Well… not exactly.
I was talking to a manufacturing prospect last week, and they told me that they had already segmented their network according to IEC 62443, so they felt secure. I poked at that assertion a bit, and the more questions I asked, the more uncomfortable the discussion became.
Me: “How are you segmenting your network?”
Prospect: “We have firewalls between each zone and conduit policies that restrict traffic between the zones.”
Me: “How many firewalls are deployed?”
Prospect: “We have 10 firewalls that serve 20 different zones.”
Me: “How often do the policies change on the firewalls?”
Prospect: “We are regularly adding devices to the network, so they change quite often.”
Me: “How do remote or maintenance workers enter the network?”
Prospect: “We have a remote access solution in the DMZ, and the remote workers can pass from zone to zone once they get into the DMZ.”
The conversation continued, but tell me whether you can spot the risk that this deployment does NOT prevent, and which security levels you would assign to the network as a whole, based on the IEC 62443 description below.
We have an upcoming webinar in January to investigate the IEC 62443 zones and conduits deployment architecture. We would love to have you join and share your questions and concerns about network segmentation. Register here.
Experience the simplicity of BlastShield to secure your OT network and legacy infrastructure.