Segmenting networks for Industrial Control Systems

IT security is increasingly being recognized by most companies as an important aspect of IT security strategy in Industrial Control Systems (ICS). Some measures differ fundamentally from IT security in data centers, such as patching and vulnerability management. Other aspects can largely adopted from the data center sector – this includes network segmentation. Most companies operate a policy of “zero trust” or “consider breach”. In these scenarios, networks are no longer considered secure or insecure. Each network is classified as potentially insecure because it is assumed that an attacker will definitely overcome the perimeter.

Network segmentation is an integral part of important frameworks in the ICS environment, such as EN 62443 and NIST 800-82. However, implementing a zone concept in an existing ICS environment is a particular challenge: Switching off, reconnecting and adjusting firewall settings is usually not possible. Nevertheless, segmentation remains a critical aspect of security for ICS environments and can be implemented with the right planning. This includes a cautious approach to selecting and using tools when analyzing the existing environment.  Aggressive active scanning with Nmap can cause downtime on IoT and ICS devices. Not every device will respond to a ping which could lead to gaps in mapping the network accurately. In addition to specialized tools for ICS applications, packet sniffers that log network traffic, support ICS protocols and can detect existing devices accurately are also suitable. In any case, documentation in an efficient and well-managed ICS network should in any case should already give an accurate map of the network.

Once an accurate map of the existing devices has been produced, you can move on to analyzing segmentation. Sniffers can also be useful here to discover which devices communicate with each other. Ideally, devices which already have a high level of communication with one another should be combined in one segment. If boundaries established throughout the company are being crossed – for example, if access to ICS components from the regular office network is logged, it is worthwhile checking whether this connection is absolutely necessary. If such connections are deemed legitimate and acceptable during a risk analysis, gateways such as a proxy or a firewall must be implemented.

One of the main reasons ICS admins are reluctant to think about segmentation in existing environments is the fear of inadvertently blocking important connections. This risk is real, absolute certainty that every single device and its communication requirements have been considered is not realistic. However, a thorough analysis phase with a packet sniffer, good documentation and modern ICS-suitable firewalls with features such as learning mode help to minimize this risk. Although the firewall already ensures segmentation in learning mode, it still lets all packets pass. It monitors all network relationships during the learning process and produces an accurate analysis whether necessary connections would have been inadvertently blocked. After testing the tasks that will be carried out in the production system over a number of weeks, firewall rules can be enabled gradually.

Direct connections to the Internet must be considered carefully. Although Internet connections have often been deemed in the past as unnecessary and unacceptable in terms of risk, this is not always the case today. Although direct connections to the Internet remain taboo, an absolute ban on connections beyond company borders is no longer up-to-date. For example, many manufacturers offer cloud-based management functions. Whether such services are appropriate in a specific environment is an individual decision. However, they can be enabled if the connections are secured by a VPN tunnel, firewall, and strict management of rights and roles to restrict potentially damaging actions. Incoming remote connections, which are required by many manufacturers to maintain their ICS components, are also acceptable as long as they are routed via a VPN and it is always clear what is being done. For critical components, Privileged Access Management might be considered.

Network segmentation cannot be introduced early enough, but it doesn’t all have to be done at once. True to the 80/20 rule, the most important assets whose failure would cause the greatest damage should be secured first. Once that job is done, you can think about the rest. But this does mean that companies need to know what their critical assets are. And many companies fail to manage risks effectively because they have not considered this carefully and conducted a thorough risk analysis.  So before diving into the technical details, remember it is important to do the right research. The BSI ICS security recommendations , NIST 800-82 and EN 62443 show in detail how best to approach the topic and the BSI and NIST resources are even free of charge.