OT Network Segmentation – Bridging the NAC Gap

By Matt Hubbard, Sr. Technical Product Marketing Manager

In my last blog, I wrote about how network segmentation is applied in another industry with similar requirements: Healthcare. Similar to that industry, organizations deploying Operational Technology (OT) such as manufacturing face the challenge of not only securing OT devices and Industrial Control Systems (ICS), but all devices across their environment. Having many goals including maintaining operations and production lines along with ensuring worker safety, these organizations have looked to network segmentation or ‘air gapping’ to secure all connected devices in their environment.

Network Segmentation – The Most Common Approach Has Gaps

Armis has written previously about the cybersecurity needs of OT environments and how, per NIST, network segmentation and segregation is one of the most effective architectural concepts that an organization can implement to protect ICS. As such, most OT organizations have employed some form of network segmentation as part of their overall cybersecurity strategy. The technique is used to improve security and is commonly utilized by network operations and security teams to isolate various systems from one another including OT, IT, and IoT systems. The most common approach for performing network segmentation today is via Network Access Control (NAC). Unfortunately, NAC systems can be complex to deploy and have poor visibility to all the devices on the network – specifically OT and IoT devices. This makes achieving the goal of network segmentation difficult, if not impossible. 

For network segmentation projects to succeed, however, what is needed is complete visibility to all devices on the network, full context about the behavior & security posture of each device and the ability to apply automated enforcement of network segmentation based on policy. Let’s take a closer look.

First Things First. See Every Device. Know Their Behavior.

Identifying and classifying every device – OT or otherwise – is fundamental. Knowing what OT and other devices are in your environment, where they are, and how they’re being used is critical – whether in a single manufacturing facility, in a warehouse, at remote sites, or in support facilities.

Armis is purpose-built to discover, identify, and profile every device in your environment and is ideal for OT and ICS security initiatives. We identify each device’s make, model, type, serial number, operating system and version, last known location, MAC and IP address, as well as  applications running on the device. For OT and ICS devices, we also provide critical information like details about backplane slots in PLCs, along with risk and vulnerability scores. We do this with a passive, agentless solution, so there is nothing to install on devices, and no risk to disrupting a device – critical when that is a PLC, robotic arm, SCADA server or an HVAC system in a warehouse facility.

Equally important, we not only identify and classify OT devices, but we track their behavior over time, so we have context of what a device is, how it should be behaving, and if it is behaving suspiciously or maliciously.

Automating Network Segmentation

With complete visibility of all devices on the network, as well as full context about their behavior & security posture, the Armis platform can apply automated enforcement of network segmentation based on policy.

For example, based on device attributes and known good behavior, we know that a PLC should be communicating with an engineering workstation, but not connecting to the internet. So, a policy can be created to segment this device to prevent “bad” behavior from occurring in the first place.

We enforce network segmentation and security by automating blocking or quarantining actions through integrations with existing infrastructure components. Based on policy thresholds that you set, Armis is able to automatically segment, block or quarantine devices via your existing wired or wireless infrastructure, NAC, switches, WLC or firewall, as seen in the diagram below.

The Benefits Armis Provides

With this approach, Armis delivers the following benefits from the CISO to plant floor engineer:

• Full Device Visibility – Identify and classify all devices, OT or otherwise
• Continuous Passive Tracking – Real-time analysis of the behavior of all devices of their behavioral, connections, and interactions 
• Vulnerability and Gap Analysis – Real time information a devices states including state, OS, patch status, exposures, active threats, and more
• Automated Network Segmentation – Apply dynamic policies to ensure OT, ICS and other devices are placed on the appropriate network
• Automated Policy Enforcement – Integrate and work with existing IT and security management beyond segmentation for mitigation of identified risks and threats

Our automatic network segmentation allows OT organizations to apply dynamic policies to ensure all connected devices are behaving appropriately and properly confined to the segments they need to be on so they can ensure OT device security and compliance, and keep workers safe and secure. 

To learn more or schedule a demo, click here.