OT Segmentation Best Practices For a More Secure Industrial Network

In the age of the Industrial 4.0 Revolution, data is king. It’s the impetus that drives IT/OT convergence in some of our most critical industries. Smart cities like Dallas are merging IP subnet-based VLANs and utility infrastructure to track water usage and leaks, enabling smart water conservation.

Similarly, the manufacturing and industrial sectors are deploying IoT solutions to harvest critical data from machine and production lines. Armed with insights from this data, companies are shortening project timelines, minimizing unplanned downtime, reducing operational costs — and enjoying unprecedented growth.

However, with the safety of our nation’s critical infrastructure in the balance, security considerations must temper the drive for efficiency and profitability.

Conventional IT segmentation falls short in an OT environment. For decades, we relied on robust perimeter security to track north-south traffic communications at the network level. However, conventional IT segmentation with complex VLAN and firewall configurations takes time to build. And, there’s little tolerance for prolonged downtimes in OT environments — especially when it comes to pipelines, power plants, or ports of call.

IT firewalls also can’t provide 100% visibility into which set of packet exchanges are authorized in an OT environment.

With the increasing sophistication of cyberattack techniques, micro-segmentation is emerging as a viable solution for reducing OT attack surfaces. Currently, “connectivity to external systems continues as the overwhelming root cause of...incidents, an indication that organizations still fail to follow network segmentation best practices.”

Micro-segmentation affords granular visibility at the workload level. It provides zero-trust security, SDN-based control, granular control of systems that must meet regulatory requirements, and superior breach containment for OT environments.

The Purdue Enterprise Reference Architecture (PERA) Model and Its Practical Role in Cyber Security

Traditionally, “air-gapping” limited interconnections between OT and IT environments. However, the era of Big Data has rendered this division impractical. Today, IT/OT convergence is a key factor in achieving operational excellence and maintaining a competitive advantage.

This is where the PERA model comes in. With the increasing adoption of 5G broadband and strategic data analysis in industrial environments, micro-segmentation is emerging as a key factor in successful IT/OT convergence.

In a nutshell, the PERA model (an industry framework for segmenting OT networks) promotes process automation, business intelligence adoption, and effective cyber risk mitigation. It effectively aligns OT and IT departments — and strengthens the security posture of an entire organization. Essentially, the PERA model guides micro-segmentation security policies by grouping assets into zones that share common security requirements.

In the PERA model, the industrial network is divided into 4 zones and 6 levels. A fifth zone, the Safety Zone, is only relevant for nuclear power stations; 95% of installations don’t include this zone in their PERA models.

1) Internet Zone

Level 5: Sometimes combined with Level 4, this is considered the public-facing level. It comprises corporate-level web and email servers, and it is typically where an attack would originate.

2) Enterprise Zone

Level 4: This is where IT infrastructure is located, from operational management to printing and phone systems. It is considered critical to segment this level from the ICS environment, as allowing access between the two exposes vulnerabilities.


3) Industrial Zone

Level 3.5 (DMZ Zone): This optional level separates the ICS networks from the corporate environment. This is where we usually find RBAC (role-based access control) infrastructure, where users are given access based on their roles. This level is typically segregated from the enterprise levels, limiting direct access to the internet.

Level 3: Level 3 is responsible for managing the ICS-SCADA environment, including historians, workstations, DNS (Domain Name System) and DHCP (Dynamic Host Configuration Protocol) services. It communicates with the OT levels directly and with the corporate levels through the DMZ zone.

4) OT/ICS Zone

Level 2: This level includes HMIs (human-machine interfaces) and the engineering workstations that control the Remote Terminal Units (RTU), Programmable Logic Controllers (PLC), and Distributed Control Systems (DCS). Communication with the corporate levels again is done through the DMZ zone.

Level 1: This is where the Remote Terminal Units (RTU), Programmable Logic Controllers (PLC), and Distributed Control Systems (DCS) reside. These control-based appliances are usually not connected above Level 2.

Level 0: This level includes the field devices, solenoid valves, motors, smart IIoT (Industrial Internet-of-Things) sensors, and Intelligent Electronic Devices (IEDs) that are critical to plant operations. It is considered critical to segment this level and the internet-connected devices, as these are the devices targeted for manipulation through an attack.


5) Safety Critical Zone

This is an optional PERA zone that only pertains to nuclear power plants or very critical infrastructure environments.


Securing ICS Networks Against Unauthorized Access

In order to properly segment ICS networks, industrial organizations must determine how, what, and why systems are communicating within their networks. A proper understanding of asset configurations and data flows is crucial to knowing how to segment network zones.

In particular, asset inventory management is an important first step in securing the integrity of an OT network. To protect what you have, you must know what you have.

But, what about firewalls? Although conventional or even Web application firewalls (WAFs) are useful in an IT environment, they don’t provide sufficient security within OT spaces. More security layers are needed, and this includes measures such as:

  • Requiring the use of multi-factor authentication (MFA) and biometric-based security tokens to access applications
  • Monitoring privilege escalation vulnerabilities and failed login attempts
  • Using an encrypted VPN with packet-filtering firewalls
  • Augmenting the use of firewalls with data diodes and data diode TAPs

While firewalls have long been the bedrock for segmenting networks—there is a use case for data diodes along with firewalls, as well as the Data Diode TAP variation.

Data diodes are also a security barrier system, but one that enforces a physical and electrical separation between network segments by passing traffic in one direction only. Because no return path exists at the hardware level, they are designed to eliminate back-door attacks and breaches that depend on bidirectional communication between segments.

Data Diode TAPs typically send unidirectional ‘copies’ of the traffic to security monitoring tools. Data Diode TAPs are purpose-built ‘unintelligent’ hardware devices, whose circuitry physically doesn’t have the monitoring ports connected back to the network, rendering bidirectional traffic impossible and ensuring security tools or destinations are isolated from the network segment.
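As an added example that is not Garland's code, the following Python encodes the level-to-level communication rules described in the PERA section above, plus the one-way constraint a data diode imposes between two segments, as an allow-list that can be run over flow records; the sample flows are constructed, and placing the diode between Level 3 and the DMZ is an assumption.

```python
from collections import Counter
from dataclasses import dataclass

# Directed (src, dst) level pairs the article describes as legitimate:
# neighbouring levels talk to each other, and the industrial zone reaches the
# enterprise zone only via the Level 3.5 DMZ. Assumption: both directions.
ALLOWED = {
    ("L0", "L1"), ("L1", "L0"),
    ("L1", "L2"), ("L2", "L1"),
    ("L2", "L3"), ("L3", "L2"),
    ("L3", "L3.5"), ("L3.5", "L3"),
    ("L3.5", "L4"), ("L4", "L3.5"),
    ("L4", "L5"), ("L5", "L4"),
}

# Data diode edges: the only permitted direction across that boundary.
# Assumption: a diode pushes historian data from Level 3 up into the DMZ.
DIODES = {("L3", "L3.5")}

@dataclass(frozen=True)
class Flow:
    src: str        # source host name (constructed)
    src_level: str  # Purdue level of the source, e.g. "L2"
    dst: str        # destination host name (constructed)
    dst_level: str  # Purdue level of the destination

def classify(flow: Flow) -> str:
    """Return 'ok' or a verdict naming the segmentation rule the flow breaks."""
    if flow.src_level == flow.dst_level:
        return "ok"  # intra-level traffic is outside this check
    if (flow.dst_level, flow.src_level) in DIODES:
        return "against-data-diode"  # return path a diode physically removes
    if (flow.src_level, flow.dst_level) in ALLOWED:
        return "ok"
    return "crosses-zone-boundary"  # skips the DMZ or jumps levels

def audit(flows) -> dict:
    """Tally verdicts; any key other than 'ok' is a policy gap to review."""
    return dict(Counter(classify(f) for f in flows))

# Constructed sample flows, not captured traffic.
SAMPLE = [
    Flow("plc-01", "L1", "hmi-03", "L2"),          # ok: adjacent OT levels
    Flow("hist-01", "L3", "dmz-replica", "L3.5"),  # ok: with the diode
    Flow("dmz-jump", "L3.5", "hist-01", "L3"),     # against-data-diode
    Flow("mail-gw", "L5", "plc-01", "L1"),         # crosses-zone-boundary
    Flow("eng-ws", "L2", "erp-01", "L4"),          # crosses-zone-boundary
]
```

Feeding flows exported from the monitoring tools behind a data diode TAP through `audit` gives a quick picture of which observed conversations the Purdue layout does not account for.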

Superior OT Network Segmentation Solutions That Empower Your Organization

In OT environments, cyber breaches are the stuff of nightmares for CISOs and network engineers. Take the Mirai hack, where 150,000 internet-enabled security cameras turned into botnet zombies that disrupted internet access in much of the Eastern United States.

The solution? Micro-segmentation.

The key to effective segmentation is asset visibility, and traditionally, this was achieved by connecting a SPAN port to an intrusion detection system (IDS). However, SPAN ports can’t guarantee 100% packet visibility. They can also introduce bidirectional traffic that poses a security risk back into OT networks.

Thus, deploying a combination of firewalls, data diodes, and data diode TAPs to properly segment a network is the superior choice. Firewalls filter out and block anomalies and threats between segments.

Meanwhile, data diodes facilitate unidirectional data flow between segments, and data diode TAPs send a full-duplex copy of network traffic to security monitoring tools. Data diode TAPs ensure that possible threats don’t flow back into the network.

Looking to add Data Diode TAP visibility to your OT Security deployment, but not sure where to start? Join us for a brief network Design-IT evaluation or demo. No obligation - it’s what we love to do.

Written by Todd Cain

Todd has over two decades of experience in Technical Sales and Solutions Consulting. He began his career in the USAF as a Telecommunications Specialist. Since then his focus has been helping customers understand and deploy Network Test, Monitoring, and Visibility Solutions.