One security best practice for OT environments is, of course, network segmentation. It applies to securing FRCS (facility-related control systems) as well, with attention to limiting the operational impact on mission-critical operations. An OT-specific approach to network segmentation is the only approach that works in these environments.
Unfortunately, several common challenges arise when segmenting OT and other critical infrastructure:
Integration with IT systems
Error-prone segmentation policies
Inconsistent compliance enforcement
Unsecured remote access
OT network segmentation is the process of isolating parts of a network into smaller, isolated segments or zones using granular network policies. In addition to enhanced security, it improves overall network management. The practice applies both to segments within the OT network and to isolating OT networks from IT networks, the cloud, and other cyber-physical systems (CPS), and it makes it possible to monitor the network traffic within each individual segment.
With proper OT network segmentation, organizations can contain the impact of a cyber attack by restricting lateral movement from one subnet to the next within the network. If you look at all of the operations on a base and their interdependencies, you can use segmentation to isolate key functions across the base, limiting an adversary's options to disrupt your operations. For example, you can eliminate a nation state's ability to use a building's physical security controls to jump onto the fueling systems for aircraft, airfield lighting, or other less obvious but mission-critical functions. Ultimately, by doing so, you continue to reduce the attack surface across the base.
The same principle applies to isolating an attack in the IT network so that it cannot reach OT functions.
Segmentation also reduces the trickle-down effect of a failure or disruption in one part of the OT network on another. In this way, you can limit operational downtime, minimize risk to safety, and ensure the continuance of the mission.
Network segmentation can seem daunting, but if you consider the likely issues up front you can prepare for them appropriately. We note 5 key areas requiring attention, followed by the steps that help in your network segmentation planning.
1. Legacy systems
Some of your legacy OT systems will simply lack the features necessary to support network segmentation. As you know by now, they weren't built with security in mind: these systems were traditionally isolated, had limited communication, used proprietary protocols, and were not a target of interest.
2. Integration with IT systems
IT and OT networks often need to interact with one another in order to exchange data and information; however, ensuring that communication between segmented OT networks and the rest of an organization's IT infrastructure remains both possible and secure can be challenging. This process requires collaboration between IT and OT teams, often working together for the first time. It's a time for patience as each team comes to understand the other's perspectives and professional experience and finds common ground. This helps guard against oversights that can cause complexity and duplication of effort, higher operating costs, and/or exposure to security flaws.
3. Segmentation policy iteration
Implementing effective network segmentation policies in OT environments can be difficult and, as a result, error-prone when first starting out. Know going in that the policies will require regular tuning for your own unique environment.
4. Unsecured Remote Access
Most OT environments, whether airborne, afield, afloat or within a mission building, in rugged or predictable conditions, rely on remote access to enable both internal staff and third-party contractors to maintain assets. If this access is not managed properly, it can be used to bypass network segmentation measures, expand your attack surface, and therefore introduce new potential entry points for cyber threats.
OT protection platforms, like those of Claroty, can help the Service Branches accelerate their network segmentation efforts and secure their entire base infrastructure and FRCS.
1. Gain visibility
It is impossible to segment assets that haven't yet been identified. The first step is to identify all connected devices in your environment, along with their configurations, locations, and owners. Claroty assists here with deep visibility: our platform automatically discovers OT assets across ICS/SCADA, BMS, and xIoT, monitors their communication patterns, and reveals connections all the way down to the I/Os that run industrial processes. This is fundamental to deciding how and where to segment.
2. Define Policy and enforcement strategy
With full-spectrum visibility, you can start to figure out how to protect the environment. There are a number of ways to segment your network — including via your existing network access control (NAC), firewalls, switches, and/or other parts of your infrastructure — so it's important to assess both your objectives and your environment and pick a strategy that works for both. Claroty can help by evaluating your environment and recommending the best way to establish a segmentation strategy that fits your needs.
3. Classify and group devices
Creating a unique policy for every device is impractical, but creating policies for device types, or groups of devices, based on how they communicate with one another under normal circumstances makes segmentation both effective and scalable. By creating a smart grouping of related assets in a logical view, Claroty helps your team define specific policies for each group of assets and for the communications between groups.
4. Design, test, and refine policies
It’s possible to establish network segmentation and protect your network without disrupting your mission critical systems. In the context of OT network segmentation, this means not only designing network policies that align with the communication baselines of the device groups you classified in the previous step — but also ensuring that those policies, once enforced, will not negatively impact operations. Claroty eases this process by automatically recommending expert-defined policies for each asset group in accordance with their communication baselines and then enabling you to test, monitor, and further refine those policies before enforcement. As a result, your OT network policies fully account for the unique requirements and potential limitations of your environment — allowing you to confidently implement segmentation without introducing additional risk.
5. Enforce policies
As noted in the previous step, enforcing new policies for OT network segmentation can be a delicate process that, if not done correctly, can risk disrupting operations. Claroty has the experience and knowledge to enable policies to only be enforced once they’ve undergone the proper testing and monitoring. Once that happens, enforcement can be simple. Through our extensive ecosystem of ready-made integrations with your existing NACs, firewalls, switches, and other security functions, we can support “one click” enforcement to vastly streamline and optimize segmentation for even the most complex OT networks. And given that segmentation is an ongoing journey — not a tactical activity — we also enable continuous monitoring and optimization of your network segmentation as your OT environment, OT security maturity, and/or priorities evolve over time.
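The following is an added example that is not code from the original post or from Claroty's platform. It walks the five steps above on constructed data: an asset inventory as visibility would produce it (step 1), grouping devices by type and zone (step 3), deriving allow-list rules between groups from an observed communication baseline rather than per device (step 4), and evaluating candidate flows first in a monitor mode that only flags deviations and then in an enforce mode that blocks them (steps 4 and 5). All asset names, zones, protocols, ports and flows are constructed sample values; the group naming scheme and the monitor/enforce modes are this example's own assumptions.

```python
"""Baseline-to-policy workflow for OT segmentation (added example, constructed data)."""
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, str, int]   # (src asset, dst asset, proto, port)
Rule = Tuple[str, str, str, int]   # (src group, dst group, proto, port)

# Step 1: the inventory that visibility produced (constructed). asset -> (device type, zone)
ASSETS: Dict[str, Tuple[str, str]] = {
    "hmi-fuel-01":  ("HMI", "fueling"),
    "plc-fuel-01":  ("PLC", "fueling"),
    "hmi-light-01": ("HMI", "airfield-lighting"),
    "plc-light-01": ("PLC", "airfield-lighting"),
    "bms-ctrl-01":  ("BMS", "building"),
    "badge-srv-01": ("ACCESS_CONTROL", "building"),
    "hist-01":      ("HISTORIAN", "it-dmz"),
}

# Flows observed during the baseline period (constructed sample traffic).
BASELINE: List[Flow] = [
    ("hmi-fuel-01",  "plc-fuel-01",  "tcp", 502),    # Modbus/TCP from the fueling HMI
    ("hmi-light-01", "plc-light-01", "tcp", 502),
    ("hist-01",      "plc-fuel-01",  "tcp", 502),    # historian polling the PLCs
    ("hist-01",      "plc-light-01", "tcp", 502),
    ("badge-srv-01", "bms-ctrl-01",  "udp", 47808),  # BACnet/IP inside the building zone
]


def group_of(assets: Dict[str, Tuple[str, str]], asset: str) -> str:
    """Step 3: a device's group is its type within its zone, e.g. 'PLC@fueling' (assumed scheme)."""
    dev_type, zone = assets[asset]
    return f"{dev_type}@{zone}"


def derive_policy(assets: Dict[str, Tuple[str, str]], baseline: Iterable[Flow]) -> Set[Rule]:
    """Step 4: collapse per-device baseline flows into per-group allow rules."""
    rules: Set[Rule] = set()
    for src, dst, proto, port in baseline:
        rules.add((group_of(assets, src), group_of(assets, dst), proto, port))
    return rules


def evaluate(policy: Set[Rule], assets: Dict[str, Tuple[str, str]],
             flow: Flow, mode: str) -> Tuple[str, str]:
    """Decide one flow. mode is 'monitor' (flag but pass) or 'enforce' (block).

    Returns (verdict, reason) with verdict 'allow', 'alert' or 'deny'.
    """
    src, dst, proto, port = flow
    if src not in assets or dst not in assets:
        # An unidentified device never matches a group rule, so it is never silently allowed.
        reason = f"unknown asset in {src}->{dst}"
    elif (group_of(assets, src), group_of(assets, dst), proto, port) in policy:
        return "allow", "matches group baseline"
    else:
        reason = (f"{group_of(assets, src)} -> {group_of(assets, dst)} "
                  f"{proto}/{port} not in baseline")
    return ("alert", reason) if mode == "monitor" else ("deny", reason)


def dry_run(policy: Set[Rule], assets: Dict[str, Tuple[str, str]],
            flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Step 4 test phase: list the flows the policy would block, without blocking anything."""
    flagged: List[Tuple[Flow, str]] = []
    for flow in flows:
        verdict, reason = evaluate(policy, assets, flow, "monitor")
        if verdict == "alert":
            flagged.append((flow, reason))
    return flagged


if __name__ == "__main__":
    policy = derive_policy(ASSETS, BASELINE)
    candidate: List[Flow] = [
        ("hmi-fuel-01",  "plc-fuel-01", "tcp", 502),    # normal operation
        ("badge-srv-01", "plc-fuel-01", "tcp", 502),    # building access control reaching fueling
        ("hist-01",      "bms-ctrl-01", "udp", 47808),  # historian to BMS, never seen in baseline
    ]
    for flow, reason in dry_run(policy, ASSETS, candidate):
        print("would block:", flow, "-", reason)
    # Step 5: once the dry-run results have been reviewed, switch the same policy to enforce.
    for flow in candidate:
        print(flow, "=>", evaluate(policy, ASSETS, flow, "enforce"))
```

Two properties of this arrangement are worth noting. Because rules are keyed on groups, a second fueling HMI added to the inventory with the same type and zone is covered by the existing rule without a new policy, which is the scalability argument from step 3. And because the dry run and enforcement share one policy object, what was tested is exactly what gets enforced, which is the point of step 5.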
Although you may have network segmentation on your 'to-do' list, we know you often lack the time, resources, visibility, and awareness required to implement it. With the above capabilities, you can jumpstart segmentation initiatives. Leverage our OT domain expertise to recommend segmentation policies that ease the process and automatically enforce those policies via your existing infrastructure — accelerating your initiatives and enhancing cyber and operational resilience at a time when the next cyber adversary may be minutes away.