
Network segmentation – what is that?


Supplying critical infrastructure poses many challenges, especially when integrating complex SCADA systems with business systems that have different requirements. To succeed, network segmentation is essential.

Understanding network segmentation 

An important part of improving your cybersecurity is to work with network segmentation. Network segmentation in data networks means dividing a data network into subnetworks, where each is a network segment. The benefits of such splitting are mainly to improve security and performance.

Questions we cover in this article

Why is network segmentation required?

Many businesses have an IT architecture based on systems designed during a politically stable era. Frequently the architecture has grown over the years while getting current information on e.g. electricity consumption, ordering 24/7 services or teleworking has become standard. The result is that SCADA systems, business systems and the web are interconnected. Therefore, it is difficult to know how many paths lead to critical information. All loopholes can only be detected when dedicated analysis or tests are carried out as part of a risk and safety analysis.

However, it is neither practical nor economically justifiable to protect all information in the same way. To safeguard critical information, strict network segmentation must be applied with a combination of physical and logical separation. Physical separation creates security zones deployed on physically different hardware appliances. Logical separation allows different zones or network traffic to be co-located on the same hardware or network cable; the separation is less obvious, and there is less confidence in the strength of the separation mechanism than with physical separation.


Where is logical separation appropriate?

Everywhere except when protecting critical information. Office networks should use logical separation. Different parts of the business form their own zones: finance, marketing, sales, customer service, etc., each with different authority. As a co-worker, you access only what you need to do your job, i.e. the relevant documents, not the entire folder structure. Logical separation works like the inner walls of a fort, making it difficult for attackers to move onwards within the systems and reach the entire IT environment. Guarding the boundaries of these logical units is done with products that reduce the attack surface and thereby limit the impact of cyberattacks.

Where is physical separation vital?

Critical information requires physical separation. Simply put, an isolated island is created without connection to the outside world. This minimizes the risk area – the attacker has to sit at the computer containing the critical information. Physical separation is extremely effective, but to be practical in today’s world, controlled information exchange has to be possible without compromising isolation. With certified solutions that meet military standards, both functionality and security can be guaranteed.


Why should network segmentation be taken seriously?

All businesses, regardless of whether they operate in industry, infrastructure, authorities, or defence, must actively strengthen their preparedness for cyberattacks.

The NIS Directive has raised information security requirements for critical infrastructure, while the GDPR imposes strict sanctions for the improper handling of personal data. Beyond regulatory compliance, information security is a strategic issue that can directly impact a company’s competitiveness, profitability, growth, and long-term viability.

Effective security measures typically cost only a fraction of the potential damage caused by a cyber incident. For example, the 2017 cyberattack on Maersk is estimated to have cost the company approximately $300 million — how much would protection have cost?


What happens without network segmentation?

Network segmentation reduces the risk and limits the damage of a cyberattack. Without it, there is a risk that sensitive information can leak or be manipulated, and that malware and ransomware can spread uncontrollably and quickly. Attackers do not normally take the direct path to the target, such as electricity distribution. Instead, they worm their way in via weak points far out in the architecture, via email or customer service, to reach their goal. State-funded attackers are also equipped with patience, prepared to work long-term doing everything in small steps, and are unfortunately often one step ahead. The harsh reality is that industrial control systems may have been attacked without anyone noticing. So far.

Are firewalls sufficient?

Firewalls today rarely have a clear dividing line between protocols and information, which makes them vulnerable. Few firewalls offer high assurance; whole batches may be manipulated. When connected, attack vectors are left open. If firewalls are managed through cloud services, the outsourcing in itself increases exposure. Firewalls should be used for what they are meant for – superb external protection. As a logical separation, firewalls from several different manufacturers should be deployed and supplemented by regulations where several people have to approve ruleset changes and understand the consequences if the firewall is switched on or off. For the most valuable information, physical separation is always required.

For office networks with limited access to sensitive and business-critical information, firewalls managed through cloud services are a good cost-effective solution.

Can logical separation be solved through VLAN?

VLAN is an excellent technology for logical separation. However, it allows the attacker to select the weakest link to attack the target. From a security point of view, a combination of logical and physical separation is therefore always recommended.


How to implement network segmentation?

Segmenting an IT environment can be a very complex task, involving many different competencies, and can have a major impact on ongoing operations. The complexity depends on aspects such as how big the environment is, what the current situation looks like, the budget, what staff are available and the will of the management.

Here are five steps that you can use as a starting point when you start planning your segmentation project:

  1. Create a zone model

  2. Define what should be segmented

  3. Perform a security analysis of included systems

  4. Arrange the systems according to the zone model

  5. Implement, test and put into operation

What are the benefits of zoning and network segmentation?

Zoning an IT system is done for both security and functional reasons. In general, the underlying driving force is to reduce the risk of various disturbances. In terms of security, zoning is about gathering assets with the same type of protection needs concerning confidentiality, integrity, availability and access. The higher the demands placed on the protection of a system, the higher the costs to build and maintain the system and its protection mechanisms, which means that for economic reasons one wants to minimise the size of systems with high demands on protection.

This means that by using zoning, one should try to gather assets with an increased need for protection and separate these from assets with lower demands for protection. Segmentation means that you have separate zones for your assets, but most often you still allow some communication between these zones. In some slightly more extreme cases, isolation or "galvanic separation" may be relevant, and then no network-based communication between the zones is allowed.

How can network segmentation be used for centralized log collection?

Each zone that supplies log information is protected by its own data diode. The data flow is unidirectional, towards the log system. A shared log system can thus be used regardless of how many zones supply data to it. If any of the zones contain secret information, either the log system has to be protected at the corresponding level of confidentiality, or the log information from such a zone has to be filtered so that the log system is not contaminated with secret information. However, this can reduce the value of the log information, since free-text data often must be filtered, which makes the log information more difficult to interpret.
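The filtering described above, as an added example that is not Advenica's code: each zone has a classification level, the shared log system has one too, and records from zones classified above the log system keep only their structured fields while free-text fields are replaced before the record crosses the one-way link. The zone names, levels, field names and the sample log lines are all constructed for this example; the point is the trade-off the paragraph names, namely that the filtered records arrive with their context removed.

```python
"""Filter log records before they leave a zone over a one-way link into a
shared log system. Added example, not Advenica's code; zones, levels,
field names and sample lines are constructed assumptions.
"""
import json

LEVELS = {"internal": 1, "confidential": 2, "secret": 3}

# Hypothetical zones feeding the log system, each over its own data diode.
ZONE_LEVEL = {"office": "internal", "scada": "confidential", "rnd": "secret"}
LOG_SYSTEM_LEVEL = "confidential"

# Structured fields assumed safe to forward from any zone, and free-text
# fields that may carry anything and therefore get replaced.
SAFE_FIELDS = {"ts", "zone", "host", "event", "severity"}
FREE_TEXT_FIELDS = {"msg", "detail"}


def needs_filtering(zone, log_level=LOG_SYSTEM_LEVEL):
    """True when the zone is classified above the log system."""
    return LEVELS[ZONE_LEVEL[zone]] > LEVELS[log_level]


def filter_record(record, log_level=LOG_SYSTEM_LEVEL):
    """Return the record in the form that may be sent to the log system."""
    if not needs_filtering(record["zone"], log_level):
        return dict(record)
    # Keep only known structured fields; unknown fields are dropped.
    out = {k: v for k, v in record.items() if k in SAFE_FIELDS}
    for k in FREE_TEXT_FIELDS:
        if k in record:
            out[k] = "[REDACTED]"  # replaced, not truncated or summarised
    out["filtered"] = True  # tells analysts why context is missing
    return out


def forward(lines, log_level=LOG_SYSTEM_LEVEL):
    """Parse JSON log lines, apply the filter and return (sent, dropped).

    Lines that do not parse, or that name a zone the model does not know,
    are dropped rather than forwarded: unparsed text or an unclassified
    source could carry anything, so the safe default is to fail closed.
    """
    sent, dropped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            dropped += 1
            continue
        if rec.get("zone") not in ZONE_LEVEL:
            dropped += 1
            continue
        sent.append(filter_record(rec, log_level))
    return sent, dropped


# Constructed sample input: one line per zone, one malformed line and one
# line from a zone missing from the zone model.
SAMPLE_LINES = [
    '{"ts":"2024-05-01T08:00:01Z","zone":"office","host":"ws-12",'
    '"event":"login","severity":"info","msg":"user alice logged in"}',
    '{"ts":"2024-05-01T08:00:02Z","zone":"scada","host":"plc-gw",'
    '"event":"alarm","severity":"high","msg":"pressure over threshold on line 2"}',
    '{"ts":"2024-05-01T08:00:03Z","zone":"rnd","host":"lab-3",'
    '"event":"file_read","severity":"info","msg":"opened blueprint-v7.pdf",'
    '"path":"/projects/x/blueprint-v7.pdf"}',
    'not json at all',
    '{"ts":"2024-05-01T08:00:04Z","zone":"unknown-zone","host":"h",'
    '"event":"x","severity":"low"}',
]

if __name__ == "__main__":
    records, n_dropped = forward(SAMPLE_LINES)
    for r in records:
        print(json.dumps(r))
    print(f"dropped: {n_dropped}")
```

Because the office and SCADA zones are at or below the log system's level, their records pass unchanged; the record from the secret zone arrives with the message redacted and the unknown path field removed, which is exactly the loss of interpretability the paragraph warns about, made visible by the `filtered` marker.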

Here is some advice:

  • There are no shortcuts to information security. You have to work strategically with assets, threats and risks.

  • Map and test the entire IT architecture. Where are the different systems connected?

  • Be careful with evaluations. Who needs access? What information is involved? How are flows guaranteed secure and effective?

  • Choose security solutions for operation, accessibility and adaptability based on the attacker’s perspective and the worst case scenario.

  • Make physical separation for the most valuable information the priority.

FAQ

Why do you need to protect your information?
  • Availability: So that the information is accessible whenever it is needed.

  • Integrity: So that we can trust that the information is correct and has not been tampered with, altered, or destroyed by unauthorized parties.

  • Confidentiality: So that only authorised persons may access it.

What is the main purpose of cybersecurity?

The main purpose of cybersecurity is to protect systems, networks, and data from digital threats such as unauthorized access, cyberattacks, and data breaches. Cybersecurity helps organisations to ensure that their information remains confidential, accurate and available when needed.

What is network segmentation?

Network segmentation means dividing a data network into smaller subnetworks, or segments. This helps increase security by limiting access and containing potential threats, and can also improve overall network performance.

Which organisations should implement network segmentation?

Organisations that handle sensitive information, such as those in defence, authorities, infrastructure, and industry.

What are network segmentation best practices?

1. Create a zone model

To structure the segmentation project using zoning, you should create a zone model that defines what types of zones you have and what security and assurance requirements you have for the security functions that separate the zones.

2. Define what should be segmented

Define which system or systems should be segmented and thereby be included in the segmentation project. It is very important that the scope of the project is clearly defined and well communicated to everyone involved.

3. Perform a security analysis of systems

The systems included in the segmentation project need to be classified according to their sensitivity and criticality. The classification should be performed on an ongoing basis by the organisation, but a security analysis can identify systems and information that have not yet been classified.

4. Arrange the systems according to the zone model

Place the systems according to the zone model. Placement is based on requirements for security, availability, functionality and operational responsibility. Understanding how the different systems communicate with each other at network level is central.

5. Implement, test and put into operation

In order for the segmentation project to go from paper product to reality, various components (applications, firewalls, switches, etc.) will need to be reconfigured and in some cases networks will have to be partially rebuilt. The various security solutions will be configured, tested and put into operation.
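The five steps above (the outline earlier in the article and the detailed version here) as one worked example, added here and not Advenica's code: a zone model with a protection level per zone and the separation mechanism the model demands between zones (step 1), a set of systems placed in those zones (steps 2 to 4), and a check of the proposed communication flows before anything is reconfigured (step 5). It also counts how many accepted routes lead from the outermost zone into the critical zone, the question the article raises about not knowing how many paths lead to critical information. Zone names, levels, systems, flows and the two rules (physical separation whenever the critical zone is involved, and no flow that skips a zone level) are constructed assumptions for this example, not a standard.

```python
"""Zone model and flow check for a segmentation project. Added example, not
Advenica's code; zones, levels, systems, flows and rules are assumptions.
"""
from dataclasses import dataclass

# Step 1: the zone model. Protection level rises with the number.
ZONES = {"internet": 0, "office": 1, "scada": 2, "critical": 3}

STRENGTH = {"none": 0, "logical": 1, "physical": 2}


def required_mechanism(zone_a, zone_b):
    """Separation the model demands between two zones (assumed rule:
    logical separation between ordinary zones, physical separation such as
    a data diode whenever the critical zone is one of the two)."""
    if zone_a == zone_b:
        return "none"
    if "critical" in (zone_a, zone_b):
        return "physical"
    return "logical"


# Steps 2 to 4: systems in scope, each placed in a zone (constructed).
SYSTEMS = {
    "web-portal": "internet",
    "erp": "office",
    "mail": "office",
    "historian": "scada",
    "hmi": "scada",
    "plc": "critical",
}


@dataclass(frozen=True)
class Flow:
    src: str        # source system
    dst: str        # destination system
    mechanism: str  # separation deployed on this path: none/logical/physical


def check_flow(flow):
    """Return the findings for one proposed flow; an empty list means accepted."""
    zs, zd = SYSTEMS[flow.src], SYSTEMS[flow.dst]
    findings = []
    need = required_mechanism(zs, zd)
    if STRENGTH[flow.mechanism] < STRENGTH[need]:
        findings.append(f"{flow.src}->{flow.dst}: {zs}->{zd} needs {need} "
                        f"separation, has {flow.mechanism}")
    # Assumed rule: only neighbouring levels may talk directly, so no single
    # hop leads from the outside straight into the protected zones.
    if abs(ZONES[zs] - ZONES[zd]) > 1:
        findings.append(f"{flow.src}->{flow.dst}: skips a zone level ({zs} to {zd})")
    return findings


def check_flows(flows):
    """Map (src, dst) of every rejected flow to its findings."""
    return {(f.src, f.dst): r for f in flows if (r := check_flow(f))}


def paths_to_zone(flows, target_zone, start_zone="internet"):
    """Count simple paths from any system in start_zone to any system in
    target_zone over the accepted flows only, i.e. how many routes the
    design still leaves towards the critical information."""
    edges = {}
    for f in flows:
        if not check_flow(f):
            edges.setdefault(f.src, []).append(f.dst)
    count = 0

    def dfs(node, seen):
        nonlocal count
        if SYSTEMS[node] == target_zone:
            count += 1
            return
        for nxt in edges.get(node, []):
            if nxt not in seen:
                dfs(nxt, seen | {nxt})

    for system, zone in SYSTEMS.items():
        if zone == start_zone:
            dfs(system, {system})
    return count


# Step 5 input: the flows the project proposes to implement (constructed).
PROPOSED_FLOWS = [
    Flow("web-portal", "erp", "logical"),
    Flow("erp", "historian", "logical"),
    Flow("mail", "historian", "none"),       # no separation at all
    Flow("hmi", "plc", "logical"),           # too weak towards the critical zone
    Flow("historian", "plc", "physical"),    # controlled one-way exchange
    Flow("plc", "historian", "physical"),    # one-way out, e.g. log export
    Flow("web-portal", "hmi", "logical"),    # skips the office level
]

if __name__ == "__main__":
    for key, findings in check_flows(PROPOSED_FLOWS).items():
        print(key, findings)
    print("paths into critical zone:", paths_to_zone(PROPOSED_FLOWS, "critical"))
```

Run against the constructed flows, three of the seven are rejected (the unseparated office-to-SCADA flow, the merely logical path into the critical zone, and the internet-to-SCADA flow that skips a level), and exactly one accepted route remains from the internet zone to the PLC, which is the kind of number a risk analysis should produce before the firewalls and switches are touched.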


What are the benefits of network segmentation?

Network segmentation helps organizations strengthen their cybersecurity by reducing risk and limiting the impact of cyberattacks. Without it, there is a risk that sensitive information can leak or be manipulated, and that malware and ransomware can spread uncontrollably and quickly.
