Separating systems to limit damage in a cyberattack is still considered the way to secure industrial technology, but it remains a difficult goal. Segmentation works to secure operational technology (OT) environments only if operators know what threats and risks to look for, but in most cases key concerns are overlooked.
Not only does OT help power critical infrastructure sectors, but it’s increasingly converging with IT environments as well. However, security continues to lag despite its critical role across industries.
Network segmentation that isolates systems to reduce the blast radius is an ongoing recommendation, but organizations need to tweak the process to boost effectiveness. Vendors that overpromise, users seeking convenience, and the cost of running segmented systems all work against the ideal.
Security gaps are rampant because of security awareness and visibility issues, says runZero founder and CEO HD Moore. People don’t consider that every device they bring onto the network is possibly multihomed and has connections to the Internet on its own, he explains, pointing to OT field gear, which often has devices that allow remote access through a cellular connection.
Threat actors will take advantage of those attack vectors, especially if Internet-connected devices contain vulnerabilities. And their attacks are only growing more “creative,” says Moore, making it harder to detect and respond to threats.
“It may be totally segmented, but it’s also completely open and on the Internet, and it’s really hard to find those without looking for it,” Moore tells Dark Reading.
Why Microsegmentation Fails
Segmentation breaks down into two categories: traditional and micro. Both pose concerns when it comes to OT security.
In traditional segmentation, operators place physical devices behind a firewall. With the microsegmentation model, they install an agent onto the machine, giving every machine its own miniature firewall that communicates only with those systems, applications, or devices the user allows.
Traditional segmentation falls apart when devices behind the firewall can communicate outside of the security perimeter, Moore warns, such as if a technician were to bring a Wi-Fi-enabled laptop to the factory floor and plug it directly into the network.
Traditional segmentation “is so commonly broken that you can almost always guarantee there’s a way around the firewall,” Moore says. An unmanaged laptop could introduce malware or other serious threats into the environment.
Microsegmentation is even more concerning because the model doesn’t work for devices on which operators can’t install protection agents or apply vital patches. They simply can’t risk the downtime those disruptions require.
“Factory machines and OT equipment are effectively not able to be microsegmented, so you’re back to using one big firewall to separate, hoping no one goes around it,” Moore says.
‘Convenience Is Destroying Segmentation’
No matter which segmentation model organizations follow, operators crave more usability, which can create attack vectors. Convenience workarounds end up destroying segmentation, Moore says.
But it’s a vendor and user challenge.
Firewall vendors make promises: If organizations buy their box, they’ll protect them. But users find the firewall restrictions annoying and devise “squirrely ways” to bypass the feature.
“They’re like, ‘Well, this firewall is still here,’ not realizing the firewall no longer matters when you’re going around it,” he says.
And those firewalls may not be sufficient in the first place. Firewall vendors have been “failing pretty hard lately,” Moore notes.
“Firewalls that are most commonly used for segmentation have also been the ones most commonly exploited in the last three years: Palo Alto, Fortinet, etc., are seen in the news repeatedly,” he says. “Firewalls are the first step into the organization, and it’s not good when it fails.”
Not A One-Time Project
Segmentation may have issues, but it can still be beneficial if implemented, monitored, and managed effectively. It is one of the few things in OT with real evidence behind it, says James Winebrenner, CEO of Elisity.
“Segmentation as a one-time project – the diagram you drew in a workshop two years ago and filed – is exactly what’s leading to the gaps because the network it described stopped being true the week after you saved it,” Winebrenner tells Dark Reading. “A segmentation diagram is a snapshot, and attackers don’t operate against snapshots. They operate against the network you actually have today.”
In April, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory, Adapting Zero Trust Principles to Operational Technology, which emphasized how network segmentation is “one of the most foundational and effective security controls in OT environments” and how it goes hand-in-hand with zero-trust principles. But CISA also warned that organizations can’t just lift IT zero trust into OT, which has legacy machines, can’t afford downtime, and has software restrictions.
Winebrenner echoes the guidance, which he says emphasized how “segmentation alone isn’t foolproof.” Instead, he urges organizations to treat segmentation as something they operate, rather than something they install. The security that works on a plant floor is one that continually rechecks its policy against the network as it actually exists. He refers to CISA’s guide, which advises an enforceable policy over a “one-time architectural decision.”
Segmentation Is Overused
Part of it boils down to an economics problem. Organizations can’t afford to pay for each piece of factory equipment or each ventilation system to have its own network switchboard. Not only is it unfeasible, but many devices still need to communicate with each other, explains Moore.
With so much legacy equipment on factory floors and power plants that can’t receive patches and vendor updates, it’s also unclear what they’re allowed to filter or segment off.
“A lot of folks say: ‘OK, we’ll put it all in one box and walk away and hope it’s OK,’” he says.
One of the most vital points to remember in OT is that these connections don’t work only one way, Moore says. For example, segmentation doesn’t provide protection from a compromised customer using the same VPN as the organization. He recommends that organizations scan endpoint detection and response (EDR) logs, find endpoints with connections to an unrecognized IP address, and determine why they’re connected.
“The hard thing about segmentation is that folks tend to overuse it,” he says. “You have a bunch of equipment that you don’t want attackers to get to, you put it into a segmented network, but you put it all on the same segmented network. Then all it takes is one of those systems getting hacked.”
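One way to act on the EDR-log recommendation above, as an added example that is not from the article or from runZero: it parses constructed, EDR-style connection events, flags every peer outside an operator-maintained allowlist of known OT segments, and also lists hosts that appear with more than one local address (the multihomed field gear Moore describes earlier). The log layout, segment ranges and host names are assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed allowlist: the OT segments this operator knows about. Anything else is a question.
KNOWN_SEGMENTS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.20.5.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed EDR-style network events; the key=value layout is an assumption, adapt LINE_RE to your product.
SAMPLE_EVENTS = """\
ts=2025-03-01T02:14:07Z host=plc-gw-01 local=10.10.4.12 remote=10.10.4.200 port=502 dir=in
ts=2025-03-01T02:14:09Z host=plc-gw-01 local=10.10.4.12 remote=198.51.100.23 port=443 dir=out
ts=2025-03-01T02:15:40Z host=hmi-west-03 local=10.20.5.7 remote=10.99.0.15 port=3389 dir=in
ts=2025-03-01T02:16:02Z host=hist-srv local=10.10.9.3 remote=10.10.9.50 port=1433 dir=in
ts=2025-03-01T02:17:55Z host=plc-gw-01 local=100.64.17.9 remote=203.0.113.5 port=443 dir=out
"""
LINE_RE = re.compile(r"ts=(\S+) host=(\S+) local=(\S+) remote=(\S+) port=(\d+) dir=(in|out)")


def classify_peer(remote: str) -> Optional[str]:
    """Return None for a peer inside a known segment, otherwise a short reason to investigate."""
    addr = ipaddress.ip_address(remote)
    if any(addr in seg for seg in KNOWN_SEGMENTS):
        return None
    if any(addr in net for net in RFC1918):
        return "internal address outside every known segment"
    return "not an RFC 1918 address; traffic is crossing the OT perimeter"


def find_unrecognized_peers(log_text: str):
    """Moore's check: list every (host, remote, reason) whose far end nobody can account for."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool should count these rather than drop them
        _ts, host, _local, remote, port, direction = m.groups()
        reason = classify_peer(remote)
        if reason:
            findings.append((host, remote, f"{direction}bound port {port}: {reason}"))
    return findings


def multihomed_hosts(log_text: str):
    """Hosts seen talking from more than one local address, e.g. plant Ethernet plus a cellular modem."""
    seen = {}
    for m in (LINE_RE.match(line) for line in log_text.splitlines()):
        if m:
            seen.setdefault(m.group(2), set()).add(m.group(3))
    return {host: addrs for host, addrs in seen.items() if len(addrs) > 1}
```

Each flagged tuple is a ticket for someone to explain, not an automatic block: in OT the answer may be a legitimate vendor link, but it should be a known one.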