Are SDNs All Hype? An Opinion Piece From Harry Thomas
Are SDNs All Hype?
Veracity CEO, Jim Crowley, recently connected with OT Security Advisor, Harry Thomas, and the topic of network segmentation and SDN quickly came up. This article was written by Harry and
published on LinkedIn in August 2023. The contents of the following represent Harry’s viewpoints.
Harry Thomas, OT Security Advisor and ICS/OT Cybersecurity Expert
I was asked to look at Veracity’s solution and give honest insights. I interviewed staff at Veracity and their customers to fully understand their offering. Below are my thoughts.
With the publications of the TSA Directive and other standards, there’s been more scrutiny on how to protect our critical infrastructure. The electric grid, oil refineries, and cheese manufacturers have one thing in common; they use industrial control systems (ICS) or operational technology (OT). These control systems have been built for availability but generally without security in mind. Most recently, with ransomware and hackers gaining access to these systems, country leaders worldwide are noticing how easy it is to disrupt civilization. For example, MANDIANT reported the following:
- In 2022, 67% of organizations were notified through adversaries of fully executed ransomware
operations and the remaining was due to external partner notification.
- The global dwell time of threats went from 21 days in 2021 to 16 days in 2022.
- Yet ransomware dwell time went from 5 to 9 days from 2021 to 2022, showing these threats’ evolving landscape and capabilities.
Traditional ICS/OT network architecture wasn’t built with security in mind. Networks have the
necessities, firewalls, routers, and switches. The point of these devices is to connect to the internet: and nothing else.
With these numbers, it’s not if the network is breached: It’s when.
Network Segmentation & Firewalls
One of the most significant risks I’ve noticed is a lack of segmentation in our industrial networks. So, let’s talk about firewalls. If you understand them, skip ahead; if not, stay with me. Firewalls were built to halt connectivity to the internet to protect the perimeter. Computers have 65536 ports that many applications utilize to interact with other devices. A firewall was built to limit exposure to the internet. Some would say that this is a form of security, and many would agree. I think of firewalls differently; It’s barely a security control, and many organizations implement these devices without proper configurations leaving the operational network exposed and vulnerable.
Additional problems with legacy firewalls are that they provide 0% visibility in East-West traffic. This is the traffic between two egress points that the firewall doesn’t have visibility of. 60% of security experts interviewed during my research project with UNC Charlotte state that firewalls do not prevent cyberattacks against critical business and cloud-based applications. Firewalls are also expensive. Their only purpose is to manage the perimeter of zones and nothing else. Firewalls are also hard to maintain. With networks containing multiple vendors through the advancement of technology or site acquisitions, it’s hard to know the appropriate IP, ports, and protocols needed to troubleshoot problems. Firewalls also require scheduled downtime. In critical infrastructure, downtime equals loss of revenue.
Software Defined Networking (SDN)
With the advancement of many technologies like intrusion detection systems, security and event
information management systems, and protection systems, network technologies seemed to have always stayed the same; then, Software Defined Networking (SDN) emerged. This is a huge
advancement in network technologies. SDN allows industrial organizations to have granular controls of communication paths. What’s the difference between SDN devices and firewalls?
Think about SDN devices as building a road between two cities when needed, then breaking it down when you don’t. Firewalls are just walls on roads, you can’t get through them, but you can drive around. With SDN, there are no roads, tunnels, or ways to bypass the security control. This is a valid security control. The beauty of SDN devices is that they advance network security and provide easy integrations with legacy network architecture. Legacy architecture is the archaic conglomeration of firewalls, switches, and routers. By adding a singular SDN device at the core switches, an industrial organization can receive benefits without performing an entire deployment.
Aside from modernizing industrial architecture, SDN increases cybersecurity resilience. Veracity’s OT Network Controller uses technology to identify and provide insights into the industrial network. Their OT-optimized solution combines things like control system availability and SDN into one platform. Veracity’s controller uses SDN to monitor communication paths and provides a way to define policies to allow or disallow communication. Remember, SDN builds roads as needed. If the policy disallows communication, the road is never built, and there is no way to bypass this control.
Additionally, Veracity identifies communication paths before implementing policies, allowing
customers to review what is happening in the OT network. Cyber resilience ensures the availability and uptime of the network and operations. In a customer use case, they identified a network broadcast storm reducing the network's overall bandwidth. I found that with Veracity, they could locate the endpoints causing the issues and resolve the problem. The network’s bandwidth went from 90% utilized to just under 15%. This allowed the customer to defer network upgrades and focus on other priorities.
It can take a full project plan and multi-phase approach to roll out firewalls that only segment North-South traffic. Then the plan must include implementing the Virtual LANs (VLANs) to have East-West segmentation. See, the issue with this approach is that it’s not automatic and requires a vast amount of time to implement correctly, and maintaining firewall rules and VLANs is a full-time job for network administrators. Technology is moving towards more automation and doing more with less. Legacy devices like firewalls and switches provide nothing more than connectivity from site to site or intra-site.
Let’s talk about some myths of segmentation
1. Segmentation projects are too difficult. This is true if you’re using legacy devices to perform
this work. Newer technologies have built-in algorithms to assist with segmentation efforts.
2. Segmentation projects require downtime. This is true in ICS/OT networks if you’re using legacy
devices. The reality is that SDN can be implemented with little to no downtime depending on
3. Segmentation blocks legitimate traffic my network needs to run the industrial process. This can
be true if network segmentation is not routinely analyzed. The benefit of SDN is that it can
notify you when a new communication pattern occurs.
4. Segmentation inhibits user access and introduces unnecessary latency. This is completely
incorrect. Using SDNs instead of firewalls to segment can alleviate unnecessary bandwidth
Crawl, Walk, Run Methodology
SDNs can be implemented in a Crawl, Walk, and Run methodology. The Crawl phase includes having SDN switches are installed as your Core switch. When doing this in the IT/OT DMZ, it automatically creates segmentation beyond what a standard firewall can do. Additionally, it allows asset owners to identify cross-dependencies between IT and OT networks. Once ready, an asset owner can replace a few switches at critical remote sites. Once done, the core SDN switch will communicate with the remote SDN switches at critical sites to coordinate north-south and east-west traffic. That’s the main blind spot when only implementing a core SDN switch. An analyst can only monitor the ingress and egress of the OT network, leaving them blind to remote sites. In the Walk phase, I would assess remote sites to determine which critical sites need additional protection. In the Run phase, an asset owner will replace all site switches with SDN switches. This will be the highest level of segmentation and security for the industrial network.
Here are some final thoughts that I’ll leave with you. Legacy firewalls are necessary. Their sole
responsibility is to segment ingress/egress traffic. Please, do not use them to segment beyond what’s necessary. There are other technologies out there, like Veracity’s OT Network Controller, that can do that job better. When implementing an SDN solution, take your time. Use the Crawl, Walk, Run method to figure out your rollout plan. Start simple and then introduce the complexity once you realize the value. If you start your deployment complexly, you’ll resent any technology you’ve deployed in this manner.
To learn more about the Veracity solution, visit the website at veracity.io.