Importance of Network Segmentation for OT


Summary

Network segmentation for operational technology (OT) is crucial for improving cybersecurity by dividing networks into smaller, isolated segments to limit unauthorized access and potential damage during cyberattacks. This proactive approach helps safeguard critical infrastructure like industrial systems, water utilities, and energy grids from threats.

  • Implement secure DMZs: Create demilitarized zones (DMZs) to mediate and control communication between IT and OT networks, using firewalls and access controls to restrict unauthorized access.
  • Separate critical assets: Group OT assets with similar functions into zones and use conduits to regulate communication, ensuring that each system only interacts with what is necessary for its operation.
  • Use real-time monitoring: Deploy tools for continuous monitoring of network traffic to detect and respond to suspicious activities promptly, safeguarding critical operations from potential threats.
Summarized by AI based on LinkedIn member posts
  • Mike Holcomb

    Helping YOU Secure OT/ICS | Fellow, OT/ICS Cybersecurity

    59,260 followers

    The #1 cyber security control in ICS/OT to stop attackers? Secure network architecture. It might be one "control," but it has many parts.

    1. IT-OT DMZ

    Most ICS/OT networks have some communication with the IT network. A DMZ with two layers of firewalls is implemented between the IT and OT networks. The DMZ helps limit the flow of traffic between the two main networks. Forcing the traffic through systems that act as intermediaries. Intermediaries that can help enforce security. Ultimately, the DMZ limits the damage that can be done WHEN an attacker gains access to the IT network. The main goals here are to:
    -> Prevent an attacker from moving into the OT network from IT
    -> Limit communication from the OT network to the IT side
    -> Ensure DMZ hosts are hardened against attack
    -> And monitor for potential attacks

    2. OT Network Segmentation

    Besides the IT-OT DMZ, further network segmentation should be performed within the OT network. As a starting point, many reference the expanded Purdue Model, even though this was not its intent (and you should jump to "Zones and Conduits" below). An attacker could gain access to the IT network, but placing additional segmentation through firewalls and ACLs on switches can limit them. The goals here are to:
    -> Provide necessary communication for the plant to operate
    -> Limit damage in the event an attacker gains access
    -> Give systems the ability to spot malicious activity
    -> Slow down an attacker in the OT network

    3. Zones and Conduits

    As organizations mature, they look to ISA/IEC 62443 as the gold standard for building an ICS/OT cyber security program. A main focus of ISA/IEC 62443 is to break up the OT network overall into zones. Zones are logical groupings of assets that share the same function and/or security requirements. Conduits help reflect the paths of communication between assets in different zones. Zones help segment the network further and allow operators to wrap Access Control Lists around those zones, only allowing required traffic to communicate between zones. That HMI needs to talk to that PLC? Great! That HMI doesn't need to talk to anything else? Then don't let it! Give your assets what they need. No more. No less. If you give more, an attacker will take advantage of it one day!

    4. Further Microsegmentation

    Zones can help limit communication between parts of the network. But they do not limit traffic between hosts within the same zone. Just like above, we want to limit pathways an attacker could use against us. If an attacker gained a foothold in the DMZ, would they have access to the other hosts? And then the pathways accessible to those hosts? Perhaps they cannot directly access a PLC or DCS from the DMZ. But is there a pathway through other zones and hosts from the DMZ that would allow it? Is there a pathway that would allow access to your SIS?

    P.S. What else would you include or change?

    #CyberSecurity #Automation #Engineering #ICS #Technology
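The "is there a pathway?" question in point 4 can be checked mechanically rather than by eyeballing a diagram. The script below is an added example, not part of the post: it models a constructed plant (zone names, host names and the conduit list are all assumptions) as zones, hosts and allowed initiator-to-responder conduits, then searches for any multi-hop route from an assumed DMZ foothold to the SIS zone, once with flat zones (no intra-zone controls) and once with intra-zone microsegmentation.

```python
from collections import deque

# Constructed sample topology (not from the post): zones, their hosts, and the
# conduits (allowed initiator -> responder flows). Anything not listed is denied.
ZONES = {
    "IT": ["erp", "eng_workstation"],
    "DMZ": ["historian_mirror", "jump_host"],
    "SUPERVISORY": ["hmi", "historian"],
    "CONTROL": ["plc_1", "plc_2"],
    "SIS": ["sis_controller"],
}
CONDUITS = [
    ("eng_workstation", "historian_mirror", "https"),
    ("historian", "historian_mirror", "db_replication"),  # OT pushes out, never in
    ("jump_host", "hmi", "rdp"),
    ("hmi", "plc_1", "modbus"),
    ("hmi", "plc_2", "modbus"),
    ("hmi", "sis_controller", "modbus"),  # over-permissive: the HMI has no need for SIS
]

def zone_of(host, zones=ZONES):
    return next(z for z, hosts in zones.items() if host in hosts)

def build_graph(conduits, zones, flat_zones):
    """Adjacency of who can initiate to whom. With flat_zones=True, hosts in the
    same zone reach each other freely (no microsegmentation inside the zone)."""
    graph = {h: set() for hosts in zones.values() for h in hosts}
    for src, dst, _service in conduits:
        graph[src].add(dst)
    if flat_zones:
        for hosts in zones.values():
            for h in hosts:
                graph[h].update(x for x in hosts if x != h)
    return graph

def find_path(foothold, target_zone, conduits=CONDUITS, zones=ZONES, flat_zones=True):
    """BFS from an assumed attacker foothold; returns the first host path that
    ends in target_zone, or None if the segmentation blocks every route."""
    graph = build_graph(conduits, zones, flat_zones)
    queue, seen = deque([[foothold]]), {foothold}
    while queue:
        path = queue.popleft()
        if zone_of(path[-1], zones) == target_zone:
            return path
        for nxt in sorted(graph[path[-1]]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

With flat zones the foothold on historian_mirror reaches the SIS via jump_host and the HMI; with intra-zone microsegmentation (flat_zones=False) or with the HMI-to-SIS conduit removed, no route exists.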

  • Mahmudul Hasan Pahlabi

    Aspiring Cyber Security Professional. (Security+ SY0-601, Azure Administrator, CCNA, RHCE, JNCIA)

    2,755 followers

    ICS Architecture: Control DMZ - Relevant under ISA/IEC 62443 & NIST 800-82r3

    1. Control DMZ under ISA/IEC 62443
    > A DMZ is "a common, limited network of servers joining two or more zones for the purpose of controlling data flow between zones." It ensures separation and mediates communication between zones, preventing direct connections.
    > Used to control and secure data flows, minimizing risk from direct IT-OT communication.

    >> Zone Boundary Protection (SR 5.2)
    > The system must enforce restrictions on communication between zones through mechanisms like firewalls and IDS/IPS.
    > Fail-Close Mode: Essential ICS functions must operate even if zone boundary protection fails, using "fail-close" or "island mode."

    >> Network Segmentation (SR 5.1)
    > Logical or physical segmentation must isolate zones, including the DMZ, ensuring secure data flow across defined conduits.

    >> Restricted Data Flow (FR 5)
    > Prevent unauthorized data movement between zones, with the DMZ acting as an intermediary.

    >> Data Confidentiality (FR 4)
    > Encryption: Communication traversing the DMZ must use secure methods to prevent eavesdropping.
    > Authentication: Robust identification and authentication mechanisms for all users/devices accessing the DMZ.

    >> Timely Response to Events (FR 6)
    > Continuous Monitoring: The DMZ must support real-time monitoring and logging for all traffic.
    > Audit Logs: Logs must be securely stored and accessible for review without impacting operations.

    >> Resource Availability (FR 7)
    > DoS Protection: The DMZ must be resilient to Denial-of-Service attacks.
    > Fail-Safe Operation: Critical OT functions must continue uninterrupted during DMZ failures.

    >> Compensating Countermeasures
    > If certain controls (e.g., firewalls or IDS) are infeasible, alternative measures (e.g., physical access controls) must compensate.

    ---

    2. NIST SP 800-82r3
    > The DMZ creates a logical separation between corporate and OT networks, preventing direct traffic and enforcing secure mediation.
    > Employ DMZ architecture to manage data flow, ensuring only authorized traffic passes between IT and OT environments.
    > Use stateful firewalls and unidirectional gateways to establish secure boundaries.
    > Limit communications to predefined, secured paths.
    > Incorporate protocol enforcement and network monitoring to detect suspicious activity.
    > Use multi-factor authentication for access to systems within the DMZ.
    > Separate authentication mechanisms for IT and OT networks ensure traceability.
    > Persistent monitoring for all DMZ traffic, logging, and anomaly detection to ensure security.
    > Logs must be securely maintained and accessible for analysis without affecting performance.
    > Fail-safe mechanisms must maintain critical functionality or degrade gracefully during failures.

    This is just the beginning—the guidelines are too extensive to be covered in a single post.

  • Jason Miller

    Founder and CEO at BitLyft

    7,359 followers

    Water utilities don’t have the easiest job when it comes to protecting their legacy systems, like SCADA or IoT. Though some are modernizing their systems, others are still challenged with legacy systems. Yet, they’re essential for operations. I mean, who wouldn’t want clean drinking water unaffected by cyber attacks? BitLyft has the opportunity to work with water utilities every day. Here are a few suggestions we have come up with that can make a big difference.

    Limiting and securing remote access is an absolute must and first step. Remote access can be convenient and help you get your job done, but it introduces significant risk. Just think about it: if it is easy for that employee to perform their job, it’s also easy for the criminal to perform their criminal activity if they get a hold of the remote access. A simple step would be plugging in an Ethernet cable only when it needs to be used. It can also be as easy as making sure that the remote access account has two-factor authentication or other ways to verify the intended user is the proper user.

    Second, network segmentation is a modern approach to network design. You must have it. Legacy systems should isolate their own VLANs and separate the office or business aspect of the water utility from the actual utility itself. Segmenting SCADA and IoT from the business network. If these systems are allowed to communicate freely with one another, the network can be open to substantial risk and disaster can be waiting to happen.

    Lastly, use network monitoring tools. This is in order to make sure that the traffic on your network is the intended traffic, that the devices talking to one another are the ones that are meant to be talking to one another. Real-time threat detection is very important inside the network, as well as understanding what is trying to get into the network.

    If there is anything you would add, let me know in the comments. I’d love to have a free and open chat with you. Small steps lead to big changes when it comes to protecting water utilities.
