SDN-based Micro-Segmentation for OT networks

By Graham Walker

Operational Technology (OT)

Integrating Industrial IoT and Industry 4.0 intelligence involves converging information technology (IT) and operational technology (OT) to link enterprise and industrial information flows. As a result, OT networks are often connected to IT networks, making them vulnerable to cyber-attacks. A security breach in an OT network can lead to physical harm, production downtime, and financial losses. In this blog, we’ll discuss the importance of security in OT networks and explain why micro-segmentation is an ideal way to secure these networks.

OT networks are commonly used to control and monitor physical processes in the manufacturing, transportation, and energy industries. Cyber-attacks on OT networks can result in:

  • Physical damage to equipment that leads to costly repairs and production downtime.
  • Disruption of the processes controlled by OT networks leading to delays and production downtime.
  • Safety hazards to employees and the public.

What is Network Segmentation?

Segmentation can mitigate these threats by isolating critical systems from other parts of the network. It’s an approach to network security that enables organizations to create secure zones within their networks to protect sensitive data and applications. Micro-segmentation divides the network into smaller sections, isolates them, and enforces strict communication policies between devices. This approach hampers the ability of attackers to move laterally within the network, limiting the damage that can be done in the event of a breach.

Benefits of Micro-Segmentation

Micro-segmentation enhances the OT network security posture by providing an additional layer of security to protect against attacks. It enables network administrators to implement granular access controls and restrict access to specific network areas.

Micro-segmentation also reduces the attack surface by limiting the number of entry points for attackers to access the network. By isolating applications and data within individual segments, even if one segment is breached, the rest of the network remains secure, protecting critical assets from cyber threats. Extending micro-segmentation from the network infrastructure to the endpoint is the best approach to contain the attacker’s lateral movement.

Compliance standards such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) require implementing security measures such as segmentation. Micro-segmentation helps organizations comply with these requirements.

Detection and response to security incidents are made easier by micro-segmentation because of improved visibility into network traffic. If an attack occurs, micro-segmentation enables earlier detection because the threat has many more security boundaries to cross, so the attack's spread is slower.

Micro-segmentation security also provides flexibility in managing OT networks by enabling network administrators to manage security policies centrally and make changes quickly to adapt to changing network conditions.

However, micro-segmentation adds significant overhead to network administration, and as networks are updated and expanded, the security of a manually administered micro-segmentation strategy will inevitably deteriorate.

Software-Defined Networking (SDN)

Software-defined networking (SDN) is a network architecture that separates the network control plane from the data plane. This separation enables network administrators to centrally manage traffic flows and security policies via a software application. With SDN, the network is easily divided into smaller logical segments, also known as virtual networks. Each virtual network can be isolated from other virtual networks and can have its own security policies.

Here’s how software-defined networking enables micro-segmentation:

  • Administrators can use SDN to define policies that control network traffic between virtual networks (segments). Policies are based on parameters such as user identity, device type, application type, and location. These policies ensure that only authorized traffic is allowed to flow between virtual networks.
  • SDN enables network resources to be dynamically allocated based on the policies defined by administrators. This dynamic allocation ensures that virtual networks are isolated from each other and have the necessary resources to function properly.
  • SDN provides real-time visibility into network traffic, enabling administrators to monitor traffic patterns and detect anomalies. This visibility is essential for identifying and responding to potential security threats quickly.
  • SDN simplifies administration, even on large networks, and ensures that security policies are automatically applied whenever the network is changed, upgraded, or expanded, so the strength of the micro-segmentation security strategy is maintained throughout the network's life.
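The four points above describe a controller that holds a zone-level allowlist, expands it into per-device forwarding rules, and re-applies it whenever the inventory changes. The following is an added illustration of that model, not code from this post or from the Veracity or Allied Telesis products it mentions: the zone names, the sample inventory, the sample flows, the detection threshold and the flow-entry format are all constructed assumptions, and the entries only loosely mirror OpenFlow match fields rather than being a real OpenFlow encoding.

```python
"""Toy SDN micro-segmentation controller for an OT network (added example).

Assumptions (not from the original post): zone names, the inventory, the
sample flows and the flow-entry layout are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One permitted zone-to-zone conversation; anything not listed is dropped."""
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Flow:
    """A single observed connection attempt (constructed sample record)."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Asset inventory: address -> zone (segment). Constructed sample data.
INVENTORY: Dict[str, str] = {
    "10.1.1.10": "plc",
    "10.1.1.11": "plc",
    "10.1.2.20": "hmi",
    "10.1.3.30": "historian",
    "10.2.0.5": "enterprise",
}

# Zone-level allowlist. Note there is no plc->plc or enterprise->plc rule.
POLICY: List[Rule] = [
    Rule("hmi", "plc", "tcp", 502),              # HMI polls PLCs over Modbus/TCP
    Rule("historian", "plc", "tcp", 502),        # historian reads process values
    Rule("enterprise", "historian", "tcp", 443),  # IT side reads reports only
]


def decide(flow: Flow, policy: List[Rule] = POLICY,
           inventory: Dict[str, str] = INVENTORY) -> Tuple[str, Optional[Rule]]:
    """Return ("allow", rule) if an allowlist rule matches, else ("deny", None).

    An address missing from the inventory has no zone, so it can never match
    a rule: unknown devices are denied by default rather than trusted.
    """
    src, dst = inventory.get(flow.src_ip), inventory.get(flow.dst_ip)
    if src is None or dst is None:
        return "deny", None
    for rule in policy:
        if (src, dst, flow.proto, flow.dst_port) == \
                (rule.src_zone, rule.dst_zone, rule.proto, rule.dst_port):
            return "allow", rule
    return "deny", None


def compile_flow_table(policy: List[Rule], inventory: Dict[str, str]) -> List[dict]:
    """Expand zone policy into per-host entries, as a controller would push to
    switches. Re-running it after an inventory change re-applies policy to new
    devices automatically; no hand-edited ACLs drift out of date."""
    entries: List[dict] = []
    for rule in policy:
        srcs = [ip for ip, z in inventory.items() if z == rule.src_zone]
        dsts = [ip for ip, z in inventory.items() if z == rule.dst_zone]
        for s in srcs:
            for d in dsts:
                # forward direction: client -> server port
                entries.append({"priority": 100, "action": "forward",
                                "match": {"ipv4_src": s, "ipv4_dst": d,
                                          "ip_proto": rule.proto, "tp_dst": rule.dst_port}})
                # reply direction: server port -> client (stateless approximation)
                entries.append({"priority": 100, "action": "forward",
                                "match": {"ipv4_src": d, "ipv4_dst": s,
                                          "ip_proto": rule.proto, "tp_src": rule.dst_port}})
    # table-miss entry: everything not explicitly permitted is dropped
    entries.append({"priority": 0, "action": "drop", "match": {}})
    return entries


def find_lateral_movement(flows: List[Flow], threshold: int = 3) -> Dict[str, int]:
    """Flag sources whose denied flows touch at least `threshold` distinct
    destinations: a device probing across segment boundaries stands out because
    every boundary it hits is logged by the same controller."""
    denied_targets: Dict[str, set] = {}
    for f in flows:
        if decide(f)[0] == "deny":
            denied_targets.setdefault(f.src_ip, set()).add(f.dst_ip)
    return {src: len(t) for src, t in denied_targets.items() if len(t) >= threshold}


# Constructed sample traffic: two legitimate flows, several boundary violations.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.2.20", "10.1.1.10", "tcp", 502),   # HMI -> PLC Modbus: allowed
    Flow("10.2.0.5", "10.1.3.30", "tcp", 443),    # IT -> historian HTTPS: allowed
    Flow("10.2.0.5", "10.1.1.10", "tcp", 502),    # IT -> PLC directly: denied
    Flow("10.2.0.5", "10.1.1.11", "tcp", 22),     # IT -> PLC SSH: denied
    Flow("10.2.0.5", "10.1.2.20", "tcp", 3389),   # IT -> HMI RDP: denied
    Flow("10.1.1.10", "10.1.1.11", "tcp", 445),   # PLC -> PLC SMB: denied (same zone, no rule)
    Flow("10.9.9.9", "10.1.1.10", "tcp", 502),    # unknown device: denied
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_ip:>10} -> {f.dst_ip:<10} {f.proto}/{f.dst_port}: {decide(f)[0]}")
    print("flagged sources:", find_lateral_movement(SAMPLE_FLOWS))
    print("flow entries:", len(compile_flow_table(POLICY, INVENTORY)))
```

Two design choices carry the post's argument. First, the same-zone PLC-to-PLC flow is denied even though both hosts are in the "plc" segment, because micro-segmentation is enforced per conversation, not per VLAN, and the policy lists none. Second, adding a device to the inventory and recompiling produces new entries for it without touching the zone rules, which is the property the final bullet above relies on.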

Conclusion

Securing OT networks is essential to the safe and efficient operation of many industries. Cyber-attacks on OT networks can lead to physical harm, production downtime, and financial losses. Implementing SDN-based micro-segmentation can help organizations protect critical assets, comply with regulations, enhance the security posture of OT networks, provide better visibility into network traffic, and improve flexibility in managing OT networks.

The Open Networking Foundation certifies that Allied Telesis industrial-grade switches are OpenFlow compliant (OpenFlow is a fundamental protocol required for SDN applications). As a result, Veracity recommends these switches for use with its Micro-Segmentation SDN Controller – an industry-leading solution for OT network security.

See our range of Industrial Ethernet switches here.