Understanding the Role of Microsegmentation in Network Security
I was speaking to a customer who was in the process of installing BlastWave on their network after their initial trial and purchase. The engineer, who had loved the experience of using BlastWave versus the system they had previously installed, confessed to me during a checkup call. “Vince, I loved the idea of microsegmentation during the trial, and it was really easy to set up, but how much do I need to do that in reality?”
This is not an unusual question from a customer early in the BlastWave deployment lifecycle. I will normally give a few different references to start the conversation.
Network Segmentation: Essential Insights from CISA and NIST
- CISA published “Layering Network Security Through Segmentation” Infographic. The highlight of this piece is the guidance to “Segment zone to isolate and protect high-value assets and data,” making malicious traffic easier to detect (since it has to cross more protected boundaries between zones)
- NIST published a “Security Segmentation in a Small Manufacturing Environment” use case highlighting how segmentation helps strengthen internal and external defenses.
Protecting Against Insider Threats with Microsegmentation
One point that NIST makes in their case study is that segmentation protects against external threats AND insider threats. Many people focus on external threats and often forget internal threats when designing OT security solutions. Internal threats can be internal employees and temporary contractors who can access the network for maintenance or ongoing management tasks. Microsegmentation moves access to the “least privilege” minimum by limiting what a user can access on the network, even if access is allowed.
Key Questions for Effective Network Segmentation
Here are the key questions that I explore with customers when we start talking about microsegmentation:
1. What devices need to be able to communicate? Are any of these devices vulnerable to known exploits, or have they previously had issues?
If they are, you should segment this class of devices from others. Since they are vulnerable, they could laterally move on your OT network and increase the scale of havoc that could be wreaked during an attack.
2. Do you have any contractors accessing the network?
If you do, then you should microsegment the sections of the network that they can access to protect the network from being exploited by these contractors. Remember the Target hack that started with HVAC contractors?
3. How secure is your Remote Access? Does it use MFA that you trust?
If your remote access uses passwords (even if they are SSO and MFA supported), you should microsegment your network as much as possible. Many hacks and attacks begin with credentials theft (including MFA bombing, MFA hijacking, etc.), and you should probably microsegment if there is a single password in your chain.
4. How easy is it for unauthorized devices to get on your network?
If it is trivial for a bad actor to gain access to your layer 2 network through WiFi or even a physical plug, you should microsegment since a hacker could use this to move throughout the network laterally. Although this seems like a strange question that no one would ever answer yes to….you might be surprised at the answers you get when administrators are honest.
Explore the Advantages of Software-Based Microsegmentation with BlastWave
At the end of the day, unless there is a technical reason (like latency, no managed switching infrastructure, or zero tolerance for even milliseconds of downtime), OT networks should have some microsegmentation, and usually, the more the merrier. We have customers that literally segment every device into its own segment for protection.
With BlastWave, that is all done with software; no network reconfiguration or IP address changes are needed. Curious? Check us out!
Follow Us
Experience the simplicity of BlastShield to secure your OT network and legacy infrastructure.
.svg)