As businesses continue to digitally transform — a trend that was already underway but that accelerated due to the disruption of the COVID-19 pandemic — it’s no secret that cybersecurity has been brought to a new level of importance and complexity. Many companies have adopted hybrid infrastructures, requiring remote access and increased connectivity to keep things running. This has broadened the attack surface they must protect.
This new world of connectivity requires particular attention from businesses with cyber physical systems. These were traditionally physically isolated from the general IT network — air gapped is the term used — so connectivity requires a new approach to ensure security. Without this security, cyberattacks such as ransomware and malware can spread laterally through networks, wreaking havoc on all parts of vital company infrastructure.
But there is an answer to enhancing network security even as connectivity increases: network segmentation. Think of a house with sophisticated locks on its front door, but no locks on any internal doors, drawers, cupboards, or safes. While criminals might struggle to pick the front entrance’s locks, those who succeed will gain full access to everything of value inside. The same is true for an unsegmented operational technology (OT) network: Once cybercriminals gain entry, they can access and seize everything within. Securing your network by segmenting it into several smaller subnetworks is necessary to stop attackers from gaining control of the entire infrastructure.
The why and how of network segmentation
Cyberattacks such as NotPetya and WannaCry have shown how damaging attacks that target the OT side of business infrastructure can be. And they demonstrate the vulnerability of unsegmented networks. Attacks on OT networks hurt more than just reputations and finances — they can cause real physical damage to machinery. Because OT controls and monitors physical devices and infrastructure, damage to OT networks has tangible and dangerous repercussions. Network segmentation helps avoid these repercussions.
So how do you efficiently segment your OT network? While it’s slightly more complicated to segment an OT network than an IT network, it must be a priority. You can separate your OT network from the IT network by placing a demilitarized zone (DMZ) in between.
One of the best ways to approach OT network segmentation is to create zones within the OT network and deploy internal firewalls between them, limiting movement. Segmenting functions into separate zones, for example the manufacturing execution system (MES), the human-machine interface (HMI), and the programmable logic controllers (PLCs), restricts network traffic between the zones to the minimum required and helps prevent malicious activity.
Creating separate network security zones within the individual layers of the OT network, which is often referred to as microsegmentation, provides additional protection and isolates devices from each other. Lateral movement and the spread of malicious software within the network become impossible. This makes it easier to detect and fix threats.
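To make the zone model above concrete, here is an added example (constructed for this article, not Barracuda product code) that expresses the IT, DMZ, MES, HMI and PLC zones as a default-deny allow-list and computes how many firewall boundaries an intruder would have to cross from a given zone, contrasting it with an unsegmented network. The port numbers and the direction of each rule are assumptions for illustration only.

```python
"""Constructed model of a zone-based OT firewall policy (added example, not vendor code).

Zones follow the article: IT, a DMZ between IT and OT, and OT zones for the
MES, the HMIs and the PLCs. Ports and rule directions are assumed for illustration.
"""
from collections import deque

ZONES = ["IT", "DMZ", "MES", "HMI", "PLC"]
ANY = "any"  # wildcard port, used only to model an unsegmented (flat) network

# Allow-list of permitted flows between zones: (src_zone, dst_zone, dst_port).
# Anything not listed is dropped by the zone firewall (default deny).
SEGMENTED_POLICY = {
    ("IT",  "DMZ", 443),   # IT users reach only the DMZ (e.g. a historian or jump host)
    ("DMZ", "MES", 443),   # DMZ relays production data to the MES
    ("MES", "HMI", 443),   # MES pushes work orders to the HMIs
    ("HMI", "PLC", 502),   # HMIs poll PLCs over Modbus/TCP; nothing else may reach the PLC zone
}

def is_allowed(policy, src, dst, port):
    """Evaluate one flow against the allow-list; same-zone traffic sees no firewall."""
    if src == dst:
        return True
    return (src, dst, port) in policy or (src, dst, ANY) in policy

def flat_policy(zones):
    """The unsegmented case: every zone may initiate any flow to every other zone."""
    return {(s, d, ANY) for s in zones for d in zones if s != d}

def pivot_depth(policy, start):
    """Zones an intruder in `start` can reach by chaining permitted flows, mapped to the
    number of firewall boundaries (hops) that must be crossed to get there."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _ in policy:
            if src == cur and dst not in hops:
                hops[dst] = hops[cur] + 1
                queue.append(dst)
    del hops[start]
    return hops

if __name__ == "__main__":
    for name, pol in (("flat", flat_policy(ZONES)), ("segmented", SEGMENTED_POLICY)):
        print(f"{name:9s} from IT : {pivot_depth(pol, 'IT')}")
        print(f"{name:9s} from PLC: {pivot_depth(pol, 'PLC')}")
```

In the segmented policy an intruder starting in IT must cross four separate firewall boundaries to reach the PLC zone, each one an opportunity for detection, while a compromised PLC zone can initiate nothing at all; in the flat network every zone is one hop from every other.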
Key benefits of segmenting your network
You’ll gain multiple benefits by keeping different parts of your OT network isolated from one another through network segmentation. The most significant benefit is the ability to slow down attackers attempting to infiltrate your network. Cybercriminals who gain access to a zone in a segmented network have a harder time getting at the rest of the network, and they will be easier to pinpoint and stop in their tracks. If they do manage to cause damage with an attack, that damage will be contained, with less time and money required to deal with the aftermath. Additionally, the overall security of data is strengthened because the separation between zones reduces the risk of data theft or destruction.
Another key benefit of network segmentation is the ability to grant secure remote access. Remote access is a top concern in the fallout of the pandemic, as many companies are still working remotely or have external service partners and machine manufacturers connecting for remote maintenance and troubleshooting. In OT environments, remote management is the top threat vector — as such, it is essential that you can grant secure remote access to eliminate attacks on remotely managed systems and machinery. Firewalls, such as our CloudGen Firewall, allow users to easily grant secure, temporary VPN access to different parts of the network as needed. Reducing the attack surface as much as possible, Zero Trust Network Access solutions like CloudGen Access can provide conditional access to specific applications only.
Network segmentation is crucial in today’s working environment and is as important in OT systems as it is for IT networks. We’ve seen what can happen to an unsegmented network when it is breached. Avoid the devastation of modern ransomware attacks and network breaches by implementing network segmentation today. Barracuda’s CloudGen Firewall is a great way to do this. Try it for free and see the benefits for yourself.