Industrial, healthcare, and enterprise environments in critical sectors increasingly depend on cyber-physical systems (CPS) that are interconnected. This will only accelerate as our reliance on online access to physical systems for greater automation, control, efficiency, and convenience continues to grow. Consider operational technology (OT) equipment to support critical manufacturing processes, building automation systems and medical imaging equipment, along with all the Internet of Things (IoT), Industrial IoT (IIoT) and Internet of Medical Things (IoMT) devices they connect to. In this ever-expanding universe which we refer to holistically as the XIoT, new attack vectors emerge because many of these systems were not designed to co-exist seamlessly.
There are many business processes and applications that need to communicate across these environments, so we need to ensure this is done in a secure way. More often than not, ineffective or simply nonexistent segmentation between equipment and systems is the root cause of cyber threats that permeate these organizations. Myriad connected devices compound the problem and raise the stakes. Think about the attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure that put our lives and livelihoods at risk. Proper network segmentation is a key component of critical infrastructure cybersecurity and can be the difference between an operationally crippling breach and a minor nuisance for security operations center (SOC) personnel.
The concept of physical network segmentation is not new, but it can be a drawn-out and costly endeavor. After identifying what a network actually looks like and how it behaves, understanding which pathways are critical is another major challenge that requires intimate architectural knowledge of the specific network being monitored and the assets within it. This is generally followed by investing in additional hardware for the network, such as switches, routers, and access points. Despite the challenges, segmentation provides an invaluable defense against devastating network breaches by preventing attackers from gaining unfettered access to the network from a single point of entry.
To provide organizations with a cost-effective, efficient alternative to physical network segmentation efforts, Claroty Continuous Threat Detection (CTD) includes a unique feature called Virtual Zones. CTD maps network communications to establish behavioral baselines, then uses those baselines, with the help of AI, to segment your entire network into Virtual Zones: policy-defined groups of assets that communicate with one another under normal circumstances. This can include microsegmentation for XIoT, creating even smaller groups of assets with which these devices can communicate.
CTD's Virtual Zones feature will alert you right away to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. It will also identify operational issues with the way the process is set up, which is equally important in achieving the goal of uptime and availability. At certain levels of the network, you can't simply block traffic, because doing so also stops the physical process and may create safety issues. However, this type of segmentation can improve network monitoring and access control and greatly accelerate response time, saving cost and reducing downtime in the event an attacker does establish a foothold. What's more, Virtual Zones provides visibility across the network that can inform your physical segmentation project. So, not only are you significantly reducing risk today, but you're also accelerating and improving the outcome of longer-term physical segmentation efforts.
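To make the idea concrete, here is an added example (not Claroty's code, and not how CTD itself derives zones) that learns zones from a constructed set of baseline flows and then flags, without blocking, any later flow that crosses a zone boundary or involves an asset never seen in the baseline. Grouping assets into zones as connected components of the baseline communication graph is an assumption chosen for illustration; the asset names and flows are constructed sample data.

```python
# Constructed sample data: (source, destination) pairs observed during a
# learning period. Asset names are made up for this example.
BASELINE_FLOWS = [
    ("plc-01", "hmi-01"), ("hmi-01", "historian-01"), ("plc-02", "hmi-01"),
    ("mri-01", "pacs-01"), ("pacs-01", "radiology-ws-01"),
    ("hvac-ctl-01", "bms-01"),
]

def build_zones(flows):
    """Map each asset to a zone label derived from the baseline.

    Assumption for this example: a zone is a connected component of the
    undirected communication graph, found with a small union-find.
    """
    parent = {}

    def find(asset):
        parent.setdefault(asset, asset)
        while parent[asset] != asset:
            parent[asset] = parent[parent[asset]]  # path halving
            asset = parent[asset]
        return asset

    for src, dst in flows:
        parent[find(src)] = find(dst)

    # Assign stable labels zone-1, zone-2, ... in sorted asset order.
    labels = {}
    return {a: labels.setdefault(find(a), f"zone-{len(labels) + 1}")
            for a in sorted(list(parent))}

def check_flows(flows, zone_of):
    """Return (src, dst, reason) alerts for observed flows.

    Alert-only by design: in OT, blocking a flow can halt the physical
    process, so cross-zone traffic is surfaced for the SOC, not dropped.
    """
    alerts = []
    for src, dst in flows:
        zs, zd = zone_of.get(src), zone_of.get(dst)
        if zs is None or zd is None:
            alerts.append((src, dst, "unknown-asset"))
        elif zs != zd:
            alerts.append((src, dst, f"cross-zone:{zs}->{zd}"))
    return alerts

if __name__ == "__main__":
    zones = build_zones(BASELINE_FLOWS)
    observed = [("plc-01", "hmi-01"), ("hmi-01", "pacs-01"), ("laptop-77", "plc-01")]
    for alert in check_flows(observed, zones):
        print("ALERT", alert)
```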
The acceleration of XIoT requires us to act quickly to ensure our cyber and physical worlds can safely connect and communicate, and segmentation plays a key role. Fortunately, taking the first step does not have to be a costly and time-consuming endeavor and can help strengthen resilience today and build a case for further segmentation efforts down the road.