Growing importance of IT/OT network segmentation is underscored by recent high-profile cyber attacks, which have laid bare significant vulnerabilities. These incidents demonstrate that even relatively unsophisticated malware can breach the divide between corporate IT networks and OT (operational technology) networks. These escalating situations underscore the paramount importance of prioritizing safety and maintaining uninterrupted operations. This further emphasizes the ongoing imperative to reassess and strengthen IT/OT network segmentation to secure industrial control systems (ICS).
In this two-part series, Industrial Cyber addresses the intricacies of IT/OT network segmentation and explores the potential of AI and machine learning in enhancing industrial network segmentation.
Addressing complexity of IT/OT network segmentation
Industrial Cyber contacted experts in the field of industrial cybersecurity to delve into the persistence of malware propagation, which, despite the widespread recognition of industrial network segmentation, continues to pose operational risks, prompting questions about its effectiveness. They analyze whether the current implementation falls short when it comes to implementation. Additionally, the experts investigate significant factors contributing to the vulnerability of industrial networks, even in the face of advancements in cybersecurity measures.
Roman Arutyunov, co-founder and senior vice president of products at Xage Security, told Industrial Cyber that segmentation, in general, is not an easy thing to implement. “Companies often struggle with defining and using their network perimeters. Within many of these expansive networks lies vulnerability, and a breach by malware can spread unchecked throughout the entire system, compromising tens of thousands of assets.”
He added that unfortunately, malware doesn’t need to be sophisticated for these types of breaches, and by the time the malware is detected, it has often already spread far enough that costly incident response measures are necessary. “That’s where we are at, in the industry.”
“To combat these breaches, analysts are proposing a more robust solution: identity-based segmentation, which provides a granular, zero-trust framework for safeguarding individual assets and interactions within enterprises,” Arutyunov pointed out. “This approach represents a significant advancement and offers a solid foundation for thwarting attacks. Under this approach, defining which applications can interact with specific assets is pivotal, and the implementation of managed credentials, coupled with regular updates and rotation and multi-factor authentication (MFA), is key. This helps restrict access to a single system, shifting the balance against attackers who must work hard to compromise identities – for minimal gain.”
The root cause of these security lapses often lies in companies’ continued reliance on shared accounts, neglecting MFA, and failing to adopt the principles of zero trust, Arutyunov said. “The industry needs to shift to a paradigm where safeguarding individual assets takes precedence over conventional network-based security.”
Referencing the company’s 2023 Threat Report, Andrew Ginter, vice president for industrial security at Waterfall Security Solutions, told Industrial Cyber that there are three ways ransomware can impact physical operations.
“Ransomware can target OT systems and automation directly – e.g.: SNAKE ransomware has code in it to stop common OT server processes to more easily encrypt those systems’ configurations and databases,” according to Ginter. “We can shut down OT out of an ‘abundance of caution’ because we are not confident of the strength of our OT security program in light of modern ransomware threats, or we must shut down OT systems because minute-by-minute physical operations depend on services and systems that ransomware has impaired on compromised IT networks.”
He added that he has a “sense that dependencies are responsible for more OT shutdowns than ‘abundance of caution’ scenarios – but I don’t have the data to back that up. That’s a question for the 2024 threat report.”
“The challenge with any network segmentation project is that it’s the best on the day it is implemented and will degrade over time to what I refer to as network entropy,” Jason Weber, vice president of product at Veracity Industrial Networks, told Industrial Cyber. “There are two main challenges in maintaining a well-structured and secure network architecture. First, within the OT environment, the most important goal is to produce products. As a result, production (in most instances) takes precedence over cyber security concerns. If production goes down at 3 a.m., the main priority is to get it back up and running and not necessarily to ensure that segments or network architecture rules are enforced.”
Weber added that the second is a lack of trained network experts. “Some control engineers and maintenance engineers have a deep understanding of industrial networks, but this is not the norm. Most have knowledge of the process and the control system running that process. This can also cause a network design with the best intentions to be compromised.”
