Segmenting Mixed IT/OT Environments: Challenges and Where to Start
Consider two cyberattack scenarios.
Scenario #1: Manufacturing Facility
- Employee receives and clicks on phishing email.
- Employee's computer is compromised.
- Employee's credentials are harvested.
- Employee's credentials are used to access employer's Industrial Control System (ICS) network.
- Adversary logs in to the ICS using employee's credentials.
- Adversary moves laterally throughout the ICS network.
- Adversary compromises critical systems by installing malware.
- The malware exploits unpatched vulnerabilities and wipes all control stations, disrupting the production line and causing the safety systems to fail.
Scenario #2: Utility
- Utility allows vendor to connect a vendor-owned laptop to control system for support.
- Vendor connects to turbine control system to update software version per SLA.
- Vendor's laptop is already infected, and the malware spreads to the control system.
- The infected control system spreads the malware to other vulnerable systems on the network.
- The malware takes the control system offline, causing a turbine trip.
Each scenario arises from a lack of security controls in environments where IT and the ICS interconnect. While IT and ICS connections make business sense, implementation without understanding and mitigating risks can prove to be catastrophic.
Industrial control systems prioritize safety, availability, reliability and efficiency. As such, they're typically developed to serve a single purpose (which just so happens NOT to be security). In most industrial environments, the ICS is infrequently patched and updated (if at all) to minimize downtime and avoid potential issues.
Most ICSs are operated under the adage, "If it ain't broke, don't fix it." Moreover, the uptime requirement means known vulnerabilities stay unpatched, so assets become highly susceptible to attack as soon as they are connected to external devices or networks.
To further complicate matters, there are increasing reasons to integrate ICSs with enterprise systems. These can include:
- Monitoring productivity.
- Performing predictive analysis.
- Coordinating production between sites.
- Meeting compliance requirements.
- Migration from legacy analog control systems to digital control systems.
- Lowering operating costs.
Such integrations add a threat vector outside of the original design parameters of most ICS devices. Failure to properly secure and isolate ICSs from enterprise systems (and from each other) can lead to the spread of malware, compromise or even asset destruction. And disruption of operations to a manufacturing site or to critical infrastructure can have major consequences, ranging from loss of productivity and revenue to loss of life.
So, what can you do?
At a bare minimum, we recommend implementing strong firewall monitoring as the base on which to build a stronger security posture.
Firewall Monitoring and IT/OT Separation
The most effective defensive strategy when integrating industrial control and IT systems is the implementation of an ICS firewall with comprehensive policies. Simply put, all traffic must be accounted for. This controls the flow of information and prevents traffic from lower security zones (e.g., DMZ, IT networks) from reaching the ICS network unless it is explicitly permitted. This approach protects the ICS from the enterprise network and vice versa.
Where the connection between the ICS and IT is only now being established, introducing the firewall with an explicit (default) deny policy ensures no traffic passes between the networks until specific rules are in place.
Where the systems are already in a mixed environment, a firewall is introduced between the ICS components and the IT components in "monitoring mode": every flow is permitted and logged, so traffic can be safely observed and baselined before rules are written, with minimal impact on operations. Inserting the device inline is still a physical change, so it should be performed during a preventive maintenance or outage window to avoid any negative impact.
Once all traffic has been baselined and corresponding rules are in place, an explicit deny rule is added at the end of the policy. This prevents new, unexpected and unaccounted-for traffic from passing through the firewall. Review the baseline before codifying it: a flow logged during the monitoring window is not necessarily legitimate, and a rule written for it would bless it permanently.
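The monitor, baseline, then deny procedure above, as an added example (not code from the article or from any firewall vendor). The log format, zone names, addresses and ports are constructed for illustration; a real deployment would parse the firewall's own log export. The script counts each distinct flow seen in monitoring mode, emits one accept rule per flow that recurred, holds one-off flows back for review, and closes the policy with an explicit deny so anything new is dropped.

```python
"""Baseline flows logged by a firewall in monitoring mode, then emit an
ordered allowlist that ends in an explicit deny.

Added example for this article, not vendor code. The log format, zone names,
addresses and ports below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed log lines from an IT/ICS boundary firewall in monitoring mode:
# every flow is accepted and logged, nothing is blocked yet.
SAMPLE_LOG = """\
2024-05-01T08:00:01 action=accept srczone=IT dstzone=ICS src=10.10.5.20 dst=10.20.1.5 proto=tcp dport=102
2024-05-01T08:00:02 action=accept srczone=IT dstzone=ICS src=10.10.5.20 dst=10.20.1.5 proto=tcp dport=102
2024-05-01T08:05:10 action=accept srczone=ICS dstzone=IT src=10.20.1.5 dst=10.10.9.9 proto=tcp dport=1433
2024-05-01T08:05:11 action=accept srczone=ICS dstzone=IT src=10.20.1.5 dst=10.10.9.9 proto=tcp dport=1433
2024-05-01T09:12:44 action=accept srczone=IT dstzone=ICS src=10.10.5.77 dst=10.20.1.30 proto=tcp dport=502
2024-05-01T09:12:45 action=accept srczone=IT dstzone=ICS src=10.10.5.77 dst=10.20.1.30 proto=tcp dport=502
2024-05-01T09:12:46 action=accept srczone=IT dstzone=ICS src=10.10.5.77 dst=10.20.1.30 proto=tcp dport=502
2024-05-01T23:41:02 action=accept srczone=IT dstzone=ICS src=10.10.77.3 dst=10.20.1.5 proto=tcp dport=3389
"""

LINE_RE = re.compile(
    r"srczone=(?P<srczone>\S+) dstzone=(?P<dstzone>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def parse_flows(log_text):
    """Return one (srczone, dstzone, src, dst, proto, dport) tuple per log line."""
    flows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            flows.append((d["srczone"], d["dstzone"], d["src"], d["dst"],
                          d["proto"], int(d["dport"])))
    return flows


def baseline(flows, min_hits=2):
    """Split observed flows into those seen often enough to codify and those
    that need a human decision first. A single late-night RDP session is
    exactly the kind of flow you do not want to bless just because it was
    logged during the baseline window."""
    counts = Counter(flows)
    accepted = {f for f, n in counts.items() if n >= min_hits}
    review = {f for f, n in counts.items() if n < min_hits}
    return accepted, review


def build_ruleset(accepted):
    """Ordered policy: one accept rule per baselined flow, then explicit deny."""
    rules = [{"action": "accept", "match": f} for f in sorted(accepted)]
    rules.append({"action": "deny", "match": None})  # catch-all, must stay last
    return rules


def evaluate(rules, flow):
    """First-match evaluation, the way a firewall walks its policy table."""
    for rule in rules:
        if rule["match"] is None or rule["match"] == flow:
            return rule["action"]
    return "deny"  # only reached if someone removed the catch-all


def render(rules):
    """Human-readable dump of the policy in the order it is evaluated."""
    lines = []
    for rule in rules:
        if rule["match"] is None:
            lines.append("deny   any -> any")
        else:
            sz, dz, src, dst, proto, dport = rule["match"]
            lines.append(f"accept {sz}:{src} -> {dz}:{dst} {proto}/{dport}")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    accepted, review = baseline(flows)
    rules = build_ruleset(accepted)
    print(render(rules))
    print("\nFlows needing review before they are allowed:")
    for f in sorted(review):
        print("  ", f)
```

The `min_hits` threshold is a crude stand-in for the human review the article calls for; the point is that the catch-all deny is appended only after every accepted flow has a rule, and that a flow which appeared once (the constructed RDP connection at 23:41) is denied by that catch-all rather than silently allowlisted.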
Once basic segmentation is established between the two environments, the next step is to complete a full inventory of devices on the ICS network. It's important to understand the function of each device, data flow, protocol, firmware and software version. Having a full picture of the ICS network will aid in the determination of a comprehensive segmentation strategy and help identify vulnerabilities in the network.
The discovery process in ICS networks has historically been extremely difficult, often involving physical walk-downs, spreadsheets and checklists. The problem with these methods is the human element, which often produces incomplete inventories (if they're even performed at all).
Another common theme among ICS environments is the widespread use of shadow IT. When engineering or ops teams need to solve an ICS problem, it's common practice to bypass IT. On top of that, there's usually poor communication with relevant business units. This shadow IT approach can lead to the purchase and installation of solutions without proper input from IT security, which can result in the introduction of vulnerabilities via unvetted and non-inventoried equipment.
A mature segmentation strategy will integrate the principle of least privilege, through which processes only have access to required resources. An asset should only communicate with the asset or assets required to perform an operation. Any other access should not be permitted. A good (initial) strategy begins with segmenting by system or device type using zones, conduits, boundaries and security levels as described in IEC 62443. This will limit the reach of a specific device and prevent it from communicating outside of its system or device group.
Further analysis can promote even more effective segmentation. For example, consider a group of operator consoles that only need to communicate with a server, not with each other. The server needs visibility to each console. In a mature segmentation scenario, the only communication allowed would be between the server and the consoles over a specific port. Preventing consoles from communicating with other consoles can help prevent and contain the spread of malware should one device become compromised.
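The console/server case above, as an added example (not code from the article or from any vendor). Asset names, zone names and the two port numbers are constructed placeholders. Conduits are declared between roles rather than hosts, then expanded into the explicit host-pair allowlist a firewall enforces; anything outside that set, including console-to-console traffic inside the same zone, is denied, and an audit over constructed span-port observations shows which flows the model would reject.

```python
"""Zone-and-conduit model for a group of operator consoles and the server
they report to: consoles reach the server on one port, the server reaches
each console on one port, and consoles never talk to each other.

Added example for this article, not a vendor configuration. Asset names,
zones and port numbers are constructed.
"""

# Constructed inventory: every asset carries the zone it sits in and its role.
ASSETS = {
    "hist-srv-01": {"zone": "control-servers", "role": "server"},
    "hmi-01": {"zone": "operator-consoles", "role": "console"},
    "hmi-02": {"zone": "operator-consoles", "role": "console"},
    "hmi-03": {"zone": "operator-consoles", "role": "console"},
}

# Conduits are declared between roles, not hosts, so adding a console does not
# mean editing rules by hand. Port numbers are constructed placeholders.
CONDUITS = [
    {"from_role": "console", "to_role": "server", "proto": "tcp", "dport": 4840},
    {"from_role": "server", "to_role": "console", "proto": "tcp", "dport": 5900},
]


def expand_conduits(assets, conduits):
    """Turn role-level conduits into the explicit (src, dst, proto, dport)
    allowlist a firewall actually enforces."""
    allowed = set()
    for c in conduits:
        for src, s in assets.items():
            if s["role"] != c["from_role"]:
                continue
            for dst, d in assets.items():
                if dst == src or d["role"] != c["to_role"]:
                    continue
                allowed.add((src, dst, c["proto"], c["dport"]))
    return allowed


def is_allowed(allowed, src, dst, proto, dport):
    """Anything not in the allowlist is denied, including console-to-console
    traffic within the same zone. Return traffic for an allowed session is
    assumed to be handled by the firewall's state table."""
    return (src, dst, proto, dport) in allowed


def audit(allowed, observed):
    """Report observed flows that violate the conduit model."""
    return [f for f in observed if not is_allowed(allowed, *f)]


# Constructed flows as they might be seen on a span port before enforcement.
OBSERVED = [
    ("hmi-01", "hist-srv-01", "tcp", 4840),  # legitimate console -> server
    ("hist-srv-01", "hmi-02", "tcp", 5900),  # legitimate server -> console
    ("hmi-01", "hmi-02", "tcp", 445),        # console -> console: lateral movement path
    ("hmi-03", "hist-srv-01", "tcp", 3389),  # right peer, wrong port
]


if __name__ == "__main__":
    allowed = expand_conduits(ASSETS, CONDUITS)
    print(f"{len(allowed)} explicit allow entries derived from {len(CONDUITS)} conduits")
    for flow in audit(allowed, OBSERVED):
        print("VIOLATION", flow)
```

Running the audit against a capture taken before enforcement is the cheap way to find out what the proposed zone policy would break; every violation it prints is either a flow the inventory missed or a path that should not exist, and both deserve an answer before the deny rules go live.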
This level of segmentation, while ideal, is difficult and time consuming to implement in an ICS environment. It should be performed only after thorough analysis and planning has been completed. If you have questions, WWT's experts are happy to provide guidance.
A Proven Solution
Regarding recommended solutions, Fortinet has developed the FortiGate Rugged Series of hardened security appliances designed to withstand the extreme operational requirements found in industrial environments. These appliances enable the implementation of a functional and physical segmentation strategy for critical infrastructure and industrial ICS environments.
FortiGate also combines high-performance, next-generation firewall functionality and robust two-factor authentication with antivirus, intrusion prevention, URL filtering, and application control. The granular security policies of FortiGate's Internal Segmentation Firewall deployment mode enforce ICS zones and conduits based on criteria such as user identity, application, location and device type to lock down zones and ensure only legitimate traffic is permitted laterally between zones. Check out WWT's FortiGate Sandbox on our new B2B Innovation Platform.
That said, a more proactive approach is required for a thorough analysis of ICS networks, their processes, protocols and communications.
Enter Fortinet and Nozomi Networks, who are working together to provide a comprehensive security solution for ICS environments. This recommended solution combines Nozomi Networks' Guardian -- a next-gen cybersecurity and operational visibility solution known for its deep understanding of ICS networks, protocols and device behavior -- with Fortinet's network security expertise through FortiGate. Guardian's passive ICS protocol monitoring capabilities baseline the behavior of industrial devices while detecting anomalies and critical states in the ICS network. It works closely with FortiGate to provide a secure and responsive gateway between the ICS and IT networks.
The Fortinet-Nozomi solution optimizes productivity and business continuity in industries reliant on ICS networks while minimizing system downtime and limiting data loss. Nozomi Networks' Guardian appliance passively monitors ICS network traffic through switch SPAN ports and creates an internal representation of the entire network, its nodes and the state and behavior of each device in the network. This provides advanced visibility, monitoring, alerting, reporting, troubleshooting and forensic capabilities. Upon the detection of an anomaly, Guardian sends an alarm to system, security and network personnel. Guardian is also capable of automatically updating the relevant FortiGate policy to block suspicious traffic.
Overall, the Fortinet-Nozomi solution provides advanced detection of ICS security issues with proactive threat remediation and containment within industrial environments.
By combining technologies like those used by Fortinet and Nozomi Networks, WWT can help customers implement ICS segmentation, identify and inventory network assets, identify protocols used, baseline data flows, identify vulnerabilities, identify malicious or unwanted network traffic, and implement a custom segmentation strategy specific to their environment.
Let us help you reduce risk to your critical equipment with minimal impact to operations. Book an Enterprise Segmentation Workshop today.
For more information, sign up for a My WWT account today and explore the following resources: