Protecting IoT and OT with zero trust and network segmentation [Q&A]
In recent years we've seen a surge in the number of IoT and operational technology (OT) devices appearing on networks.
But while this technology offers many advantages, it also brings new risks, both for the devices themselves and the networks they're attached to. What can businesses do to benefit from the technology but still keep their networks safe?
We spoke to Phil Neray, VP of IoT and Industrial Cybersecurity at CyberX to find out.
BN: Why has there been an increase in the need for IoT/OT network segmentation in recent years?
PN: Network segmentation is part of a larger strategic trend called 'Zero Trust' that has become a core foundational principle of cybersecurity. Unlike traditional perimeter security which is focused exclusively on keeping adversaries out of your network, zero trust assumes that adversaries are already inside your network -- and focuses instead on preventing attackers from moving laterally (East-West) across your networks to compromise critical assets.
How did attackers get into your network in the first place? There are many ways for today's adversaries to bypass perimeter firewalls to gain access to your corporate and industrial networks. These include: exploiting weak credentials on internet-exposed RDP ports; email phishing attacks that install malware on users' desktops; and IoT/OT devices with default credentials that are connected directly to the internet.
Additionally, according to an analysis of 1,800 production IoT/OT networks described in our 2020 Global IoT/ICS Risk Report, nearly two-thirds (64 percent) of industrial sites are still using unencrypted passwords, and 71 percent have Windows XP and other older Windows boxes that no longer receive security patches from Microsoft. These inherent vulnerabilities make it much easier for adversaries to compromise additional higher-value systems after establishing their initial footholds.
Network segmentation and zero trust have become even more important as digitalization and Industry 4.0 drive the deployment of billions of new IoT/OT devices such as smart sensors, increasing the attack surface by a factor of three times compared to a few years ago. These IoT/OT devices don't support agents and are often unpatched, unmanaged, and invisible to IT teams -- making them soft targets for adversaries seeking to disrupt production or gain access to corporate networks.
BN: What are the benefits of zero trust and network segmentation for IoT/ICS networks?
PN: Network segmentation is the process of separating groups of assets into distinct zones -- separated by next-generation firewalls configured with application-layer policies -- in order to reduce the attacker's ability to pivot from their initial foothold to other network segments.
In comparison, in an unsegmented or 'flat' network, threat actors can move easily between segments to compromise your most critical assets.
For example, in an attack on IoT devices discovered last year by Microsoft, the adversary compromised a VoIP phone to gain initial access to the corporate network. From this initial foothold, they scanned the network to look for other insecure devices that would enable them to traverse the network in search of higher-privileged accounts that would grant access to higher-value data. The potential damage from this attack would likely have been minimized had the IoT device been isolated on a separate network.
Other performance-oriented benefits of network segmentation include:
- More granular control over resource allocation, in order to optimize performance for more critical applications and devices
- Reduced network traffic in segments with processes that require low latency response times, which is especially important in cyber-physical systems (CPS) such as turbines where the required latency is measured in sub-milliseconds
Even basic network segmentation, such as separating IT networks from OT networks, significantly reduces the attack surface and prevents adversaries from easily navigating the intrusion kill chain.
BN: Where should teams begin with network segmentation projects?
PN: Visibility is the top priority for organizations implementing IoT/OT network segmentation, because it's essential for answering key questions such as:
- How many IoT/OT devices do we have? Most companies are often unaware of the number of devices they have -- in fact, it's not uncommon for them to have two or three times as many as they initially thought.
- How are they classified (camera, sensor, controller, HMI, etc.)?
- How are they communicating with each other?
- Which ones are connected to the internet?
- Which of them are easier or more difficult to patch on an ongoing basis?
- What applications and protocols are they using?
- Where are my 'crown jewel' assets located -- i.e., those high-value assets whose compromise would result in material impact to my organization, such as via a major safety or environmental incident, lost production, or theft of sensitive intellectual property?
Once you have the answers to these critical questions, it becomes much easier to design your network segmentation architecture and define the right policies, without impacting business-critical processes.
BN: What technologies are needed to gain IoT/OT visibility for network segmentation?
PN: It turns out that traditional networking tools designed for IT networks, such as Nmap, can't effectively be used to provide visibility into IoT/OT networks, because active scanning can take down the very IoT/OT devices you're trying to protect.
Another traditional approach is to manually examine logs from network switches, but this can be time consuming and error prone.
Finally, you can't typically rely on NAC devices to discover and classify IoT/OT devices, because they have a limited understanding of the specialized devices and protocols used in IoT/OT environments.
Instead, many organizations are now using agentless, IoT/OT-aware network traffic analysis (NTA) platforms to answer the key architectural questions listed above. By using passive monitoring with Layer 7 Deep Packet Inspection (DPI), these technologies provide the asset and behavioral visibility required -- with zero impact on the network and without requiring deployment of agents.
Because some of these platforms also incorporate IoT/OT-aware behavioral anomaly detection (BAD) algorithms to immediately detect unauthorized or anomalous behavior -- plus capture rich contextual information about IoT/OT security events along with high-fidelity PCAPs for incident response -- they can also be called Network Detection and Response (NDR) platforms.
When combined with Endpoint Detection and Response (EDR) solutions, NDR platforms provide the key capabilities required to implement XDR, where the 'X' represents all the security data sources required to gain a holistic view of all threat activities in your environment and identify adversary behavior using machine learning.
BN: How can I test the effectiveness of my network segmentation architecture?
PN: One of the best ways to determine the effectiveness of your network segmentation is by using threat modeling. Using this approach, you examine all the digital pathways to your crown jewel assets in order to identify the most likely paths an attacker might take to compromise them. If you've properly segmented the network, it will be much more difficult for attackers to navigate the intrusion kill chain to compromise these assets.
Some IoT/OT cybersecurity platforms also offer an automated approach to threat modeling. In this approach, the platform analyzes the network topology and all vulnerabilities it has automatically discovered in order to identify the most likely attack paths to your critical assets, ranked by risk. This will ensure that you've properly segmented your network to reduce the risk to your organization's safety, production, and sensitive intellectual property.
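The attack-path check described above can be reproduced in miniature. The example below is added here and is not code from the interview or from any CyberX product: it takes a constructed asset inventory (the output of the visibility step) and a set of zone-to-zone firewall rules, then searches for the chain of zones an attacker could pivot through from an initial foothold (a compromised VoIP phone, as in the Microsoft incident) to a crown-jewel PLC. Running it against a flat policy and a segmented policy shows how many assets each one leaves exposed.

```python
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Allowed zone-to-zone flows as a next-generation firewall would enforce them:
# (src_zone, dst_zone) -> allowed application-layer protocols. A missing key
# means the flow is dropped. Every name and value below is constructed.
Policy = Dict[Tuple[str, str], FrozenSet[str]]

# Constructed inventory from the visibility step: asset -> zone it lives in.
ASSETS: Dict[str, str] = {
    "voip-phone": "corp-users",
    "hr-laptop": "corp-users",
    "file-server": "corp-servers",
    "eng-workstation": "engineering",
    "historian": "ot-dmz",
    "turbine-plc": "ot-control",  # the crown-jewel asset
}

SEGMENTED_POLICY: Policy = {
    ("corp-users", "corp-servers"): frozenset({"https", "smb"}),
    ("engineering", "ot-dmz"): frozenset({"https"}),
    ("ot-dmz", "ot-control"): frozenset({"modbus"}),
}

def flat_policy(assets: Dict[str, str]) -> Policy:
    """An unsegmented network: every zone may reach every other zone."""
    zones = set(assets.values())
    return {(a, b): frozenset({"any"}) for a in zones for b in zones if a != b}

def zone_path(policy: Policy, src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of zones an attacker could pivot through from src to dst
    (breadth-first search over allowed flows). None means no path exists."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for a, b in policy:
            if a == path[-1] and b not in seen:
                seen.add(b)
                queue.append(path + [b])
    return None

def exposed_assets(assets: Dict[str, str], policy: Policy, foothold: str) -> Set[str]:
    """Assets reachable from a compromised foothold; its own zone always counts,
    since there is no firewall between hosts inside one segment."""
    start = assets[foothold]
    return {name for name, zone in assets.items()
            if zone_path(policy, start, zone) is not None}
```

With the flat policy every asset, including the PLC, is reachable from the phone; with the segmented policy the foothold is confined to the two corporate zones, and the only route to the PLC runs through engineering and the OT DMZ, which is where monitoring and policy effort should concentrate.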