In the past when I was architecting/implementing for ICS ecosystems I found out very early that one of the major steps to securing an ICS/SCADA, or any other network, is segmentation. During my efforts to secure these ecosystems, I learned that with network segmentation in place and a little forethought, it is possible not only to secure these environments but also build a scalable and compliant network that is future-proof. Segmentation, in my opinion, could be the single most important thing that a network practitioner can do to protect not only ICS environments but all network components from attacks and/or cross-contamination. Segmentation takes us back to a point where, if needed, a cable can be pulled and a device or network in jeopardy can be completely isolated from the rest of the world until the time and resources are available to correct the situation.
On the IT side of the company, segmentation is a known and accepted best practice and has been for some time. Operating system vendors have been aware of the need for years and have built tools into their products to help manage these processes. For the enterprise, in many cases, the task of segmenting a network (re-IPing and VLAN creation/assignment) can be done quickly and easily because of the many off-the-shelf solutions available to handle this task. More importantly, enterprise systems are not deterministic like ICS/PCN/DCS, so the possible consequences of changing these systems are not as impactful. Lose an email server and no one is happy; lose your controlling HMI and being unhappy is the least of your worries.
On the OT side of the company, the re-IPing and segmenting of control systems networks is a costly endeavor in both time and resources; and, if done incorrectly or a key system is missed or misconfigured, it can affect production for an extended period of time, resulting in the loss of product and/or revenue and, in worst-case scenarios, life and/or property. It is for these reasons that control systems networks are left as-is by many operators. The risk associated with fixing the lack of separation between the enterprise and controls is not worth the possible cost. Instead, many opt for solutions that only mask the problems.
The good news is the Palo Alto Networks security platform offers a method to allow operators to segment and separate their critical control systems networks from the enterprise with minimal impact to the control systems network.
The technology is native to the next-generation firewall and is available in every model from the PA-200 to the PA-7080. The technique is called VLAN Insertion. It allows one device to be logically inserted between two other devices without physically re-cabling those devices or introducing additional switches, which provides a method to segment a control systems network without the need to re-IP.
Examples of how this technology can be leveraged in a SCADA environment include separating HMIs from business machines that have been placed on the same network segment, or an incident-response case where a possibly breached or contaminated machine has been found within the SCADA ecosystem but is still required to control the system or process. VLAN insertion is a quick and safe method of separating or isolating these systems. The best part of this technology, however, is that you can use it to meet compliance mandates.
Besides becoming compliant and secure, the additional gains of using this technique are:
- High visibility into the network.
- Converting from stateful firewalls to application-based firewall technology and positive enforcement.
- Protection of these critical assets with AV/IPS/Malware/URL detection.
- Ability to scale up or down as needed.
- Ability to safely migrate to a new IP address structure as time permits.
- Becoming compliant with internal and government mandates.
- Access control over these assets, using AD, LDAP, TACACS+, etc.
- Granular control over at-risk protocols and their function codes like MODBUS, DNP3.
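The last item in that list, granular control by protocol function code, is the kind of policy a segmenting firewall can enforce once it sits between the HMIs and the controllers. The following is an added illustration of that policy logic, not Palo Alto Networks code and not how the firewall implements its Modbus decoding: it parses the Modbus/TCP MBAP header, extracts the function code, and checks it against a per-source allow list. The source addresses, the read-only "historian" role and the sample frames are constructed for the example.

```python
"""
Added example (not Palo Alto Networks code): a minimal Modbus/TCP
function-code allow list, the kind of per-protocol control a segmenting
firewall can apply to an HMI-to-PLC flow. Hosts, roles and frames are
constructed for illustration.
"""
import struct

# Public Modbus function codes (Modbus Application Protocol specification).
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}

# Policy keyed by source host (hypothetical addresses): which function codes
# each source may send toward the controllers. Anything not listed is denied.
POLICY = {
    "10.1.1.10": {1, 2, 3, 4, 5, 6, 15, 16},  # engineering HMI: reads and writes
    "10.1.1.20": {1, 2, 3, 4},                # historian: read-only
}


def build_frame(trans_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP frame: MBAP header (7 bytes) followed by the PDU.
    The MBAP length field counts the unit id plus the PDU."""
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame: bytes):
    """Validate the MBAP header and return (unit_id, function_code)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit_id, frame[7]


def evaluate(src_ip: str, frame: bytes):
    """Return ('allow' | 'deny', reason) for one frame from src_ip.
    Malformed frames are denied, as are sources with no policy entry."""
    try:
        _unit_id, fc = parse_modbus_tcp(frame)
    except ValueError as err:
        return "deny", "malformed: %s" % err
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return "deny", "no policy for source %s" % src_ip
    name = FUNCTION_NAMES.get(fc, "unknown")
    if fc not in allowed:
        return "deny", "function %d (%s) not permitted for %s" % (fc, name, src_ip)
    return "allow", "function %d (%s) permitted for %s" % (fc, name, src_ip)


# Constructed sample PDUs: function code, then start address and quantity/value.
READ_HOLDING = bytes([3]) + struct.pack(">HH", 0, 10)   # read 10 holding registers
WRITE_SINGLE = bytes([6]) + struct.pack(">HH", 0, 1)    # write value 1 to register 0


def demo():
    """Run a few constructed frames through the policy; returns the decisions."""
    cases = [
        ("10.1.1.10", build_frame(1, 1, WRITE_SINGLE)),   # HMI write: allowed
        ("10.1.1.20", build_frame(2, 1, READ_HOLDING)),   # historian read: allowed
        ("10.1.1.20", build_frame(3, 1, WRITE_SINGLE)),   # historian write: denied
        ("10.1.1.99", build_frame(4, 1, READ_HOLDING)),   # unknown host: denied
        ("10.1.1.10", b"\x00\x05\x00\x00\x00\x09\x01\x03"),  # bad length: denied
    ]
    return [(src, evaluate(src, frame)[0]) for src, frame in cases]


if __name__ == "__main__":
    for src, decision in demo():
        print(src, decision)
```

The default-deny branches are the point: a frame that does not parse as Modbus, or that comes from a host without a policy entry, is dropped rather than passed. In the firewall this decision is made per session after the devices keep their existing addresses, so the read-only historian above needs no IP change to lose its ability to write.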
What I found, and what I think all network/security practitioners and security architects would agree with, is that this is a crucial tool to have in one’s toolbox.
Watch the How to Architect “Zero Trust” Network Segmentation in Industrial Control Systems webcast to learn more about how to use this powerful tool and the ways it can be leveraged in ICS.