Network Segmentation Solutions

PBOSECURE

The most effective defensive strategy when integrating industrial control and IT systems is to deploy an ICS firewall with a complete policy. In other words, all traffic crossing the boundary has to be accounted for.

This helps control information flow and prevents traffic from lower-security zones, such as the Demilitarized Zone (DMZ) or the IT enterprise network (IT), from reaching the ICS network. It protects the ICS network from the corporate network and vice versa.

Where the relationship between ICS and IT is established, introducing a firewall with an explicit deny policy guarantees that no traffic passes between the networks until specific rules are in place.

Where systems sit in a mixed environment, the process starts by introducing a firewall between the ICS components and the IT components in monitoring mode. This allows traffic to be observed safely and ground rules to be established while minimizing operational impact. To avoid any negative effect on the running process, this activity should be performed during a period of preventive maintenance or shutdown.

Once all traffic has been referenced and matching rules are in place, an explicit deny rule can be added. This prevents new, unexpected and unaccounted-for traffic from passing through the firewall.
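The reference-then-deny procedure above, as an added worked example (not PBOSecure's tooling): flows logged while the firewall ran in monitoring mode become allow rules, an explicit deny-all is appended, and post-cutover traffic is checked against the policy to surface anything unaccounted for. The log format, zone names and ports are constructed for illustration.

```python
# Added example (not PBOSecure's tooling): derive a reference-then-deny ICS
# firewall policy from flows logged while the firewall ran in monitoring mode.
# The log format, zone names and ports below are constructed for illustration.
from collections import namedtuple

Flow = namedtuple("Flow", "src_zone dst_zone proto dport")

# Constructed sample of flows seen during the monitoring window.
MONITORED_LOG = """\
src_zone=IT dst_zone=DMZ proto=tcp dport=443
src_zone=DMZ dst_zone=ICS proto=tcp dport=502
src_zone=ICS dst_zone=DMZ proto=tcp dport=4840
src_zone=DMZ dst_zone=ICS proto=tcp dport=502
"""

# Constructed sample of traffic after cutover, including one unreferenced flow.
POST_CUTOVER_LOG = MONITORED_LOG + "src_zone=IT dst_zone=ICS proto=tcp dport=502\n"


def parse_log(text):
    """Parse key=value flow records into Flow tuples."""
    flows = []
    for line in text.splitlines():
        kv = dict(field.split("=", 1) for field in line.split())
        flows.append(Flow(kv["src_zone"], kv["dst_zone"], kv["proto"], int(kv["dport"])))
    return flows


def build_policy(flows):
    """One allow rule per distinct referenced flow, in first-seen order,
    followed by the explicit deny-all that catches unaccounted traffic."""
    referenced = list(dict.fromkeys(flows))  # dedupe while keeping order
    return [("allow", f) for f in referenced] + [("deny", None)]


def evaluate(policy, flow):
    """First-match evaluation; the trailing deny rule matches everything."""
    for action, rule in policy:
        if rule is None or rule == flow:
            return action
    return "deny"


def unaccounted(policy, flows):
    """Flows that hit the explicit deny: the traffic to investigate after cutover."""
    return [f for f in flows if evaluate(policy, f) == "deny"]


if __name__ == "__main__":
    policy = build_policy(parse_log(MONITORED_LOG))
    print("blocked after cutover:", unaccounted(policy, parse_log(POST_CUTOVER_LOG)))
```

Hits on the final deny rule are the signal that a flow was missed during the reference period or is genuinely unexpected; review each one before adding a rule rather than widening the policy blindly.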

The next step is to build a full asset inventory of the ICS network. It is important to understand each device's operation, data flows, protocols, and firmware and software versions. A complete picture of the ICS network helps define the segmentation strategy and identify network vulnerabilities.

A mature segmentation strategy incorporates the principle of least privilege, whereby processes can access only the resources they need. An asset must communicate only with the asset(s) required for a transaction; no further access should be allowed. A good initial strategy starts with segmentation by system or device type, using zones, conduits, boundaries and security levels as described in IEC 62443. This limits the scope of a specific device and prevents communication outside its system or group of devices. Segmenting an ICS environment is challenging and time-consuming. It should only be undertaken after careful analysis and planning. If you have questions, PBOSecure's experts are happy to offer advice.