What is OT network segmentation?

Network segmentation is a layer of physical security that cordons off a network from other networks, separating an OT network from an IT network, a guest network from a corporate network, or one critical manufacturing network from another.

A common segmentation practice is often found within critical infrastructures such as oil and gas, power, utilities, aerospace, transportation, manufacturing, and other critical verticals identified by the US government. Why? Because the escalating attack frequencies and levels of expertise required to gain access to ICS devices and the machines used to monitor and manage them warrants heightened attention.

Although network segmentation of OT and ICS networks is a good practice, it is both costly and complicated. Costly in that it may require considerable time and potential downtime, and complicated in that advanced expertise is required to achieve functional and successful segmentation properly.

But regardless of an organization’s ability to achieve proper segmentation or not, there are ways to safeguard even the simplest of devices, or components, hidden down in the depths of what is known as The Purdue Model, all the way up through the ICS network, or systems, to the machines that monitor their health.

Speaking of systems and components, having visibility into the lowest levels of activities and communications to and from these components throughout the systems solves many potential problems in properly segmented networks and those that are not. Managing to the lowest level of activity can help alleviate malicious intent against components – often found in improperly segmented networks. Still, it can also help to spotlight human error in properly segmented networks.

When a system is down, production halts, safety is in jeopardy, and money is lost. At the end of the day, misconfigured components in a segmented network can be as costly as an infected SCADA server. Monitoring to the lowest levels of activities as commands pass through the system to the components can be an effective way to reduce both scenarios.