Cybersecurity advice: Micro-segmentation in ICS environments

Examine micro-segmentation as part of a broader cybersecurity architecture, not a replacement for the current cybersecurity architecture. Industrial cybersecurity system micro-segmentation decreases the attack vector on industrial environments, according to a company with a Control Engineering Engineers’ Choice Award product.

By Mariam Coladonato and Dan Schaffer February 19, 2022
Courtesy: Phoenix Contact USA

 

Learning Objectives

  • Understand the need for industrial control system micro-segmentation by looking first at macro-segmentation.
  • Walk through a defense-in-depth example: Water-treatment plant.
  • Learn about cost, complexity and manageability for ICS micro-segmentation to improve cybersecurity.

Within industrial cybersecurity, the importance of micro-segmentation is often overlooked as an effective defense strategy in industrial control system (ICS) networks. By now, all asset owners should know implementing a single perimeter firewall on top of critical operational technology (OT) network is only a small step toward overall security; however, it should not be the only one.

The key concept with micro-segmentation is granularity. Micro-segmentation breaks down the organization, in this case the OT network, to the most granular level with which the user is comfortable. In most cases, this results in a small group of critical assets that talk to each other on the TCP/UDP traffic level.

[subhead]ICS macro-segmentation, then micro-segmentation

As with all cybersecurity strategies, an overall plan of “defense in depth” should be the umbrella under which individual techniques apply. For micro-segmentation, the typical first step is “macro-segmentation.” This is bringing in the entire infrastructure security perimeter and looking at the big picture from information technology (IT) into OT segmentation. Just as the network is defined under IEC 62443 and even the Purdue model, define the network into zones and conduits.

Defense-in-depth example: Water treatment plant

For example, in a water treatment plant, the different defensive layers already in place might include:

  • Secure remote connectivity, such as a virtual private network (VPN), for field engineers.
  • Remote employees working from home.
  • Role-based access controls for local and remote users, and even “headless” processes.
  • IT systems and solutions monitoring external traffic and web applications.
  • A network or security operations center (NOC/SOC),
  • Automation systems protection with antivirus for workstations.
  • Physical security systems with cameras.
  • The required isolation for the operations of the different process inside the water treatment plant.

The goal of micro-segmentation is to reduce the attack surface by placing security perimeters into small, isolated zones with different access privileges. This provides better and more granular protection as well as mitigate damage from an incident by containing it in a very small cell. However, the challenges of micro-segmenting ICS networks are costs, complexity, and manageability.

A water treatment plan includes multiple zones that are each vulnerable to a cyberattack. Micro-segmentation can provide more granular protection and contain an incident to a very small cell, so it mitigates the effects of the attack. Courtesy: Phoenix Contact USA

A water treatment plan includes multiple zones that are each vulnerable to a cyberattack. Micro-segmentation can provide more granular protection and contain an incident to a very small cell, so it mitigates the effects of the attack. Courtesy: Phoenix Contact USA

Cost, complexity for ICS micro-segmentation to improve cybersecurity

Micro-segmentation relies on deploying protection and breaking down a large network into many smaller cells or segments. Since deploying a high number of security appliances can be cost-prohibitive, it is important to use devices that offer a high level of focused protection at a reasonable price point.

A big challenge for asset owners or OT personnel is limited comfort with the setup or configuration of complicated firewall rules. IP addresses, Layer 4 ports and protocols can be confusing, not very intuitive, and can make errors. One key feature for OT protection is a firewall that helps with creation and verification of network firewall rules needed.

For example, features like the “Easy Protect Mode” can isolate the desired network without the need for device configuration. Controlling with a simple discrete input or dry contact, a user-friendly stateful inspection firewall rule set is activated. Based on the incoming and outgoing data traffic, an integrated firewall assistant can create an automatic list of existing network connections and the firewall rules for the user to pick and choose which ones to allow or to block. A “test mode” also can identify undefined communication connections. It reports these and recommends supplementary firewall rules after the firewall assistant has been disabled.

Manageability of micro-segmentation for ICS cybersecurity

A final item to consider, which becomes even more important with the large number of devices that micro-segmentation requires, is managing all these security appliances on the network. Management tools are essential in everyday tasks like deploying new configurations, pushing firmware updates, changing passwords, etc. These tools prevent the need to manually “touch” hundreds of devices and allow an administrator to do tasks in bulk quickly and consistently.

While IT departments have long had software suites, both proprietary and open, to help with these tasks, they are still much less common and sometimes less feature-rich in the OT space. Selecting a firewall or security appliance that has a central management tool, or an appliance open enough to work with a third-party tool, is essential to maintain the network. Firewalls that support features like SNMP and REST APIs are good indicators they can be managed and even automated by third-party software and are good for widespread use.

Asset owners and stakeholders must look at micro-segmentation as part of a broader security architecture, not a replacement for the current security architecture. This process decreases the attack vector on industrial environments. Just as important, it helps to ensure a single breach of a given vulnerable process doesn’t allow the attackers or even a piece of malware to propagate to the rest of the environment. Implementing industrially-rated security appliances and firewalls that help address the challenges of cost, complexity, and manageability are key to ensure the micro-segmentation strategy will be successful.

The FL mGuard 1100 series from Phoenix Contact is a family of low-cost industrial firewalls featuring trusted routing and NATing technology. [network address translation (NAT)] Courtesy: Phoenix Contact USA

The FL mGuard 1100 series from Phoenix Contact is a family of low-cost industrial firewalls featuring trusted routing and NATing technology. [network address translation (NAT)] Courtesy: Phoenix Contact USA

Mariam Coladonato is senior product specialist cybersecurity, Phoenix Contact USA. Dan Schaffer is senior product marketing manager, Phoenix Contact USA. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media and Technology, mhoske@cfemedia.com.

KEYWORDS: ICS micro-segmentation cybersecurity advice, Engineers’ Choice Awards

CONSIDER THIS

How are you using ICS micro-segmentation to improve operations cybersecurity?


Mariam Coladonato and Dan Schaffer
Author Bio: Mariam Coladonato is senior product specialist cybersecurity, Phoenix Contact USA. Dan Schaffer is senior product marketing manager, Phoenix Contact USA.