Segmentation and Segregation in Industrial Cyber Security

Historically, operational technology (OT) networks were often air-gapped: physically separated from the corporate IT network and the outside world. This approach has grown less practical and, in reality, very few truly air-gapped systems exist. OT systems have become more integrated and now rely on communication with other networks. While linking OT systems to the intranet or internet enables new possibilities such as remote monitoring, control, optimisation and access to process data for BI and ERP systems, it also exposes these systems to the risk of intrusion, with cybercriminals compromising IT networks as a route into OT systems. Attacks against utilities, shipping lines, industrial plant and other infrastructure are on the rise.

While it is no longer feasible to fully air-gap OT networks, using appropriate segregation and segmentation solutions considerably improves the overall security posture. By splitting the OT network into smaller, more manageable portions or zones, organisations can focus their security efforts on each specialised region and limit how far a single intrusion can spread. This method also enables more granular access control, ensuring that only authorised people and systems may connect.

When OT and IT networks are not adequately segregated, uncontrolled conduits are created which attackers may exploit. Because of this lack of segmentation and segregation, hostile actors may quickly move from the IT network into the more vital OT network and, where the OT network itself lacks sufficient segmentation, may then move laterally into other OT systems, where they can interrupt operations, steal sensitive data or even compromise safe plant operation.

The ISA/IEC 62443 standard, a comprehensive framework for the cybersecurity of industrial automation and control systems (IACS), emphasises the need for segregation and segmentation in defending OT networks. Segregation entails establishing distinct zones within the OT network, separating assets of differing criticality and function. Segmentation takes this a step further by enforcing security controls between these zones to prevent unauthorised access and communication.

Key controls to consider when implementing segregation and segmentation include those listed below. Remember that not all zones require the same treatment: only the most critical will need the majority of these controls, while less critical zones may warrant only minimal protection (assuming they are adequately segmented from other zones).

• Asset Identification and Classification: clearly identify and classify OT assets according to their criticality, function and risk profile.
• Network Segmentation: based on asset classification, function and risk, divide the OT network into logical zones or segments.
• Access Control: implement strong access control methods to govern communication across zones, and ensure that only authorised people and systems have access to specified resources.
• Boundary Protection: use security mechanisms such as firewalls, intrusion detection and intrusion prevention to protect the perimeter of each zone.
• Vulnerability Management: scan and review OT systems for vulnerabilities on a regular basis, prioritising remedial activities based on risk.
• Continuous Monitoring: implement solutions for continuous network monitoring to observe network activity, identify abnormalities and detect potential breaches.
• Incident Response: create detailed incident response protocols to respond to and recover from cybersecurity breaches.
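The zone-and-conduit model behind the controls above can be expressed as an explicit allow-list, and the same list doubles as a detection rule for continuous monitoring. The following is an added example written for this page (not CyberPrism's software or anything from the ISA/IEC 62443 text); the zone address ranges, conduits and flow records are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology: criticality rises from corporate IT
# through the OT DMZ and supervisory zone to the process-control zone.
ZONES = {
    "corporate-it": ip_network("10.0.0.0/16"),
    "ot-dmz": ip_network("10.10.0.0/24"),
    "supervisory": ip_network("10.20.0.0/24"),
    "control": ip_network("10.30.0.0/24"),
}

# Permitted conduits as (src_zone, dst_zone, proto, dst_port); direction
# matters, and any inter-zone flow not listed is a segmentation violation.
CONDUITS = {
    ("corporate-it", "ot-dmz", "tcp", 443),  # BI/ERP reads the DMZ historian replica
    ("ot-dmz", "supervisory", "tcp", 443),   # replica pulls from the SCADA historian
    ("supervisory", "control", "tcp", 502),  # HMI/SCADA polls PLCs over Modbus/TCP
}

def zone_of(ip):
    """Map an address to its zone; None means an unclassified asset."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate(flow):
    """Return (verdict, reason) for one flow record; unknown assets fail closed."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone is None or dst_zone is None:
        return "deny", "unclassified asset"
    if src_zone == dst_zone:
        return "allow", "intra-zone"
    if (src_zone, dst_zone, flow["proto"].lower(), int(flow["dport"])) in CONDUITS:
        return "allow", f"conduit {src_zone}->{dst_zone}"
    return "deny", f"no conduit {src_zone}->{dst_zone}"

def find_violations(flows):
    """Flows a boundary device should block and monitoring should alert on."""
    return [f for f in flows if evaluate(f)[0] == "deny"]

# Constructed flow records, as a passive network monitor might export them.
SAMPLE_FLOWS = [
    {"src": "10.0.5.20", "dst": "10.10.0.5", "proto": "tcp", "dport": 443},
    {"src": "10.0.5.20", "dst": "10.30.0.7", "proto": "tcp", "dport": 502},  # IT straight to a PLC
    {"src": "10.20.0.3", "dst": "10.30.0.7", "proto": "tcp", "dport": 502},
    {"src": "10.30.0.7", "dst": "10.20.0.3", "proto": "tcp", "dport": 502},  # wrong direction
    {"src": "192.168.99.1", "dst": "10.30.0.7", "proto": "tcp", "dport": 502},  # unknown source
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src"], "->", f["dst"], *evaluate(f))
```

Running it flags three of the five sample flows; the same evaluate() logic, fed from the firewall's rule base rather than a hard-coded set, lets monitoring confirm that what the boundary device permits still matches the documented conduits.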

OT network security is vital for securing critical infrastructure and ensuring operational continuity. Organisations may dramatically improve their cybersecurity posture, eliminate the risks associated with unsegmented OT and IT networks, and protect their key assets from cyber threats by using effective segregation and segmentation techniques.

CyberPrism’s Guard is an effective IT and OT network edge and segmentation device. Built primarily on open-source code, but containing our proprietary software which allows it to operate safely deep within OT networks, it is a scalable solution that can be deployed on passively cooled, DIN-rail-mountable industrialised hardware, all the way up to full 19″ rack-mountable systems suitable for whole-enterprise protection. Guards can be used standalone or in high availability (HA) mode and can be supplied on hardware meeting most standards for most industries (including vibration, TEMPEST, IPxx, hardware rail, medical, marine, military, tropicalised, etc.), and on hardware with extended lifecycle support.