Industrial IoT is ushering the era of IT and OT convergence. However, making traditional OT assets smarter with IT technologies also means a larger cyber threat surface and, hence, more exposure to cyberattacks which are growing smarter as well.
Unlike in IT, a breach in OT security means not just data and identity loss, but possible breakdown of critical infrastructure and even human safety.
Industrial equipment like turbine engine or industrial control systems was never built to evolve as cybersecurity-savvy IT products. But now these very OT assets are getting connected to open data networks. Lack of evolved cybersecurity stack in these “live” assets calls for immediate security countermeasures.
That’s when the spotlight turns on segmentation and DMZ (also known as perimeter network) for plausible rescue.
Network segmentation started in enterprise IT networks using shared media/Ethernet as a means to improve performance and bandwidth. Over time, however, it proved itself as a proactive security tool. Segmentation of a network into separate zones or subnetworks (such as HR, operations and engineering) reduces traffic collision and improves throughput. However, a side and more compelling benefit is that it allows the containment of network traffic within a specific zone. That in itself is a very effective way to prevent malicious traffic from spreading across the enterprise network.
According to ISACA, “a common technique to implement network security is to segment an organization’s network into separate zones that can be separately controlled, monitored and protected.”
DMZ, until now, was selectively used in industries by defining few broad perimeter networks. However with increased sophistication of cyberattacks and as traditional factory assets become intelligent and connected, just one line of defense isn’t enough.
In case of an intrusion, a countermeasure is critical to prevent lateral movement of the malware. As a result, zoning inside corporate IT networks, and even between IT and OT networks, is important.
Now the question is: Are conventional segmentation principles good enough to secure industrial OT assets?
OT and IT segmentation: The dynamics differ
Zoning industrial networks to create multiple perimeters is a promising way to secure OT assets. However, to implement it we just can’t replicate IT segmentation techniques such as VLANS, routing and firewalls as is. VLANs and routing can become complex very quickly. Implementing IP address and subnet configurations often run into complexity, require reconfigurations and demand specific technical skills. This may not be easy to get around in OT environments.
Most IoT devices are either too low in computing resources to integrate robust security stacks or not designed (think of turbine engines, industrial belts) to integrate security stacks prevalent in IT.
Easy virtual zoning
In the case of large industrial systems, they are too large to move around. In many cases the devices are located in remote locations and not easily accessible to maneuver physically. Besides, in OT, well-defined software upgrade cycles to integrate patches, etc., are missing. And most importantly, these systems must run uninterrupted. Industrial equipment downtime translates to disruptions which are mostly unacceptable.
That’s why when planning segmentation in OT environments, we must think differently.
A zoning solution needs to be easy and done in a centralized manner without having to move around bulky industrial gear or reengineer existing systems.
Instead of physical segmentation as in the case of IT, in OT environments we need to think of virtual or logical zones, without any physical dependency and simpler user interface through which these zones can be centrally configured and controlled.
Deep packet inspection
DMZ defines the periphery of a zone and uses firewalls, either standalone or cascaded. Firewalls are used for deep packet inspection and traffic filtering. Deep packet inspection and intrusion detection provide the needed information to process incoming traffic.
However, IT firewalls are designed to read IP protocols and as such cannot serve the purpose for many industrial protocols such as Modbus, MTConnect and OPC. To secure OT networks, we need firewalls which in addition to IP can also inspect the packets and extract contextual information to monitor, protect and control OT zones.
As security technologies in industrial IoT steadily evolve, segmentation can provide considerable relief to security concerns in OT environments — so long as we develop and use the right tools and methodology specific to OT. Simply replicating IT legacy may not help that far.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.