Key Fundamentals for Protecting Operational Technology Using Segmentation

Keeping the network safe from top to bottom used to look very different. Until recently, firewalls placed at the edge of a fixed perimeter served as the organization’s primary protection. It provided controls and inspection for all traffic moving into and out of the network. But with digital transformation now a priority for industrial organizations, the convergence of IT applications and OT environments makes establishing and maintaining 360° visibility increasingly tricky. Porous perimeters, distributed applications, and security gaps resulting from rapidly evolving and expanding infrastructures expose the vulnerabilities of most critical infrastructures—including difficult-to-secure systems and implicit trust models of resource access—to highly motivated cybercriminals. 

But it doesn’t have to be this way. Zero trust models can restore order to chaotic OT environments by controlling who and what has access to resources, down to per-session granular control over applications. And when microsegmentation is added, visibility and control are also reclaimed. However, understanding the fundamentals of segmentation as a security best practice in an OT environment can be tricky. But once mastered, it can take businesses a step closer to combatting the risks being introduced to its once pristine OT environment by the folks running the IT network. 

Convergence-induced obstacles

While intermingling digital innovation with mission-critical physical assets can provide a variety of benefits from both conceptual and efficiency standpoints, it also has its challenges. Chief among these is maintaining visibility and control. Unless this transition is undertaken with care, security may be left behind, exposing organizations to unnecessary risk. There are numerous ways in which IT and OT convergence can introduce new security challenges, including:

• Expanded attack surface: Isolated OT networks are a thing of the past. And in operational technology environments, where system availability and reliability are vital, the increase in automation and the introduction of connected smart devices can quickly expose the network to new security threats.
• Priorities: There are fundamental differences in security priorities between industrial automation/control systems and IT solutions. When the former leads with no-questions-asked availability (implicit trust) and the latter are focused on confidentiality (strict access control), discrepancies between objectives can cause disjointed security efforts. 
• Growth in remote access: The hybrid workforce seems to be here to stay. To accommodate this change, remote access to OT resources, primarily through applications, and the onboarding of remote maintenance into systems are a must. However, most industrial control systems were not designed with security in mind, so they are often helpless in the face of sophisticated threats that can be introduced through these new additions to the OT environment. 
• The need for speed: Performance is critical in today’s digitally-accelerated business. LTE, 5G, and multi-GB broadband are essential for remote access to applications, connected IoT devices, and cloud-based resources. When IT teams speed-optimize the connected applications and devices deployed in their industrial environments, they create new attack opportunities. This is especially true for new malware designed to evade detection and deliver payloads faster than legacy security systems can inspect traffic.

In addition, traditionally flat OT networks provide additional leeway, giving bad actors access to the entire network once the perimeter is breached. And because they are increasingly connected to IT systems, we’re seeing people (both internal and external, and malicious and non-malicious) knocking at the door to disrupt operations.  For example, according to Fortinet’s 2022 State of Operational Technology and Cybersecurity Report, a staggering 90% of organizations had at least one OT network intrusion during the past year, and nearly two-thirds experienced three or more.

Leverage microsegmentation for OT threat readiness

Fortunately, there is a solution. In addition to replacing implicit trust with a zero-trust access model, microsegmentation provides a practical approach to minimizing and mitigating security threats. Leveraging the Purdue Model, one of the oldest models to define the foundation and framework of industrial reference architectures, this approach allows OT administrators to segment and isolate the OT attack surface into specific control zones and to control what data flows across those zones through defined conduits. This approach enables businesses to proactively address the growing threat to the OT environment in a contained manner, limiting any attack to a small subset of the OT network rather than giving it broad access to the larger environment. Furthermore, microsegmentation can limit east-west traffic to minimize the chance for a bad actor’s lateral movement through the network.

Today’s organizations need accountability, internal systems need hardening, and new technologies require advanced attack detection. But with proper planning and integrated technologies, organizations can begin the journey from their flat networks to a segmentation model to improve visibility and enhance the defense of resources, systems, and users business-wide. 

---

Learn more: In this 45-minute webinar, Fortinet OT leaders take a closer look at how critical infrastructures can be armed for security using microsegmentation. Gain critical insights into the fundamentals required to support operational cybersecurity frameworks, both on-premises and in the cloud.