Adopting strategies for lower-level OT network segmentation to bolster industrial networks against cyber threats

Building network segmentation across OT (operational technology) environments to safeguard industrial control systems (ICS) and critical infrastructure plays a pivotal role in mitigating cybersecurity risk. Lower-layer segmentation places physical barriers that further reduce the attack surface and protect sensitive assets from cyber threats and attacks; a secure network architecture built this way stands as the primary line of defense for ensuring the reliability of industrial systems.

The Purdue model serves as a structural framework for safeguarding ICS, focusing on the segmentation of physical processes, sensors, supervisory controls, operations, and logistics. Operating as a hierarchical system, it organizes and fortifies industrial networks, categorizing them into levels ranging from 0 to 3, each exhibiting progressively enhanced levels of control and security. By meticulously isolating and securing the different layers of the industrial network, this model plays a crucial role in safeguarding critical infrastructure.

Level 3 segmentation involves dividing an OT network into distinct subnetworks to enhance security by isolating different parts of the network. Structuring the architecture to limit the potential impact of cyberattacks or failures helps with managing traffic flow and optimizing network performance. Below Level 3, physical segmentation separates network components physically, such as using separate cables or air gaps to isolate critical devices from less secure areas. 

Level 3 manages the production workflow on the manufacturing floor, handling functions like batch management, data recording, and plant performance management, while Level 2, or control systems, contains ICS with HMI (human-machine interfaces) and SCADA (supervisory control and data acquisition) systems to oversee and control physical processes. Level 1, the basic control level, hosts control devices like sensors, pumps, and actuators, which sense and manipulate physical processes to improve efficiency, while Level 0, the physical process level, houses the actual physical equipment that defines the core physical processes.

Such segmentation can be brought into effect regardless of whether the operational entity operates within the scope of Industry 3.0, Industry 4.0, or anywhere in between. Level 3 security focuses on IP-based communication. It involves implementing access controls, intrusion detection, and encryption at this layer to safeguard data integrity and confidentiality. Additionally, implementing technologies like virtual LANs (VLANs) and subnets ensures that critical devices and processes remain isolated from non-critical ones, reducing the attack surface.

In this two-part feature series, Industrial Cyber reached out to prominent industrial cybersecurity experts to elucidate the importance of network segmentation below Level 3, specifically delving into the implementation of zones and conduits. The approach plays a critical role in bolstering the security stance of industrial systems. In addition, the experts analyze whether evolving strategies have the capability to counter the growing complexity of cybersecurity threats, geopolitical influences, and hardware vulnerabilities.

Unveiling the crucial role of network segmentation in industrial cybersecurity

Jonathon Gordon, directing analyst at Takepoint Research

Segmenting IT and OT networks has evolved beyond being a mere standard practice, and stands today as a cornerstone of industrial cybersecurity, Jonathon Gordon, directing analyst at TP Research, told Industrial Cyber. “This emphasis on segmentation is echoed in the IEC-62443 and other international standards which recommend segmentation as a pivotal measure for enhancing OT security. Industrial firewalls and data diodes are among the tools that have been developed to bolster this security framework. Their capabilities, when harnessed correctly, can significantly curtail unnecessary communication between IT and OT, thereby reducing potential vulnerabilities,” he added. 

“Much of the essential knowledge about how systems and processes work together is distributed among various teams. For segmentation to be truly effective, it’s vital to deeply understand the assets, what they do, and the details of control systems,” Gordon observed. “While there are modern tools that help find assets and give advice on segmentation, and even help with setting up virtual segmentation, they can only show the depth of understanding of a plant’s control network, especially when it comes to important assets and processes. Getting segmentation right at the deeper levels is a tough job.”

However, Gordon assessed that a significant hurdle is setting clear criteria to determine the appropriate zone for an asset. “This decision often hinges on the asset’s communication patterns and its interactions with other entities outside its immediate environment.”

“Implementing security controls at the deeper levels of OT and IT networks is a nuanced task. While the overarching concept might seem straightforward, the practical application is layered with complexities. In industrial settings, safety and productivity are paramount,” according to Gordon. “As a result, some OT professionals may perceive preventive tools at deeper levels as a risk they’re unwilling to take. A significant concern is the potential for false positives, which can inadvertently block essential traffic. This can be especially problematic in industrial settings where uninterrupted communication is vital for operations. For instance, a security measure might misinterpret a routine data transfer as a potential threat, leading to unnecessary disruptions.”

Furthermore, he added that the knowledge required to navigate these complexities is often dispersed across the organization. “Different teams might hold pieces of the puzzle, with some information documented in spreadsheets and other insights known only to specific individuals. This fragmented understanding can further complicate the implementation of security controls.”

Sal Morlando is the Senior Director of Products at OPSWAT

“One of the core elements of this segmentation strategy is the implementation of secure one-way data transfers,” Sal Morlando, senior director of products at OPSWAT, told Industrial Cyber. “This means that data can only flow in a single direction, typically from a higher security zone (e.g., EWS) to a lower one (e.g., PLC). By enforcing this one-way path for data, it guarantees that data cannot be leaked or accessed from the lower security zone back into the higher one, significantly enhancing security.”

He added that one key improvement involves real-time scanning of data while it’s in transit. “This allows for the detection and immediate mitigation of potential threats. Any malicious activity or unauthorized data transfers can be promptly identified and stopped, bolstering security measures.”

Also, Morlando pointed out that it is “in compliance with IEC 62443, segmentation below layer 3 prevents the propagation of threats released in one zone from infiltrating another operational zone.”

Richard Robinson, chief executive officer at Cynalytica

A cornerstone to the protection of industrial systems is the concept and practice of network segmentation below Layer 3, which essentially means breaking up the network into smaller, monitorable, and manageable parts, Richard Robinson, chief executive officer of Cynalytica, told Industrial Cyber. “Think of it as creating compartments in a ship to prevent it from sinking if one section gets flooded. These ‘compartments’ or ‘zones’ in ICS and OT networks help operators group devices with similar roles or sensitivities. Communication paths, known as ‘conduits,’ establish control as to how data flows between zones.” 

When discussing connections like those from Engineering Workstations (EWS) at Layer 3 (L3) to Programmable Logic Controllers (PLC) at Layer 2 (L2) and below Layers 0-1, both standard TCP/IP and non-IP based communications like analog, serial, or proprietary protocols for embedded systems come into play, Robinson identified. “While TCP/IP might be familiar to many as the language of ICS/OT, many ICS components rely on older or specialized communication methods that do not have the built-in monitoring and security features of IP protocols.”

“As cyber threats grow in complexity and sophistication, the way we approach ICS security is also evolving. Geopolitical tensions mean that state-sponsored attacks on critical infrastructures have become a reality,” Robinson highlighted. “These aren’t just typical hackers looking for financial gain; they can be well-funded teams aiming to disrupt a country’s essential services. On top of this, we continue to uncover vulnerabilities in the hardware of many of the core devices running our industrial control systems for critical infrastructure, adding another layer to the security challenge.” 

By employing zones and conduits, security teams can better monitor, manage, and restrict communications, ensuring that even if one part of the system is compromised, the threat is contained, can be monitored, and doesn’t spread, according to Robinson. “This strategy allows for better management of both the familiar TCP/IP communications and the unique challenges posed by non-IP based systems. As threats grow and change, this layered, segmented, and compartmentalized approach will continue to be a cornerstone of ICS security.”
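As an added illustration of the zones-and-conduits model Robinson describes above, and of the one-way EWS-to-PLC path Morlando mentions earlier (example code written for this article, not from either company): a small policy check that maps a constructed asset inventory to zones, permits only the listed directional conduits between zones, and flags connection records that fall outside them. The zone names, addresses, protocols and flow records are all constructed.

```python
from collections import namedtuple
# Constructed Purdue levels for three zones (lower level = closer to the physical process)
ZONES = {"L3_ops": 3, "L2_control": 2, "L1_plc": 1}
# Constructed asset inventory: address -> zone
HOSTS = {
    "10.3.0.10": "L3_ops",      # engineering workstation (EWS)
    "10.2.0.20": "L2_control",  # HMI
    "10.1.0.30": "L1_plc",      # PLC
    "10.1.0.31": "L1_plc",      # second PLC
}

# Constructed conduits: (initiating zone, receiving zone, protocol). Direction matters:
# only the higher-level side may initiate, so there is no entry back up the hierarchy.
CONDUITS = {
    ("L3_ops", "L2_control", "tcp/44818"),  # EWS -> HMI
    ("L2_control", "L1_plc", "tcp/502"),    # HMI -> PLC (Modbus/TCP)
}

Flow = namedtuple("Flow", "src dst proto")  # one observed connection initiation

def check_flow(flow):
    """Return None if the flow is permitted by the zone/conduit policy, else a reason."""
    src_zone, dst_zone = HOSTS.get(flow.src), HOSTS.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "host not in asset inventory"
    if src_zone == dst_zone:
        return None  # intra-zone traffic (e.g. PLC-to-PLC) is not mediated by a conduit
    if (src_zone, dst_zone, flow.proto) in CONDUITS:
        return None
    if (dst_zone, src_zone, flow.proto) in CONDUITS:
        return "reverse direction of one-way conduit"
    if ZONES[src_zone] < ZONES[dst_zone]:
        return "upward initiation from lower level, no conduit"
    return f"no conduit {src_zone}->{dst_zone} for {flow.proto}"

def audit(flows):
    """Return (flow, reason) pairs for every flow the policy does not permit."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]

SAMPLE_FLOWS = [  # constructed connection records
    Flow("10.3.0.10", "10.2.0.20", "tcp/44818"),  # EWS -> HMI: permitted conduit
    Flow("10.2.0.20", "10.1.0.30", "tcp/502"),    # HMI -> PLC: permitted conduit
    Flow("10.1.0.30", "10.1.0.31", "tcp/502"),    # PLC -> PLC: same zone
    Flow("10.1.0.30", "10.2.0.20", "tcp/502"),    # PLC -> HMI: wrong direction
    Flow("10.3.0.10", "10.1.0.30", "tcp/502"),    # EWS -> PLC: skips Level 2, no conduit
    Flow("10.1.0.31", "10.3.0.10", "tcp/44818"),  # PLC -> EWS: upward, no conduit
    Flow("10.9.9.9", "10.1.0.30", "tcp/502"),     # source not in inventory
]
```

Calling `audit(SAMPLE_FLOWS)` returns the four records the policy rejects together with the reason for each; the same function can be fed records exported from a passive monitoring tool to confirm the segmentation still holds after a change.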

Nitzan Daube, CTO at NanoLock Security

“In ICS, we have much more than a network. We have physical processes, sensors, devices, supervisory controls, multi-operations, and complex logistics that work and interact in real-time,” Nitzan Daube, CTO at NanoLock Security, told Industrial Cyber. “If we use the Purdue model as a reference for ICS cybersecurity, IT systems occupy the upper levels and OT systems occupy the lower levels (Level 2 and 1), connected by DMZ and Level 3 Engineering Work Stations (EWS) in the middle. Network segmentation might be a great idea for Level 3 and above, however, it is less relevant to Level 1, due to the fact that Level 1 devices must be connected to Engineering Workstations, HMI, and other systems in Level 2-3.”

In addition, PLC-to-PLC communication requires high speed, which can be disrupted by network cybersecurity solutions that cause latency, Daube underlined.

“In Level 1, what can be a substitute for network segmentation is the protection of devices. At this level, cybersecurity should act like automated folding bridges to each ‘island,’ giving access only after a strict verification of identity,” Daube identified. “These bridges should be quick and lightweight, operate on the zero-trust principle for everyone including internal and external actors, with zero tolerance for shared credentials. It should service and protect all islands on an organization’s map, meaning all new and legacy devices used by the plant. True level 1 protection requires enforcement at the device level, ensuring protection even from a direct connection.”

Daube identified that strategies to counter the growing complexity of cybersecurity threats, geopolitical influences, and hardware vulnerabilities have evolved in several key ways. “In OT cybersecurity, the trends and approaches that are currently dominant include zero-trust architecture, MFA, regulation compliance, supply chain and third-party risk management, and user training and awareness.”

He added that firewalls aren’t on the list because while firewalls have been a common security control to inspect traffic across different layers, they often fail to understand OT protocols and introduce latency in the communication pathway. “This is important because in Level 1, PLC-to-PLC communication might require high speed, and a latency can cause disruptions.”

Network segmentation strategies for industrial systems security amid change

Considering the dynamic nature of industrial systems, the executives explore how network segmentation at lower levels can effectively adapt to changes such as system updates, expansions, or the integration of new devices. They also shed light on the strategies employed to ensure ongoing security and stability, as well as how organizations are kept informed about these changes and upgrades.

Gordon pinpointed that even though segmentation isn’t a new concept, “it’s a topic we frequently receive customer inquiries about because it’s challenging. There’s a common perception that industrial systems are static, given their longstanding presence. However, in many sectors, this is far from the truth. These networks are dynamic, continuously evolving, and incredibly intricate.”

“It’s a catch-22 situation – while a mistake in segmentation can have dire outcomes, its complexity often pushes practitioners to emphasize detection below level 3,” Gordon recognized. “Yet, the dilemma with focusing on visibility and detection is that they don’t provide immediate advantages in diminishing risks, in contrast to segmentation.”

The focus of OT network segmentation is to segment the OT network into operational zones, Morlando said. “If segmented correctly, infrastructure within a zone can be updated, expanded, or equipped with new devices without altering the segmentation strategy. Asset discovery and inventory management systems will be able to detect asset updates and new assets, and the patch management process should support delivering updates across network segments.”

“Network segmentation, especially at lower layers, Levels 3-0, offers a compartmentalized approach to managing these changes,” Robinson determined. “In technical terms, whether devices communicate using the ubiquitous TCP/IP protocols, which many of us know as the backbone of the internet, or they rely on non-IP based methods like analog, serial, or specialized protocols for embedded systems, segmentation allows for flexibility. New devices or updated systems can be added to designated zones without having to overhaul the entire network. Adjustments can be made to the ‘conduits’ or controlled communication pathways between zones to ensure smooth and secure data transfer.”

Robinson identified that to guarantee ongoing security and stability, especially with the blend of TCP/IP and non-IP communications, continuous monitoring and regular system evaluations and audits are essential. “Network tools can keep an eye on traffic, quickly detecting unusual patterns that might indicate a security breach or malfunction. Periodic audits can reaffirm that the segmentation is still effective, especially after introducing new components or updates.” 

As for keeping organizations in the loop, Robinson put forward a blend of real-time alerts for critical issues, along with regular reports detailing system health and changes, ensuring everyone is informed. “When significant changes or upgrades are made, especially if they involve introducing unfamiliar communication methods, workshops and education/training sessions can be invaluable. This multifaceted approach ensures that as the ICS landscape evolves, the strategies to protect and manage it remain robust and transparent,” he added.

In terms of ICS lower-level cybersecurity, Daube said that the best way to adapt to system updates, expansions, or new device integrations is to protect each individual device that makes up Level 1. “To do so, what you need is a vendor-agnostic cybersecurity solution that works with all types of device models, including legacy equipment, applying a strict zero-trust approach. Trust is never assumed, and access is granted only to authorized users. For instance, when it comes to patching, only authorized users will possess the capability to update an imperfect Programmable Logic Controller (PLC) at a given time.”

“When it comes to staying in the know, organizations benefit from the information-sharing initiatives of agencies like the Cybersecurity and Infrastructure Security Agency (CISA), which disseminates vital information regarding vulnerabilities and patches,” Daube recognized. “Moreover, most PLC vendors provide timely changes and updates to their customers, to render industrial systems more resilient against emerging threats and vulnerabilities.”

Be sure to tune in on Monday for the second part of this series. The experts will explore the significance of cultivating vendor partnerships for seamless network segmentation, conduct an in-depth examination of network segmentation beyond Layer 3, and offer insights into anticipating trends in lower-layer OT network segmentation amidst evolving cybersecurity threats.
