Industry 4.0 has dissolved the air gap isolating industrial control systems (ICS) and operational technology (OT) from traditional enterprise IT. Still, network segmentation is crucial to protecting assets in industrial environments.
Network segmentation is the division of a network into smaller, isolated sections. Every segment functions as an independent system with unique access and controls. The data flow between these subnets is controlled based on policies established by administrators. It’s possible, for example, to stop traffic from one segment to another.
There are different types of network segmentation:
Network segmentation has been around for decades. A classic example is the Purdue Enterprise Reference Architecture (PERA), widely employed in industrial environments. This model divides the network into six levels (0-5) with separated boundaries. An air gap is a form of network segmentation that typically occurs between operations (levels 0-3) and the IT network (levels 4-5), as shown below.
However, air-gapped networks are becoming a thing of the past due to the modernization of industrial facilities, the proliferation of the Internet of Things (IoT), and the need to integrate IT and ICS/OT in order to get real-time access to data, improve operational efficiency and reduce costs. According to the 2021 OT/ICS Cybersecurity Survey by the SANS Institute, only 8.2% of the respondents reported having 100% isolated systems.
Think of strong network architecture as the foundation of your cybersecurity strategy. As noted by the National Institute of Standards and Technology’s Guide to Industrial Control Systems (NIST 800-82), network segmentation is one of the most effective ways to protect ICS environments from cyberattacks.
Benefits of network segmentation include not only increased network security but also better network performance. This method helps to:
When bad actors infiltrate a network perimeter, they try to hide evidence of their entry and begin to move around the network, stealing credentials to gain deeper access. That’s lateral movement.
Segmentation is key to preventing attackers from moving laterally inside a network and spreading the attack. After all, the initial breach is rarely what causes the most damage.
When dealing with OT environments, traditional methods for enforcing network boundaries – such as firewalls and network access control (NAC) – present some gaps. For example:
OT and IoT devices represent unique security challenges because they are unmanaged, which means that they cannot accommodate traditional security agents. According to a study commissioned by Armis, 90% of the devices in industrial environments are unmanaged.
For effective OT network segmentation, organizations first need to focus on having a cybersecurity solution that offers:
That’s the case with the Armis Agentless Device Security Platform, which does not require the installation of security agents and can discover, identify and classify all assets – managed and unmanaged – connected to your network or in your airspace. The Armis platform performs a risk assessment to identify all vulnerabilities and threats. This information is critical to developing policy enforcement as part of a mitigation plan.
The Armis solution can automatically generate segmentation policies based on the needs of each device. These policies ensure that devices have access only to the resources they need, reducing risk exposure. For example, it’s possible to create a policy to prevent engineering workstations from connecting to the internet.
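To make the policy idea concrete, here is an added illustration (not Armis code, and not how the Armis platform is implemented): a small evaluator that assigns devices to Purdue levels, denies traffic that skips a level or crosses the OT/IT boundary without an explicit rule, and encodes the "engineering workstations must not reach the internet" rule from the paragraph above. Device names, roles, level assignments and the observed flows are constructed sample data.

```python
"""Purdue-level segmentation policy check (added illustration, not Armis code).
Models Purdue levels 0-5 with the OT/IT boundary between 3 and 4, default deny
across it, and explicit rules such as no internet from engineering workstations.
All devices and flows below are constructed sample data."""
from dataclasses import dataclass

OT_LEVELS = {0, 1, 2, 3}   # operations side of the Purdue model
INTERNET_LEVEL = 6         # outside the enterprise, beyond level 5

@dataclass(frozen=True)
class Device:
    name: str
    role: str   # e.g. "plc", "hmi", "engineering_workstation"
    level: int  # Purdue level 0-5, or INTERNET_LEVEL

@dataclass(frozen=True)
class Rule:
    src_role: str   # "*" matches any role
    dst_role: str
    action: str     # "allow" or "deny"
    reason: str

# Explicit rules are checked first, in order; the generic level logic is the fallback.
POLICY = [
    Rule("engineering_workstation", "internet", "deny", "no internet from engineering workstations"),
    Rule("historian", "erp", "allow", "approved conduit: process history to business network"),
]

def decide(src, dst, policy=POLICY):
    """Return (action, reason) for a flow from src to dst."""
    for rule in policy:
        if rule.src_role in ("*", src.role) and rule.dst_role in ("*", dst.role):
            return rule.action, rule.reason
    if abs(src.level - dst.level) > 1:
        return "deny", f"levels {src.level}->{dst.level} skip an intermediate level"
    if (src.level in OT_LEVELS) != (dst.level in OT_LEVELS):
        return "deny", "crosses the OT/IT boundary without an explicit rule"
    return "allow", "same or adjacent level inside one zone"

def violations(flows, policy=POLICY):
    """Denied flows among observed (src, dst) pairs, e.g. from passive monitoring."""
    return [(s.name, d.name, decide(s, d, policy)[1])
            for s, d in flows if decide(s, d, policy)[0] == "deny"]

# Constructed sample inventory and observed flows.
PLC, HMI = Device("plc-01", "plc", 1), Device("hmi-01", "hmi", 2)
EWS, HISTORIAN = Device("ews-01", "engineering_workstation", 3), Device("hist-01", "historian", 3)
ERP, MAIL = Device("erp-01", "erp", 4), Device("mail-01", "mail", 4)
INTERNET = Device("internet", "internet", INTERNET_LEVEL)
SAMPLE_FLOWS = [(PLC, HMI), (HMI, ERP), (HISTORIAN, ERP), (HISTORIAN, MAIL), (EWS, INTERNET)]
```

Running `violations(SAMPLE_FLOWS)` flags the HMI-to-ERP, historian-to-mail and workstation-to-internet flows while the approved historian-to-ERP conduit passes, which is the kind of result a segmentation audit or a passive-monitoring alert would surface.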
The Armis platform can understand what is expected from each device because of our Device Knowledgebase. But it doesn’t stop there.
Through passive monitoring, the Armis platform continuously listens to network traffic and, if an anomaly is detected, it can orchestrate automated responses, from sending an alert to blocking or quarantining certain assets. As seen in the diagram below, this type of enforcement is possible by integrating the Armis platform with your existing infrastructure components, such as firewalls, NAC systems and even Wireless LAN Controllers (WLCs).
Findings from the 2021 SANS ICS/OT survey indicate that industrial organizations need to improve their ICS and OT segmentation efforts, as remote access services accounted for 36.7% of initial attack vectors involved in incidents.
Here are a few steps to strengthen your defenses:
In order to protect industrial environments from cyberattacks, organizations need to know what they have in their network. Asset discovery and inventory can give the visibility necessary to safeguard manufacturing operations. The Armis platform, for example, can identify what data, applications and network resources each device needs to access, in addition to the type of risks or vulnerabilities it has. This type of data is crucial to creating effective segmentation policies.
Real-time passive monitoring enables the detection of external threats as well as devices or users that are behaving abnormally. Active scans, by contrast, are dangerous in industrial environments because they can cause sensitive OT devices and systems to crash.
Restricting access or quarantining suspicious devices can prevent bad actors from spreading the infection throughout the network. The Armis solution can orchestrate automated actions to stop attacks due to its integration with security enforcement points like firewalls and NAC systems.
Organizations such as CISA, the FBI and the NSA have all emphasized the value of cybersecurity best practices, especially given the growing wave of attacks against critical infrastructure. Network segmentation and Zero Trust architecture are among the measures that Armis can help your organization implement.
Book a demo to see what the Armis Agentless Device Security Platform can do to strengthen your cyberdefenses.