Network segmentation is the separation of networks into well-defined groups of devices. Traditional network segmentation creates a Layer 3 subnet or a Layer 2 VLAN (or simple broadcast domain). IT architects design enterprise networks in this manner, and initial OT segmentation architectures used firewalls to create secure zones and conduits between layers of the Purdue model with either Layer 2 or Layer 3 segments. The firewalls layer specific security policies onto these segments, restricting the protocols or systems that can communicate across the conduits between zones. However, more than this coarse-grained segmentation is needed for OT networks to protect against lateral movement and living-off-the-land attacks. Once a hacker gains access to any device in a segment, they can move to all the devices in that segment relatively freely since no east-west protection is granted by L2/L3 segmentation.
Microsegmentation is the industry’s take on fine-grained segmentation. It is a network security strategy where a local area network is divided into tiny, isolated segments, with security policies applied to each segment individually. This allows for highly granular control over network access and data flow. The policies are managed through software rather than dedicated hardware devices and are part of the software-defined networking movement. For OT, this means segments can be created at the device level. However, devices in larger OT networks must communicate with each other as part of their normal industrial processes (PLCs talk to PLCs, and SCADA systems talk to SCADA systems), which requires a more group-centric approach. In environments with highly vulnerable legacy devices, segmentation prevents attackers from moving laterally from one exploited device to another class of device, thereby limiting the risk a single vulnerability introduces into the network.
Network segmentation and microsegmentation are critical techniques for mitigating risk in critical infrastructure and operational technology networks, as demonstrated by CISA’s endorsement of segmentation and the requirement for security zones and conduits in IEC 62443. Many cyber attacks have escalated from a simple credential or system compromise to devastating shutdowns and ransomware because the attackers move laterally once a single machine or device is compromised. Here’s why cybersecurity thought leaders are focusing on segmentation:
Dividing a network into smaller, manageable segments reduces the attack surface. This subdivision limits the spread of cyber threats, ensuring that a breach in one segment does not compromise the entire network. The advent of IoT, cloud computing, and remote work models has expanded the traditional network perimeter, introducing new vulnerabilities and complexities. Network segmentation delivers better separation between OT and IT networks, ensuring that user compromises in the IT domain do not leak into the operational network. IT hacks, specifically credential theft, have been the source of as much as 75% of the initial penetration of OT networks.
The complexity of firewall and ACL configuration management is a significant security vulnerability in networks with thousands of users and devices. Traditional segmentation methods are generally static and don’t easily accommodate the dynamic nature of today’s OT networks, where devices and users require flexible access to resources. VLANs and ACLs lack the depth of contextual control that OT networks need for operations. They don’t typically consider user identity or real-time context when granting access, which can lead to over-privileged access or security gaps. In a well-segmented OT network, a single incorrect policy does not expose the entire network the way an “any-to-any” firewall troubleshooting rule does.
Network segmentation supports numerous regulatory standards, which require separating certain types of data and systems to pass risk assessments and maintain security compliance. Disparate systems and manual configurations lead to inconsistency and make meeting regulatory data protection and privacy requirements more complex. CISA, IEC 62443, and many industry-specific guidelines recommend or mandate segmentation because of its ability to mitigate risks on any network.
Traditional cybersecurity solutions divide networks into L3 subnets or L2 VLANs and do not restrict movement within those networks. So, if an attacker gains access to a network, they can freely move between systems by discovering and exploiting their vulnerabilities. Preventing this is important both for IT-to-OT movement and for movement within a flat OT network. Software-defined segmentation enables an OT administrator to segment their network without downtime, re-IPing, or re-architecture.
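To make the contrast concrete, the following added Python model (written for this article; it is not BlastShield code or its policy language) evaluates the same flows under VLAN-style segmentation and under a default-deny, group-centric, identity-aware microsegmentation policy, and computes how many hosts a compromised device can reach under each. Device names, groups, VLAN numbers and ports are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Device:
    name: str
    vlan: int
    group: str

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    user: str = ""     # non-empty for a human session
    mfa: bool = False  # whether that session passed MFA

# Constructed inventory: a flat OT VLAN (10) and an IT VLAN (20).
DEVICES: Dict[str, Device] = {d.name: d for d in [
    Device("plc-1", 10, "plc"),
    Device("plc-2", 10, "plc"),
    Device("hmi-1", 10, "hmi"),
    Device("historian", 10, "scada"),
    Device("eng-ws", 20, "it"),
]}

# Group-centric policy as (src_group, dst_group, port); everything else denied,
# even between two hosts in the same VLAN.
GROUP_POLICY: Set[Tuple[str, str, int]] = {
    ("hmi", "plc", 502),    # HMI polls PLCs over Modbus/TCP
    ("plc", "plc", 502),    # PLC-to-PLC process traffic
    ("plc", "scada", 502),  # PLCs report to the historian
}

# Identity-aware rules for human sessions: user -> device groups permitted.
USER_POLICY: Dict[str, Set[str]] = {"ot-engineer": {"plc", "hmi"}}

def l2_allows(flow: Flow) -> bool:
    """VLAN/subnet segmentation: any host may talk to any host in its own VLAN."""
    return DEVICES[flow.src].vlan == DEVICES[flow.dst].vlan

def microseg_allows(flow: Flow) -> bool:
    """Default deny; machine flows need a group rule, human flows need identity + MFA."""
    src, dst = DEVICES[flow.src], DEVICES[flow.dst]
    if flow.user:
        return flow.mfa and dst.group in USER_POLICY.get(flow.user, set())
    return (src.group, dst.group, flow.port) in GROUP_POLICY

def blast_radius(src: str, ports: List[int],
                 allows: Callable[[Flow], bool]) -> Set[str]:
    """Hosts a compromised device can reach on any of the given ports."""
    return {d for d in DEVICES if d != src
            and any(allows(Flow(src, d, p)) for p in ports)}

if __name__ == "__main__":
    probe_ports = [22, 502]  # management and process ports an attacker would try
    for label, fn in (("L2 VLAN", l2_allows), ("microseg", microseg_allows)):
        print(f"{label:>9}: hmi-1 reaches {sorted(blast_radius('hmi-1', probe_ports, fn))}")
```

A compromised HMI in the flat VLAN reaches every OT host on every port under the L2 model, but only the PLCs, and only on Modbus, under the group policy; a stolen engineer credential without MFA reaches nothing.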
Scenario:
An oil and gas company has an extensive, complex IT network with worldwide reach. The company's network is not adequately segmented, leaving it vulnerable to lateral attacks within the network once a hacker has gained initial access. A group of attackers gains access to the oil and gas company's network through a phishing email, and they use this access to steal sensitive data, including employee login credentials and blueprints for the company’s oil and gas pipelines. The attackers then use this data to launch attacks that disrupt worldwide operations and cause significant financial damage. In response, the company evolved its network architecture using BlastShield to protect and segment the network, preventing future exploits and simplifying the segmentation without adding hundreds of firewalls.
Industry Perspective:
The oil and gas industry has moved aggressively to implement network segmentation to reduce the risk of cyberattacks and, in response to regulatory pressures, to keep this critical infrastructure segment fully operational. The Colonial Pipeline hack showed the economic and human impact that an attack could have on a large region of a country. The Transportation Security Administration (TSA) Security Directive 1582, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standards, the American Petroleum Institute (API) Recommended Practice 1164, International Electrotechnical Commission (IEC) 62443, and the Cybersecurity and Infrastructure Security Agency (CISA) Framework all list network segmentation as a critical strategy to reduce the threat of cyberattacks.
BlastShield: Microsegmentation for Preventative Oil and Gas Cybersecurity
BlastShield delivers microsegmentation by requiring each user or user group to authenticate to the gateway using multifactor authentication (MFA) and then create encrypted peer-to-peer tunnels for authorized devices. These P2P connections prevent lateral movement, even in a flat Layer 2 network, and segment the network without complex firewall rulesets. BlastShield also addresses the limitations of perimeter-based defenses, like VPNs and firewalls, which are becoming obsolete in the face of advanced threats, edge-to-cloud applications, and the evolving workforce. With BlastShield, oil and gas companies can embrace digital transformation securely, reducing downtime and complying with industry standards and guidelines.
Scenario:
A small, local water treatment facility operates an outdated and poorly secured IT/OT network that lacks proper IT and OT network segmentation. A hacker group purchases a stolen password on the dark web and gains access to the water facility's network. The attackers use this access to steal sensitive data, including the login credentials for the facility's control systems. The attackers use the stolen login credentials to take control of the water treatment plant, threatening to add excessive amounts of chemicals to the water supply. Rather than allowing the city's drinking water to be contaminated, the facility pays the ransom and re-architects the network with BlastShield for increased protection, segmenting the IT and OT networks and implementing microsegmentation within the OT network for their control systems.
Industry Perspective:
Network segmentation is essential in an industry where a breach can lead to severe consequences, including service interruptions and compromised water safety. Water and wastewater facilities often lack IT/OT staff, and network segmentation using complex firewall policies can open the network to hacks due to misconfiguration. Proper segmentation reduces the risk of cyberattacks, protects operational technology (OT) systems, and minimizes disruptions to water service. Network segmentation is also critical for regulatory compliance: the Transportation Security Administration (TSA) Security Directive 1582, the TSA Security Risk Management Program (SRMP), International Electrotechnical Commission (IEC) 62443, the Cybersecurity and Infrastructure Security Agency (CISA) Water Sector Cybersecurity Guidance Framework, and the European Union Directive on Security of Network and Information Systems (NIS Directive) all list network segmentation as a critical strategy to reduce the threat of cyberattacks for the water industry.
BlastShield: Microsegmentation for Water / Wastewater Protection
BlastShield simplifies the challenge of microsegmentation by creating simple peer-to-peer encrypted and authenticated tunnels without complex firewall rulesets. IT and OT network staff are permitted access only to the systems they are responsible for. BlastShield prevents lateral movement within the network with the P2P VPN connections without complex network changes, reducing the stress and workload on the limited network staff.
Scenario:
A large manufacturing plant has implemented network segmentation to isolate its critical industrial control systems (ICS) from its IT network. However, the plant's ICS network has undocumented connections to its SCADA (Supervisory Control and Data Acquisition) and the IT network to enable remote access. A hacker group gains access to the plant's IT network through a phishing email and steals sensitive data, including the login credentials for the plant's SCADA system. The attackers then use the stolen login credentials to access the plant's SCADA network, manipulate the system to cause disruptions to plant operations and demand a ransom to release control of the systems. Rather than pay the ransom, the IT staff shut the network down and secured it using BlastShield to segment their networks and deliver Secure Remote Access.
Industry Perspective:
Network Segmentation is crucial for manufacturing companies, which operate complex and interconnected networks that span multiple locations, including factories, warehouses, and supply chain partners. Segmentation significantly reduces the risk of cyberattacks by limiting the movement of attackers within a network, enhancing protection for Industrial Control Systems (ICS) networks. Many manufacturing industries are subject to regulations that mandate network segmentation to protect critical infrastructure, so implementing network segmentation helps companies comply with these regulations and avoid penalties. According to a recent survey by the SANS Institute, 82% of manufacturing companies have implemented network segmentation or plan to do so within the next two years. The manufacturing industry is committed to implementing network segmentation as a critical component of its cybersecurity strategy. By doing so, manufacturing companies can protect their critical infrastructure, prevent disruptions to operations, and comply with regulatory requirements.
BlastShield: Network Segmentation Drives Manufacturing Networks
BlastShield simplifies the challenge of microsegmentation by creating simple peer-to-peer encrypted and authenticated tunnels without complex firewall rulesets. IT and OT network staff are permitted access only to the systems they are responsible for. BlastShield prevents lateral movement within the network with the P2P VPN connections without complex network changes, reducing the stress and workload on the limited network staff.
Scenario:
A single energy company powers a bustling metropolis, serving millions of citizens. The company operates with a patchwork of multiple IT and OT networks that have grown through mergers and acquisitions and have multiple undocumented connections between segments. This lack of proper segmentation and documentation between their IT and operational technology (OT) networks has opened a backdoor into their critical networks. One day, a bad actor discovers this vulnerability. They launch a multi-pronged attack designed to phish employees, laterally move within the network to gain control of critical IT/OT systems, and hold the power grid for ransom. Faced with the impact of a city-wide blackout, the company pays the ransom and deploys BlastWave to segment its network properly and prevent lateral movement from its IT network to the OT network.
Industry Perspective:
In today's cybersecurity landscape, the energy sector is a prominent target due to its pivotal role in our industrial society. Bad actors from nation-states and criminal enterprises are developing ransomware and malware targeted at OT systems to maximize leverage during hacks. Energy providers must comply with stringent regulations like NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) and TSA Security Directive 1582, which mandate network segmentation. These regulations recognize the vulnerability of interconnected networks and aim to mitigate the risks of cyberattacks by enforcing stricter security protocols.
BlastShield: Network Segmentation Powers the Energy Sector
BlastShield™ provides a tailored solution for the energy sector by enabling effective network segmentation. This segmentation is crucial for isolating critical infrastructure control systems and minimizing the risk of cascading effects from a cyber breach. By implementing BlastShield's segmentation, energy companies can ensure their services' continuous, secure operation while complying with stringent industry regulations and standards. The ability to isolate network segments also enhances resilience against targeted attacks and reduces the potential impact of a security breach.
Scenario:
Hackers buy access credentials from a disgruntled IT employee at an international data center that serves multiple countries, governments, and businesses across the globe. Using this single account, they exploit weak access controls and poor password hygiene, traversing the IT network like ghosts in the machine. They discover a jackpot: the login credentials for the core OT system, the conductor of the data center's symphony of servers and cooling units. Screens flicker, alarms blare, and critical servers begin to overheat. Fortunately, the network administrator cut the link between the IT and OT networks and reset the environmental controls. After consulting his OT team, he deploys BlastShield between the IT and OT networks, cloaking its operations from discovery by segmenting the network with biometric multifactor authentication to prevent stolen passwords from allowing access to this critical enclave.
Industry Perspective:
As the backbone of cloud services and data storage, data centers require robust network segmentation to protect sensitive data and maintain service integrity. By segregating critical systems like storage, computing, operational technology, and network infrastructure from each other and the internet, data centers create barriers that make it harder for attackers to move laterally and gain access to sensitive data. Additionally, some industries hosted in public data centers have stringent regulations, like PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act), which mandate network segmentation for specific data types. By complying with these regulations, data centers can avoid hefty fines and ensure they handle sensitive information responsibly.
BlastShield: Network Segmentation Keeps Data Centers Processing
Utilizing BlastShield™ for network segmentation in data centers offers high security and operational efficiency. It allows data centers to create isolated environments for different clients or services, ensuring that the breach of one segment doesn’t affect others. This segmentation is essential for meeting the data protection requirements of various clients and adhering to privacy regulations. Furthermore, BlastShield’s approach simplifies the management of complex networks typical in data centers, providing administrators with precise control over traffic flow and access rights.
Scenario:
A building management company operates several towering skyscrapers in a large metropolitan area. Tenants, contractors, and employees come and go, and the IT team has not properly expired all of their access credentials. One of these accounts is part of a significant data breach, and a hacker uses the credentials of a former HVAC contractor to get into the building’s OT network. Once in the network, he causes havoc for several tenant companies he does not like, changing the temperature in their office space, running up heating costs, and turning their lights on and off irregularly. The building managers finally determine what is happening and implement BlastWave to manage access into the OT network and more tightly control access to a limited number of systems for each contractor rather than granting access to the entire OT network.
Industry Perspective:
In building management, particularly with the rise of smart buildings, network segmentation is critical in ensuring the security and efficiency of various interconnected systems. These systems include HVAC, lighting, security, and access control, all of which are increasingly managed digitally and are vulnerable to cyber threats. Ethical and criminal hackers are increasingly targeting companies and searching for any attack vector that could harm or inconvenience target companies. Effective network segmentation is required to protect these systems from potential breaches that could disrupt building operations and compromise tenant safety.
BlastShield: Network Segmentation Locks Building Management’s Network
BlastShield™'s network segmentation capabilities are particularly advantageous for building management. By creating distinct network segments for different building systems, BlastShield ensures that a breach in one system does not lead to a domino effect, compromising others. This segmentation is vital for maintaining the operational integrity of building management systems and ensuring the safety and comfort of building occupants. Additionally, implementing BlastShield’s segmentation aids in compliance with building and data security regulations, offering a comprehensive and secure solution for modern building management challenges.
BlastShield™ exceeds traditional segmentation by advancing the concept of microsegmentation as a superior security alternative. Unlike broad segmentation strategies, BlastShield’s microsegmentation allows for incredibly detailed control, segmenting networks down to the level of individual devices, systems, protocols, or users. By isolating network segments, BlastShield effectively prevents the lateral movement of threats within the network, a critical defense mechanism against external and internal threats. BlastShield™ software-defined segmentation policy changes take effect in real time, facilitating dynamic and flexible policy enforcement during emergencies or administration changes. Unlike many solutions that use ACLs and VLANs, microsegmentation scales effortlessly to large OT environments. With its detailed segmentation capabilities, BlastShield™ aids in compliance with stringent regulatory standards, offering necessary tools to protect sensitive data and ensure privacy. BlastShield’s microsegmentation solution is innovative and future-ready for network security.