Zone Defense in a Connected World

Dozens of billions of connected devices in the world and no clear path to secure them. Here's how cyber security needs to change.

by Jeffrey Lewis · Nov. 25, 16 · Opinion


Nearly 40 billion. That’s how many devices will be connected to the Internet in 2020. A 285% increase from 2015, with industrial and public service sectors as the largest users of digital things.

Common sense says that more connected devices mean more exposure to cyber attack. By extrapolation, it also says that proper cyber security—especially in critical infrastructure environments—is becoming an imperative.

As OT networks become increasingly connected, the attack surface is widening and, with it, the likelihood of heightened risk. In contrast to IT, OT environments—such as steel mills, power plants, pipelines, rail yards, and hospitals—have much more at stake. The safety of people, multi-million dollar critical infrastructure, productivity, and the environment have all become far more susceptible to threats and exploitation.

But with so many devices, where do you start?

Zone Defense: Strengthening the Perimeter

In sports, a winning strategy requires a sound defense. And a common tactic in basketball and American football is to set up a zone defense. Rather than matching player-to-player, these approaches assign defensive players an area—or zone—to cover.

Not unlike stopping an opponent from scoring a game-winning goal, zone segmentation is a key strategy for protecting network operations from cyber attacks. It is the foundational building block of any modern industrial cyber security practice, and must be applied in a manner that suits the specific needs of your industrial control system (ICS) and operational technology (OT) environment.

The basic goal of segmentation is simple: create boundaries, or zones, around groups of assets and/or data so that specific policies can be enforced on those zones based on business requirements. However, because IT segmentation technologies tend to fall short of OT security requirements, a new zoning approach is needed.

In OT cyber security, a perimeter defense—which only accounts for traffic going in and out of the network—is no longer enough, and more protection is now needed inside the network. This is why network segmentation and its zone-specific policies play such a crucial role in controlling, monitoring, and protecting crucial assets. Proper segmentation enhances your organization’s security posture and helps harden the control network. Without it, successful attacks can result in a tremendous loss of asset availability, decreased revenue, and increased costs.

While network segmentation is a fundamental component of cyber security, it is important to understand that industrial control environments can present certain implementation challenges:

  • Mind the (air) gap: Due to the rise of industrial systems, mobility, cloud technologies, and multi-vendor environments, air gapping is no longer effective. The Internet will find or build a bridge over an air gap.
  • Watch the perimeter: Multiple perimeters are formed from industrial system devices communicating with one another as well as other sub-system devices, making traditional perimeter security inadequate.
  • IT tools and techniques don’t work in OT networks: IT technologies simply weren’t built to work in OT environments.

Segment to Protect

OT network segmentation must enable easy, zone-level separation in a centralized manner—without requiring network re-engineering or re-configuration. It also requires an intuitive graphical user interface (UI) for simplicity’s sake and should allow for virtual segmentation of bulky and/or remotely located critical devices.

Same Game, Different Language

IT and OT can and should play well on the same team, but you need to recognize that they don’t speak the same language. Put another way, OT devices use different protocols than their IT teammates. And that’s OK, as long as each team’s role in securing operations is clear.

Your security solution must understand the many communication languages of industrial environments, specifically the relevant OT protocols, in order to properly filter and inspect network traffic across zones. Remember, legitimate protocol commands can be used for illegitimate purposes. Taking a deeper look into the full context of each data flow can help give you a glimpse into malicious intent or accidental misconfiguration.

Define Normal

It is critical to create zone policies that are specific to your particular OT environment. To do so, you need to be able to create a baseline view that records all OT network traffic and can determine what normal traffic looks like in order to protect each zone from malicious and anomalous behavior. You also need to understand the full context of OT protocols, and be able to complete virtual zoning (remotely and centrally) as well as enforce customized security policy for each unique OT environment.
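The three ideas above, zone-level policy between groups of assets, inspection at the level of protocol operations rather than just addresses, and a learned baseline of what "normal" looks like in each zone, fit together in a small amount of code. The following is an added example, not code from the article or from any product the author describes. The asset addresses, zone names, zone policy, and the flow records in the learning window are all constructed for illustration; the protocol and operation names (`modbus`, `read_holding`, `write_single`, `opcua`) are only labels on those records, and no real protocol parsing is performed.

```python
"""Zone-aware baselining of OT flow records (added example; all data constructed)."""
from dataclasses import dataclass

# Hypothetical asset-to-zone assignment. In practice this comes from an
# asset inventory; the addresses here are constructed for the example.
ZONES = {
    "10.1.1.10": "hmi",
    "10.1.1.11": "hmi",
    "10.1.2.20": "plc_line1",
    "10.1.2.21": "plc_line1",
    "10.1.3.30": "historian",
    "10.9.9.99": "corporate_it",
}

# Zone policy: ordered (initiator zone, responder zone) pairs that may talk.
# Traffic that stays inside one zone is allowed by this example's policy.
POLICY = {
    ("hmi", "plc_line1"),
    ("hmi", "historian"),
    ("plc_line1", "historian"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # protocol label, e.g. "modbus"
    op: str     # protocol-level operation, e.g. "read_holding"


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not in the inventory is 'unknown'."""
    return ZONES.get(ip, "unknown")


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<timestamp> <src> -> <dst> <proto> <op>'."""
    _ts, src, arrow, dst, proto, op = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record format: {line!r}")
    return Flow(src, dst, proto, op)


def flow_key(f: Flow):
    """The tuple the baseline is keyed on: zones plus protocol and operation,
    so the same command from a different zone is a different key."""
    return (zone_of(f.src), zone_of(f.dst), f.proto, f.op)


def build_baseline(lines):
    """Learn every (src_zone, dst_zone, proto, op) seen during a quiet learning window."""
    return {flow_key(parse_flow(line)) for line in lines}


def evaluate(line: str, baseline, policy=POLICY):
    """Return findings for one flow record.

    'policy_violation': the zone pair is not permitted by the zone policy.
    'anomalous': the zone/protocol/operation combination never appeared in
    the baseline, which catches a legitimate command used from the wrong
    place or a command this zone pair has never issued before.
    """
    key = flow_key(parse_flow(line))
    src_zone, dst_zone = key[0], key[1]
    findings = []
    if src_zone != dst_zone and (src_zone, dst_zone) not in policy:
        findings.append("policy_violation")
    if key not in baseline:
        findings.append("anomalous")
    return findings


# Constructed learning-window records: what the plant looked like while healthy.
LEARNING_WINDOW = [
    "2016-11-25T08:00:01 10.1.1.10 -> 10.1.2.20 modbus read_holding",
    "2016-11-25T08:00:02 10.1.1.10 -> 10.1.2.21 modbus read_holding",
    "2016-11-25T08:00:03 10.1.1.11 -> 10.1.2.20 modbus write_single",
    "2016-11-25T08:00:04 10.1.2.20 -> 10.1.3.30 opcua publish",
    "2016-11-25T08:00:05 10.1.1.10 -> 10.1.3.30 opcua read",
]

BASELINE = build_baseline(LEARNING_WINDOW)

if __name__ == "__main__":
    # Constructed records to check against policy and baseline.
    for record in [
        "2016-11-25T09:00:00 10.1.1.10 -> 10.1.2.20 modbus read_holding",
        "2016-11-25T09:00:01 10.1.1.10 -> 10.1.2.21 modbus write_multiple",
        "2016-11-25T09:00:02 10.9.9.99 -> 10.1.2.20 modbus write_single",
        "2016-11-25T09:00:03 10.1.3.30 -> 10.1.2.20 modbus write_single",
    ]:
        print(record, "->", evaluate(record, BASELINE) or "ok")
```

Two design points are worth noting. The baseline is keyed on zones rather than individual addresses, so it stays small and stable as devices are swapped within a zone, which is what makes centralized, virtual zoning practical. And it is keyed on the protocol operation, so a write command issued from the historian zone or from corporate IT is flagged even though the very same command is routine when it comes from the HMI zone: the "legitimate command, illegitimate purpose" case the article warns about.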

While defending against a sports opponent can’t compare to protecting your operation from cyber attack, applying an effective zone defense can help improve your security posture and strengthen your competitive position.

Network security

Published at DZone with permission of Jeffrey Lewis, DZone MVB. See the original article here.
