Network segmentation boosts performance, protection
Technology Update: Reduce network cybersecurity risk and optimize network performance by following these 5 steps to leverage best practices of network design.
Five steps of network design can reduce cybersecurity risk and optimize network performance. Can attack vectors hidden in a thumb drive or a PC software patch reach your programmable logic controller (PLC)? Are you vulnerable to malware delivered with stolen original equipment manufacturer (OEM) credentials? If so, you're not alone. Major industrial and commercial companies, and even governments, have endured serious and public security breaches in recent years.
Interconnected plant and enterprise-level networks are proving essential to the operation of today's industrial processes, machinery, and infrastructures. These networks, and the information they provide, serve as the lifeblood of modern organizations. In an era in which millions of cyberattacks take place daily, networks and data must be secured from a wider range of threat vectors than the isolated, single-purpose networks of the past.
Network segmentation is one way to help reduce security risk when taking advantage of open, interconnected networks. Segmentation creates smaller domains of trust by breaking the network down into smaller functional- and access-based areas. While segmentation is not purely a security mechanism, it simplifies security-policy enforcement by limiting traffic flow and guiding it through checkpoints, which help ensure that only approved data and users reach specific portions of the network.
Segmenting a network draws real and imaginary lines around network devices and components using physical and logical segmentation. This creates security groups aligned to each section. The "real lines" refer to physical segmentation, which is the subdivision of the actual hosts, devices, or nodes on a network. Logical segmentation, meanwhile, is more abstract. It is the process of outlining which endpoints need to be in the same subnet or local area network (LAN), and involves the relationships the devices have with each other—for example, if they're functionally interconnected, tied to the same process, or only interact with each other on a limited basis. The segmentation approach taken can significantly influence security, cost, performance, and time to develop your network infrastructure.
Single network value
Industrial companies used to rely on a multitiered networking model in which different network technologies served different control disciplines (motion, safety, and process control). Because each discipline used its own communication standard, the networks were physically segmented by default. Automation systems that support the manufacturing enterprise have increasingly turned to tightly interconnected systems using IP- and Ethernet-based technologies, such as EtherNet/IP, an ODVA Ethernet protocol. This enables the convergence of multiple control and information disciplines, and can improve productivity, utilization of assets, and decision making. It also provides options for securing communications that were unavailable with the single-purpose networks of the past.
The advantages of network convergence are quickly becoming undeniable. However, it does require end users and machine builders to deploy industrial-network design methodologies, like segmentation, to help maintain real-time network performance. Segmentation has the added advantage of making a network more modular. Modularity reduces network sprawl and gives manufacturers the flexibility to add capacity with minimal impact to the network performance and infrastructure. Modularity also helps ensure traffic flows through checkpoints, such as firewalls and managed switches, as part of a larger security strategy.
Apply segmentation topologies
Physical segmentation defines points of demarcation, where support responsibility passes from one group to another, based on the physical location of the devices being connected. Physically segmenting a network can be accomplished in various ways. The most straightforward is to use isolated networks that are not connected to the plant or enterprise network infrastructure at all. However, this means losing the advantages of convergence discussed previously.
Other approaches for physical segmentation can provide connectivity. For example, dual network interface cards (NICs) and network address translation (NAT) features create two network identities for an individual end device.
Using multiple NICs in a programmable controller or other machine resource allows communication with devices that previously had no Ethernet connectivity. Multiple NICs let a single end device be reached from several networks that are otherwise physically isolated: plant operators can access a controller through one NIC, while the enterprise IT department pulls controller data through the other to feed real-time plant information into enterprise-level databases and reports.
Using managed industrial switches with NAT features provides the flexibility to segment or isolate network traffic by determining which devices are exposed to the larger network. Devices that are not given a plant-side address stay isolated from broader network traffic, which can help optimize network performance at the local level. NAT is popular among equipment builders and OEMs because it maps a fixed set of local, machine-level IP addresses onto the end user's broader plant-process network. This lets an OEM ship every machine with the same internal addressing, adapt to each end user's network at the machine boundary, and restrict the number of plant IP addresses consumed, limiting time and risk during commissioning.
Topologies that use multiple NICs and NAT naturally separate different kinds of communication, reducing network chatter and improving performance and security. However, network boundaries built this way are fixed by design and require investment in hardware that offers the built-in features. Two caveats apply. A dual-homed controller is itself the meeting point of two networks, so it must not forward traffic between its NICs, and its own access controls must be sound, because compromising it bridges the zones. And NAT hides only the devices that are not mapped; it does nothing to filter traffic to the devices it does expose, so those still need an access control list on the switch.
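The 1:1 NAT behaviour described above, as an added example that is not code from the article or from any switch vendor: a small Python model of a static 1:1 NAT table at a machine boundary. The machine subnet (192.168.1.0/24), the plant subnet (10.20.30.0/24), the device roles and the choice of which devices are exposed are all constructed for illustration. It also shows the OEM case, two identical machines that reuse the same internal addressing and differ only in their plant-side mappings.

```python
"""Added example, not code from the article: a minimal model of the
static 1:1 NAT that a managed industrial switch performs at a machine
boundary. Everything here is constructed for illustration: the machine's
local subnet (192.168.1.0/24), the plant subnet (10.20.30.0/24), the
device roles and which of them are exposed."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


class OneToOneNat:
    """Static 1:1 NAT: each exposed local address owns exactly one plant address."""

    def __init__(self, local_net: str, plant_net: str) -> None:
        self.local_net = ipaddress.ip_network(local_net)
        self.plant_net = ipaddress.ip_network(plant_net)
        self.outbound_map: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}
        self.inbound_map: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}

    def expose(self, local: str, plant: str) -> None:
        l_addr, p_addr = ipaddress.ip_address(local), ipaddress.ip_address(plant)
        if l_addr not in self.local_net or p_addr not in self.plant_net:
            raise ValueError("address is on the wrong side of the boundary")
        if l_addr in self.outbound_map or p_addr in self.inbound_map:
            raise ValueError("1:1 NAT needs unique addresses on both sides")
        self.outbound_map[l_addr] = p_addr
        self.inbound_map[p_addr] = l_addr

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        src = ipaddress.ip_address(pkt.src)
        if src not in self.outbound_map:
            return None  # an unmapped device has no plant identity at all
        return Packet(str(self.outbound_map[src]), pkt.dst, pkt.proto, pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        dst = ipaddress.ip_address(pkt.dst)
        if dst not in self.inbound_map:
            return None  # plant hosts cannot reach devices that were not exposed
        return Packet(pkt.src, str(self.inbound_map[dst]), pkt.proto, pkt.dport)


def build_machine_nat(plant_offset: int) -> OneToOneNat:
    """One machine: PLC and HMI exposed, drive and I/O block local only.
    Every machine from this OEM uses identical internal addressing; only the
    plant-side addresses differ, chosen by the end user per machine."""
    nat = OneToOneNat("192.168.1.0/24", "10.20.30.0/24")
    nat.expose("192.168.1.10", f"10.20.30.{plant_offset + 10}")  # PLC
    nat.expose("192.168.1.20", f"10.20.30.{plant_offset + 20}")  # HMI
    # 192.168.1.30 (drive) and 192.168.1.40 (I/O block) are deliberately unmapped
    return nat


def build_line() -> Dict[str, OneToOneNat]:
    """Two identical machines on one plant subnet, same local addressing inside each."""
    return {"machine_a": build_machine_nat(100), "machine_b": build_machine_nat(200)}
```

Note that the exposed PLC and HMI are reachable from any plant host that can route to the switch; the NAT table says nothing about who may talk to them, which is the job of an access control list at the same checkpoint.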
Logically segmenting the network using virtual local area networks (VLANs) and subnetting is well known in the IT world but still relatively new in the cell/area zone for control system engineers. With this approach, users can separate control devices from other traffic by configuring multiple VLANs in managed switches, and choose which traffic may cross between subnets/VLANs with the help of routers or Layer 3 switches.
Segmenting cell/area zones from each other creates smaller Layer 2 domains, which confines broadcast and multicast traffic to each zone and creates even smaller domains of trust. As new systems are brought onto the network, they can be added with limited performance impact on existing systems.
Extending plant network addressing down to the machine also removes the need for some of the physical methods described above. Each resource then has a single identity on the network, yet its performance is protected from the broadcast and multicast traffic of resources outside its VLAN. This reduces both risk and the cost of connectivity as new devices are added.
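The VLAN and Layer 3 checkpoint arrangement described above, as an added example that is not code from the article: cell/area zones modelled as VLAN subnets, a function showing which hosts share each broadcast domain, and the inter-VLAN policy a Layer 3 switch would enforce between zones. VLAN IDs, subnets, host names and the policy are constructed for illustration; the ports are EtherNet/IP's actual ones (TCP 44818 explicit messaging, UDP 2222 implicit I/O).

```python
"""Added example, not code from the article: cell/area-zone VLANs modelled
as subnets, with the inter-VLAN policy a Layer 3 switch or router would
enforce between them. VLAN IDs, subnets, host names and the policy are all
constructed for illustration; the ports are EtherNet/IP's real ones
(TCP 44818 explicit messaging, UDP 2222 implicit I/O)."""

import ipaddress
from typing import Dict, List, Optional, Set, Tuple

VLANS: Dict[int, ipaddress.IPv4Network] = {
    10: ipaddress.ip_network("10.20.10.0/24"),  # cell 1: controllers, drives, I/O
    11: ipaddress.ip_network("10.20.11.0/24"),  # cell 2: controllers, drives, I/O
    20: ipaddress.ip_network("10.20.20.0/24"),  # HMIs and engineering workstations
    99: ipaddress.ip_network("10.20.99.0/24"),  # plant data collection / enterprise edge
}

# Constructed inventory: (name, address)
HOSTS: List[Tuple[str, str]] = [
    ("cell1-plc", "10.20.10.10"), ("cell1-drive", "10.20.10.30"),
    ("cell2-plc", "10.20.11.10"), ("cell2-io", "10.20.11.40"),
    ("hmi-1", "10.20.20.5"), ("eng-ws", "10.20.20.50"),
    ("historian", "10.20.99.7"),
]

# Inter-VLAN policy on the Layer 3 checkpoint. Anything not listed is dropped.
POLICY: Dict[Tuple[int, int], Set[Tuple[str, int]]] = {
    (20, 10): {("tcp", 44818), ("udp", 2222)},  # HMI/engineering -> cell 1 controllers
    (20, 11): {("tcp", 44818), ("udp", 2222)},  # HMI/engineering -> cell 2 controllers
    (99, 20): {("tcp", 443)},                   # historian pulls from the HMI tier only
}


def vlan_of(ip: str) -> Optional[int]:
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def layer2_neighbors(ip: str) -> List[str]:
    """Hosts that share a broadcast domain with ip: the only ones whose
    broadcast and multicast traffic it has to process."""
    vid = vlan_of(ip)
    return [name for name, addr in HOSTS if addr != ip and vlan_of(addr) == vid]


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Decide what happens to one flow. Same VLAN: switched at Layer 2 and the
    router never sees it. Different VLANs: must match an explicit allow."""
    sv, dv = vlan_of(src), vlan_of(dst)
    if sv is None or dv is None:
        return "drop", "address is not in any configured zone"
    if sv == dv:
        return "switch", f"same VLAN {sv}, stays inside the Layer 2 domain"
    if (proto, dport) in POLICY.get((sv, dv), set()):
        return "route", f"VLAN {sv} -> {dv} permitted for {proto}/{dport}"
    return "drop", f"VLAN {sv} -> {dv} has no allow rule for {proto}/{dport}"
```

The two cells never appear in each other's broadcast domain, and the historian cannot reach a controller at all; it has to go through the HMI tier, which is where the policy puts the checkpoint.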
Firewalls can act as both physical and logical segmenters on a network; industrial routers, for example, often combine NAT with routing and filtering features. A firewall is only effective if traffic actually flows through it, so the segmentation design must leave no path around the checkpoint; the firewall then controls the flow of information over the network logically.
Firewalls often work best when combined with intrusion detection and prevention systems (IDSs/IPSs) that inspect traffic to and from remote devices. An IDS/IPS also looks for signatures that indicate an attack or threat coming from authorized sources over authorized channels. This provides an additional layer of defense against threats that exploit the ports a firewall must leave open, or that originate from authorized users or devices, such as malware arriving from an authorized user's computer.
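The firewall-plus-IPS layering described above, as an added example that is not code from the article or from any IDS product: a flow allow-list stands in for the firewall, and an inspection step parses the 24-byte EtherNet/IP encapsulation header on the traffic the firewall admits and applies signatures to it. The hosts, the permitted flow and the set of commands an HMI is expected to send are constructed for illustration; the header layout and command codes are the real EtherNet/IP encapsulation values.

```python
"""Added example, not code from the article: a firewall allow-list for the
EtherNet/IP explicit-messaging channel, with an IPS layer that parses the
24-byte EtherNet/IP encapsulation header and applies signatures to traffic
the firewall has already permitted. Hosts, the allowed flow and the allowed
command set are constructed for illustration; the header layout and command
codes are the real EtherNet/IP encapsulation values."""

import struct
from typing import Dict, Set, Tuple

# Encapsulation header, little-endian: command, length, session handle,
# status, 8-byte sender context, options.
ENIP_HDR = struct.Struct("<HHII8sI")

COMMAND_NAMES: Dict[int, str] = {
    0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
    0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
    0x006F: "SendRRData", 0x0070: "SendUnitData",
}

# Firewall: the only flow this checkpoint admits (constructed).
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {("10.20.20.5", "10.20.10.10", 44818)}

# IPS: commands an HMI legitimately sends on that channel. Discovery commands
# (ListIdentity, ListServices, ListInterfaces) from an HMI are treated here as
# a signature of reconnaissance over an authorized channel.
ALLOWED_COMMANDS: Set[int] = {0x0065, 0x0066, 0x006F, 0x0070}


def build_enip(command: int, data: bytes = b"", session: int = 0) -> bytes:
    """Assemble a well-formed encapsulation packet (used to construct samples)."""
    return ENIP_HDR.pack(command, len(data), session, 0, b"\x00" * 8, 0) + data


def inspect(src: str, dst: str, dport: int, payload: bytes) -> Tuple[str, str]:
    """Firewall decision first, then IPS inspection of what the firewall let through."""
    if (src, dst, dport) not in ALLOWED_FLOWS:
        return "firewall-drop", "flow is not in the allow list"
    if len(payload) < ENIP_HDR.size:
        return "ips-drop", "truncated encapsulation header"
    command, length, session, status, context, options = ENIP_HDR.unpack_from(payload)
    actual = len(payload) - ENIP_HDR.size
    if length != actual:
        return "ips-drop", f"declared length {length} does not match actual {actual}"
    if options != 0:
        return "ips-drop", "options field is reserved and must be zero"
    name = COMMAND_NAMES.get(command, hex(command))
    if command not in ALLOWED_COMMANDS:
        return "ips-alert", f"{name} is not expected from this source"
    return "allow", name


def sample_packets() -> Dict[str, bytes]:
    """Constructed samples: a normal session open, a discovery probe, and the
    session open with its last two bytes missing."""
    register = build_enip(0x0065, b"\x01\x00\x00\x00")  # protocol version 1, options 0
    return {
        "register": register,
        "list_identity": build_enip(0x0063),
        "truncated": register[:-2],
    }
```

The point of the layering is visible in the verdicts: the firewall alone would pass every sample from the HMI, because the flow is authorized; only the inspection step distinguishes a normal session open from a discovery probe or a malformed header on that same authorized channel.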