Microsegmentation of industrial networks

Updated on 31/10/2024
Author
INCIBE (INCIBE)

This article explores the advances that the industrial sector is adopting when implementing the principle of defense in depth in its industrial networks.

This principle refers to the advantages of protecting critical equipment by positioning it behind several layers of defense. In this way, there are several opportunities to detect or stop an attack before it hits the critical elements of a system.

The main tool for this is network segmentation, or in advanced cases, microsegmentation. Segmentation is understood as the set of techniques and equipment used to separate a single network into multiple segments (zones) that communicate only through identified and protected channels (conduits).

Segmentation makes it possible to reduce the attackable perimeter of each zone, since inbound and outbound communications are limited to defended perimeter points. With greater control over network traffic, it is possible to create more complex architectures by means of:

  • Vertical segmentation: separation between zones with different levels of privilege. Generally, an upper zone is created with more general access for users or external connections, and a lower zone with more restricted access.
  • Horizontal segmentation: separation between zones with the same level of privileges, but different levels of access. Generally, zones are separated by functionality.

These building blocks are the basis for the cybersecure industrial network architectures that have become popular to date and the new models that are being adopted in more advanced ones.

Basic industry segmentation model

Currently, as is to be expected, industrial networks present a high degree of variety across different sizes, sectors of activity and countries. However, in those cases where cybersecurity has been taken into account during their design, or retroactively, there is a tendency towards a homogeneous model adapted with the necessary modifications to suit the needs of each case.

This general layered security model can be summarized in a series of general measures that illustrate the defense-in-depth principle:

  • The industrial network is separated from the company's corporate network in order to reduce traffic and unnecessary access to the industrial network. The degree of separation varies from one network to another and according to the maturity of the security measures implemented.
  • The industrial network is positioned under the corporate network. The industrial network is thus protected by an upstream layer through which an external attacker must pass to reach it.
  • An intermediate network, usually called a demilitarized zone (DMZ), is deployed between the two networks. The DMZ serves as a security boundary between the two networks and provides a secure location for systems ancillary to the industrial network and for traffic management between the two environments.

This widely used model is a starting point for industrial segmentation. It is a simple model, easy to adapt to a wide variety of systems, but provides an acceptable level of security.

However, two main factors are motivating the adoption of more sophisticated models in the most advanced or critical networks:

  • The incorporation of IIoT equipment, IT technologies, or more recently, AI technologies. This equipment can bring significant gains to the productivity or efficiency of an industrial system, but conflicts with the traditional model. Many rely on constant connections to external networks, wireless networks or access from the corporate network.
  • The increase in number and complexity of threats that industrial networks face. As attackers have gained experience with industrial environments, attacks have become more common and more damaging. And, while the overall model is highly adaptable, adding additional security measures can quickly become inefficient and costly compared to a change of base architecture.

The new models seek to solve both problems.

Microsegmentation

Microsegmentation, recognized in regulations such as IEC 62443, is the practice of using familiar segmentation methods (horizontal and vertical segmentation) to create independent zones within a classic industrial network.

For effective microsegmentation, it is necessary to start by identifying the possible zones within an industrial network. It is advisable to start this work with a risk analysis of the network: which equipment is critical to the production process, which introduces a higher level of risk, and which has special needs or requirements for its operation. As these questions are answered, groups of equipment with similar characteristics emerge organically.

Some examples of areas typically found in networks with microsegmentation include:

  • Control zones: these contain the essential equipment to control the production process. They have the highest possible security level and the most restricted access.
    • When possible, it is advisable to define multiple independent control zones. For example, in the case of a manufacturing plant with multiple independent production lines in parallel, separating the control systems of the different lines can make the difference between an incident interrupting the total or only partial production of the plant.
  • Monitoring zones: where the equipment that collects data from the industrial process is located but does not have control capacity. Their criticality depends on the data they process and who, or what, is going to access them. 
    • Special care must be taken with equipment that sends industrial process data outside the industrial network. These devices inherently introduce confidentiality risks and potential intrusion vectors, so separating them from more important devices and controlling the direction and content of their communication channels is essential.
  • Safety zones: intended for physical incident prevention and protection equipment. Normally this equipment can work completely isolated from the external network, but its availability is critical. Therefore, by being located in a general industrial network, it is exposed to an unnecessary level of risk without offering any advantage (beyond having a network that is easier to deploy and maintain).
  • Compliance zones: Regulatory and business compliance requirements depend on the industry, size and culture of each company. 
    • In general, it is common to require equipment to monitor data such as: gas emissions, liquid discharges, production and stock performance indicators, machine status and energy consumption. This equipment is usually subject to strict requirements for availability and communications with corporate and external networks. 
  • Additional zones
    • Data hosting zones: servers, memory drives and databases that can range from constantly accessed data for production, to cold storage for backups.
    • Ancillary services zones: typically, central servers for services that cut across multiple zones: mail, anti-virus, asset discovery, permissions management, etc.
    • Testing zones: secure environments in which to validate changes before applying them in real production environments.
    • Redundancy zones: intended for equipment that does not usually participate in the production process but offers an alternative way of operating the network in case the primary equipment is disabled.

The combination possibilities of these zones are practically infinite and adaptable to the reality of each industrial environment. A zone can be as small as a single isolated piece of equipment, or as large as necessary. Likewise, typologies can be combined, for example by deploying a specific monitoring zone within a control zone, creating a data channel without directly accessing the control zone.
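The following is an added example, not INCIBE's code, that puts both the basic corporate/DMZ/industrial model and the zone types above into a checkable policy: zones are mapped to subnets, conduits are directional port allowlists, and constructed flow records are audited against them. All addresses, zone names and conduits are assumptions for illustration.

```python
# Added example, not INCIBE's code: a default-deny zone/conduit policy checked against
# constructed flow records. Addresses, zones and conduits are assumed for illustration;
# the rules follow the article's model (corporate reaches control only through the DMZ,
# monitoring exports data outbound only, safety equipment stays isolated).
from ipaddress import ip_address, ip_network
ZONES = {  # constructed addressing plan: zone name -> subnet
    "corporate": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.10.0.0/24"),
    "control_line1": ip_network("192.168.1.0/24"),
    "control_line2": ip_network("192.168.2.0/24"),
    "monitoring": ip_network("192.168.50.0/24"),
    "safety": ip_network("192.168.99.0/24"),
}

CONDUITS = {  # (initiating zone, destination zone) -> allowed destination ports; direction matters
    ("corporate", "dmz"): {443},
    ("dmz", "control_line1"): {502},           # e.g. Modbus/TCP via a relay host in the DMZ
    ("dmz", "control_line2"): {502},
    ("control_line1", "monitoring"): {502},
    ("monitoring", "dmz"): {8883},             # data export, outbound only
}

def zone_of(ip):
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def evaluate(src, dst, dport):
    """Verdict for one connection attempt; replies are implied by a stateful firewall."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny:unknown-zone"
    if s == d:                                 # traffic inside a zone is not filtered here
        return "allow"
    if "safety" in (s, d):                     # safety zone has no conduit at all
        return "deny:safety-isolated"
    if dport in CONDUITS.get((s, d), set()):
        return "allow"
    return f"deny:no-conduit {s}->{d}:{dport}"

SAMPLE_FLOWS = [  # constructed "src dst dport" records, as a firewall log might give
    "10.0.1.5 10.10.0.7 443",         # corporate -> DMZ relay: allowed
    "10.0.1.5 192.168.1.10 502",      # corporate -> control directly: bypasses the DMZ
    "10.10.0.7 192.168.50.20 8883",   # DMZ -> monitoring: wrong direction for export
    "192.168.1.10 192.168.2.10 502",  # line 1 -> line 2: independent control zones
    "192.168.99.3 192.168.1.10 502",  # safety -> control: isolated zone
]

def audit(records):
    """Return (record, verdict) for each record the policy does not allow."""
    verdicts = {r: evaluate(*r.split()[:2], int(r.split()[2])) for r in records}
    return [(r, v) for r, v in verdicts.items() if v != "allow"]
```

Running `audit(SAMPLE_FLOWS)` flags the four records that cross a zone boundary without a matching conduit; the same table can be rendered into a firewall rule set once the zones are agreed.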

However, deploying such architectures using the more classical technologies quickly becomes impractical. Multiplying the number of zones means multiplying the number of network equipment and borders that must be purchased, deployed and maintained. It is therefore essential to be familiar with the technologies that enable this type of advanced segmentation.

Microsegmentation technologies

There are several families of network technologies that have evolved to adapt to microsegmentation, the most notable of which include:

  • OT firewalls: traditionally designed to be installed in server racks and support many connections, the latest ranges of firewalls include miniaturized versions prepared for deployment in electrical cabinets, small spaces or under demanding conditions. On the other hand, the number of available ports is much smaller (down to firewalls with only a couple of ports). These devices usually allow centralized management from a central console. In this way, multiple border points can be controlled with granular rules for each case.
  • Managed switches: although managed switch technology (switches with capabilities for the creation of segmented networks and traffic control between them) already existed, the adoption of microsegmentation models has led to the emergence of more flexible models, in terms of size, capabilities and security measures.
  • EDR (Endpoint Detection and Response): usually similar to OT firewalls, but incorporating additional security functions. An EDR can include antivirus capabilities, whitelisting, protection against denial of service and/or buffer overflow, and IDS and/or HIDS capabilities. The objective of these devices is to serve as an all-in-one solution for equipment where the deployment of traditional security measures is not possible or is impractical. This makes them ideal solutions for small zones with industrial equipment not compatible with traditional solutions.
  • IoT Gateways: similar to traditional gateways, these devices centralize and distribute IIoT protocol traffic (among others), facilitating its management and segmentation. Models designed for industry, in addition, usually provide security capabilities such as encryption, access control, load balancing or designs prepared for deployment in more demanding conditions.

As can be seen, most of the new technologies for microsegmentation consist of variants or updated versions of devices currently used for classical segmentation. These new versions are aimed at facilitating network management, while being better adapted to the particularities of industrial networks.

Conclusions

Currently, microsegmentation represents mainly an additional goal for industrial systems with a more advanced level of cybersecurity maturity. However, as the complexity and number of risks increases, it is gradually becoming an essential tool for the protection of industrial control systems. This is due to several factors:

  • New technologies make it easier to implement.
  • Easier management of a network provided it is designed with defense in depth from the beginning.
  • The increase in the variety of equipment and technologies in industrial networks, which introduces multiple needs and types of connectivity.
  • Increased interconnectivity between industrial systems, increasing traffic and users to be managed.

All these factors make microsegmentation increasingly recommended for all types of industrial networks. However, there are multiple use cases for small or less advanced networks that nevertheless provide cybersecurity advantages, such as:

  • The traffic control of vulnerable or specific equipment behind separate firewalls.
  • Separation of vendor and externally accessible equipment from the rest of the network with two independent control networks.
  • Isolation of safety equipment by means of air gaps.

As a consequence, it is recommended to consider the possibility and advantages of implementing microsegmentation practices during the design of new industrial networks or when applying changes or introducing new equipment in existing networks.