I touched on network segmentation in my previous column, You Know You’re at Risk, Now What? and although it is a fairly foundational security practice, at least in the IT realm, I want to give it a little more focus this month because I believe proper network segmentation is one of the most impactful actions industrial asset owners can take to reduce the risk of a major security incident. Implementing proper segmentation is not a trivial endeavor, but some unexpected benefits of network monitoring technology can help you get there more quickly.
With Segmentation, It’s About Threat Containment
Many industrial control system (ICS) networks have been in place for years, evolving slowly with the operational requirements of the enterprise and with little centralized knowledge of all the components. These networks were often built based on a “flat” architectural model – i.e., communication from any host on the network can be routed to any other host on the network – with little consideration for network security best practices. Why? Because it was faster, easier, and the operational technology (OT) environment was not considered to be a significant security risk. Over the last two decades, while the IT environment was being fitted with multiple “defense in depth” layers of security technology and sophisticated, “safe” architectural schemes, investment in the OT environment was driven by the need for greater productivity and lower unit costs.
To be clear, segmentation alone cannot prevent an attack from occurring, but segmenting the ICS network from the business network can prevent attacks from spilling over from one environment to the other – a painful lesson learned by many from the WannaCry and NotPetya attacks last year. In addition, defining discrete zones and segments within the ICS network can greatly reduce cost and potential downtime if an attacker does happen to establish a footprint in the OT environment.
Standards such as ISA 99/IEC 62443 (specifically 62443-3-3) provide a good reference framework for implementing secure network zones and segments within an ICS network. For example, 62443-3-3 SL2 compliance requires segmenting control system networks from non-control system networks. Another example would be the recommended practice of separating distributed control systems (DCS) from safety instrumented systems (SIS) into discrete network zones. This type of separation can improve both network monitoring and access control, and greatly accelerate response time – which could mean the difference between an internal security incident and a headline on the front page.
If It Was Easy, Everyone Would Be Doing It
When network segmentation is implemented properly, an individual host can only communicate with the other hosts within its segment needed to execute its business purpose. This obviously reduces the overall network attack surface, and can raise the time and cost of infiltrating a network such that a would-be attacker moves down the proverbial road to softer targets. On the other hand, poorly implemented segmentation can disrupt day-to-day work functions; this is a cardinal sin in any environment, but particularly in OT.
Moreover, we also know that segmentation projects can be extremely difficult and time-consuming to implement. A recent Fortinet survey found only 29% of IT decision-makers were planning network segmentation projects in 2018. One could argue the number is lower for OT due to the difficulty in scheduling the “planned downtime” that is required to implement these projects in an environment where uptime and production are king. And segmentation is not a one-time exercise; the segmentation scheme must be monitored and maintained based on ever-changing business processes. This is not a pursuit for the faint of heart.
Jump-Starting Your Segmentation Initiative
Part of why good segmentation is so challenging is that it requires a thorough understanding of normal operational process workflows, expected network communication paths, and all the associated endpoints. Based on understaffing, turnover, poor documentation, and a hundred other reasons, many organizations simply don’t have the visibility they need across the network to efficiently build a segmentation plan. This lack of documentation and visibility elongates the planning and designing phases of segmentation projects. And while some amount of network downtime is to be expected for implementing these kinds of architectural changes, that downtime can be greatly reduced if you start with a detailed, and current, network view. This is where network monitoring technology can provide some unexpected benefits.
OT network monitoring may also be called “anomaly detection” as both describe part of what these technologies can do. As the names imply, this class of technologies persistently monitors network traffic, analyzing communication between endpoints, and identifying anomalies to reveal suspicious behavior. There are dozens, if not hundreds, of these network tools available for the IT environment, but comparatively few are specifically designed for monitoring the specialized endpoints and proprietary communication protocols found in OT networks. Obviously, I have a technology bias, but I’m not discussing the virtues of any specific product here. The point is, in order to develop the behavioral baseline these technologies use to monitor network behavior against, they must establish that detailed network visibility that I described above.
These OT tools automatically discover new assets and reveal connections all the way down to the I/O’s that run industrial processes to provide a detailed view of all endpoints and normal communication patterns. This network analysis and mapping helps network engineers to more quickly create an inventory of all network assets and understand the normal communication patterns between them, so they can reduce the risk of disrupting these connections when creating segments. Some solutions also enable administrators to group assets and apply communication policies between the groups. The best of these technologies also provides visualization of the network with detailed filters, enabling network engineers to drill down into granular information on specialized OT network assets rather than just presenting a list of IP addresses. Sophisticated tools can also provide a very granular view of the communications between assets – not just which protocols are being used, but what types of conversations are happening.
Most security professionals understand the benefits of network monitoring/anomaly detection in terms of identifying unusual network behavior. But as I’ve laid out here, these technologies can also provide the unexpected benefit of the detailed network visibility you need to start or improve your segmentation efforts more quickly. And that is certainly a benefit worth having.
Related: Learn More at SecurityWeek’s ICS Cyber Security Conference