Operational Technology (OT) networks face a growing cybersecurity protection challenge: legacy devices. Often decades old, these systems were not designed with modern security, leaving them highly vulnerable to cyberattacks. This risk factor means these systems fall within the IEC 62443 Zones and Conduits protection mandate.
Legacy OT devices, such as programmable logic controllers (PLCs), remote terminal units (RTUs), and older SCADA systems, often lack basic security features and are no longer supported by manufacturer security patches. This makes them easy targets for attackers who can exploit known vulnerabilities to disrupt operations, steal data, or even cause physical damage. A quick Google search (or ChatGPT session) will reveal many known vulnerabilities that can be exploited in critical systems. The increasing convergence of IT and OT networks further exacerbates this risk, providing attackers with more pathways to access these vulnerable systems.
Traditional network segmentation creates broad divisions, such as separating the OT and IT networks. This IT/OT DMZ is like a drawbridge over the moat for the OT castle - once you are over the bridge, you can go anywhere in the castle. While this segmentation offers some protection, it's often not granular enough to secure legacy OT devices effectively. Attackers who breach the OT network can still move laterally within it, potentially compromising multiple vulnerable devices. With IT leakage responsible for 45%-75% of attacks on OT networks (depending on your source), protecting unpatchable devices is a high priority for OT security administrators.
Microsegmentation takes network segmentation to the device level. It involves creating small, isolated segments around individual devices or groups of devices, limiting communication between them to only what is necessary - which includes the devices they must talk to and the protocols required. This "zero trust" approach assumes no device is inherently trustworthy, requiring explicit authorization for any communication.
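To make the difference between coarse zone segmentation and device-level conduits concrete, here is an added policy-evaluation example (not BlastShield code and not from the original post). The asset inventory, zone names, addresses and protocol labels are constructed; it models the IT/OT DMZ "drawbridge" as a zone-to-zone allow rule and microsegmentation as an explicit allowlist of (source, destination, protocol) conduits with everything else denied.

```python
"""Compare coarse zone segmentation with device-level conduits (IEC 62443 style).
Added illustration; the inventory and conduits below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # constructed label such as "modbus/tcp/502"


# Constructed asset inventory: which zone each device sits in.
ZONES = {
    "erp-server": "IT",
    "historian": "IT-OT-DMZ",
    "hmi-01": "OT",
    "eng-ws-01": "OT",
    "plc-line1": "OT",  # legacy, unpatchable
    "plc-line2": "OT",  # legacy, unpatchable
}

# Coarse policy: only the zone boundary is enforced, like a drawbridge.
# Anything already inside a zone may talk to anything else in that zone.
ZONE_ALLOW = {("IT", "IT-OT-DMZ"), ("IT-OT-DMZ", "OT")}


def coarse_allows(flow: Flow) -> bool:
    s, d = ZONES[flow.src], ZONES[flow.dst]
    return s == d or (s, d) in ZONE_ALLOW


# Device-level conduits: each tuple names the only peer and protocol a device
# needs. Conduits are directional; return traffic is assumed to be handled by
# stateful enforcement, so no reverse entries are listed.
CONDUITS = {
    Flow("hmi-01", "plc-line1", "modbus/tcp/502"),
    Flow("hmi-01", "plc-line2", "modbus/tcp/502"),
    Flow("eng-ws-01", "plc-line1", "s7comm/tcp/102"),
    Flow("historian", "plc-line1", "modbus/tcp/502"),
}


def micro_allows(flow: Flow) -> bool:
    """Zero trust: deny unless an explicit conduit exists for this exact flow."""
    return flow in CONDUITS


def lateral_paths_closed(flows):
    """Flows the coarse policy would permit but device-level conduits deny."""
    return [f for f in flows if coarse_allows(f) and not micro_allows(f)]
```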
The challenge to microsegmentation has always been the effort to implement it in OT networks. The most common feedback we hear from prospects is that “It would take years and lots of downtime to microsegment my network.” If you use Next-Generation Firewalls (NGFWs) to create and enforce microsegmentation policies, then that is a true statement.
But there is a better way.
The SANS 2024 State of ICS Security Report shows that some OT networks have started down this path and more plan to soon:
We will explore how to implement Software Defined Macrosegmentation and Microsegmentation to solve the IEC 62443 Zones and Conduits challenges in our upcoming webinar: https://www.linkedin.com/events/7274762217470709761/about/
Once you learn how to implement IEC 62443 Zones and Conduits, you can enjoy the benefits of protecting unpatchable devices:
Securing legacy OT devices is a critical challenge for organizations operating critical infrastructure and industrial processes. Microsegmentation provides a powerful solution by creating granular security boundaries that limit the impact of breaches and reduce the overall attack surface to these known vulnerabilities. Organizations can significantly improve their OT security posture and protect their critical assets by focusing on this specific microsegmentation technique for only these devices in their network.
Join our webinar this week to learn more.
Experience the simplicity of BlastShield to secure your OT network and legacy infrastructure.