by Courtney Schneider, Cyber Policy Research Manager, Waterfall Security Solutions
Micro-segmentation as a security strategy for the IIoT
Micro-segmentation is a security strategy that identifies sub-networks within the larger enterprise network as exceptions to the IT security program – exceptions where we must implement stricter security policies for very important sets of equipment. The focus is to make network security more controllable for high-value, exceptional systems.
Industrial and IIoT networks almost always represent engineering risks, as well as conventional “business” risks. Engineering risk is risk to physical operations: plants shutting down, threats to employee safety and equipment damage. Micro-segmentation is an effective security strategy to address these physical/engineering risks in OT and IIoT networks.
The Industrial Internet of Things (IIoT) is the ultimate mind-meld of IT and OT networks. The IIoT connects edge devices in OT networks directly to the Internet to enhance operational efficiencies to bring benefits to the business and the bottom line. What confuses security designs for IIoT deployments is differing kinds of risk.
OT practitioners and engineers plot risk on a spectrum of unacceptable physical consequences to safe, correct, continuous and efficient physical operations. Conventional security practitioners, however, focus on protecting information, cyber resilience, incident response, data recovery and business continuity. Conventional cyber assets are part of a sea of networks, some needing more protection than others, managed for business risk.
What then of IIoT security, which basically melds these two concepts of physical and business risk together: the ubiquity of IT networks layered on physical control and industrial networks? How do we implement a security program to simultaneously satisfy these very different needs from IT, OT and engineering teams?
Evaluate the possible physical consequences of an IIoT deployment
IIoT security planning starts with a cyber risk assessment. Not all IIoT deployments pose nefarious threats to the physical world. When deploying hardware that is only physically able to monitor but not control anything, we generally face only conventional business risks. Conventional enterprise security principles apply, and direct connectivity to enterprise and even cellular and Internet networks is appropriate.
For example, consider a system of thousands of solar-powered rainwater measurement devices distributed throughout a watershed as part of a water treatment flow prediction system. If the switches are compromised, or for that matter physically kicked under a rock by passing tourists, there are no grave consequences to the water system. The system is massively redundant, and device inputs are constantly correlated with external inputs, such as official meteorological reports of rainfall in an area.
But if the rainfall-monitoring devices can also control switches that are connected to, say, an irrigation system to activate or deactivate irrigation in an area based on rainfall it receives, now there are potential physical consequences of compromise. Worst-case physical consequences of mis-controlling the IIoT devices and the irrigation system might include flooding or wash-outs and physical damage to irrigation canals or other irrigation-water flow-control equipment.
Or – if monitor-only IIoT edge devices are connected to conventional control networks, we have a different problem. For example, what if the monitor-only rainfall sensors that are deployed inside the boundaries of a large water-treatment facility were connected to the facility’s OT network. These connections exist because that water-treatment OT network is the one that was easiest to access for the IIoT sensors. In such an example, compromised monitor-only sensors provide attackers an opportunity to pivot their attacks into the facility’s control-critical network, where they are able to bring about unacceptable physical consequences.
When facing physical engineering risk – what do you do?
When unacceptable physical consequences of compromise are possible for IIoT deployments, either because worst-case-compromise of the devices themselves can bring about such consequences or because compromised edge devices can pivot attacks into control-critical networks, we need strong protections for the edge devices. In these scenarios, a good place to start is to micro-segment control-critical sets of equipment or networks using unidirectional gateway technology. Unidirectional gateways are described in section 9.2.6 of the Industrial Internet Consortium (IIC) Industrial Internet Security Framework (IISF). These gateways are the strongest of the network segmentation options described in the framework.
Unidirectional gateways are a kind of security gateway used to provide additional protections to edge devices when endpoint protections in those devices are not sufficient to address control-critical cyber risks. Unidirectional gateways enable safe flows of monitoring information to enterprise and cloud systems for big data analysis and other benefits, while physically preventing any information flow back into the edge devices. All cyber attacks are information – if no information can flow back into edge devices, no attacks can flow back either.
Where to deploy the gateways is the question – in complex OT networks, unidirectional gateways may be deployed close to the edge devices, close to the connection to enterprise or Internet networks or anywhere in between. What has emerged as a best practice here is perhaps obvious in hindsight – enterprise security teams need to sit down with engineering teams and work out a strategy. Both teams need to agree on where to deploy at least one layer of unidirectional protections. The deployment point is generally selected at a point in the network architecture where monitoring flows out of OT networks are simplest, where control flows back into protected OT networks are minimal and where all control-critical components become unidirectionally-protected.
Pulling it all together
Upholding engineering principles in OT networks generally results in not only increased safety but reduced complexity. Enterprise security policies can result in technical complexity – encryption, anti-virus systems, frequent security updates – and complexity is the enemy of safety. Operations and engineering teams can raise real barriers to enterprise security programs when those teams feel that complex security programs pose unacceptable threats to safe, continuous, correct and efficient physical operations. To make real progress with engineers on OT security, one must negotiate which systems are so important that they are exceptions to the enterprise security program.
- Look at the worst-case consequences of a security breach for each system – and categorize them as control-critical assets with unacceptable physical risks or as enterprise assets with acceptable business risks;
- Consider the potential for a pivoting attack – all edge devices that could pivot into an attack with unacceptable physical consequences must be modeled as control-critical, not business-critical assets;
- Negotiate with engineering/OT teams at which layer of a network architecture to protect networks unidirectionally to reliably prevent online attacks with unacceptable physical consequences; and
- Micro-segment using unidirectional gateway technology, and manage unidirectionally-protected assets according to engineering physical-risk-prevention principles rather than enterprise security principles.
Some degree of engineering risk is impossible to avoid in industrial environments, and so a robust micro-segmentation security strategy is always needed. It is vital that any changes to a process or system be introduced in a controlled and coordinated manner. Unidirectional gateways micro-segment control-critical networks by preventing all inbound information from penetrating the protected network through hardware-enforced physical protections to mitigate unacceptable physical risks.
The IIoT is the ultimate convergence of IT and OT networks. The first step in robust protection for converged networks is negotiating engineering vs enterprise security postures. All inbound information – whether well intended or not – is a potential attack. A successful IIoT security strategy first decides which systems have physical consequences of compromise and so must be modeled as engineering systems that do not protect information but rather need protection from information. Do a consequence-based risk assessment, negotiate segmented networks with engineering and we will see significant progress towards OT and IIoT security.