Perimeter Firewalls Between IT and OT
When prioritizing security technologies, the evaluation process is often daunting. Today we’re taking a deeper look at the reasons someone may want to consider using perimeter firewalls between IT and OT. If you decide to take the next steps, you might want to look at Fortinet, Palo Alto Networks, and Dynics.
For starters, a firewall is a network device that monitors traffic to or from your network and will either allow or block that traffic based on a set of configurable rules. Segmenting the IT network from the OT network is one of the most fundamental steps in securing your OT network. If your network is completely flat and IT and OT assets are running across both networks, this is the best place to start.
Perimeter firewalls are the most fundamental piece of secure traffic management and yet many companies do not have this in place today. Deploying IT/OT firewalls, or the more sophisticated approach using a UTM (unified threat monitoring) platform, is a high value for the investment and will provide notable benefits and challenges.
Deployment Effort | Risk Reduction | Deployment Cost | Business Value | Best For |
Low | High | $$ | High | Everyone |
Benefits
Enhanced Security: Segmenting the IT and OT networks can prevent unauthorized access between IT and OT networks, which can help mitigate the risk of cyber-attacks and data breaches. By implementing a perimeter firewall, organizations can create a secure boundary that allows only authorized traffic to flow between IT and OT networks, effectively isolating critical operational systems from potential threats that may originate from the IT network
Improved Operational Reliability: Operational systems in OT networks, such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, are often critical for the operation of industrial processes, manufacturing plants, and other critical infrastructure. By deploying firewalls to segment IT and OT networks, organizations can reduce the risk of IT-related issues, such as malware infections or system misconfigurations, impacting OT systems. This helps ensure the reliability and availability of OT networks, reducing the potential for operational disruptions and downtime.
Compliance and Regulatory Requirements: Many industries, including energy, utilities, and manufacturing, are subject to strict regulations and compliance requirements, such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards or the IEC 62443 standard for industrial automation and control systems security. Segmenting IT and OT networks with a perimeter firewall can help organizations meet these regulatory requirements by implementing proper access controls, monitoring, and auditing mechanisms between IT and OT networks.
Simplified Network Management: Segmentation can help organizations achieve a clear separation of roles and responsibilities between IT and OT teams. IT teams can focus on managing the IT network, while OT teams can focus on managing the OT network, resulting in streamlined network management processes. This can help improve operational efficiency and reduce the complexity of managing a unified network infrastructure.
Rapid Incident Response: In the event of a security incident or breach, segmenting IT and OT networks can help contain the impact and prevent lateral movement of threats. By isolating the affected network segment, organizations can limit the potential damage and quickly respond to incidents, mitigating the risk of further compromise or data exfiltration.
Flexibility and Scalability: Segmenting IT and OT networks with a perimeter firewall provides organizations with the flexibility to adapt to changing business needs and requirements. As the IT and OT environments evolve, organizations can easily modify the access controls and policies in the firewall to accommodate changes, without disrupting the entire network infrastructure. This allows for scalability and agility in managing the IT and OT networks separately, while ensuring the necessary security controls are in place.
Challenges
Change Management: As changes occur within the network, firewall rules will need to be maintained and audited. Users may try and shortcut rules in favor of things such as system up time. As a result, organizations may end up with security holes.
Software and Firmware Updates: A firewall should always be on the latest software from the manufacturer. A process will need to be implemented to ensure all communications from your firewall manufacturer are monitored and firmware is updated regularly.
Time: Most commonly, there will be a perimeter firewall between each line and the OT network. When done properly, initial firewall configuration can take between 10 and 80 hours per firewall. This investment is worth it but needs to be planned for.
While there can be challenges to setting up and maintaining firewalls, segmenting IT and OT networks with a perimeter firewall can significantly improve the security, reliability, compliance, network management, incident response, and flexibility of an organization’s overall network infrastructure.