Preventing internal & external cybersecurity breaches with zero trust OT network segmentation
By Ryan Lung, Senior product manager at TXOne Networks
In recent years, malicious actors have exposed organizations to increasingly high risks of financial loss or even loss of life. In response, security researchers have developed more secure and reliable network security methodologies. Before the zero trust approach, network defense was typically based on two separate “trust levels”: the inside network and the outside network (the internet). Communications originating from the inner network were considered trustworthy; those from the outer network were not. As malicious actors have rapidly developed their skills, they have shown clearly that these traditional methods cannot meet post-digital-transformation security needs. This is why the zero trust model insists that we “never trust, always verify”, and even for industrial control system (ICS) networks, key ideas borrowed from it can lead to much better overall security in OT (operational technology) environments. OT zero trust cybersecurity provider TXOne Networks shows that these defensive improvements are more necessary with every passing day.
Increasing OT threat landscape
The terrain of the OT threat landscape is changing with the rhythms of Industry 4.0, industrial IoT, and digital transformation. Stuxnet was one of the first pieces of malware specifically designed to target an industrial control system (ICS) and caused the first major OT cyber incident. This kind of attack was unlikely in an OT environment until 2017, when a worm called WannaCry propagated extremely widely. In the aftermath many different kinds of malware emerged, and malicious actors began putting serious work into designing targeted ransomware attacks to exploit specific industry verticals. The greater productivity promised by modern technologies drives manufacturers to embrace them and to take the risk of opening the door further to networking and the internet. However, every advancement brings with it new attack surfaces, and the potential for another, even more aggressive wave of cyberattacks.
Finally, as a decentralized, untraceable digital currency, Bitcoin is the perfect means by which criminals can collect ransoms without fear of the payment being tracked to reveal their identities. These factors ensure the continual shifting of the threat landscape. Once attackers have created a new form of malware, the malware typically gets into an OT environment through insider threats or external cyberattacks.
Insider threats and external attacks
Insider threats can be either unintentional or intentional. In an unintentional case, an employee or third-party visitor unknowingly brings an infected device onto the premises. An intentional case might result from a dissatisfied employee or one who has been paid by third parties to conduct sabotage. In both cases, unsecured USBs or laptops are the typical devices that transmit threats.
External cyberattacks often begin in the IT network, most commonly with a phishing attack, and usually take the form of ransomware or bots. Ransomware encrypts assets and offers them back to stakeholders at a high price. Bots usually allow attackers to prepare for or set up the rest of the attack, e.g., allowing them to take direct control of systems, execute applications, or collect important information. Once attackers have compromised the control center network, it’s very easy for them to spread malware and escalate privileges at different levels of the system. Effects can include an entire production cycle shutdown, damage to assets, or human endangerment.
Network segmentation vs. cyberattacks
Network segmentation has become a common means for organizations to repel modern cyberattacks, and this practice not only strengthens cybersecurity but also helps to simplify management. As quarantine for malware is built into the network’s design, if an asset gets infected, only that segment will be affected. The options for intruders are drastically reduced, and they will be unable to move laterally. For IoT devices, it allows the data and control paths to be separated, making it more challenging for attackers to compromise devices. Even if one production line is affected by a cyberattack, the threat will be contained so that the others can continue to work.
For management, network segmentation makes it easier to monitor traffic between zones and empowers administrators to deal with a massive number of IoT devices. As new communication technologies are added to worksite environments, network segmentation will be the first line of defense and the foundation for keeping risk low.
Building up zero trust OT environments
While the core of zero trust is network segmentation, stakeholders who want to bulletproof their worksite and keep the operation running should also implement virtual patching, trust lists, hardening of critical assets, and security inspections.
To support policy management, maintenance, and event log review, solutions used to implement these practices should be centralized. In addition, ideal network segmentation solutions for OT and ICS environments must be OT-native and need to come in different form factors for different purposes. The two key form factors are OT-native IPSs for micro-segmentation and 1-to-1 protection of critical assets, and OT-native firewalls for transparently creating segmentation with a broader definition of network security policy. IPSs can also come as an “array”, where many of them are included in one appliance for ease of management.
In order to create advanced configurations at the command level, these appliances should be able to support the OT protocols that the work site’s assets use. Thus, micro-segmentation can be conducted using trust lists set at the network level and OT-native IPSs or firewalls at the protocol level. In addition, support for virtual patching is necessary, and critical assets should be hardened using trust lists deployed within the device, at the level of applications and processes.
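The two layers described in this section, a network-level trust list of permitted zone-to-zone flows and a protocol-level check of the OT command carried on an allowed flow, as an added illustrative example that is not TXOne Networks’ code or any product’s configuration. The zones, subnets, hosts and rules are constructed; the only real values are the Modbus/TCP port and function code 3 (Read Holding Registers), which is the sole command permitted on the one allowed path.

```python
# Two-layer zero trust check for OT traffic (constructed example).
# Layer 1, network level: a trust list of allowed zone-to-zone flows;
# anything not listed is denied ("never trust, always verify").
# Layer 2, protocol level: on allowed flows, inspect the Modbus/TCP
# function code so an HMI may read a PLC without being able to write to it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MODBUS_TCP_PORT = 502
READ_HOLDING_REGISTERS = 3  # standard Modbus function code (read-only)

# Constructed zones: each segment is one subnet.
ZONES = {
    "control_center": ip_network("10.10.0.0/24"),
    "line_a": ip_network("10.20.1.0/24"),
    "line_b": ip_network("10.20.2.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    allowed_fcodes: frozenset = frozenset()  # empty = any function code

# Trust list: the control center may only READ line A PLCs over Modbus/TCP.
# No rule exists between line_a and line_b, so lateral traffic is denied.
TRUST_LIST = (
    Rule("control_center", "line_a", MODBUS_TCP_PORT,
         frozenset({READ_HOLDING_REGISTERS})),
)

def zone_of(ip):
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), None)

def evaluate(src_ip, dst_ip, dst_port, fcode=None):
    """Return ("allow" | "deny", reason) for one observed flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown zone"  # default deny for unmapped hosts
    for r in TRUST_LIST:
        if (r.src_zone, r.dst_zone, r.dst_port) == (src_zone, dst_zone, dst_port):
            if r.allowed_fcodes and fcode not in r.allowed_fcodes:
                return "deny", f"function code {fcode} not on trust list"
            return "allow", f"{src_zone}->{dst_zone}:{dst_port}"
    return "deny", f"no trust-list entry for {src_zone}->{dst_zone}"
```

A write (function code 16) from the control center is denied even though the network path is trusted, which is the distinction between a plain zone firewall and the protocol-level inspection the text calls for.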
Creating trust lists
Firstly, for fixed-use legacy assets, it’s as simple as creating a trust list that only allows the applications and processes necessary to the asset’s purpose to run, which also prevents malware from running. Secondly, for modernized machines that have more resources and must conduct a variety of tasks, hardening must be based on trust lists with a library of approved ICS applications and certificates, as well as machine learning. In addition, security inspections for stand-alone or air-gapped systems, as well as for inbound and outbound devices, prevent insider threats from affecting company operations. The concept of zero trust has shown OT security intelligence specialists that network trust awareness is critical to maintaining operational integrity.
Implementing zero trust in OT and ICS environments is much easier with network segmentation and therefore network segmentation has become a byword in work site cyberdefense. However, when IT-based solutions are deployed in operational technology and ICS environments, their large demands on resources and lack of sensitivity to OT protocols are just as likely to interfere with operations as they are to protect them. For this reason, TXOne Networks has developed OT-native solutions, supported by the efforts of threat researchers who constantly monitor the threat landscape. As malicious actors develop new methods of cyberattack, the best practices of network segmentation, virtual patching, trust lists, hardening critical assets, and periodic security inspections allow organizations to repel the cyberthreats of today and prevent the threats of tomorrow.
For more information, visit TXOne Networks.
About the Author
Ryan Lung is a senior product manager at TXOne Networks, where he manages TXOne Networks’ networking product management and design teams and is responsible for ICS network security products. He has worked in network security product management and design for over 14 years. Ryan Lung earned an M.S. degree in Information Management from National United University.
Ryan Lung can be reached online at firstname.lastname@example.org