Microsegmentation of Industrial Networks

In this article, we explore the advancements the industrial sector is adopting to implement the principle of defense-in-depth in its networks.

This principle refers to the advantages of protecting critical equipment by positioning it behind multiple layers of defense, providing several opportunities to detect or stop an attack before it impacts the system’s critical elements.

The primary tool for this is network segmentation or, in more advanced cases, microsegmentation. Segmentation involves the set of techniques and equipment used to separate a single network into multiple segments (zones) that communicate only through identified and protected channels (conduits).

Segmentation helps reduce the attackable perimeter of each zone, as inbound and outbound communications are limited to defended perimeter points. With greater control over network traffic, it’s possible to create more complex architectures through:

• Vertical Segmentation: Separating zones with different privilege levels. Typically, an upper zone is created with more general access for users or external connections, and a lower zone with more restricted access.
• Horizontal Segmentation: Separating zones with the same privilege level but different access levels, generally separating zones by functionality.

These building blocks create the secure industrial network architectures that have become popular and the new models being adopted in more advanced systems.

Basic Industrial Segmentation Model

Currently, industrial networks vary significantly across sizes, sectors, and countries. However, where cybersecurity has been considered in their design, either initially or retroactively, there’s a trend toward a homogeneous model with necessary modifications to suit specific needs.

This general layered security model can be summarized as a series of measures illustrating the defense-in-depth principle:

1. The industrial network is separated from the corporate network to reduce unnecessary traffic and access to the industrial network. The degree of separation varies according to each network and the maturity of security measures.
2. The industrial network is positioned beneath the corporate network. This way, the industrial network is protected by a prior layer, which an external attacker must pass to reach it.
3. An intermediate network, commonly called a Demilitarized Zone (DMZ), is deployed between the two networks. The DMZ serves as a security border between the networks, providing a safe location for auxiliary systems and managing traffic between both environments.

This widely used model serves as a starting point for industrial segmentation. It’s straightforward and adaptable to various systems while providing an acceptable level of security.

However, two main factors drive the adoption of more sophisticated models in advanced or critical networks:

• The Incorporation of IIoT Equipment, IT Technologies, or AI Technologies: These tools can significantly enhance productivity or efficiency but may conflict with traditional models, as many require constant connections with external networks, wireless networks, or access from the corporate network.
• The Increase in Threats’ Volume and Complexity: As attackers gain experience with industrial environments, attacks have become more frequent and damaging. Though adaptable, the general model can quickly become inefficient and costly when adding complementary security measures compared to a base architecture change.

The new models aim to address these issues.

How to implement Microsegmentation

Microsegmentation, recognized in regulations like IEC 62443, involves using known segmentation methods (horizontal and vertical segmentation) to create independent zones within a classic industrial network.

For effective microsegmentation, it’s essential to start by identifying potential zones within an industrial network. This process is best begun with a network risk assessment: What equipment is critical to production? Which introduces a higher level of risk? Which has special operational needs? Answering these questions helps organically identify groups of equipment with similar characteristics.

Examples of common zones in microsegmented networks include:

Control Zones: Contain essential equipment for controlling the production process, with the highest security level and restricted access. It’s advisable to define multiple independent control zones where possible. For example, separating control systems for independent production lines in a manufacturing plant can prevent an incident from disrupting total or partial production.
Monitoring Zones: House equipment that collects industrial process data without control capabilities. Its criticality depends on the data it handles and the intended recipients. Special care is required for equipment transmitting industrial process data outside the network, as they inherently introduce confidentiality risks and potential intrusion vectors.
Safety Zones: Host protection and incident prevention equipment. These systems typically function in isolation from external networks, but their availability is critical. Placing them on a general industrial network exposes them to unnecessary risks without offering operational advantages.
Compliance Zones: Depend on sector, size, and company culture, often monitoring data like emissions, production KPIs, stock, machine status, and energy consumption. These systems typically require high availability and communications with corporate and external networks.
Additional Zones:

• Data Hosting Zones: Servers, storage units, and databases, ranging from constantly accessed production data to cold storage for backups.
• Auxiliary Service Zones: Typically central servers for cross-zone services, such as email, antivirus, asset discovery, and permissions management.
• Testing Zones: Secure environments for validating changes before applying them to live environments.
• Redundancy Zones: For equipment that doesn’t normally participate in production but offers alternative operations if primary systems are disabled.

The combinations of these zones are nearly infinite and can be adapted to each industrial environment. A zone can be as small as a single isolated device or as large as necessary, allowing combinations, such as deploying a specific monitoring zone within a control zone to create a data channel without directly accessing the control zone.

However, deploying such architectures using traditional technologies quickly becomes impractical. Multiplying the number of zones increases the number of network devices and boundaries that need to be purchased, deployed, and maintained. Therefore, it’s essential to understand the technologies that support this advanced segmentation.

Microsegmentation Technologies

Several network technology families have evolved to support microsegmentation, with key examples being:

• OT Firewalls: Typically rack-mounted for many connections, recent firewall models are miniaturized for installation in electrical cabinets, small spaces, or harsh conditions. These devices usually allow centralized management from a main console to control multiple boundary points with granular rules for each case.
• Managed Switches: Though managed switches capable of creating segmented networks and traffic control have been available, microsegmentation has driven the development of more flexible models in terms of size, capabilities, and security features.
• EDR (Endpoint Detection and Response): Similar to OT firewalls but with added security functions. EDRs can include antivirus, whitelisting, DoS protection, and IDS/HIDS capabilities, providing all-in-one solutions for environments where traditional security measures are impractical.
• IoT Gateways: Similar to traditional gateways, these devices centralize and distribute IIoT protocol traffic, simplifying its management and segmentation. Industry-designed models often add security capabilities like encryption, access control, load balancing, and deployment for challenging conditions.

As seen, most new microsegmentation technologies are updated versions of devices currently used for traditional segmentation, designed to simplify network management while adapting to the unique needs of industrial networks.

Conclusions

Microsegmentation is increasingly becoming an essential tool for industrial control system protection due to various factors:

• New technologies facilitate implementation.
• Network management is easier when designed with defense-in-depth principles from the outset.
• The increasing variety of equipment and technologies within industrial networks introduces multiple connectivity needs.
• Greater interconnectivity among industrial systems increases traffic and users to manage.

These factors make microsegmentation increasingly recommended for all types of industrial networks. However, even small or less advanced networks can benefit from its cybersecurity advantages, such as:

• Controlling traffic from vulnerable or specific equipment behind independent firewalls.
• Separating equipment accessible by providers and external entities from the rest of the network with two independent control networks.
• Isolating safety equipment through air gaps.

Thus, it’s advisable to consider implementing microsegmentation practices when designing new industrial networks or when making changes or introducing new equipment in existing networks.

Source: INCIBE (National Cybersecurity Institute of Spain)