Zane Blomgren, director for industrial cybersecurity at Belden agreed that operations halting is a signal that many implementations of network segmentation are not fully effective. “It also signals a lack of confidence in the state of industrial network security. There are several reasons for this. First, there are still many flat networks that intermingle with IT networks which leave them very vulnerable to spillover. Second, we see system shutdowns ‘in an abundance of caution’. These organizations stop control systems to proactively avoid a spillover from IT systems. Colonial Pipeline is a prime example. The company’s IT systems succumbed to ransomware and to prevent hackers from venturing further into the company’s network systems, operations were shut down.”
Lastly, Blomgren added that they also see organizations where they have begun network segmentation, but have favored availability over tight security restrictions. “In these cases, the more static nature of the network segmentation leaves them less able to respond with agility to developing malware and other threats. To help address these issues, creating a stronger border/DMZ can help tremendously and is a good first step.”
He also additionally recommended a focus on incident response planning and tabletop exercises to proactively prepare for threats. “Make sure to examine both your visibility into the issue and your mitigation approach.”
Harnessing AI, machine learning for industrial network segmentation
The executives delve into how advanced technologies such as AI and machine learning have enhanced industrial environment segmentation and cybersecurity. They assess the demonstrated potential of these technological advancements to further fortify the efficacy of industrial network segmentation.
Arutyunov said that AI holds significant promise in helping organizations formulate essential policies under complex circumstances – such as when tasked with protecting thousands of company assets managed by various employees. “Creating an effective central policy requires collaboration with various stakeholders to ascertain appropriate access rights. AI can facilitate this process. AI can behaviorally profile users, providing policy recommendations derived from these profiles, while continuously improving its understanding of intricate patterns in real-time,” he added.
“AI can also help with more dynamic tasks, such as assessing the ever-changing risk levels associated with specific interactions, striking a balance between maintaining a secure environment and ensuring a seamless user experience,” according to Arutyunov. “It’s imperative that user interactions aren’t overly cumbersome, and AI can provide real-time insights into risk assessment, enabling security policies to be adjusted accordingly.”
Ginter said he hasn’t “seen AI used for segmentation – it is used routinely for anomaly-based intrusion detection, not segmentation.”
AI is just beginning to be introduced into industrial environments, Weber noted. “The OT world is traditionally slow to adopt new technologies and likely only early adopter manufacturers have embraced AI today.”
However, he added that “the potential for AI is incredible, from monitoring network packets and traffic to ensuring that there are no potential threats that have penetrated the defenses, and validating that network standards, segmentation, and other best practices are followed. Another use case for AI is to help guide plant floor employees when they are making updates or changes to ensure adherence to best practices and processes.”
Blomgren identified that AI/ML has been getting a lot of buzz these past few months, yet we’re seeing more hype than implementation. “While AI/ML has the potential to benefit industrial organizations generally — and their network segmentation more specifically — many are taking a wait-and-see approach. We think that’s advisable given that many industrial organizations haven’t put into place the foundational controls needed to effectively take advantage of AI’s promise.”
He added that to start down the path to AI/ML in industrial network segmentation, “we advise organizations, to begin with policy management and/or other foundational rules-based controls that allow for rapid responses to changes in threats.”
“AI or ML will, at a point, be a very powerful tool to uncover and define communication baselines and patterns,” Blomgren evaluates. “However, starting AI/ML-based network segmentation without foundational controls in place will rarely be successful because these projects often require a higher level of maturity, corresponding budgets, and people with skills to effectively govern AI to maximize its benefits. Simply put: you don’t need AI to realize the value of network segmentation. You just need to get started and work it in stages, based on prioritization of assets and the potential risk the business faces should it be successfully attacked.”
Tune in on Monday for the second part of this industrial network segmentation series, where executives tackle industrial network segmentation challenges and work their way toward future-proofing industrial network segmentation.