OT network has to be able to work independently of IT – ideally be physically disconnected from IT during IT security incidents. This lets you do a quick check of the OT network and if it is clean, bring the physical process back up again.”

He added, “And to do this, you cannot have minute-by-minute OT operations depending on IT servers and services that might have been impaired or crippled by the ransomware – you really have to dig into these dependencies and do something about them. Furthermore, the directives point out that it is a bad idea to have shared trusts across the IT/OT boundary. It is these shared trusts (i.e.: Active Directory) that attackers use more often than not to pivot through firewalls.”

Jason Weber, vice president of product at Veracity Industrial Networks

Jason Weber, vice president of product at Veracity Industrial Networks, told Industrial Cyber that highly regulated industries such as nuclear and pharmaceutical have been the most successful at implementing and maintaining network segmentation. “This is primarily due to government overwatch of the entire plant and strict change control policies put in place to adhere to regulatory rules and audits. The challenge with network segmentation is that it is traditionally done with IT-focused tools such as VLANs, firewalls, ACLs, etc., making the maintenance of the network the domain of extensively trained personnel.”

He added that because of OT priorities and a lack of trained personnel on the plant floor, segmentation is nearly impossible to maintain.

“The utilization of products utilizing software-defined networking (SDN) has simplified the operation of the OT network as well as the implementation of micro-segmentation. Segmentation generally divides endpoints by either section of the plant (e.g. work cells or lines) or device classification (e.g. SCADA, PLC, or IO),” according to Weber. “Micro-segmentation creates a barrier around every device making it extremely difficult for malware to spread even throughout a work cell. SDN will also present the network to plant floor employees in a similar way to how the control system operates, making the upkeep of the OT network, including micro-segmentation and thus security, natural and easy.”

Zane Blomgren, director for industrial cybersecurity at Belden

“Our experience is that in many instances network design is inadequate and inherently insecure,” Zane Blomgren, director for industrial cybersecurity at Belden, told Industrial Cyber. “Industrial verticals that tend to grow and scale over time (Material Handling, Discrete Manufacturing, Intelligent Transportation Systems, and Energy come to mind in particular) often fail to revisit impacts to their network segmentation. Belden has worked with many organizations in these sectors that had poor designs leading to networks that grew too large to easily manage. This, in turn, leaves them susceptible to cybersecurity issues, and even potential violations of regulatory controls.”

He added that things like NERC have been helpful in the energy sector as they help organizations focus on proper network segmentation and risk management of critical assets. Similar policies/procedures across other verticals would be ideal to increase awareness and adoption.

“In addition, we have seen segmentation done at the IT/OT line of demarcation; but how do they know that it maintains successful protection over time? Also, while many begin segmentation, many fall short of taking it to process and control networks where they could provide even stronger protection to spillover events within the OT parts of the network,” according to Blomgren. “This additional segmentation would help avoid plant-wide shutdowns for precautionary measures. However, to implement correctly, this approach requires deeper, more intimate knowledge of the organization’s communication patterns between automation assets.”
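The segmentation Weber describes (zones by plant section or by device class such as SCADA, PLC and IO, with the IT network kept apart) and the communication-pattern knowledge Blomgren says deeper segmentation requires can be checked mechanically. The following is an added example, not code from the article or from any of the vendors quoted: it audits a constructed set of observed flows against a zone-and-conduit allowlist and flags anything crossing a zone boundary without an approved conduit. The asset inventory, conduit table and flow records are all invented for illustration.

```python
# Added example: audit observed flows against a zone-and-conduit policy.
# Zones follow the article's schemes (plant section or device class);
# IT is its own zone. All addresses, ports and records are constructed.
from dataclasses import dataclass

# Constructed asset inventory: address -> (zone, device class)
ASSETS = {
    "10.1.0.5":  ("IT", "workstation"),
    "10.2.0.10": ("OT-SCADA", "SCADA"),
    "10.2.1.20": ("OT-LINE1", "PLC"),
    "10.2.1.21": ("OT-LINE1", "IO"),
    "10.2.2.30": ("OT-LINE2", "PLC"),
}

# Approved conduits: (source zone, destination zone, destination port).
# "*" permits any port; anything else crossing a zone boundary is a finding.
CONDUITS = {
    ("OT-SCADA", "OT-LINE1", 502),   # SCADA polls the line-1 PLC (Modbus/TCP)
    ("OT-SCADA", "OT-LINE2", 502),
    ("OT-LINE1", "OT-LINE1", "*"),   # intra-zone PLC <-> IO traffic
    ("OT-LINE2", "OT-LINE2", "*"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    """Unknown assets get their own zone so they always surface in the audit."""
    return ASSETS[ip][0] if ip in ASSETS else "UNKNOWN"

def flow_allowed(flow: Flow) -> bool:
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if "UNKNOWN" in (sz, dz):
        return False
    return (sz, dz, flow.dport) in CONDUITS or (sz, dz, "*") in CONDUITS

def audit(flows):
    """Return (src_zone, dst_zone, flow) for every flow with no approved conduit."""
    return [(zone_of(f.src), zone_of(f.dst), f) for f in flows if not flow_allowed(f)]

SAMPLE_FLOWS = [  # constructed flow records
    Flow("10.2.0.10", "10.2.1.20", 502),    # SCADA -> PLC: approved conduit
    Flow("10.2.1.20", "10.2.1.21", 44818),  # PLC -> IO inside line 1: intra-zone
    Flow("10.1.0.5", "10.2.1.20", 502),     # IT workstation -> PLC: crosses IT/OT
    Flow("10.2.1.20", "10.2.2.30", 502),    # line 1 -> line 2: no conduit defined
    Flow("10.9.9.9", "10.2.1.21", 502),     # not in inventory: review asset list
]

if __name__ == "__main__":
    for sz, dz, f in audit(SAMPLE_FLOWS):
        print(f"FINDING {sz}->{dz}: {f.src} -> {f.dst}:{f.dport}")
```

Feeding real flow exports into `audit` gives the communication-pattern map Blomgren refers to; conduits are then added deliberately rather than inferred from whatever traffic happens to exist.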

Working towards future-proofing industrial network segmentation

The executives examine essential factors for future industrial network segmentation strategies amid evolving threats. They also provide insights on their anticipations regarding the incorporation of emerging technologies and methodologies in industrial cybersecurity, particularly concerning network segmentation, and assess its transformative potential for OT cybersecurity.

Arutyunov said that many organizations are transitioning from traditional perimeter-based security to an identity-centric approach. “In essence, zero trust empowers an architectural shift that must be strategically embraced organization-wide. Zero trust isn’t just a framework; it requires garnering organizational support and commitment.”

“The majority of current cyber threats abuse stolen valid credentials obtained either through phishing or bought on the dark web,” according to Arutyunov. “When the attacker can be assumed to have legitimate credentials, you have to embrace the zero-trust principle of least privilege. By limiting every identity to the minimum necessary access rights to fulfill its role, you prevent lateral movement and living off the land techniques that attackers are using to compromise critical systems.”

Ginter observes “that network engineering is being used increasingly at criticality boundaries – connections between networks whose worst-case consequences of compromise are unacceptable, and networks with acceptable consequences.” 

“The most common such boundaries are the IT/OT interface, and the OT/Internet interface (for cloud systems). The EPRI IIoT methodology, hardware I/O interface is the DoD’s UFT-4-010-06 criteria and unidirectional gateways are examples of engineering-grade tools to prevent the propagation of attack code from external networks into critical OT networks,” according to Ginter. “Safety engineering can be used to deploy engineering-grade overpressure valves, centrifugal clutches, and other analog/mechanical safety systems, but if we want to avoid critical infrastructure outages, we need to prevent the attacks from getting into the OT systems in the first place and forcing shutdowns of operations.”

“There will always be new threats emerging. The first thing any company should evaluate is its risk tolerance. The tolerance will set the baseline for what they can handle from a loss perspective and that will define what the priorities will be for security spend and strategy,” Weber said. “I always recommend that the most basic segmentation is that the IT and OT networks should be separated. There are a lot of companies that still have flat networks and they should start there. Beyond that, the use of software-defined networking on the plant floor can dramatically simplify initial network segmentation projects and help maintain segmentation in the long term.”

Blomgren said that while network segmentation can be an overwhelming exercise for organizations, “I encourage teams to start by choosing a framework if they haven’t already. IEC 62443 is a good choice as it outlines in detail many of the best practices organizations should follow for successful shop floor security, including network segmentation. A solid framework will help organizations balance agility to react quickly and effectively to new threats against business efficiency. A best practice is to prioritize assets based on their business criticality. Use a risk-based approach to help.”

Actionable steps for network segmentation

Drawing on these insights, the executives analyze the fundamental lessons to be drawn about the significance of industrial network segmentation and its capacity to strengthen cybersecurity within the industrial sector. They also set out immediate actions that organizations and experts can take to confront the issues emphasized in this article and reinforce their cybersecurity measures.

Arutyunov listed adapting approaches, zero trust adoption, government support and guidance, and regulatory compliance. “Further, organizations must thoroughly assess existing cybersecurity measures and create a roadmap for implementing industrial network segmentation, emphasizing zero trust principles. They must also invest in the latest zero trust identity management solutions, develop robust incident response plans, etc.”

He added that by taking proactive steps, organizations and experts can bolster their defenses, enhance their cybersecurity measures, and navigate the ever-changing industrial cybersecurity landscape with greater resilience.

“With the threat report showing that ransomware threats are causing OT shutdowns at a rate that is more than doubling annually, and increasingly using the same TTPs as nation-state threats, today’s due care demands engineering-grade network segmentation (network engineering) at criticality boundaries,” Ginter said. “If the worst case consequences of compromise on a control network are acceptable – e.g.: clean up costs + overtime costs to make up lost production – then whether to use network engineering or not becomes a simple ROI decision.”

But when worst-case consequences are unacceptable, “due care demands that we put strong preventive protections in place to prevent those unacceptable outcomes,” he added.

Weber outlined that best practices for cyber security start with a defense-in-depth strategy. “This strategy has three main components 1 – training people, 2 – hardening the system, 3 – detection and remediation. Network segmentation is critical for #2 but can be impacted by both 1 and 3. As a company looks to implement a segmentation plan, first they should identify risk tolerance and then look at their teams’ skill sets to determine gaps that may require training. If there is a lack of OT networking skills, then companies need to evaluate new tools and technology, such as SDN, to simplify network management,” he added.

“It’s important for organizations to remember that they are working to keep things out and in. Other future considerations for industrial organizations to consider include a growing use of cloud services – especially to service digital twins – which means that there are even more assets to manage and secure,” according to Blomgren. “Above all else: we recommend that organizations have realistic expectations and an incremental plan. Organizations that try to boil the ocean are likely to suffer from analysis paralysis. Start with assets most important to the business and incrementally develop the project from there, building on success at each stage.”
