How to Protect Your OT Network — Without Disrupting Operations
In this article
The following article was written by William Noto from our partner, Fortinet.
In a network configuration where things go through the switch, a firewall never sees the activity — meaning organizations are unable to monitor the traffic within their OT network. It can be difficult to really understand what is going on within a network or see when things change — which is precisely what bad actors are hoping for when they attack a target.
Traditional firewalls provide some protection but come with drawbacks such as application awareness limitations, issues with network speed, logistical drawbacks, and a lack of evolutionary capabilities. Fortunately, where traditional firewalls fall off, next-generation firewalls (NGFWs) pick up. NGFWs deliver the best in network and data security — including versatility, intelligence port control, simple infrastructure, updated threat protection, and consistent network speed. In addition, rugged NGFWs deliver enterprise security for operational technology environments with full network visibility and threat protection. Organizations can weave security into industrial control system (ICS) architectures and build networks that fit within harsh and industrial environments.
For maximum benefit, however, even these advanced firewalls are best deployed inside an OT network, specifically one that has been well segmented.
The Purdue model talks about devices based on their function and then assigns them a level based on that function. However, the newer standard, IEC 62443, brings in the paradigm of zones and conduits that are important as the OT network becomes more segmented. Levels of network segmentation include:
Flat networks: with no segmentation at all, visibility and control of these networks are extremely limited, and any attack can spread north-south and east-west throughout the network.
L2 segmentation: using a combination of VLANs + switches, this level of segmentation does limit the impact to a compromised asset, with each zone having its own VLAN. However, there is no payload visibility, inter-zone access control is limited, and there is no east-west traffic inspection or segmentation.
L3 segmentation: this type of segmentation also uses VLANs + switches, but at this level, every device has its own VLAN. While it is possible to determine which devices can talk to which, this type of arrangement is very brittle, with changes requiring expensive planning and the very real possibility that an error will lead to downtime.
L7/L3 segmentation: When networks achieve this level of microsegmentation, the amount of achievable granularity enables a deep level of visibility and control. It's possible to identify not only what devices are on the network but also what applications are running such as Ethernet/IP or MODBUS; even the difference between reading a value and sending a command is visible. It also becomes easier to visualize the network's physical and logical topology.
While the benefits of NGFWs on the OT network are clear, there is often real hesitation to act on that knowledge. Unlike IT networks, downtime on OT networks can be incredibly costly — or in the case of critical infrastructure, even life-threatening. The question of how to segment the network without inserting chaos in the environment, introducing downtime, and compromising the safety or quality of the product looms large.
So how can an organization implement microsegmentation without taking down its environment? By having an extensive process that details everyone's responsibility — not just for the initial implementation or installation, but also considering ongoing maintenance.
Best practices to follow — and unsuccessful ones to avoid — include:
- Develop a plan for where you want to be and a reasonable timeline to implement
- Minimize disruption by taking steps that have the least possibility of failure
- Gather data from each step and use it to reassess before implementing the next step
- Forget to identify business needs and risks
- Fail to define your goals and align stakeholder interests
- Shortchange the process of identifying your zones and their priority
- Implement everything as a big-bang approach
The ultimate goal should be to achieve holistic security of the OT environment, which is why it's important to invest in a platform to secure all the layers of the network, including traditional (and non-traditional) network endpoints. That's where Fortinet's expertise can help. Fortinet's FortiGate NGFWs exceed the industry standard in providing superior protection, as recognized for the 12th time in Gartner's Magic Quadrant for Network Firewalls. FortiGate solutions combine all firewall permutations into a single, integrated platform, including new SD-WAN functionality. Its single-pane-of-glass management offers a simplified experience for a broad array of use cases, as well as flexible deployment across all network edges. Fortinet's security-driven approach to networking enables security to be built into every aspect of the network, from the ground level up.
It's easy to be paralyzed by the fear of downtime, the enormity of the entire process, or get caught up in recriminations about what should have already been done. Focus instead on moving forward by asking: What can be done today and tomorrow to consistently improve the network environment? Addressing the security concerns of your business and your network now can pay dividends of time, savings, safety, and privacy in the future. Not only do NGFWs and proper segmentation deliver security, but they also can give you a marketable competitive advantage over competitors that are behind the security curve.