Fortifying IT/OT network segmentation strategies for cyber resilience across critical infrastructure environments


A changing threat landscape has heightened the need to strengthen IT/OT network segmentation approaches in order to improve cyber resilience within critical infrastructure operations. The convergence of IT and OT (operational technology) networks has become a focal point for safeguarding essential systems. By extending segmentation beyond Layer 3, organizations can effectively partition these interconnected networks, limiting lateral movement for potential attackers and minimizing damage in the event of a breach.

Securing IT/OT networks, especially below Layer 3, calls for a comprehensive strategy encompassing segmentation, stringent access controls, continuous monitoring, and collaborative vendor partnerships. Striking a balance between security and operational efficiency is challenging, and often requires robust access control policies, vigilant monitoring, and advanced threat detection measures. In a world where lower-level OT networks harbor vulnerabilities, robust segmentation strategies are a linchpin, promising a more secure and efficient future for critical infrastructure.

In the first part of this series, Industrial Cyber reached out to cybersecurity experts in the field to examine the crucial role that network segmentation plays across the industrial cybersecurity landscape and to address network segmentation strategies for industrial systems security amid change.

Fostering vendor partnerships for seamless network segmentation success

The executives delve into the significance of vendor partnerships and collaboration in achieving effective network segmentation below Layer 3. They also examine the ways organizations can collaborate with technology providers to tackle specific challenges and ensure seamless compatibility across different network layers.

Jonathon Gordon, directing analyst at Takepoint Research

“A major concern with a flat network is the ease of lateral movement for attackers,” Jonathon Gordon, directing analyst at TP Research, told Industrial Cyber. “If they successfully breach a less critical component in the network, they can navigate freely within it. This provides them a chance to aim for and possibly compromise essential control systems or even protective SIS systems.”

Sal Morlando is the Senior Director of Products at OPSWAT

Sal Morlando, senior director of products at OPSWAT, told Industrial Cyber that DCS (distributed control systems) and OEM (original equipment manufacturer) cooperation is critical to ensure the success of a secure deployment in an OT environment. “If OT security tools are supported by the vendor, this ensures that they can have additional measures in place.”

He identified that at times when they are not supported, these secure tools, technology, and software often must be temporarily or permanently removed in order to perform maintenance or upgrades. “This lack of cooperation leads to an increased attack surface and more avenues for attackers to leverage in order to impact production equipment.”

Richard Robinson, chief executive officer at Cynalytica

Identifying that vendor partnerships and collaboration are paramount, Richard Robinson, chief executive officer of Cynalytica, told Industrial Cyber that these systems are often an amalgamation of various technologies, with different parts hailing from different eras and manufacturers. “Just as a city might have roads built at different times using various materials and techniques, ICS can contain both modern devices communicating through TCP/IP and older machines using non-IP systems, such as analog, serial, or proprietary protocols tailored for embedded systems. This diversity can be a strength, but also a challenge.” 

Robinson detailed that successful network segmentation below Layer 3 is like creating dedicated lanes for different vehicles on the road, depending on deep cooperation between technology providers. “Vendors possess intimate knowledge of their products, and their insights can be crucial in ensuring that these ‘lanes’ effectively segregate and streamline traffic, regardless of whether it’s a modern TCP/IP signal or an older analog message.”

“To navigate this multifaceted environment, organizations must foster a proactive and collaborative relationship with their technology providers,” according to Robinson. “Engaging vendors early in the design and planning phases can preempt potential compatibility issues, ensuring a smoother integration of different network layers. Regular consultations can also help address specific challenges, be it blending old and new technology, managing a transition phase, or optimizing performance in mixed communication environments.” 

He also pointed out that organizations should encourage vendors to provide comprehensive documentation, training, and support, ensuring that in-house teams have the knowledge and resources to manage and troubleshoot their systems. “In essence, by weaving a tapestry of vendor expertise with organizational objectives, companies can craft a robust, flexible, and efficient ICS network, where every component, old or new, finds its optimal place.”

Nitzan Daube, CTO at NanoLock Security

Nitzan Daube, CTO at NanoLock Security, observed that an Intrusion Detection System (IDS) is a valuable solution; however, it possesses limitations, particularly related to its post-incident focus. “To achieve the highest level of OT cybersecurity below Level 3, it is imperative to adopt a prevention-based approach that ‘segments’ each device. This approach should combine network visibility with device-level zero-trust protection.”

“Notably, international regulations and compliance standards are already recognizing the significance of this approach,” Daube told Industrial Cyber. “For instance, regulatory bodies such as the Cyber Security Agency of Singapore, European Union (NIS2), and the United States’ CISA and NIST are endorsing best practices and guidelines that underscore the importance of the device-level zero-trust approach to Level 1 OT cybersecurity.”

Organizations should look for vendors whose solutions are regulation-compliant or are even ahead of such regulations, Daube mentioned. “These vendors should understand the ICS/OT environment from the ground up, know how the physical machines operate, and understand how the controllers, servers, EWS, and other systems interact with each other and the plant floor.”

He added that organizations should strive to work with vendors who are knowledgeable in the sector that the organization is in. “A food manufacturing multinational will have vastly different needs than a smart metering solutions provider or a water treatment facility. The vendor must be aware of the basic differences, as well as the nuances associated with each.”

In-depth examination of network segmentation at Layer 3 and beyond

The executives scrutinize the key drivers behind the adoption of network segmentation below Layer 3 in OT environments, with a particular emphasis on zones and conduits in alignment with the IEC 62443 standard. Furthermore, they identify how this approach effectively addresses the distinctive requirements of lower-layer network segmentation. 

“Primary motivations behind implementing network segmentation below Layer 3 are to prevent the propagation of threats released in one zone from reaching other zones, as well as more effective access controls,” Morlando identified. “Plant networks that are organized into operational zones are more efficient to manage and security controls can be more effective.”

Ensuring the robustness and security of OT/ICS systems is paramount, according to Robinson. “The primary motivation behind implementing network segmentation below Layer 3 in these settings, as per the IEC 62443 standard, revolves around enhancing security and manageability.” 

He detailed that the concept of ‘zones’ and ‘conduits’ allows OT networks to be divided into distinct segments, or zones, based on their function and criticality. Each zone has its own set of security measures, making it harder for a potential intruder to compromise the entire network. Conduits, on the other hand, define and regulate the communication paths between zones, ensuring only necessary and secure data transfer occurs. This structure is akin to having walled sections in a fortress, with controlled gates in between, allowing for efficient movement while ensuring security.

“Communication protocols in OT environments are very diverse. While TCP/IP is a widely known protocol, often likened to the ‘language’ of the internet, many OT systems also communicate using non-IP based methods, such as embedded system protocols, analog signals, and serial communications,” Robinson commented. “These older or specialized methods may not inherently possess the robust security features that modern TCP/IP systems do.” 

He added that the zones and conduits’ approach of the IEC 62443 standard caters to this diversity. “By segmenting the network, monitoring and managing inter-zone communication, it ensures that even these less secure communication methods are monitored, protected and isolated from potential threats. In this way, regardless of the communication method, each part of the network can function optimally while benefiting from enhanced security and structure.”
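The zones-and-conduits structure Robinson describes can be written down as an explicit policy and checked mechanically. The following is an added illustration, not code from the article or from any vendor quoted in it: it models a small plant as zones and directed conduits (each conduit limited to the protocol its function needs), evaluates individual flows against that policy, and compares how many zones an intruder who lands in the enterprise zone could pivot into under segmentation versus a flat network. All zone, asset and protocol names are constructed.

```python
"""IEC 62443-style zones and conduits as an explicit policy, plus a reachability
check contrasting a flat network with a segmented one.

Added illustration; not code from the article or any vendor quoted in it.
Zone and asset names, protocols and conduit rules are constructed."""
from collections import deque

# Constructed asset inventory: asset -> zone. A zone groups assets that share
# the same security requirements (IEC 62443 terminology).
ASSETS = {
    "erp-server":   "enterprise",
    "historian":    "dmz",
    "scada-server": "control",
    "hmi-01":       "control",
    "plc-line-a":   "cell-a",
    "plc-line-b":   "cell-b",
    "sis-01":       "safety",
}

# Conduits: the only permitted inter-zone paths, keyed (initiating zone,
# receiving zone) and restricted to the protocols the function needs.
# Anything not listed is denied. No conduit terminates in "safety", so the
# SIS cannot be reached from any other zone.
CONDUITS = {
    ("enterprise", "dmz"):  {"https"},   # business users read reports in the DMZ
    ("control", "dmz"):     {"opc-ua"},  # SCADA pushes data to the DMZ historian
    ("control", "cell-a"):  {"modbus"},  # HMI/SCADA to the line-A controller
    ("control", "cell-b"):  {"modbus"},
}


def flow_allowed(src, dst, proto):
    """True if src may initiate a flow to dst over proto.
    Intra-zone traffic is permitted; inter-zone traffic needs a matching conduit."""
    zone_src, zone_dst = ASSETS[src], ASSETS[dst]
    if zone_src == zone_dst:
        return True
    return proto in CONDUITS.get((zone_src, zone_dst), set())


def reachable_zones(start_zone, conduits):
    """Zones an intruder who controls start_zone could pivot into by following
    conduits in their initiating direction (each conduit is a potential path).
    Return traffic of an established session is not a pivot path and is ignored."""
    seen, todo = {start_zone}, deque([start_zone])
    while todo:
        zone = todo.popleft()
        for (initiator, receiver) in conduits:
            if initiator == zone and receiver not in seen:
                seen.add(receiver)
                todo.append(receiver)
    return seen


def flat_network_reach(start_zone):
    """A flat network behaves like a conduit between every pair of zones."""
    zones = set(ASSETS.values())
    flat = {(a, b): {"any"} for a in zones for b in zones if a != b}
    return reachable_zones(start_zone, flat)


if __name__ == "__main__":
    for src, dst, proto in [("hmi-01", "plc-line-a", "modbus"),
                            ("erp-server", "plc-line-a", "modbus"),
                            ("hmi-01", "sis-01", "modbus")]:
        print(f"{src} -> {dst} [{proto}]: {'allow' if flow_allowed(src, dst, proto) else 'deny'}")
    print("segmented, from enterprise:", sorted(reachable_zones("enterprise", CONDUITS)))
    print("flat, from enterprise:     ", sorted(flat_network_reach("enterprise")))
```

Under the constructed policy an enterprise-zone compromise can pivot only into the DMZ, whereas the flat model exposes every zone; the safety zone is unreachable from anywhere because no conduit terminates there. Keeping the conduit table as data also gives auditors a single artefact to compare against the firewall and data-diode configuration that is supposed to enforce it.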

The International Society of Automation (ISA) has developed a range of globally accepted standards that focus on enhancing the security of industrial automation and control systems, Daube highlighted. “The ISA/IEC 62443 is one such series of standards, offering a valuable framework for managing and reducing security risks. But ISA introduced the concept of zones and conduits a long time before the first versions of the standard were published over fifteen years ago. Accordingly, zones are a group of assets that share the same cybersecurity requirements, and conduits are zones that are dedicated exclusively to communications.”

“When we look at ICS cybersecurity through the lens of the Purdue model, we see that a Level 1 PLC can easily connect to various zones, conduits, and networks (upper levels). To protect the PLC device, what we need is ‘segmentation’ in Level 1, meaning treating each PLC like its own segment,” Daube pointed out. “The way we achieve this is through a device-level zero-trust approach that’s designed to prevent all known attacks whether they come from the outside, inside, or third parties. The zero-trust approach is effective in preventing human errors as well. Such an approach must be applicable to each and every device, regardless of the vendor, or whether it’s new or legacy.”

Predicting lower-layer OT network segmentation trends in evolving threats

Looking ahead, the executives comment on the anticipated trends in OT network segmentation, particularly in lower-layer zones below Layer 3, considering the ever-evolving threat landscape.

As the industry matures, Gordon said, “we expect the emergence of tools that not only gather network and asset data but also harness the knowledge, wisdom, and insights from a diverse group of experts and stakeholders across OT, IT, automation, plant, and cybersecurity will be essential in fine-tuning the segmentation approach.”

“These tools will be central in addressing the intricate task of identifying systems vital to the business and discerning how segmentation can most effectively mitigate risks,” according to Gordon. “It’s imperative for these tools to integrate a consequence-based engineering approach and a risk-centric strategy that aligns with the company’s objectives.”

He added that while the rise of AI in these areas is evident, it’s crucial to understand that while AI can provide support, it cannot replace the deep-rooted knowledge present within the organization. “Nonetheless, AI holds the potential to aid in analysis, propose, and present alternative segmentation tactics to further diminish risks.”

Morlando pointed out that data diodes will increasingly be used to segment zones, alongside wider deployment of OT firewalls and IDS/IPS systems to further segment PLCs and operational equipment.

Robinson anticipates that given the evolving threat landscape, OT network segmentation, particularly in zones below Layer 3, will see several trends. “First, there’ll be an increased emphasis on granularity. As OT environments incorporate a blend of TCP/IP and non-IP-based communications like embedded system protocols, analog, and serial communications, segmentation will likely evolve to offer finer-grained control, enabling tailored monitoring and security measures for each type of communication. This adaptability ensures that less secure traditional communication methods gain a dedicated protected place within the wider network.” 

“What’s more, frameworks like ‘MITRE EMB3D’ will play a pivotal role,” Robinson said. “This framework, which provides strategies and tactics to counter adversaries in OT, underscores the importance of monitoring all communications in ICS, not just TCP/IP ones. Considering the critical operations that OT oversees, ignoring even a small amount of non-TCP/IP communication can have disastrous consequences.” 

The MITRE EMB3D framework offers insights into both attack patterns and defensive strategies, providing a holistic view of potential vulnerabilities and response tactics across all communication types, Robinson identified. “As we move ahead, there’ll likely be a universal acknowledgment that monitoring all ICS communications, regardless of their nature, is not just good practice but an absolute necessity. This recognition, coupled with adaptive segmentation and frameworks like MITRE EMB3D, will shape a more resilient and secure OT landscape in the face of ever-growing threats.” 

Robinson added that the “upcoming MITRE EMB3D (slated January 2024 and led by Niyo Little Thunder Pearson, MITRE, RBS, and NARF) threat modeling framework focuses on critical infrastructure embedded systems, so OT defenders can understand the attack surface these devices are exposed to while OEM/vendors can use the threat model framework to develop a better security-focused product using leading secure by design software/hardware approaches.”

“OT systems face the same risk of known attacks as IT systems, yet OT systems often lag behind in implementing patches or other protective measures, making them particularly susceptible to such threats,” Daube assessed. “What happens in reality is that attackers don’t attack PLCs directly; they use and leverage the PLCs to attack plants’ physical production processes.”

Citing ransomware, Daube said that, “we often find that it enters an environment through the IT/OT interconnect points, which is why organizations’ post-incident response tends to involve segmenting the IT/OT boundary for containment. This action pauses or halts production, potentially leading to significant financial losses.”

“If instead, we put a zero-trust control mechanism in such points of entry, we are segmenting the PLC devices,” according to Daube. “Then, even in the face of an attack on IT, PLCs continue to be ‘separate’ and write-protected, with operational integrity and production continuing unharmed.”
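Daube's point is that the control sits at the device rather than at the IT/OT boundary: a PLC that stays write-protected during an IT incident keeps producing. One concrete form of such a per-device control is an inline gate that passes read requests but only lets an allowlisted source change controller state. The following is an added illustration, not code from the article or from NanoLock: it parses the Modbus/TCP MBAP header and function code, classifies the request as read or write using the public Modbus function codes, and fails closed on anything malformed. The PLC names, source addresses, allowlist and sample frames are constructed.

```python
"""Device-level write-protection gate for Modbus/TCP.

Added illustration; not code from the article or from NanoLock. PLC names,
source addresses, the allowlist and the sample frames are constructed; a real
enforcement point would sit inline in front of each controller."""
import struct

# Public Modbus function codes that change controller state (write single coil,
# write single register, write multiple coils/registers, mask write,
# read/write multiple registers). Everything else is treated as read-only.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Constructed policy: per PLC, the sources allowed to write. Any PLC without an
# entry is fully write-protected.
WRITE_ALLOWLIST = {
    "plc-line-a": {"10.20.1.10"},   # the engineering workstation, nothing else
}


def parse_mbap(frame):
    """Split a Modbus/TCP frame into MBAP fields and the function code.
    Raises ValueError on malformed input instead of guessing."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # MBAP length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "pdu": frame[7:]}


def decide(plc, src_ip, frame):
    """Return ('allow' | 'deny', reason) for one request aimed at plc.
    Reads pass; writes need an allowlisted source; unparseable frames are dropped."""
    try:
        msg = parse_mbap(frame)
    except ValueError as err:
        return "deny", "malformed: %s" % err
    fc = msg["function"]
    if fc not in WRITE_FUNCTIONS:
        return "allow", "read-only function %d" % fc
    if src_ip in WRITE_ALLOWLIST.get(plc, set()):
        return "allow", "write function %d from authorised source" % fc
    return "deny", "write function %d from %s blocked" % (fc, src_ip)


def build_frame(tid, unit, pdu):
    """Helper that builds the constructed sample frames (pdu starts with the function code)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic.
READ_HOLDING = build_frame(1, 1, bytes([3, 0x00, 0x00, 0x00, 0x0A]))   # FC3: read 10 registers
WRITE_SINGLE = build_frame(2, 1, bytes([6, 0x00, 0x10, 0x12, 0x34]))   # FC6: write register 16
TRUNCATED = b"\x00\x03\x00\x00"                                          # too short to be valid

if __name__ == "__main__":
    for plc, src, frame in [("plc-line-a", "10.30.5.5", READ_HOLDING),
                            ("plc-line-a", "10.30.5.5", WRITE_SINGLE),
                            ("plc-line-a", "10.20.1.10", WRITE_SINGLE),
                            ("plc-line-b", "10.20.1.10", WRITE_SINGLE),
                            ("plc-line-a", "10.20.1.10", TRUNCATED)]:
        verdict, reason = decide(plc, src, frame)
        print(f"{plc} <- {src}: {verdict} ({reason})")
```

The gate deliberately keys on the function code rather than on addresses or values, so it needs no knowledge of a particular controller's register map; the allowlist is the only site-specific input. A production version would also log every denied write as a detection signal, since a write attempt from an unexpected source during an IT incident is exactly the lateral-movement indicator the segmentation is meant to surface.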

Daube recalled a statement from years ago by Dr. Eric Cole, a SANS fellow and security consultant, who emphasized, ‘Prevention is ideal, but detection is absolutely essential.’ 

Daube noted that times have changed since then: the nature, scope, and frequency of OT attacks have all changed. “For ICS/OT security today, we need the combination of monitoring for detection and zero trust on the device level for utmost prevention,” he concluded.
