The value of segmenting local area networks into security zones is widely recognized yet rarely done well. Many large production environments are susceptible to today's sophisticated attacks due to a focus on perimeter security, leaving internal networks as a “flat” architecture, and difficult to defend from well-designed exploits. Attacks on poorly segmented networks are often the result of malware having found the easiest path in, then moving to penetrate more valuable assets within the enterprise WAN.
Segmenting into defined security zones improves an organization's defensibility by:
- Reducing attack surface
- Limiting exposure of critical production assets
- Using access controls to restrict movement from segment to segment
- Focusing security monitoring and controls on the zones where they are most effective
- Improving detection and mitigation capabilities tied to Incident and forensics support
For those companies that redesign their networks for better segmentation, maintaining a clean, functional design will be a big challenge. Here are five ideas to make it easier:
Update policy to reflect current best practices
Policy and standards drive behavior. A required architecture is easier to maintain when all involved parties understand the underlying reasons for the design’s details. Approved standards that reinforce the design give the network and security teams insight into the purpose of design details. As an example, the policy regarding network segmentation might have details such as these (from ISA/IEC 62443-3-2-Draft):
4.4.5 Separation of control system and safety system zones
220.127.116.11 Safety-related systems should be grouped into separate zones
18.104.22.168 Safety-related systems usually have different security requirements than basic control system components or systems, and components interfaced to the control system components
22.214.171.124 Portable and mobile devices that are permitted to make temporary connections to a zone should be grouped into a separate zone(s)
4.4.7 Separation of wireless communications
126.96.36.199 Wireless communications should be in a separate conduit from wired communications
Design controls for consistency from the data center to the field location
The zone-based design is intended to ensure consistent application of controls throughout the enterprise. As an example, historical production data is found within a plant network and is ultimately aggregated within the data centers. Controls applied to that data should be consistent, regardless of whether the data is found at a facility or at the data center. A motivated attacker will choose the easiest path in. The value of the data remains the same, wherever it is found.
With newer networking technologies, such as Software Defined Networks (SDN), security zones need to be reflected in containers and virtual machines.
Consider automated inventory requirements before segmentation
Automated inventory systems are often hemmed in by switches, requiring the use of span ports or taps. Changing the topology by adding switches or internal firewalls will likely affect the ability to inventory assets. Planning for inventory should be based on threat analysis and zoning rule.
Only apply controls where needed
Placing effective controls in the right places of the network represents a large part of the security team’s responsibilities. An easy (though questionable) approach is to simply apply controls throughout the enterprise equally. On the surface, this approach seems thorough. In reality, applying controls where they are not warranted is a formula for failure. Here’s why:
- Security controls tend to be costly
- Support of the controls ties up resources
- As use of a control expands, so does staffing
- Sophisticated controls, such as IPS and Deep Packet Inspection are bandwidth and hardware intensive
- SOC staff can be overwhelmed by legitimate alerts from zones where the alert isn’t really that important.
Network segmentation, based on security requirements, ensures that the right controls are enabled in the segments where The Plant’s calculated risk profile indicates the need.
White/Black lists based on zones
White listing for Internet destinations from process control networks is easily done with a variety of firewall and cloud-based security products. The accuracy of this type of control is dependent on the quality of segmentation. The white list allows only known vendors’ websites to be accessed by equipment found in a PCN security zone. Blacklisting is used for zones that are filled with users and PCs.
To enjoy the functionality of segmentation the segments, which are typically tied to VLAN’s and physical networks, will need to be maintained. The maintenance here is essentially making sure that every device on the network is plugged into the correct switch/port. This is another area where a good tool is handy. It is possible to do manually too. A manual survey of the VLAN’s typically compares MAC address taken from ARP dumps, to manufacturer’s names, to IP segments to VLAN assignments. It takes some skills, but is fairly straightforward.
Segmentation, properly done, is a significant enhancement to any security program. To make it work the best, it will take good planning beforehand, and periodic maintenance after it is made operational.