Why is Micro-Segmentation Important?
There are many reasons industrial automation companies are actively considering segmenting their networks. Staying on a flat network, where every device can reach every other device, makes the whole plant a single target: one compromised host can talk to everything else. At the highest level, segmentation supports a defense in depth strategy by making a breach harder and limiting how far it can spread. Once you have a network segmentation project approved, it’s time to find the best solution for your application. The good news is you have options!
What is network segmentation?
Plain and simple, a segmented network is broken into logically or physically separated sections. Network segmentation is a security best practice that divides a network into smaller, isolated segments. Each segment functions as its own network, which improves security and performance by controlling the traffic that crosses segment boundaries and restricting who can reach what. If a bad actor breaches one part of the network, segmentation limits their reach and helps prevent the attack from spreading beyond that segment.
Network segmentation vs network micro-segmentation
Micro-segmentation is similar to network segmentation in that you create sections of the network that are difficult to cross, but in a micro-segmented network the boundary is drawn around each individual device (or each conversation between two devices) rather than around groups of related devices. This limits the “blast radius” of an attack far more than traditional segmentation, and when the per-device policy is generated and pushed from a central controller it can be easier to maintain over time than rules hand-managed on many separate devices.
The primary ways that industrial companies implement network segmentation are firewalls, virtual local area networks (VLANs), and software-defined networking (SDN).
Firewalls
Firewalls control the flow of network traffic that passes through them; in industrial settings they are usually dedicated hardware appliances. A firewall enforces a rule set that has to be created, deployed, and maintained. In an ICS that rule set should be an allow-list: traffic is permitted only from known sources to known destinations on the protocols and ports the process actually needs, and everything else is dropped. In industrial applications, there are two common firewall types – perimeter and industrial.
- Perimeter – This is the first line of defense for networks as it typically sits between a public and private network. A perimeter firewall monitors and controls incoming and outgoing traffic based on a predetermined set of rules.
- Industrial – These devices are specialized for use in industrial control systems and SCADA systems. Often managed by OT personnel, they sit between zones inside the ICS network (for example between supervisory systems and controllers) and restrict the traffic that flows between those zones.
Industrial firewalls can also be used as perimeter firewalls, but it is not recommended to use IT perimeter firewalls inside your industrial network: they are generally not rated for the plant-floor environment (temperature, vibration, DIN-rail mounting, DC power) and usually lack the deep inspection of industrial protocols such as Modbus/TCP or DNP3 that an OT firewall provides. A firewall designed specifically for OT network usage is a much better choice.
VLANs
It’s common for segmented networks to use VLANs to create smaller subnetworks. A VLAN is a logical grouping of switch ports into their own layer-2 broadcast domain, defined in the switch configuration (and carried between switches by 802.1Q tags) rather than by physical cabling. Devices in the same VLAN can communicate with each other directly; traffic between VLANs has to pass through a router, layer-3 switch or firewall, which is where access rules are applied. Because the grouping is logical, devices that are not physically near each other can share a VLAN without rewiring. A VLAN is only a security boundary if the device that routes between VLANs also filters that traffic; with unrestricted inter-VLAN routing it is just a broadcast domain.
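The behaviour described above, as an added example written for this page (not code from any switch vendor or from the article): a parser for the 802.1Q tag, a four-port access switch with a per-VLAN forwarding table, and the allow-list a router between VLANs would apply. The topology, MAC addresses, VLAN numbers and the `INTER_VLAN_ALLOW` policy are constructed for illustration.

```python
"""802.1Q frame parsing and VLAN-aware forwarding on a small access switch.

Added example for this article, not code from any switch vendor. The topology,
MAC addresses and VLAN numbers below are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed topology: ports 1-2 are access ports in VLAN 10 (HMIs),
# ports 3-4 are access ports in VLAN 20 (PLCs). PVID = VLAN given to untagged frames.
PORT_PVID = {1: 10, 2: 10, 3: 20, 4: 20}
MAC_PORT = {
    "00:11:22:33:44:01": 1,  # HMI-1
    "00:11:22:33:44:02": 2,  # HMI-2
    "00:11:22:33:44:03": 3,  # PLC-A
    "00:11:22:33:44:04": 4,  # PLC-B
}
# A switch keeps its forwarding database per VLAN: a MAC learned in VLAN 20
# is simply unknown in VLAN 10.
FDB = {(PORT_PVID[port], mac): port for mac, port in MAC_PORT.items()}


def build_frame(dst, src, payload=b"", vid=None, ethertype=0x0800):
    """Build a raw Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        # TCI = 3-bit PCP | 1-bit DEI | 12-bit VID; PCP and DEI are left at zero here
        hdr += struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return dst, src, VLAN id (None if untagged), EtherType and payload of a raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def forward(ingress_port, frame):
    """Return the sorted list of egress ports; an empty list means the frame is dropped."""
    parsed = parse_frame(frame)
    pvid = PORT_PVID[ingress_port]
    # Access port: untagged frames join the PVID; a frame tagged for any other
    # VLAN is discarded, so a host cannot choose its VLAN by tagging its own traffic.
    if parsed["vid"] not in (None, pvid):
        return []
    dst_port = FDB.get((pvid, parsed["dst"]))
    if dst_port is not None:
        return [] if dst_port == ingress_port else [dst_port]
    # Unknown destination in this VLAN (including a MAC that lives in another VLAN):
    # flood to the other ports of the same VLAN only. The frame never leaves VLAN pvid.
    return sorted(p for p, v in PORT_PVID.items() if v == pvid and p != ingress_port)


# Inter-VLAN traffic has to leave layer 2 and pass a router, layer-3 switch or
# firewall. An allow-list there is what makes the VLAN a security boundary.
# Constructed policy: HMIs (VLAN 10) may poll PLCs (VLAN 20) over Modbus/TCP only.
INTER_VLAN_ALLOW = {(10, 20, "tcp", 502)}


def route_allowed(src_vid, dst_vid, proto, dport):
    """Decision of the routing device between VLANs: allow only listed flows."""
    return (src_vid, dst_vid, proto, dport) in INTER_VLAN_ALLOW


if __name__ == "__main__":
    hmi1, hmi2, plc_a = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    print(forward(1, build_frame(hmi2, hmi1)))           # [2]: same VLAN, known MAC
    print(forward(1, build_frame(plc_a, hmi1)))          # [2]: flooded in VLAN 10, never reaches port 3
    print(forward(1, build_frame(plc_a, hmi1, vid=20)))  # []: tagged for a foreign VLAN, dropped
    print(route_allowed(10, 20, "tcp", 502), route_allowed(20, 10, "tcp", 502))  # True False
```

The point to take from the second and third calls is that an HMI cannot reach a PLC in another VLAN at layer 2 at all, even by tagging its own frames; the only path is through the routing device, and `route_allowed` is where that path is either restricted or left wide open.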
SDN
Software-defined networking (SDN) is not a new concept in the IT space; it has been used to manage clouds and server farms for over a decade. By applying SDN to the industrial environment, OT teams can take a plant with hundreds of switches that were traditionally configured one at a time and manage them from a consolidated tool that provides real-time network monitoring and management. In an OpenFlow-based design the switches forward only the traffic that matches flow rules the controller has installed, and traffic that matches no rule can be dropped by default; that deny-by-default forwarding is how OT-SDN hardens the network. One of the primary benefits of SDN is its ability to reduce the attack surface through micro-segmentation, in which each device or conversation gets its own rules instead of sharing a coarse segment. In the event of a security breach, the compromised device can reach only the peers its rules permit, limiting how far an attack can spread.
There are two primary ways to apply OT-SDN to the industrial automation environment today. They are:
- OT Network Controller – a software solution that can be added to the virtualization stack and is compatible with any OpenFlow-enabled switch.
- OT Network Security Appliance – combines the OT Network Controller software with a 7-port industrial switch to streamline the application of OT-SDN.
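The two enforcement models this page contrasts, the zone firewall from the Firewalls section and the per-device flow rules an OT-SDN controller installs, as one added example written for this page (not code from any OT-SDN controller, firewall vendor or OpenFlow implementation). Rules are matched highest priority first with a table miss treated as a drop, as in an OpenFlow flow table. The hosts, addresses, zones, rule sets and probe ports are constructed; `blast_radius` is a hypothetical helper that counts what a compromised host may still reach under each policy.

```python
"""Zone firewall policy versus per-device micro-segmentation: blast radius compared.

Added example for this article, not code from any OT-SDN controller or firewall.
Hosts, addresses, zones and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One allow/drop entry; a None field is a wildcard. Rules are matched by
    priority, highest first, the way an OpenFlow flow table is."""
    priority: int
    action: str
    src: Optional[FrozenSet[str]] = None
    dst: Optional[FrozenSet[str]] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or f.src in self.src)
                and (self.dst is None or f.dst in self.dst)
                and (self.proto is None or f.proto == self.proto)
                and (self.dport is None or f.dport == self.dport))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Highest-priority matching rule wins; a table miss is a drop (deny by default)."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.matches(flow):
            return rule.action
    return "drop"


# Constructed plant: a supervisory zone and a control zone.
HMI, ENG, HIST = "192.168.10.5", "192.168.10.20", "192.168.10.6"
PLC_A, PLC_B = "192.168.20.11", "192.168.20.12"
SUPERVISORY = frozenset({HMI, ENG, HIST})
CONTROL = frozenset({PLC_A, PLC_B})
ALL_HOSTS = sorted(SUPERVISORY | CONTROL)

# 1) Industrial firewall between the two zones: one coarse allow rule.
ZONE_RULES = [
    Rule(100, "allow", src=SUPERVISORY, dst=CONTROL, proto="tcp", dport=502),  # Modbus/TCP polling
]


def zone_policy(flow: Flow) -> str:
    """A zone firewall only sits on the path between zones; traffic that stays
    inside one zone never reaches it and is therefore never filtered."""
    src_zone = "supervisory" if flow.src in SUPERVISORY else "control"
    dst_zone = "supervisory" if flow.dst in SUPERVISORY else "control"
    if src_zone == dst_zone:
        return "allow"
    return evaluate(ZONE_RULES, flow)


# 2) Micro-segmentation: the controller installs one flow rule per permitted
#    conversation on every switch, so intra-zone traffic is filtered as well.
def pair(src: str, dst: str, proto: str, dport: int) -> Rule:
    return Rule(200, "allow", frozenset({src}), frozenset({dst}), proto, dport)


MICRO_RULES = [
    pair(HMI, PLC_A, "tcp", 502),   # HMI polls both PLCs
    pair(HMI, PLC_B, "tcp", 502),
    pair(ENG, PLC_A, "tcp", 502),   # engineering workstation is assigned to area A only
    pair(HMI, HIST, "tcp", 5432),   # HMI writes to the historian
]


def micro_policy(flow: Flow) -> str:
    return evaluate(MICRO_RULES, flow)


# Ports an attacker on a compromised host would probe (constructed list).
PROBES: List[Tuple[str, int]] = [("tcp", 502), ("tcp", 3389), ("tcp", 445)]


def blast_radius(policy: Callable[[Flow], str], compromised: str) -> Set[Tuple[str, int]]:
    """Every (host, port) the compromised host is still allowed to reach under policy."""
    reachable = set()
    for dst in ALL_HOSTS:
        if dst == compromised:
            continue
        for proto, port in PROBES:
            if policy(Flow(compromised, dst, proto, port)) == "allow":
                reachable.add((dst, port))
    return reachable


if __name__ == "__main__":
    for name, policy in (("zone firewall", zone_policy), ("micro-segmentation", micro_policy)):
        hits = blast_radius(policy, ENG)
        print(f"{name}: compromised {ENG} reaches {len(hits)} host/port pairs: {sorted(hits)}")
```

With the engineering workstation compromised, the zone firewall still lets it reach every host in its own zone on every port (the firewall is not in that path) plus both PLCs on Modbus/TCP, eight host/port pairs in all; the per-device policy leaves it exactly one, PLC-A on port 502. The example evaluates only the direction that opens a conversation; a real firewall tracks connection state and a real controller installs the reverse flow as well, so replies are not something a rule set like this has to list separately.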
Benefits of segmentation
The benefits of network segmentation and micro-segmentation are clear. In a defense in depth strategy, the finer the segmentation, the harder it is for an attacker who has compromised one device to move laterally to the next. A comprehensive security plan starts with segmentation because of its ability to contain the spread of a cyber attack. Segmentation also gives internal teams finer access control and makes network traffic monitoring and detection easier, because every flow that crosses a segment boundary passes an enforcement point where it can be logged and checked against policy.
Next steps
If you’re considering micro-segmentation for your network, you have options! OT-SDN lets you define and enforce per-device policy from one place, which keeps micro-segmentation manageable as the plant grows. Want to learn more? Attend the next monthly OT-SDN demo.