Industrial organizations perform critical functions with a significant impact on public safety, the economy, and the well-being of society. As digital transformation accelerates, the cyber-physical systems (CPS) that underpin industrial environments have become increasingly interconnected with information technology (IT) and operational technology (OT) networks. That interconnection makes it harder for organizations to enhance security, reduce cyber risk, comply with industry regulations and standards, and improve their overall operations. By implementing OT industrial network segmentation, organizations can begin to safeguard the security, resilience, and continuity of these operations, and with them the uninterrupted functioning of society and the economy.
OT network segmentation is the process of dividing a network into smaller, isolated segments or zones. It lets network administrators control which traffic may flow between those subnets according to granular network policies. Organizations that implement network segmentation gain stronger security and simpler network management, while improving performance and containing technical issues to the segment in which they occur. Segmentation is especially important in OT environments because the devices there control and monitor physical processes in critical infrastructure such as power plants, manufacturing facilities, and transportation systems. OT segmentation covers not only zones within the OT environment itself, but also the separation of OT networks from IT networks, the cloud, and other CPS. The zone boundaries this creates also give organizations defined points at which to monitor traffic across their extended internet of things (XIoT).
With proper OT network segmentation, organizations can contain cyberattacks by restricting lateral movement through the network. If one subnet is breached, an attacker has a harder time reaching other subnets, which limits the blast radius of the compromise. The same holds for attacks that originate in IT networks: proper segmentation keeps a breach there from moving laterally into the rest of the XIoT. Separating critical systems and processes also limits the impact of non-malicious failures or disruptions. An incident is less likely to spread across the entire network, which limits operational downtime and reduces the risk to safety and productivity.
Many critical industries, including oil and gas, transportation, food and beverage, and manufacturing, are subject to specific regulatory requirements and standards for securing OT networks, such as NERC CIP (for the bulk electric system), IEC 62443, or ISO 27001. Network segmentation is central to meeting the technical requirements of these frameworks, since it is how organizations implement the corresponding security controls and isolate critical assets. Finally, OT network segmentation improves network management and optimization. Smaller subnets are easier to manage, and confining traffic to the segments that need it lets organizations allocate resources more efficiently and improves network performance.
The concept of network segmentation is not new, but it can be a drawn-out and costly endeavor, particularly in industrial environments. Here are a few of the major challenges organizations face in ensuring their OT networks are properly segmented:
Unlike IT environments, where systems rarely last more than five years, industrial OT environments consist of legacy devices and systems with life cycles that can span decades. The legacy industrial control systems (ICS) in these environments were typically not built with security in mind, and may lack the features needed to support network segmentation (a host firewall, for example) or compatibility with new security controls. Such devices cannot protect themselves, so the segment boundary around them has to do the work.
IT and OT networks often need to interact to exchange data; however, keeping communication between segmented OT networks and the rest of an organization's IT infrastructure both working and secure can be challenging. The process requires collaboration between IT and OT teams, who have historically worked apart, and the resulting oversights can create complexity and duplicated effort, raise operating costs, or expose security flaws.
Implementing effective network segmentation policies in industrial environments can be difficult, error-prone, and expensive to manage and maintain. The process often entails continually tuning network policies to your unique environment, which leaves room for oversight.
Critical infrastructure organizations are subject to many complex industry regulations and standards. Monitoring and demonstrating compliance with them often requires granular, properly tuned policies that many organizations lack. The result is inconsistent approaches to segmentation and uneven enforcement from one organization to the next.
Nearly all industrial environments rely on remote access so that internal and third-party personnel can maintain assets, but common practices are risky and inefficient. If not managed properly, remote access can bypass segmentation entirely: a VPN or vendor remote-support tool that terminates inside an OT zone bridges that zone directly to the outside, regardless of the rules enforced between zones. It also expands the attack surface by introducing new entry points for cyber threats.
Attacks on ICS can have devastating impacts beyond reputational damage and financial losses, including harm to public safety and the economy. Protecting these devices poses unique challenges that call for a CPS protection platform dedicated to securing critical infrastructure environments. CPS protection platforms, like Claroty, can help industrial organizations accelerate their network segmentation efforts and secure their entire XIoT.
It is impossible to segment assets that you haven't yet identified. That is why the first step in accelerating network segmentation is to identify every connected device in your environment, along with its configuration, location, and owner. Claroty assists in achieving this visibility by automatically discovering new assets, monitoring communication patterns, and revealing connections all the way down to the I/Os that run industrial processes.
Once you have full-spectrum visibility, you can work out how to protect the environment. There are a number of ways to segment a network, including via your existing network access control (NAC), firewalls, switches, and/or other parts of your infrastructure, so it is important to assess both your objectives and your environment and pick a strategy that suits them. Claroty can help by evaluating your environment and recommending the best way to establish a segmentation strategy that fits your needs.
Creating a unique policy for every device is impractical, but creating policies for device types, or groups of devices, based on how they communicate with one another under normal circumstances makes segmentation both effective and scalable. By grouping related assets into a logical view, Claroty helps your security team define policies for each group and for the communications permitted between groups.
Industrial organizations need to protect their environment without disrupting it. For OT network segmentation, this means not only designing network policies that align with the communication baselines of the device groups classified in the previous step, but also verifying that those policies, once enforced, will not negatively impact operations. Claroty automatically recommends expert-defined policies for each asset group according to its communication baseline and lets you test, monitor, and refine those policies before enforcement. As a result, your OT network policies account for the unique requirements and limitations of your environment, and you can implement segmentation without introducing additional risk.
As noted in the previous step, enforcing new OT segmentation policies is a delicate process that, if not done correctly, risks disrupting operations. Claroty allows policies to be enforced only once they have undergone the proper testing and monitoring. After that, enforcement is simple: Claroty's ecosystem of ready-made integrations with customers' existing NACs, firewalls, switches, and more supports "one click" enforcement that streamlines segmentation for even the most complex OT networks. And because segmentation is an ongoing journey rather than a one-off tactical activity, customers can continuously monitor and optimize their segmentation as their OT environment, OT security maturity, and priorities evolve over time.
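The grouping, baselining, and monitor-before-enforce sequence described in the steps above can be sketched in a few dozen lines. The following Python is an added example, not Claroty's code or output: the asset inventory, group names, IP addresses, and flow records are constructed for illustration, and the text rules it renders stand in for whatever ACL syntax a real NAC, firewall, or switch would consume.

```python
"""Communication baseline -> per-group allow-list -> monitor before enforce.

Added example, not Claroty's code. INVENTORY, the IP addresses and the flow
records below are constructed for illustration; in practice they come from
asset discovery and captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# Constructed inventory: ip -> (asset name, asset group). Policy is written
# per group (device type), never per device.
INVENTORY = {
    "10.10.1.10": ("HMI-01", "hmi"),
    "10.10.1.11": ("HMI-02", "hmi"),
    "10.10.2.20": ("PLC-LINE1", "plc"),
    "10.10.2.21": ("PLC-LINE2", "plc"),
    "10.10.3.30": ("HIST-01", "historian"),
    "10.10.3.31": ("EWS-01", "engineering_ws"),
    "10.20.5.50": ("IT-LAPTOP", "it_client"),
}
UNKNOWN = "unknown"  # anything not in the inventory lands in this group


def group_of(ip):
    return INVENTORY.get(ip, (ip, UNKNOWN))[1]


# Constructed baseline capture: flows seen during a "normal" observation window.
BASELINE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.20", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    Flow("10.10.1.11", "10.10.2.21", "tcp", 502),
    Flow("10.10.3.30", "10.10.2.20", "tcp", 44818),  # historian -> PLC, EtherNet/IP
    Flow("10.10.3.30", "10.10.2.21", "tcp", 44818),
    Flow("10.10.3.31", "10.10.2.20", "tcp", 502),    # engineering ws -> PLC
]


def build_baseline(flows):
    """Collapse flows to (src_group, dst_group, proto, dport) edges and keep
    the concrete asset pairs that produced each edge."""
    edges = defaultdict(set)
    for f in flows:
        edges[(group_of(f.src), group_of(f.dst), f.proto, f.dport)].add((f.src, f.dst))
    return dict(edges)


def derive_rules(baseline, min_sources=1):
    """Promote baseline edges to allow rules. Requiring `min_sources` distinct
    source assets stops one odd host seen during the window from becoming
    policy; edges below the threshold should be reviewed by hand."""
    return {edge for edge, pairs in baseline.items()
            if len({src for src, _ in pairs}) >= min_sources}


def evaluate(flows, rules, mode="monitor"):
    """Return (verdicts, violations) for flows checked against rules.
    In "monitor" mode nothing is blocked (every verdict is "allow") but each
    non-matching flow is still reported; in "enforce" mode those get "deny".
    Run monitor first: every violation is either a gap in the baseline or
    traffic that should not exist, and you must decide which before enforcing."""
    verdicts, violations = [], []
    for f in flows:
        edge = (group_of(f.src), group_of(f.dst), f.proto, f.dport)
        matched = edge in rules
        if not matched:
            violations.append((f, edge))
        verdicts.append("allow" if matched or mode == "monitor" else "deny")
    return verdicts, violations


def render_rules(rules):
    """Vendor-neutral text form; real enforcement translates these into the
    ACL syntax of the NAC/firewall/switch in use."""
    return [f"permit {sg} -> {dg} {proto}/{dport}"
            for sg, dg, proto, dport in sorted(rules)]


if __name__ == "__main__":
    rules = derive_rules(build_baseline(BASELINE_FLOWS))
    print("\n".join(render_rules(rules)))
    # Constructed monitor-window traffic: an HMI/PLC pair not seen before (fine,
    # the group rule covers it), an IT laptop speaking Modbus to a PLC, and an
    # un-inventoried host doing the same.
    later = [
        Flow("10.10.1.10", "10.10.2.21", "tcp", 502),
        Flow("10.20.5.50", "10.10.2.20", "tcp", 502),
        Flow("10.10.9.99", "10.10.2.20", "tcp", 502),
    ]
    for f, edge in evaluate(later, rules, mode="monitor")[1]:
        print("would deny:", f, "edge", edge)
```

Two design points matter more than the code. First, rules are keyed on groups, so a new HMI talking Modbus to a PLC it has not spoken to before is allowed without a policy change, while an IT client or an un-inventoried host doing the same thing is flagged; that is the IT-to-OT lateral-movement case segmentation exists to catch. Second, the monitor/enforce split is the whole safety story: the violations list from a monitor run is the review queue, and nothing should move to enforce until every entry in it has been either added to the baseline deliberately or confirmed as traffic to block.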
As society accelerates its reliance on cyber-physical systems for greater automation, control, efficiency, and convenience, the attack surface available to cyber criminals continues to expand. As new attack vectors emerge, the need for OT industrial network segmentation grows with them. Although critical infrastructure organizations often have segmentation initiatives on their to-do list, they tend to lack the time, resources, visibility, and awareness required to implement them. With Claroty, organizations can jumpstart those initiatives with domain expertise that recommends segmentation policies which can then be enforced easily and automatically through existing infrastructure, accelerating segmentation and enhancing cyber and operational resilience.