Supplying critical infrastructure poses many challenges, especially when integrating complex SCADA systems towards business systems that have different requirements. There are many challenges in connecting safe and secure IT networks. To succeed, network segmentation is essential.
What is network segmentation?
An important part of improving your cybersecurity is to work with network segmentation. Network segmentation in data networks means dividing a data network into subnetworks, where each is a network segment. The benefits of such splitting are mainly to improve security and performance.
Why is network segmentation required?
Many businesses have an IT architecture based on systems designed during a politically stable era. Frequently the architecture has grown over the years while getting current information on e.g. electricity consumption, ordering 24/7 services or teleworking has become standard. The result is that SCADA systems, business systems and the web are interconnected. Therefore, it is difficult to know how many paths lead to critical information. Only when dedicated analysis or tests are carried out through a risk and safety analysis all loopholes can be detected.
To safeguard critical information, strict network segmentation must be applied, combining physical separation with logical separation.
However, it is neither practical nor economically justifiable to protect all information in the same way. To safeguard critical information, strict network segmentation must be applied with a combination of physical and logical separation. Physical separation creates security zones deployed on physically different hardware appliances. Logical separation allows different zones or network traffic to be co-allocated on the same hardware or network cable – less obvious and with less confidence in the separation mechanism strength than physical separation.
Where is physical separation vital?
Critical information requires physical separation. Simply put, an isolated island is created without connection to the outside world. This minimizes the risk area – the attacker has to sit at the computer containing the critical information. Physical separation is extremely effective, but to be practical in today’s world, controlled information exchange has to be possible without compromising isolation. With certified solutions that meet military standards, both functionality and security can be guaranteed.
Where is logical separation appropriate?
Everywhere besides when protecting critical information. Office networks should use logical separation. Different parts of the business create their own zones – finance, marketing, sales, customer service, etc. – each with different authority. As a co-worker, you access only what you need to do your job, i.e. relevant documents, not the entire folder structure. Logical separation works as the inner walls of a fort making it difficult for attackers to proceed within the systems and access the entire IT environment. Hedging logical units is achieved with products that reduce the risk surface and thereby limit the impact of cyberattacks.
Read more about logical separation!
Why should network segmentation be taken seriously?
All businesses, both in the public sector and in the business sector, must actively increase their preparedness for cyberattacks. The NIS Directive raised the requirements for information security in critical infrastructure. The GDPR contains strict sanctions for incorrectly managed personal data. Above all, information security is a strategic issue that can determine the company’s competitiveness, profitability, growth and future. Effective security measures are usually a fraction of the cost of potential damages. The cyberattack 2017 cost Maersk approximately $ 300 million – what would protection have cost?
What happens without network segmentation?
Network segmentation reduces the risk and limits the damage of a cyberattack. Without it, there is a risk that sensitive information can leak or be manipulated, and that malware and ransomware can spread uncontrollably and quickly. Attackers do not normally take the direct path to the target, such as electricity distribution. Instead, they worm their way in via weak points far out in the architecture, via email or customer service, to reach their goal. State-funded attackers are also equipped with patience, prepared to work long-term doing everything in small steps, and are unfortunately often one step ahead. The harsh reality is that industrial control systems may have been attacked without anyone noticing. So far.
Are firewalls sufficient?
Firewalls today rarely have a clear dividing line between protocols and information, which makes them vulnerable. Few firewalls offer high assurance; whole batches may be manipulated. When connected, attack vectors are left open. If firewalls are managed through cloud services, the outsourcing in itself increases exposure. Firewalls should be used for what they are meant for – superb external protection. As a logical separation, firewalls from several different manufacturers should be deployed and supplemented by regulations where several people have to approve ruleset changes and understand the consequences if the firewall is switched on or off. For the most valuable information, physical separation is always required.
For office networks with limited access to sensitive and business-critical information, firewalls managed through cloud services are a good cost-effective solution.
Can logical separation be solved through VLAN? VLAN is an excellent technology for logical separation. However, it allows the attacker to select the weakest link to attack the target. From a security point of view, a combination of logical and physical separation is therefore always recommended.
How to implement network segmentation?
Segmenting an IT environment can be a very complex task including many different competencies and can have a major impact on ongoing operations. The complexity depends on aspects such as how big the environment is, what the current situation looks like, budget, what staff is available and the will of the management.
Here are five steps that you can use as a starting point when you start planning your segmentation project:
- Create a zone model
- Define what should be segmented
- Perform a security analysis of included systems
- Arrange the systems according to the zone model
- Implement, test and put into operation
Read more about what these 5 steps mean in our guide at the top of this page "5 steps for network segmentation" and in our White Paper "Protect critical systems and information with network segmentation".
What are the benefits of zoning and network segmentation?
Zoning an IT system is done for both security and functional reasons. In general, the underlying driving force is to reduce the risk of various disturbances in the system. In terms of security, zoning is about gathering assets with the same type of protection needs concerning privacy, integrity, accessibility and access. The higher the demands placed on the protection of a system, the higher the costs to build and maintain the system and protection mechanisms, which means that for economic reasons, one wants to minimise the size of systems with high demands on protection.
This means that by using zoning, one should try to gather assets with an increased need for protection and separate these from assets with lower demands for protection. Segmentation means that you have separate zones for your assets, but most often, you still allow some communication between these zones. In some slightly more extreme cases, isolation or” galvanic separation” may be relevant and then no network-based communication between the zones is allowed.
Example of how network segmentation can be used - Centralised log collection
A data diode each protects the zones that supply log information. The data flow is unidirectional in the direction of the log system. A shared log system can thus be used regardless of how many zones that supply data to the log system. If any of the zones contain secret information, either the log system has to be protected at the corresponding level of confidentiality or the log information from such a zone has to be filtered so that the log system stays uncontaminated from secret information. However, this can lead to a decrease in the value of the log information, since free text data often must be filtered, which leads to the log information becoming more difficult to interpret.
Read more about Network segmentation in our White Paper #14 "Protect critical systems and information with network segmentation"!
Read more about strategies for protecting Critical Infrastructure in our White Paper Seven strategies for protecting critical infrastructure!
Some advice for the road:
- There are no shortcuts to information security. You have to work strategically with assets, threats and risks.
- Map and test the entire IT architecture. Where are the different systems connected?
- Be careful with evaluations. Who needs access? What information is involved? How are flows guaranteed secure and effective?
- Choose security solutions for operation, accessibility and adaptability based on the attacker’s perspective and the worst case scenario.
- Make physical separation for the most valuable information the priority.