Network Segmentation and Micro-Segmentation
Let´s set the scene with some basic definitions. Network Segmentation appeared originally in the IT world when the idea of splitting networks into different network segments highlighted the advantages of performance and security. In the OT world, Network Segmentation protects the production environment from the IT world.
The beauty of Micro-Segmentation is to break the production network into very granular isolated parts. To each of those parts, a specific set of policies can be applied.
While Segmentation is commonly considered a North-South Zoning and can be inspired by the Purdue levels, Micro-Segmentation is then East-West zoning. This zoning can be at the level of application, system, production cell, etc.
Fig.1 Network Segmentation North-South and East-West
Commonly accepted benefits of Micro-Segmentation
The benefits of Micro-Segmentation are often seen from different perspectives in IT, but for the OT world, they can be summarized as:
Reduced attack surface: The granularity of control on the security zones enables more detailed security policies and rules, and therefore, control on the security risks.
Transparent understanding of the environment: It forces increased transparency on the network flows. This visibility increases the understanding of the inventory in the different zones and helps both detection and remediation in case of incidents.
Reduced risk of lateral movements and improved breach containment: Lateral movement is what an attacker does when he gains access to one point in the network and tries to pivot to his next target. Thanks to Micro-Segmentation, the control of these unexpected traffic types is facilitated through the granularity of the policies and firewall rules. Containment, in case of compromise, is made easier as a consequence.
Why can it become counterproductive?
Until now, that all looks extremely positive. However, the devil is in the details. And these details are the source for all sorts of challenges.
We have seen customers who, soon after implementing a well-organized project of Micro-Segmentation in their manufacturing environment, ended up back with a nearly flat network. How could that possibly happen? Was their organization so bad? Not really.
The above-mentioned classic VLAN-based Segmentation and Micro-Segmentation requires extremely well thoughts and refined VLAN types and grouping, FW rules, ACLs, policies. But the more micro-segment you implement, the more difficult it becomes to operate and maintain. In addition, the more chances of implementing systems in the wrong zones for the future.
From this “over implementation” of network segmentation comes a long list of difficulties:
bottlenecks in the network,
increased complexity in operation, prone to mistakes from the operations teams,
lack of understanding from the engineering teams leading to de-segmentation,
uncertainty in the implementation leading to maturity regression,
lack of trust in the overall model leading to doubt in the team’s mind.
How to find the balance?
How can a good method end up in such a bad result? Like most times in life, success is in the balanced and well-thought implementation of the method. Micro-Segmentation is good. But do not aim at an extreme segmentation. Some advice from our experience:
Defined risk-based zones: In your East-West segmentation, do not try to increase the number and the type of zones. Target a risk-based approach based on the production type, the criticality of the devices, or the legacy status of systems.
Fight the over-segmentation: Do not let the ideas, the potential sources of zoning, and the fear of “not doing enough” make you create more types of zones than required. Always think of the engineers who will have to decide where to place a system or the network engineers who will have to operate the environment. Provide clear guidance and documented principles.
Train your operational teams: The training is essential for the network operation teams and the project management of major infrastructure changes at your sites. For Network Segmentation, like for all cybersecurity, there is never too much awareness.
Look into other technologies: Network segmentation at VLAN level is not the only way. If you want to implement a more granular level of segmentation or achieve other objectives, look into other technologies.
Some hints into technology
Several of the major network vendors and new players have been developing technologies that facilitate Micro-Segmentation in OT. For example, Software Definition Frameworks leverages the native firewall functionality and, thanks to agent-based solutions, provides a more manageable Micro-Segmentation environment. The drawback, of course, is the installation of the agent.
As you already imagine, like for an out-of-the-box solution, we would highly recommend planning some adaptation to the environment. However, it will bring some advantages in the future of micro-segmentation in OT.