Micro Segmentation: What is it and How to Implement
Operational Technology (OT) networks are becoming increasingly important for organizations to manage and control their critical infrastructure. These networks include systems that control everything from power plants and water treatment facilities to manufacturing plants and transportation systems. As a result, OT networks are often seen as a prime target for cyber-attacks.
One way to protect OT networks is through network segmentation. Network segmentation involves dividing the network into smaller subnetworks, or segments, and restricting access between them. This can be accomplished by implementing firewalls, access control lists, and other security measures to control traffic flow between segments. By leveraging the Principle of Least Privilege, or Network Segmentation, utilities can achieve a faster time to value and protection over longer traffic analysis solutions. Network Segmentation enables organizations to understand the criticality of assets and to separate dependencies to avoid catastrophic failure.
The benefits of network segmentation are numerous. First, it limits the scope of a cyber-attack. If a hacker gains access to one segment, they are prevented from moving laterally to other parts of the network. Second, it allows for more granular control of security policies. Different segments can have different security policies depending on their level of criticality. Third, it can simplify compliance with regulations and standards. Segmentation can be used to isolate systems that are not subject to regulatory requirements, making it easier to demonstrate compliance with standards such as NERC CIP.
Segmenting a network is the most efficient way to prevent attackers from extending their reach through lateral movement. Unfortunately, network segmentation is easier said than done. Complex network environments going through frequent changes are prone to become more porous over time.
“Segmentation is hard to instrument, but easy to talk about.” .. Stephen Gallagher VP of Sales, Network Perception
When implementing network segmentation, it is important to follow best practices to ensure that it is effective. Network Perception recommends adopting a 3-step network access policy hardening approach:
- Deny all access by default
- Define network zones
- Enable connectivity among zones on a strict need-to-know basis
If starting from a clean slate is not possible, then one should at least verify rulesets to identify overly permissive rules (e.g., “any” source or “any” destination) and reduce their scope. Cyber risk alerts should be designed through collaboration with cybersecurity experts to ensure that any misconfigurations and cyber vulnerabilities are instantly identified.
Each time a change in the network is detected, the cyber risk analysis checkers are automatically running over the modified configuration files to report possible issues.
With Network Segmentation in place, ongoing network risk assessments should include:
- Assessing the correctness of network segmentation
- Identifying risky network connectivity paths and misconfigurations in configuration files
- Understanding exposure of vulnerable assets
- Detecting overly permissive rules
- Reporting unsecured network protocols
- Cleaning up unused rules and object groups
- Importing security advisories to check for vulnerabilities
In conclusion, network segmentation is an effective strategy for protecting operational technology networks from cyber-attacks. By limiting the scope of an attack, it can help to prevent damage to critical infrastructure and reduce the risk of a catastrophic event. However, it is important to follow best practices when implementing segmentation to ensure that it is effective and achieves the desired security outcomes
– Reach out to one of our OT/ICS Specialists and hear more on the importance of micro segmentation –