The importance of network segmentation for critical infrastructure

By Patrick Miller

Network segmentation - creating specialized, highly-protected network segments for critical systems - can provide necessary isolation and defense against ransomware and other attacks on critical infrastructure.

Keysight Sr. Industrial Solutions Manager Gail Ow interviews Ampere CEO Patrick Miller about internal network security monitoring. Interview edited for length and clarity.

GAIL: 

So we're talking about industrial cybersecurity. My name is Gail Ow. And joining me today is Patrick Miller, CEO of Ampere Industrial Security. So today we're talking about network segmentation. Why do we need to focus on network segmentation now? It's kind of a hot topic.

PATRICK: 

It's a hot topic. It's in many things: it's in executive orders, it's in standards, it's in regulations, it's in the national security memo. Network segmentation is basically just taking your really, really important critical things that could cause loss of life, or go boom, or other things like that, and putting them in a special network where only very explicit rules, or no rules at all, allow traffic to go through. These systems can live in their own world where they cannot be touched by other things in their special network space. What you don't want is your critical equipment showing up on some search engine somewhere, where someone can easily log into it, and take control over your environment or do bad things. That is the big fear.

It's actually happening. It has happened in several cases. Public cases of this happening are known. So, you put all these important things behind not just one layer, but multiple layers, so that the bad guys – whoever wants to do bad things to your system – have to go through all of these different network segments with different rules and different controls and special methods like multi-factor authentication, jump hosts, and different protocols to actually get to those important systems. That's the goal at the end of the day. You don't want to have somebody out there on the internet logging into your critical systems from a coffee shop and turning off the lights, causing a machine to go boom, or making other bad things happen.

GAIL:

Oh, excellent.

PATRICK:

A good example of this in the real world is in the Middle East a few years ago. Some malware got on machines, and within seconds-to-minutes, 30,000 machines were essentially erased, or “bricked.” They were useless, essentially dead. The reason that it didn't cause bigger problems (and this is a big enough problem by itself), was that the really important critical industrial control systems were separated. They were segmented off. So, that malware didn't affect that part of the operation. And that's exactly why we want to segment those important critical components away from everything else.

GAIL:

Okay, so I can understand how this is very, very important and actually how complex it can be. How do we figure out what's important, you know, like, what needs to be segmented? Do I just get to make it up or is there some guidance that I can get from somebody somewhere?

PATRICK:

There are several ways to do this. An asset inventory is always where you start. You need to know what you have. The next step is knowing what, from that list, is important. There are different models you can use. Some like to start with business impact assessments, a special discipline and practice. Or, you can use existing frameworks, like NIST 800-82, IEC 62443, NERC CIP, or API 1164. These are all acronyms, numbers, and things, but they are basically ways to prioritize the important systems – and then look for ways to put them inside a protected network. So there are plans for this with frameworks to make things more structured.

GAIL:

That's great. How are we doing with this? I mean, different sectors must be different places in this.

PATRICK:

We're doing okay. I think the concept of network segmentation isn't new. Some organizations may have started down this path already. But, what I've seen in a lot of cases is that there is some critical system somewhere under Dave's desk or Alice's desk – and the app it's running was written by three engineers in a basement (and two of them are dead). We just can't touch it because it's so critical. So, it stays where it is. You end up with these systems in random networks that just can't go down because they host something critical. Then, when you do network segmentation, since you're separating networks, which can cause network outages, you often must wait for the right window to make these changes. For example, until you know that pair of generation units can get a scheduled outage. In the industrial space, we don't want to take an unscheduled outage because that means losing money. This can slow the process of network segmentation down, but take as many opportunities as you can to get as much network segmentation as you can for these industrial control systems.

GAIL:

I can, I can see that. Wow. Okay.

PATRICK:

There's always a chance to improve. Even things like remote access, or using things like a jump host versus just a direct TeamViewer session. That's a good example on the OT side. As we get better and better, we're using more digital technologies. We're restricting firewall rules to allow only and explicitly what's needed. There are always ways to make these segmentations tighter and better. I like to call it “shrink wrapping.” You really want to figure out the critical systems you need in this space, and then you shrink wrap the network right around that important stuff. Then you create very specific rules about what can go in and out. And then, you do the same thing for all the other areas so that every zone basically has its own set of specific rules, but especially for the important stuff. Your enterprise workstations and everything else in the corporate network can have a different life.

GAIL:

Well, thank you so much, Patrick, always enjoy talking to you. I'm sure our audience does too. You take care. Thank you so much.

Also see Keysight Technologies' companion blog: How Network Segmentation Can Mitigate Pipedream Attacks on Critical Infrastructure