Chapter 7 – Network Segmentation: a cybersecurity best practice to protect industrial assets

Industry 4.0 has dissolved the air gap isolating industrial control systems (ICS) and operational technology (OT) from traditional enterprise IT. Still, network segmentation is crucial to protecting assets in industrial environments.

What is network segmentation?

Network segmentation is the division of a network into smaller, isolated sections. Every segment functions as an independent system with unique access and controls. The data flow between these subnets is controlled based on policies established by administrators. It’s possible, for example, to stop traffic from one segment to another. 

There are different types of network segmentation:

• With physical segmentation, each subnet is separated by a firewall that acts as a gateway, controlling which traffic comes in and goes out.
• With virtual segmentation, the separation occurs through a router or switch that directs the network traffic. Approaches such as network micro-segmentation enable control of traffic down to the application or workload level.

Network segmentation has been around for decades. A classic example is the Purdue Enterprise Reference Architecture (PERA), widely employed in industrial environments. This model divides the network into six levels (0-5) with separated boundaries. An air gap is a form of network segmentation that typically occurs between operations (levels 0-3) and the IT network (levels 4-5), as shown below.

However, air-gapped networks are becoming a thing of the past due to the modernization of industrial facilities, the proliferation of the Internet of Things (IoT), and the need to integrate IT and ICS/OT to get real-time access to data and improve operational efficiency and reduce costs. According to the 2021 OT/ICS Cybersecurity Survey by the SANS Institute, only 8.2% of the respondents reported having 100% isolated systems.

Why segment a network

Think of strong network architecture as the foundation of your cybersecurity strategy. As noted by the National Institute of Standards and Technology’s Guide to Industrial Control Systems (NIST 800-82), network segmentation is one of the most effective ways to protect ICS environments from cyberattacks.

Benefits of network segmentation include not only increased network security but also better network performance. This method helps to:

• Secure sensitive data in case the system gets compromised. The breach is limited to a contained area. 
• Improve monitoring, which makes it easier to detect suspicious behavior. In other words, there are more checkpoints.
• Protect devices that cannot protect themselves due to lack of built-in security or inability to accommodate security agents.
• Reduce network congestion because it limits which users have access to a subnet.

What is lateral movement in cybersecurity?

When bad actors infiltrate a network perimeter, they try to hide evidence of their entry and begin to move around to steal credentials to gain deeper access into the network. That’s lateral movement.

Segmentation is key to preventing attackers from moving laterally inside a network and spreading the attack. After all, the initial breach is rarely what causes the most damage.

OT network segmentation challenges

When dealing with OT environments, traditional methods for enforcing network boundaries – such as firewalls and network access control (NAC) – present some gaps. For example:

• Firewalls monitor all incoming traffic with a focus on stopping attacks from outside the system. Once the attacker breaches the perimeter, nothing prevents them from accessing critical systems and sensitive data. 
• NAC systems can discover devices but can’t assess their behaviors or detect threats. They have poor visibility into IoT and OT devices.

OT and IoT devices represent unique security challenges because they are unmanaged, which means that they cannot accommodate traditional security agents. According to a study commissioned by Armis, 90% of the devices in industrial environments are unmanaged.

How to segment a network to improve OT/ICS security

For effective OT network segmentation, organizations need first to focus on having a cybersecurity solution that offers:

• Comprehensive visibility into all assets on the network
• Full context about the behavior of each device

That’s the case with the Armis Agentless Device Security Platform, which does not require the installation of security agents and can discover, identify and classify all assets – managed and unmanaged – connected to your network or in your airspace. The Armis platform performs a risk assessment to identify all vulnerabilities and threats. This information is critical to developing policy enforcement as part of a mitigation plan. 

The Armis solution can automatically generate segmentation policies based on the needs of each device. These policies ensure that devices have access only to the resources they need, reducing risk exposure. For example, it’s possible to create a policy to prevent engineering workstations from connecting to the internet. 

The Armis platform can understand what is expected from each device because of our Device Knowledgebase. But it doesn’t stop there. 

Through passive monitoring, the Armis platform continuously listens to network traffic and, if an anomaly is detected, it can orchestrate automated responses, from sending an alert to blocking or quarantining certain assets. As seen in the diagram below, this type of enforcement is possible by integrating the Armis platform with your existing infrastructure components, such as firewalls, NAC systems and even Wireless LAN Controllers (WLCs).

Roadmap to OT/ICS security mitigation

Findings from the 2021 SANS ICS/OT survey indicate that industrial organizations need to improve their ICS and OT segmentation efforts, as remote access services accounted for 36.7% of initial attack vectors involved in incidents. 

Here are a few steps to shield your defenses:

1. Asset visibility

In order to protect industrial environments from cyberattacks, organizations need to know what they have in their network. Asset discovery and inventory can give the visibility necessary to safeguard manufacturing operations. The Armis platform, for example, can identify what data, applications and network resources each device needs to access, in addition to the type of risks or vulnerabilities it has. This type of data is crucial to creating effective segmentation policies.

2. Threat detection

Real-time passive monitoring enables the detection of external threats or if a device or user is behaving abnormally. Scans are dangerous in industrial environments because they can cause sensitive OT devices and systems to crash.

3. Automated incident response

Restricting access or quarantining suspicious devices can prevent bad actors from spreading the infection throughout the network. The Armis solution can orchestrate automated actions to stop attacks due to its integration with security enforcement points like firewalls and NAC systems.

4. Cybersecurity best practices

Organizations such as CISA, FBI and NSA have all emphasized the value of cybersecurity best practices, especially given the increased wave of attacks against critical infrastructure. Network segmentation and Zero Trust architecture are among the measures that Armis can help your organization to implement.

Book a demo to see what the Armis Agentless Device Security Platform can do to strengthen your cyberdefenses.

Discover more of the IT OT Convergence Playbook:

1. Chapter 1 – Industry 4.0 Challenges on IT/OT Convergence
2. Chapter 2 – Air Gap and Perdue Model
3. Chapter 3 – Ramping Up Infrastructure Protection
4. Chapter 4 – Defending Industrial Environments
5. Chapter 5 – See All Assets on Networks
6. Chapter 6 – The Influence of Passive Security Monitoring in Productivity
7. Chapter 7 – Best Practices to Protect Industrial Assets 👈 you are here
8. Chapter 8 – ICS Cybersecurity Risk Assessment 👉 read next chapter
9. Chapter 9 – Cybersecurity Frameworks to Secure OT assets
10. Chapter 10 – ICS Zero Trust Framework
11. Chapter 11 – Armis CIS Controls
12. Chapter 12 – Comprehensive Coverage for Mitre Att&ck for ICS
13. Chapter 13 – Was 2021 the Year of Ransomware Attacks?
14. Chapter 14 – Cybersecurity Best Practices for IT/OT Convergence