
Why Network Segmentation Matters for OT Security

6 min read

In the modern world of operational technology (OT) and cyber-physical systems (CPS), one thing is certain: things are far more interconnected than they used to be. Not long ago, industrial control systems (ICS) were often air-gapped and isolated, with no connection to the internet, and consequently largely out of reach of remote threat actors.

As OT and CPS assets are brought online for the first time, it is a double-edged sword. Making systems such as programmable logic controllers (PLCs) and human-machine interfaces (HMIs) reachable over the network brings convenience, such as real-time monitoring and in-depth analysis, but it also exposes them to cyberattacks. The moment these systems are given a routable IP address, they can put a target on your organization's back if they are not properly protected. To make matters worse, a threat actor often needs to compromise only one piece of equipment to move laterally through the network of connected devices.

So, if OT and/or CPS infrastructure gets hit, how can organizations take steps to reduce the blast radius?

Understanding Network Segmentation in OT

At its core, network segmentation is the process of dividing a network into smaller, isolated subnets or zones that can be managed and secured separately. Effective segmentation creates barriers that an attacker has to overcome. This practice can significantly limit the damage they can do, should they successfully gain access to a connected device. As the methods of attackers continue to evolve and become more persistent, network segmentation is a critical strategy for keeping key assets out of harm’s way—even if it can come with some challenges.

While security is the chief benefit of segmentation, that’s not the end of it. The benefits of network segmentation go far beyond threat containment. 

Key Benefits of OT Network Segmentation 

Network segmentation for OT and CPS assets can benefit your organization in several ways: it reduces risk, tightens control, and improves visibility. Beyond the threat containment already described, here is a quick rundown of what segmenting your organization's network delivers.

Keep threats bottlenecked 

Think of your OT or CPS network like a house. If it's all one big open space, a burglar who gets in the living room has free run of the whole place. Segmenting each room in the house, however, is like adding locked doors between rooms. If a bad actor sneaks into one part, they're then much less likely to get to the really critical parts of your infrastructure, like the control systems that keep all your cyber-physical processes running smoothly.

Simplified compliance

Many standards and regulatory frameworks that govern critical infrastructure require network segmentation as a key security control; IEC 62443, for example, is built around the zone-and-conduit model, in which assets are grouped into zones and the permitted communication paths between zones are defined explicitly as conduits. Properly segmented networks make it easier to demonstrate compliance by clearly defining security perimeters and access controls around regulated assets. This can streamline audits and reduce the complexity of meeting regulatory requirements.

Improved network performance 

By limiting broadcast domains and containing traffic within specific subnets, segmentation can reduce congestion and improve overall network performance. This matters in OT and CPS environments, where real-time communication and low latency are often critical for operational efficiency and worker safety.

Enhanced management and troubleshooting

Segmented networks can be easier to manage and troubleshoot. Isolating problems to specific segments simplifies diagnostics and reduces the effects of other issues throughout the network. Security policies and access controls can also be applied more granularly and consistently within defined segments.

Implementing Effective OT Network Segmentation

If your OT/CPS environment is a house, then effective network segmentation will turn it into a fortress. But also like a fortress, it might take some time to fully design and build. It’s best to focus on three areas you should consider first when implementing your network segmentation plan: People, policy, and technology. Let's dive into each. 

Policy: A segmentation blueprint

Clearly defining a policy is the foundation of the fortress. Ideally, this policy should:

Identify critical assets and zones

Take an inventory of your entire infrastructure and decide what needs to be prioritized. Assets such as PLCs, HMIs, and safety systems should likely get the highest level of protection. From there, group them into logical zones based on factors such as function or criticality. 

Establish communication rules

Create a "digital traffic law": capture and analyze the traffic the network actually carries, then decide which devices should be allowed to communicate with one another, and over which protocols and ports. Any flow that crosses a zone boundary without a matching rule is either a gap in the policy or something to investigate.

Define access control

Then, using that digital traffic law, appoint the "traffic manager" for each zone by defining which people and devices may access it, and enforce those decisions at the zone boundary rather than relying on the devices inside the zone to protect themselves.

People: Assigning architects and gatekeepers

The people your organization chooses to manage and maintain a segmented network are just as important as the devices and zones themselves. Keep these factors in mind during this step of the process:

Collaboration

OT and IT teams do not typically work together, but it is important to choose employees from both areas. This ensures that both the technology and the operational side of segmenting a network are covered, and that both groups can contribute their expertise.

Responsibility

Clearly define all roles and responsibilities for the segmented network. Communicate this plan through the organization so that everyone can do their part in building and protecting the fortress. 

Training

Fill in any knowledge gaps that might exist throughout the team. It’s important to get all employees up to speed on network segmentation policies on both the OT and IT side of the business. 

Awareness

No matter where the employee works in the organization, foster a security-conscious mindset. This includes every team member throughout, whether they’re actively working on the network segmentation project or not. 

Technology

Finally, the solutions, hardware, and software your team implements will complete the fortification of your fortress. Prioritize the most important elements first. Those should include:

Virtual LANs (VLANs)

Virtual LANs separate devices that share the same physical switching infrastructure into distinct layer-2 broadcast domains; think of them as virtual wiring. The benefits are twofold: they enhance security by isolating access to sensitive resources, and they improve the flow of network traffic by splitting it into smaller, more manageable groups. VLANs can be laid out to mirror engineering and industrial process boundaries, for example one VLAN per production cell. One caveat: a VLAN only separates traffic, it does not filter it, so any communication between VLANs still has to pass through a router or firewall where the zone policy is actually enforced.

Next-generation firewalls (NGFWs)

Traditional firewalls have long been a fundamental part of cyber defense, but next-generation firewalls take this a step further. They add deep packet inspection, application and protocol awareness, and intrusion prevention, functioning as a more proactive component of your overall strategy. For OT environments specifically, many NGFWs can identify industrial protocols, detect anomalous behavior, and apply rules that shut down or isolate a segment if a problem materializes.

Routers

Configuring routers to control traffic flows between segments is a must, because the layer-3 boundary between zones is where inter-zone traffic can be permitted or denied. Access control lists (ACLs) applied at that boundary control each network segment granularly based on port, protocol, and source/destination IP addresses; an explicit, logged deny at the end of each list turns every unexpected flow into a visible event rather than a silent drop.
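As an added example (not Claroty's code or tooling), the following Python script ties together the three policy steps above (identifying zones, establishing communication rules, and defining access control) with the router ACL step in this section: it assigns addresses to zones by subnet, checks flow records against an explicit zone-to-zone conduit allowlist, and renders the conduits into one zone as extended ACL lines. The zone subnets, the conduit services (Modbus/TCP on 502, EtherNet/IP on 44818, OPC UA on 4840), and the flow records are all constructed for illustration, and the ACL output uses Cisco IOS-style syntax purely as an example of what the generated rules look like; adapt it to the platform you actually deploy.

```python
"""Zone-and-conduit policy check for an OT network.

Added example, not Claroty's code. Zone subnets, conduit rules and flow
records below are constructed for illustration.
"""
import ipaddress

# Step 1: zones. Each zone is a routed subnet (constructed addressing).
ZONE_SUBNETS = {
    "control": ipaddress.ip_network("10.10.1.0/24"),      # PLCs, safety systems
    "supervisory": ipaddress.ip_network("10.10.2.0/24"),  # HMIs, SCADA servers
    "engineering": ipaddress.ip_network("10.10.3.0/24"),  # engineering workstations
    "dmz": ipaddress.ip_network("10.10.4.0/24"),          # historian, jump hosts
    "enterprise": ipaddress.ip_network("10.20.0.0/16"),   # corporate IT
}

# Step 2: communication rules (the "digital traffic law").
# (source zone, destination zone) -> services permitted on that conduit.
# Anything not listed is denied; same-zone traffic is left to the zone itself.
CONDUITS = {
    ("supervisory", "control"): {("tcp", 502)},                  # Modbus/TCP
    ("engineering", "control"): {("tcp", 502), ("tcp", 44818)},  # Modbus/TCP, EtherNet/IP
    ("supervisory", "dmz"): {("tcp", 4840)},                     # OPC UA to historian
    ("enterprise", "dmz"): {("tcp", 4840)},                      # corporate reads via DMZ only
}


def zone_of(ip: str):
    """Return the zone whose subnet contains ip, or None if it is unassigned."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_SUBNETS.items():
        if addr in net:
            return zone
    return None


def check_flow(src: str, dst: str, proto: str, dport: int):
    """Step 3: decide whether one flow is permitted; returns (allowed, reason)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        # An address in no zone is itself a finding: the inventory is incomplete.
        return False, "endpoint not in any defined zone"
    if src_zone == dst_zone:
        return True, "intra-zone"
    services = CONDUITS.get((src_zone, dst_zone), set())
    if (proto, dport) in services:
        return True, f"conduit {src_zone}->{dst_zone}"
    if services:
        return False, f"{proto}/{dport} not permitted on conduit {src_zone}->{dst_zone}"
    return False, f"no conduit {src_zone}->{dst_zone}"


def audit_flows(flows):
    """Return [(flow, reason)] for every flow the policy does not permit."""
    findings = []
    for flow in flows:
        allowed, reason = check_flow(*flow)
        if not allowed:
            findings.append((flow, reason))
    return findings


def acl_protecting(dst_zone: str):
    """Render the conduits into dst_zone as Cisco IOS-style extended ACL
    lines (illustrative syntax), ending with an explicit logged deny."""
    dst = ZONE_SUBNETS[dst_zone]
    lines = []
    for (src_zone, to_zone), services in CONDUITS.items():
        if to_zone != dst_zone:
            continue
        src = ZONE_SUBNETS[src_zone]
        for proto, port in sorted(services):
            # hostmask gives the wildcard mask the ACL syntax expects.
            lines.append(
                f"permit {proto} {src.network_address} {src.hostmask} "
                f"{dst.network_address} {dst.hostmask} eq {port}"
            )
    lines.append(f"deny ip any {dst.network_address} {dst.hostmask} log")
    return lines


# Constructed flow records: (src, dst, proto, dport), as a collector might export them.
FLOWS = [
    ("10.10.2.21", "10.10.1.11", "tcp", 502),    # HMI -> PLC over Modbus/TCP
    ("10.10.3.31", "10.10.1.12", "tcp", 44818),  # engineering ws -> PLC over EtherNet/IP
    ("10.10.1.11", "10.10.1.12", "tcp", 502),    # PLC -> PLC inside the control zone
    ("10.10.2.21", "10.10.1.11", "tcp", 22),     # HMI -> PLC over SSH: wrong service
    ("10.20.5.77", "10.10.1.11", "tcp", 502),    # corporate laptop -> PLC: no conduit
    ("10.99.9.9", "10.10.1.11", "tcp", 502),     # unassigned address -> PLC
]

if __name__ == "__main__":
    for flow, reason in audit_flows(FLOWS):
        print("VIOLATION", flow, reason)
    print("\n".join(acl_protecting("control")))
```

Run against the constructed flows, the script flags the SSH attempt from the HMI, the direct corporate-to-PLC connection, and the unassigned source address, while the Modbus/TCP and EtherNet/IP conversations on defined conduits pass. The same CONDUITS table drives both the audit and the generated ACL, which is the point: the policy is written once and both the monitoring and the enforcement derive from it, so a change to a conduit shows up in both.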
 

Network Segmentation with Claroty

No matter what point in a segmentation journey your organization is on, it’s crucial to have all your bases covered. Building a fortress takes time, and in today’s threat landscape, there simply isn’t any room for vulnerabilities or weaknesses in your infrastructure. 

With industry-leading solutions for healthcare, industrial, commercial, and public sector, Claroty has all the tools, people, and processes in place to help your organization build the best possible result. 
