Proper segmentation of an industrial network can be the difference between an operationally crippling breach and a minor nuisance for security operations center (SOC) personnel. Claroty, like nearly every other security provider, agrees that this practice ranks among the most crucial elements of a strong industrial cybersecurity posture. To that end, Claroty Continuous Threat Detection (CTD) includes a feature that addresses a flat, open network without the drawn-out and costly process of physical network segmentation. This feature is called Virtual Zones.
The concept of physical network segmentation is not new, and it is easy for a cybersecurity firm to tout its benefits when the effort and cost generally associated with these projects are not the firm's responsibility. After identifying what a network actually looks like and how it behaves, the next major challenge is understanding which communication pathways are critical, which requires intimate architectural knowledge of the specific network being monitored and of the industrial assets within it. This is generally followed by investing in additional network hardware such as switches, routers, and access points.
Claroty's visibility into industrial networks goes beyond asset discovery and maps out network communications to provide behavioral baselines. Aside from driving Claroty's multiple threat detection engines, Attack Vector Mapping, and other aspects of The Claroty Platform, these baselines are also used to virtually segment the network into Virtual Zones, which are logical groups of assets that communicate with each other under normal circumstances.
The behavioral patterns that characterize each Virtual Zone are used to create a granular set of rules and policies for how these assets communicate. For example, when the system observes communication between a group of PLCs and a group of HMIs, it records the protocol in use and the operations performed, such as the fact that the HMIs only issue read requests to the PLCs. If the communication pattern between these assets later changes (a new protocol, a write where only reads were seen, or traffic between zones that never communicated), an alert is raised within the system.
Figure: Claroty Virtual Zones layered topology view
As briefly mentioned above, physical segmentation can be a drawn-out and costly endeavor, as enterprises are required to maintain a clear and accurate map of the physical network. It also requires new infrastructure, such as wiring and connections, and the implementation of new systems, such as firewalls. These challenges can be made worse from within: many organizations have neglected network maintenance or have unintentionally created opaque portions of their network through equipment acquisitions, poor documentation, and design or maintenance work delegated to third parties.
Despite the challenges, segmentation provides an invaluable defense against devastating network breaches by preventing attackers from gaining unfettered access to the network from a single point of entry. Operationally, segmentation allows an organization to place Purdue Model Level 0 (Physical Process) access behind multiple network layers, away from externally facing assets, shielding critical processes from spillover events elsewhere in the network.
Given the risks of a flat network, organizations need an alternative that does not require the full cost and effort of physical segmentation up front. Claroty Virtual Zones provide:
Segmentation where there is otherwise none: Virtual Zones are a cost-effective way to gain the visibility and detection benefits of segmentation. A Virtual Zone is a monitoring construct: it baselines and alerts on cross-zone traffic rather than blocking it, so enforcement still comes from firewall or NAC tools. Virtual Zones can also serve as a blueprint for future physical segmentation efforts.
Enhanced alerts with cross-zone behavioral baselines: If assets across groups that normally do not communicate begin to do so, this will yield an alert to notify security personnel of a potential threat.
Integration with existing firewall and NAC tools: Virtual Zones identify the communication that actually occurs within the network, including the critical paths. Exported to a firewall or network access control (NAC) tool, this baseline can be used to create micro-segmentation rules that segment an organization's OT network.
Taking the first step towards network segmentation does not have to be a costly and time-consuming endeavor, and doing so can help build the case for further segmentation efforts down the road.
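The zone-pair baseline, the alerting on deviations described earlier (an HMI group that is only ever seen reading from a PLC group), and the export of allow-list rules for a firewall can all be illustrated with a small script. The following is an added example written for this page, not Claroty's code or data: the asset inventory, zone labels, IP addresses, flow records, protocol-to-port mapping, and rule syntax are all constructed for the illustration, and a real system would take zone membership from asset discovery and flows from a passive sensor.

```python
"""Learn a per-zone communication baseline from observed flows, alert on
deviations, and emit allow-list rules from the baseline.

Added illustration; the asset inventory, flow records, zone names and rule
format below are constructed for the example and are not Claroty's data or API.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: address -> zone label, as asset discovery
# would assign it. Zone names are assumed for the example.
ASSETS = {
    "10.1.1.10": "HMI",
    "10.1.1.11": "HMI",
    "10.1.2.20": "PLC",
    "10.1.2.21": "PLC",
    "10.1.3.30": "Historian",
    "10.1.9.99": "Engineering",
}

# Protocol -> TCP port used when rendering firewall rules (assumed mapping).
PROTO_PORT = {"modbus": 502, "s7comm": 102, "opcua": 4840}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    op: str  # "read" or "write"


def zone_of(addr: str) -> str:
    # An address missing from the inventory gets its own zone, so it can
    # never match a learned baseline entry and always alerts.
    return ASSETS.get(addr, "UNKNOWN")


def learn_baseline(flows):
    """Baseline: for each (src_zone, dst_zone, proto), the set of operations seen."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[(zone_of(f.src), zone_of(f.dst), f.proto)].add(f.op)
    return dict(baseline)


def check_flow(baseline, f: Flow):
    """Return None if the flow matches the baseline, otherwise an alert string.

    Deviations are reported from most specific to least specific: a known
    zone pair and protocol with a new operation, a known zone pair with a
    new protocol, or a zone pair that never communicated during learning.
    """
    sz, dz = zone_of(f.src), zone_of(f.dst)
    key = (sz, dz, f.proto)
    if key in baseline:
        if f.op in baseline[key]:
            return None
        return f"new operation: {sz}->{dz} {f.proto} {f.op} (baseline: {sorted(baseline[key])})"
    if any(k[0] == sz and k[1] == dz for k in baseline):
        return f"new protocol: {sz}->{dz} {f.proto}"
    return f"new zone pair: {sz}->{dz} {f.proto} {f.op}"


def detect(baseline, flows):
    """Run every flow against the baseline and collect the alerts."""
    return [a for a in (check_flow(baseline, f) for f in flows) if a]


def firewall_rules(baseline):
    """Render the baseline as an allow-list followed by a default deny."""
    rules = []
    for (sz, dz, proto) in sorted(baseline):
        port = PROTO_PORT.get(proto, "any")
        rules.append(f"allow {sz} -> {dz} tcp/{port} ({proto})")
    rules.append("deny any -> any")
    return rules


# Constructed learning-period flows: HMIs read from PLCs over Modbus and the
# historian reads from a PLC over OPC UA. Nothing writes to a PLC.
LEARNING = [
    Flow("10.1.1.10", "10.1.2.20", "modbus", "read"),
    Flow("10.1.1.11", "10.1.2.21", "modbus", "read"),
    Flow("10.1.3.30", "10.1.2.20", "opcua", "read"),
]

# Constructed flows observed after the baseline was learned.
LATER = [
    Flow("10.1.1.10", "10.1.2.21", "modbus", "read"),   # same zone pair/proto/op: no alert
    Flow("10.1.1.10", "10.1.2.20", "modbus", "write"),  # HMI writing to a PLC: alert
    Flow("10.1.1.10", "10.1.2.20", "s7comm", "read"),   # unexpected protocol: alert
    Flow("10.1.9.99", "10.1.2.20", "modbus", "write"),  # Engineering never talked to PLC: alert
    Flow("192.0.2.5", "10.1.2.20", "modbus", "read"),   # host not in inventory: alert
]

if __name__ == "__main__":
    bl = learn_baseline(LEARNING)
    for alert in detect(bl, LATER):
        print("ALERT", alert)
    for rule in firewall_rules(bl):
        print(rule)
```

Two design choices matter here. Zone membership comes from the inventory rather than from the flows themselves; if zones were derived purely as connected groups of talking hosts, there would be no cross-zone traffic during learning and nothing to alert on later. And the baseline is keyed on the zone pair and protocol with the set of operations observed, so a write from a zone that was only ever seen reading is flagged even though the hosts, ports, and protocol are all familiar; that is the read-only case the text describes. The rule export is only a starting point: a learning window that missed a legitimate but infrequent flow (a quarterly firmware push, for instance) would produce a deny for it, so the generated allow-list should be reviewed against engineering knowledge before it is enforced.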