Network segmentation boosts performance, protection

Technology Update: Reduce network cybersecurity risk and optimize network performance by following these 5 steps to leverage best practices of network design.
By Jessica Forguites November 7, 2014

[Figure caption: The Cell/Area Zone is where the industrial automation and control system (IACS) end devices are logically grouped, then connected into the Cell/Area IACS network. This could be a specific machine/process skid, geographic area, or operational function.]

Five steps of network design can reduce cybersecurity risk and optimize network performance. Can attack vectors hidden in a thumb drive or PC software patch gain access to your programmable logic controller (PLC)? Are you vulnerable to malware from stolen original equipment manufacturer (OEM) credentials? If yes, you’re not alone. Major industrial and commercial companies, even governments, have endured serious and public security breaches in recent years.

Interconnected plant and enterprise-level networks are proving essential to the operation of today’s industrial processes, machinery, and infrastructures. These networks, and the information they provide, serve as the lifeblood of modern organizations. In an era in which millions of cyberattacks take place daily, networks and data must be secured from a wider range of threat vectors than the isolated, single-purpose networks of the past.

Network segmentation is one way to help reduce security risk when taking advantage of open, interconnected networks. Segmentation creates smaller domains of trust by breaking down the network into smaller functional- and access-based areas. While segmentation is not purely a mechanism for security, it simplifies security-policy enforcement by limiting traffic flow and guiding it through checkpoints, which help ensure only approved data and users are allowed access to specific portions of the network.

Segmenting a network draws real and imaginary lines around network devices and components using physical and logical segmentation. This creates security groups aligned to each section. The "real lines" refer to physical segmentation, which is the subdivision of the actual hosts, devices, or nodes on a network. Logical segmentation, meanwhile, is more abstract. It is the process of outlining which endpoints need to be in the same subnet or local area network (LAN), and involves the relationships the devices have with each other—for example, if they’re functionally interconnected, tied to the same process, or only interact with each other on a limited basis. The segmentation approach taken can significantly influence security, cost, performance, and time to develop your network infrastructure. 

Single network value

Industrial companies used to rely on a multitiered networking model with different network technologies performing different control disciplines (motion, safety, and process control). Different communication standards provided natural physical-network-technology segmentation. Automation systems that support the manufacturing enterprise have increasingly turned to tightly interconnected systems using IP- and Ethernet-based technologies, such as EtherNet/IP, an ODVA Ethernet protocol. This enables the convergence of multiple control and information disciplines, and can improve productivity, utilization of assets, and decision making. This also provides options for securing communications that were unavailable with the single-purpose networks of the past.

Segmentation necessity

The advantages of network convergence are quickly becoming undeniable. However, it does require end users and machine builders to deploy industrial-network design methodologies, like segmentation, to help maintain real-time network performance. Segmentation has the added advantage of making a network more modular. Modularity reduces network sprawl and gives manufacturers the flexibility to add capacity with minimal impact to the network performance and infrastructure. Modularity also helps ensure traffic flows through checkpoints, such as firewalls and managed switches, as part of a larger security strategy. 

Apply segmentation topologies

The concept of physical segmentation is to help define demarcation where support moves from one responsibility to another based on the physical location of the devices being connected. Physically segmenting a network is accomplished in various ways. The most straightforward is purely using isolated networks not connected to the plant or enterprise network infrastructure. However, this means losing the advantages of convergence discussed previously.

Other approaches for physical segmentation can provide connectivity. For example, dual network interface cards (NICs) and network address translation (NAT) features create two network identities for an individual end device.

Using multiple NIC cards in a programmable controller or other machine resources allows communication with devices previously unconnected to Ethernet networks. Multiple NICs can be used to establish connectivity of one end device from multiple networks that are otherwise physically isolated. Using multiple NICs, plant operators can access a specific controller via one card, and the enterprise IT department can pull controller information via the other card to serve up real-time plant information into enterprise-level databases and reports.

Using managed industrial switches with NAT features provides the flexibility to segment or isolate network traffic by determining which devices are exposed to the larger network. By limiting access to certain devices, they can be isolated from broader network traffic, which can help optimize the network performance at the local level. NAT is popular among equipment builders and OEMs because it can simplify integration of IP-address mapping from a set of local, machine-level IP addresses to the end user’s broader plant-process network. This allows OEMs to adapt to an end-user network and restrict the number of IP addresses used, limiting time and risk during commissioning.

Topologies that leverage multiple NIC cards and NAT naturally segment different kinds of communication to reduce network chatter, and increase performance and security. However, network boundaries using this method are restricted by design and require investment in specific hardware that offers the built-in features.
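As an added example (not code from the article or from Rockwell Automation), the following Python models the 1:1 NAT mapping a managed switch performs for an OEM skid: the machine keeps its fixed local addressing, only the devices the end user chooses to expose receive a plant-side address from a small allocated block, and everything else stays unreachable from the plant network. All subnets, device names and the plant address pool are constructed for the example; build_nat_table, translate_outbound, translate_inbound and plant_addresses_consumed are hypothetical helper names, not a vendor API.

```python
"""1:1 NAT for a machine-level cell/area zone: decide which skid devices get a
plant-side identity and how many plant addresses the skid consumes.
Added example with constructed addresses; not code from the original article."""
import ipaddress

# Constructed OEM skid: the fixed private subnet the machine builder ships with.
MACHINE_SUBNET = "192.168.1.0/24"
# Constructed plant-side block the end user allocates to this skid (/29 = 6 usable hosts).
PLANT_POOL = "10.20.30.0/29"

# Constructed inventory of devices inside the skid.
MACHINE_DEVICES = {
    "192.168.1.10": "plc",
    "192.168.1.11": "hmi",
    "192.168.1.20": "drive-1",
    "192.168.1.21": "drive-2",
    "192.168.1.30": "io-block",
}
# Only the PLC and HMI need to be reachable from the plant network.
EXPOSED = {"192.168.1.10", "192.168.1.11"}


def build_nat_table(machine_subnet, plant_pool, devices, exposed):
    """Return {local_ip: plant_ip} for the exposed devices, taking pool hosts in order.

    Raises ValueError when an exposed address is outside the machine subnet, is not an
    inventoried device, or when the plant pool runs out of addresses.
    """
    subnet = ipaddress.ip_network(machine_subnet)
    pool_hosts = iter(ipaddress.ip_network(plant_pool).hosts())
    table = {}
    for local in sorted(exposed, key=ipaddress.ip_address):
        if ipaddress.ip_address(local) not in subnet:
            raise ValueError(f"{local} is not in {machine_subnet}")
        if local not in devices:
            raise ValueError(f"{local} is not an inventoried device")
        try:
            table[local] = str(next(pool_hosts))
        except StopIteration:
            raise ValueError("plant address pool exhausted") from None
    return table


def translate_outbound(nat_table, local_ip):
    """Plant-side source address for traffic leaving the skid; None if the device
    has no mapping and is therefore invisible to the plant network."""
    return nat_table.get(local_ip)


def translate_inbound(nat_table, plant_ip):
    """Skid-side destination for traffic arriving from the plant; None means the
    plant address maps to nothing and the packet is not forwarded into the skid."""
    reverse = {plant: local for local, plant in nat_table.items()}
    return reverse.get(plant_ip)


def plant_addresses_consumed(nat_table):
    """Plant addresses this skid occupies (len(devices) would be needed without NAT)."""
    return len(set(nat_table.values()))


if __name__ == "__main__":
    nat = build_nat_table(MACHINE_SUBNET, PLANT_POOL, MACHINE_DEVICES, EXPOSED)
    for local, plant in nat.items():
        print(f"{MACHINE_DEVICES[local]:<8} {local} <-> {plant}")
    print("plant addresses used:", plant_addresses_consumed(nat),
          "of", len(MACHINE_DEVICES), "devices")
```

Running it shows the PLC and HMI mapped to two plant addresses while the drives and I/O block have no plant identity at all. That is the segmentation value of NAT on the skid boundary: the machine consumes two plant addresses instead of five, and a plant-side packet addressed to anything unmapped has nowhere to go.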

Logically segmenting the network using virtual local area networks (VLANs) and subnetting is well-known in the IT world, but is still a newer concept in the cell/area zone for control system engineers. Using this approach, users can segment "control" devices from other things by configuring multiple VLANs in managed switches. This gives users the ability to choose what traffic traverses across subnets/VLANs with the help of routers or Layer 3 switches.

Segmenting cell/area zones from each other will help create smaller Layer 2 domains, reducing overall network bandwidth consumption and creating even smaller domains of trust. As new systems are brought onto the network, they can be incorporated with limited performance impact to existing systems.

Extending plant network addressing to the machine also alleviates the need for some of the physical methods described above. Resources on the network would only have one identity on the network, but their performance is protected from the broadcast and multicast communications of other resources outside of the local VLAN. This reduces risk and the cost of connectivity as new devices are added to the network.

Firewalls can act as both physical and logical segmenters on a network. For example, industrial routers can support both NAT and routing features. For firewalls to be effective, network traffic must be routed through them so they can logically control the flow of information over the network.

Firewalls often work best when employing higher-level intrusion detection and prevention systems (IDSs/IPSs) to inspect traffic to and from remote devices. They also look for signatures that indicate an attack or threat from authorized sources over authorized channels. The IDS/IPS provides an additional level of security to reduce threats or attacks that may leverage open ports on a firewall or can come from authorized users or devices, such as a virus coming from an authorized user’s computer. 
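The VLAN/subnet segmentation described above and the firewall checkpoint the two preceding paragraphs call for can be expressed as a policy that observed traffic is checked against. The Python below is an added example, not code from the article: it assigns addresses to cell/area zones by subnet, treats intra-zone traffic as Layer 2 and therefore uninspected, requires every inter-zone flow to have left through its zone's firewall interface, and then checks it against an explicit allow-list. Zone names, VLAN ids, subnets, the flow records and the allow-list are all constructed; zone_of, evaluate_flow, audit and shared_broadcast_domain are hypothetical helper names.

```python
"""Evaluate observed flows against a cell/area zone segmentation policy: intra-zone
traffic stays at Layer 2, inter-zone traffic must cross the firewall checkpoint and
match an explicit rule. Added example with constructed data; not the article's code."""
import ipaddress

# Constructed zone model: one VLAN and one subnet per zone, with the Layer 3
# switch/firewall interface as that zone's gateway (the checkpoint).
ZONES = {
    "cell-A":  {"vlan": 110, "subnet": "10.10.10.0/24", "gateway": "10.10.10.1"},
    "cell-B":  {"vlan": 120, "subnet": "10.10.20.0/24", "gateway": "10.10.20.1"},
    "level-3": {"vlan": 300, "subnet": "10.10.30.0/24", "gateway": "10.10.30.1"},
}

# Constructed allow-list for inter-zone flows: (src zone, dst zone, proto, dst port).
# 44818/tcp is EtherNet/IP explicit messaging. Anything else between zones is denied.
INTERZONE_POLICY = {
    ("level-3", "cell-A", "tcp", 44818),   # historian polls the cell-A PLC
    ("level-3", "cell-B", "tcp", 44818),   # historian polls the cell-B PLC
}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, next_hop).
# next_hop is None for traffic delivered directly on the local VLAN.
FLOWS = [
    ("10.10.10.10", "10.10.10.20", "udp", 2222,  None),            # I/O inside cell-A
    ("10.10.30.5",  "10.10.10.10", "tcp", 44818, "10.10.30.1"),    # historian -> PLC via firewall
    ("10.10.30.5",  "10.10.20.10", "tcp", 44818, "10.10.30.200"),  # allowed rule, but routed around the firewall
    ("10.10.10.10", "10.10.20.10", "tcp", 44818, "10.10.10.1"),    # cell-to-cell: no rule permits it
    ("10.10.30.5",  "10.10.10.10", "tcp", 22,    "10.10.30.1"),    # SSH to PLC: no rule permits it
    ("10.10.99.9",  "10.10.10.10", "tcp", 44818, "10.10.10.1"),    # source outside every zone
]


def zone_of(ip):
    """Name of the cell/area zone whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, z in ZONES.items():
        if addr in ipaddress.ip_network(z["subnet"]):
            return name
    return None


def shared_broadcast_domain(ip_a, ip_b):
    """True when both devices sit in the same VLAN and therefore see each other's
    broadcast and multicast traffic."""
    za, zb = zone_of(ip_a), zone_of(ip_b)
    return za is not None and za == zb


def evaluate_flow(src, dst, proto, port, next_hop):
    """Return 'allow' or a short reason the flow violates the segmentation policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "unknown-zone"          # address not covered by the zone model
    if sz == dz:
        return "allow"                 # same VLAN/subnet: Layer 2, no checkpoint involved
    if next_hop != ZONES[sz]["gateway"]:
        return "bypassed-checkpoint"   # inter-zone traffic that did not leave via the firewall
    if (sz, dz, proto, port) not in INTERZONE_POLICY:
        return "not-in-policy"         # crossed the firewall but no rule permits it
    return "allow"


def audit(flows):
    """Return [(flow, verdict)] for the flows that violate policy."""
    violations = []
    for flow in flows:
        verdict = evaluate_flow(*flow)
        if verdict != "allow":
            violations.append((flow, verdict))
    return violations


if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(f"{verdict:<20} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
```

The third constructed flow is the case worth noticing: it matches an allowed rule, but its next hop is a host in the level-3 subnet rather than the firewall, which is what a dual-homed PC or an unmanaged link between zones looks like in flow data. Segmentation only shrinks the domain of trust if the checkpoint cannot be routed around, so the audit treats that as a violation even though the port and direction are permitted.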

Starting network design

Careful planning is required to achieve the optimal design, deployment, and performance from both the Cell/Area IACS network and IACS device perspective.

[Figure caption, truncated in the source: Industrial routers like the Allen-Bradley Stratix 5900 services router from Rockwell Automation can s]

To design and plan your network, consider the following steps and ask the following questions:

1) Assess: Consider each level of the logical model and generate a network-requirements document by compiling industry best practices and standards (including the recently released NIST Framework for Improving Critical Infrastructure Cybersecurity), as well as any required future expansion capabilities.

Questions to consider: Why is the current network design not operating according to operational/availability baselines? Is the current network architecture robust enough to protect intellectual property and assets? How do I know if issues I have on the network are security-related, and how do I fix them? If I need to add capacity in the future, how can I be better prepared for that with what I’m putting in place today?

2) Design: Inventory devices and applications with network dependencies within the logical model to help define a physical and logical topology for a requirements document.

Questions: Does my existing architecture protect against malware attacks? What do I need to do to ensure my architecture scales to accommodate current and future demands? How do I prioritize technology-refresh tasks to maximize operational availability?

3) Deploy: Procure, install, and configure the network following the generated requirements document. Then, audit the network against standards to help ensure that the network requirements were met.

Questions: How do I configure devices to best interface with process control networks? What will the impact be if I upgrade to "X," and how do I go about making changes? How do I securely dispose of old equipment to ensure my data is not exposed?

4) Governance: Ensure legal and regulatory compliance.

Questions: Am I required to be compliant with any regulations? If so, what are they and how do I comply? What is the risk if I am not compliant? How long do I have to become compliant?

5) Manage and monitor: Maximize network availability, manage change control, and monitor the network to identify issues early. This can be accomplished by assessing network moves, additions, and changes as part of the change-control process to protect the integrity of the requirements and performance of your network.

Questions: How do I securely access my network remotely? What resources are available to help me maintain availability?
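Steps 3 and 5 are the ones that reduce to a repeatable check: auditing the as-built network against the requirements document, and gating each move, add or change through that same audit. As an added example (not the article's or Rockwell Automation's code), the Python below encodes a requirements document as zones with a VLAN, subnet, reserved gateway and device ceiling, audits a constructed inventory against it, and rejects a proposed change only for the findings that change would introduce. The zone definitions, inventory and device names are constructed; check_device, audit_inventory, validate_change and zone_utilization are hypothetical names.

```python
"""Audit an IACS device inventory against a network requirements document and gate
proposed moves/adds/changes through the same audit. Added example with constructed
data; not code from the original article."""
import ipaddress
from collections import Counter

# Constructed requirements document: one cell/area zone per VLAN/subnet, a reserved
# gateway address, and a device ceiling chosen to leave headroom for expansion.
REQUIREMENTS = {
    "cell-A": {"vlan": 110, "subnet": "10.10.10.0/24", "gateway": "10.10.10.1", "max_devices": 40},
    "cell-B": {"vlan": 120, "subnet": "10.10.20.0/24", "gateway": "10.10.20.1", "max_devices": 40},
}

# Constructed as-built inventory, as a deploy-phase audit would collect it.
INVENTORY = [
    {"name": "plc-a1",   "zone": "cell-A", "vlan": 110, "ip": "10.10.10.10"},
    {"name": "hmi-a1",   "zone": "cell-A", "vlan": 110, "ip": "10.10.10.11"},
    {"name": "drive-a1", "zone": "cell-A", "vlan": 120, "ip": "10.10.10.20"},  # tagged with cell-B's VLAN
    {"name": "plc-b1",   "zone": "cell-B", "vlan": 120, "ip": "10.10.20.10"},
    {"name": "io-b1",    "zone": "cell-B", "vlan": 120, "ip": "10.10.10.30"},  # addressed from cell-A's subnet
]


def check_device(device, requirements):
    """Findings for one device against its zone's requirements; [] means it complies."""
    findings = []
    zone = requirements.get(device["zone"])
    if zone is None:
        return [f"{device['name']}: zone {device['zone']} not in requirements"]
    if ipaddress.ip_address(device["ip"]) not in ipaddress.ip_network(zone["subnet"]):
        findings.append(f"{device['name']}: {device['ip']} outside {zone['subnet']}")
    if device["vlan"] != zone["vlan"]:
        findings.append(f"{device['name']}: VLAN {device['vlan']} should be {zone['vlan']}")
    if device["ip"] == zone["gateway"]:
        findings.append(f"{device['name']}: uses the zone gateway address")
    return findings


def audit_inventory(inventory, requirements):
    """Deploy-phase audit: per-device findings plus duplicate-address and capacity checks."""
    findings = []
    for dev in inventory:
        findings.extend(check_device(dev, requirements))
    for ip, n in Counter(d["ip"] for d in inventory).items():
        if n > 1:
            findings.append(f"duplicate address {ip} assigned {n} times")
    for zone, cnt in Counter(d["zone"] for d in inventory).items():
        limit = requirements.get(zone, {}).get("max_devices")
        if limit is not None and cnt > limit:
            findings.append(f"{zone}: {cnt} devices exceeds ceiling of {limit}")
    return findings


def validate_change(inventory, requirements, new_device):
    """Change-control gate: return only the findings the proposed addition introduces,
    so pre-existing discrepancies do not block an otherwise clean change."""
    before = set(audit_inventory(inventory, requirements))
    after = audit_inventory(inventory + [new_device], requirements)
    return [f for f in after if f not in before]


def zone_utilization(inventory, requirements):
    """Devices in use per zone versus its ceiling, for the 'add capacity later' question."""
    counts = Counter(d["zone"] for d in inventory)
    return {z: (counts.get(z, 0), r["max_devices"]) for z, r in requirements.items()}


if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY, REQUIREMENTS):
        print("AUDIT:", finding)
    proposal = {"name": "plc-a2", "zone": "cell-A", "vlan": 110, "ip": "10.10.10.10"}
    print("CHANGE:", validate_change(INVENTORY, REQUIREMENTS, proposal) or "approved")
    print("UTILIZATION:", zone_utilization(INVENTORY, REQUIREMENTS))
```

The constructed inventory carries two deliberate defects, a drive tagged with the neighbouring cell's VLAN and an I/O block addressed out of its zone's subnet; both are the kind of discrepancy that later shows up as unexplained cross-zone traffic. validate_change subtracts the pre-existing findings so that a clean addition is not blocked by an earlier mistake, while a proposal reusing an address already in service is.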

Following these five steps and leveraging best practices for network design can provide the advantages of an open and interconnected network, with optimized performance and reduced security risk.

– Jessica Forguites is a Rockwell Automation product manager; edited by Mark T. Hoske, content manager, CFE Media, Control Engineering,

Key concepts

  • Network segmentation boosts performance, protection.
  • Reduce network cybersecurity risk and optimize network performance.
  • Follow these 5 steps to leverage best practices of network design.

Consider this

Is the current network architecture robust enough to protect intellectual property and assets?

ONLINE extra

This online article has links and more cybersecurity and networking information than what appeared in the November issue.
