Strengthening Cybersecurity: The Role of Network Segmentation and Microsegmentation
In the ever-evolving landscape of cybersecurity, buzzwords like "zero-trust" have taken center stage. While these advanced measures, which prevent devices from communicating unless explicitly permitted, are essential, they must be built on a foundation of fundamental protections like network segmentation. According to Alan Raveling, OT Architect for Cybersecurity and Infrastructure at Interstates, the basics remain crucial.
“Most users and applications still have a lot of basic cybersecurity work to do,” says Raveling. “For example, it’s likely they’ve already separated their OT and IT networks, but is production line A separated from production line B? It’s just as likely they need to microsegment their networks, too. This means determining and setting up known routes and pathways, funneling communications through something that can act like a policeman, and deciding which communications are allowed, which are not, or which are OK for two hours and then restricted again.”
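The policy model Raveling describes (segments per production line, traffic funneled through a policing point that permits only known paths, and exceptions that expire after a fixed window) can be sketched as a small default-deny evaluator. This is an added example, not code from Interstates or from the article; the segment names, the 10.x addressing and the two-hour maintenance window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed segments (hypothetical addressing): one subnet per production line,
# plus a DMZ that brokers traffic between the lines and the IT side.
ZONES = {
    "line_a": ip_network("10.10.1.0/24"),
    "line_b": ip_network("10.10.2.0/24"),
    "dmz": ip_network("10.20.0.0/24"),
}

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    expires_at: Optional[datetime] = None  # None: standing rule; otherwise a timed exception

def zone_of(addr: str) -> Optional[str]:
    """Map an address to its segment; None means an asset not in the inventory."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

class SegmentPolicy:
    """Default-deny between segments; only an explicit rule opens a path."""
    def __init__(self) -> None:
        self.rules: list[Rule] = []
        self.denied: list[tuple] = []  # denied attempts, kept for monitoring and review

    def allow(self, src: str, dst: str, port: int, until: Optional[datetime] = None) -> None:
        self.rules.append(Rule(src, dst, port, until))

    def is_allowed(self, src_ip: str, dst_ip: str, port: int, now: datetime) -> bool:
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src is not None and src == dst:  # intra-segment traffic never crosses the policing point
            return True
        for r in self.rules:  # unknown assets (zone None) never match a rule, so they are denied
            if (r.src_zone, r.dst_zone, r.dst_port) == (src, dst, port) and (
                    r.expires_at is None or now < r.expires_at):
                return True
        self.denied.append((now, src_ip, dst_ip, port))
        return False

def demo() -> dict:
    """Line A may reach line B on port 502 for two hours, then the path closes again."""
    policy, t0 = SegmentPolicy(), datetime(2024, 1, 1, 8, 0)
    policy.allow("line_a", "dmz", 443)  # standing rule
    policy.allow("line_a", "line_b", 502, until=t0 + timedelta(hours=2))  # timed exception
    return {
        "a_to_dmz": policy.is_allowed("10.10.1.5", "10.20.0.7", 443, t0),
        "a_to_b_in_window": policy.is_allowed("10.10.1.5", "10.10.2.9", 502, t0 + timedelta(minutes=90)),
        "a_to_b_after_window": policy.is_allowed("10.10.1.5", "10.10.2.9", 502, t0 + timedelta(hours=3)),
        "b_to_a_never_granted": policy.is_allowed("10.10.2.9", "10.10.1.5", 502, t0),
        "unknown_asset": policy.is_allowed("192.168.99.1", "10.10.1.5", 502, t0),
        "denied_count": len(policy.denied),
    }
```

The denied list is the monitoring hook: once the path between line A and line B closes, any further attempt shows up there rather than silently succeeding.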
Starting with Cybersecurity Fundamentals
Raveling emphasizes starting with the basics: passwords, authentication, and user accountability at every workstation to build a robust cybersecurity infrastructure. From there, organizations should focus on network segmentation and monitoring while addressing coding requirements to support multiple devices. These steps align with the ISA/IEC 62443-3-3 standard, which specifies system security requirements and security levels for industrial automation and control systems.
“Cybersecurity needs to be part of the requirements phase of any project,” explains Raveling. “Process engineers need a security expert in the room to help draft their proposal for a machine or production line. They also need to talk with their managers about whether the risk they plan to take is acceptable. Existing patchworks of devices and applications must address cybersecurity project-by-project because many legacy devices aren’t capable of adding cybersecurity functions. So, while some plants can support security level 2 (SL2) according to ISA 62443, others aren’t ready and must find other ways to compensate.”
Real-World Microsegmentation in Action
Interstates has been at the forefront of implementing microsegmentation projects that align with these principles. One notable example involved a consumer liquids manufacturer transitioning from three Ethernet networks to 20, incorporating multiple demilitarized zones (DMZs) and firewalls.
“This was a considerable undertaking because we had to change the Internet protocol (IP) addresses on lots of equipment and collaborate on how to handle internal and external communications,” shares Raveling. “We had to add new switches, but it was mostly reconfiguring and reallocating existing switches. If you have the capabilities and resources available internally, this can be done without it costing too much.”
In a smaller project, Interstates segmented another client’s network, identified all assets, and compiled a comprehensive list of applications and local area networks (LANs). They also moved users from a shared group account to multiple individual accounts.
“Users must get stricter about the types of accounts they use,” Raveling advises. “Likewise, instead of allowing contractors to use their own laptops, organizations should require contractors to use a client organization’s laptop that’s configured for safe use, or use a secure remote access server if they’re working remotely.”
Building for the Future
As the complexity of industrial systems grows, the importance of adhering to cybersecurity standards like ISA 62443 and implementing measures such as microsegmentation becomes even more critical. At Interstates, we’re committed to helping organizations navigate these challenges, ensuring both safety and efficiency.
This article was originally published on Control Global.