A Brief Introduction to OT Network Micro-Segmentation

So here we are, it’s 2023 and I think we can all agree that cybersecurity is, and will continue to be, top of mind across most industries. In the last two weeks, rumors flew that Southwest Airlines’ systems had been hacked after the airline failed to get holiday travelers from point A to point B. While emotions were high, no one batted an eye at the idea that someone may have hacked them. In this instance, Southwest Airlines was not a victim of cybercrime (though the episode is a great use case for operational improvements), but the point is that, as a society, the idea of cybersecurity hitting us on all sides has become commonplace. Businesses have choices to make when it comes to defending themselves and their customers, and network segmentation should be a central part of that strategy.

What is network segmentation and why is it important?

There are typically three major pillars to a defense-in-depth cyber security strategy:

1 – Prevent a breach by hardening your attack surface

2 – Detect when you have a breach so that you can remove it

3 – Prevent a breach from spreading

Segmentation focuses on components 1 and 3 and is therefore a foundational piece of any cyber security plan. So, what is network segmentation? A segmented network is broken into logically or physically separated sections. Equipment that needs to communicate across the network still can, but devices and computers are stopped from reaching critical systems and information in other parts of the network. This matters when preventing the spread of a cyber attack: it limits the damage that can be done once an intruder, malware, or an APT has gained a foothold.

Let’s look at an analogy using the bulkheads of an ocean liner. If there were no separate sections internally, a breach of the hull would flood the entire ship.

By simply closing the bulkhead doors, the flooding is limited to only a portion of the ship, creating the opportunity for the ship to get back to the dock and be repaired before widespread damage occurs.

Leaving our ocean liner and going back to the plant floor, network segmentation is traditionally accomplished using VLANs, firewalls, subnetting, and other tools available in a managed switch network. Because it both hardens your attack surface and keeps a breach from spreading, it’s safe to assume you’ll find segmentation high on the recommendations list of any cyber security audit.

Challenges with traditional network segmentation in the OT environment

The biggest challenge to maintaining a segmented network is what I like to call network entropy. Imagine that production goes down at 3 am and the available maintenance and controls engineers are struggling to get the asset or facility online again. For an OT team, the top priority is to produce their product; everything else is secondary, including the way the network is segmented. Another fairly common example is a new machine being commissioned that is behind schedule. We’re all familiar with the phrase ‘time is money’, so hitting the commissioning date will almost always trump worrying about the network configuration. Industrial control projects are multi-faceted and tend to budget up front for things like the cost of configuring firewalls and maintaining the network structure. Over time, however, the risk of accidentally plugging a device into the wrong segment, or of cutting a device off from the part of the network it needs to reach, tends to fall by the wayside. Traditional network segmentation projects will always degrade over time. Cybercriminals are patient and meticulous and will find a way in as soon as that chance is given. Because of these unique OT traits, implementing the right security strategy is critical to maintaining operations.

How is micro-segmentation different?

A micro-segmented network treats each endpoint like an island. A device is allowed to communicate only with the known devices it has a need to communicate with, and nothing else. Back to the ocean liner analogy: if there is a breach of the hull, the damage is contained to a very small portion of the boat, so the blast radius of the cyber attack is minimized. You can see from the images that the micro-segmented ship experienced the least impact from its incident.

In the operations environment, here are two examples of micro-segmentation at work during a cyber attack:

  1. If a SCADA system is infected by a bad thumb drive, it may be able to infect the PLC it directly communicates with, but the infection stops there; the other PLCs on the same segment are not on its allow-list.
  2. A user in the finance department falls for the classic phishing email and their laptop is now infected, but the malware cannot reach anything on the OT network because no OT device is allowed to talk to that laptop.
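The allow-list model behind these two examples, and the “network entropy” problem described above, can be made concrete with a small policy evaluator. The following is an added illustration written for this page; it is not code from the original post or from Veracity’s product, and the addresses, device names, ports and flows are constructed assumptions. It evaluates each flow twice: once against a coarse two-zone firewall (IT may not initiate into OT, everything inside a zone is unrestricted) and once against a per-endpoint allow-list with default deny.

```python
"""Added example: per-endpoint allow-list (micro-segmentation) vs. zone firewall.

All addresses, device names and ports are constructed for illustration
(assumptions, not taken from the original post or any product).
"""
from ipaddress import ip_address, ip_network

# --- Traditional segmentation: two coarse zones joined by one firewall ------
ZONES = {
    "IT": ip_network("10.1.0.0/16"),   # office / finance (assumed range)
    "OT": ip_network("10.2.0.0/16"),   # plant floor (assumed range)
}


def zone_of(addr):
    """Return the zone name an address belongs to, or None if it is in neither."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def zone_policy_allows(src, dst, dport):
    """Zone firewall: IT may not initiate into OT; inside a zone anything goes."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False
    if s == "IT" and d == "OT":
        return False
    return True


# --- Micro-segmentation: each endpoint carries its own allow-list -----------
# key = source address, value = set of (destination, dport) it may initiate to.
# Any source not listed, or any pair not listed, is denied.
MICRO_POLICY = {
    "10.2.0.10": {("10.2.1.21", 502), ("10.2.1.22", 502)},  # SCADA -> PLC1, PLC2 (Modbus/TCP)
    "10.2.0.11": {("10.2.1.23", 44818)},                     # eng. workstation -> PLC3 (EtherNet/IP)
    "10.2.1.21": set(),                                      # PLCs initiate nothing
    "10.2.1.22": set(),
    "10.2.1.23": set(),
}


def micro_policy_allows(src, dst, dport):
    """Allow only flows explicitly listed for the source; unknown sources get nothing."""
    return (dst, dport) in MICRO_POLICY.get(src, set())


# Constructed flows: (description, src, dst, dport)
FLOWS = [
    ("SCADA polls PLC1 (normal)",                 "10.2.0.10", "10.2.1.21", 502),
    ("infected SCADA reaches for PLC3",           "10.2.0.10", "10.2.1.23", 44818),
    ("PLC1 tries to reach PLC2",                  "10.2.1.21", "10.2.1.22", 502),
    ("phished finance laptop scans PLC1",         "10.1.5.7",  "10.2.1.21", 502),
    ("laptop plugged into wrong OT port at 3 am", "10.2.0.99", "10.2.1.21", 502),
]


def evaluate(flows=FLOWS):
    """Return {description: (zone_verdict, micro_verdict)} for each flow."""
    return {
        desc: (zone_policy_allows(src, dst, dport), micro_policy_allows(src, dst, dport))
        for desc, src, dst, dport in flows
    }


if __name__ == "__main__":
    for desc, (zone_ok, micro_ok) in evaluate().items():
        z = "ALLOW" if zone_ok else "deny"
        m = "ALLOW" if micro_ok else "deny"
        print(f"{desc:44} zone={z:5} micro={m}")
```

Running it shows where the two models diverge. The finance laptop is stopped by both. An infected SCADA server reaching for a PLC it has no business with, a PLC talking to its neighbour, and a laptop plugged into the wrong switch port at 3 am all pass the zone firewall and are denied only by the allow-list. The trade-off is visible in the last case: the unknown laptop gets nothing until someone adds a policy entry, which is exactly the deny-by-default behaviour that stops entropy, but it also means commissioning a new device is a policy change and not just a cable.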

Micro-segmentation is the only way to lock down your network and minimize the damage of a network breach. In addition, it does not deteriorate over time as devices are moved or added to the system: a device that is moved or added without a matching policy entry simply cannot talk to anything until it is explicitly allowed, so the default is deny rather than silent drift. With each asset placed into its own micro-segment, operations leaders can prevent the shortcuts that are common when production is down. To learn more about how Veracity Industrial Networks provides a micro-segmented network that is easy to manage, please visit www.veracity.io.
