Once an attacker finds and exploits this most vulnerable point of entry, it’s potentially a "kid-in-a-candy-shop" scenario. The intruder may be able to pivot to a larger part of the network and anything connected to it—from product designs or recipes, to machine controls or company finances.
And it’s not only external threats that pose a danger on an unsegmented network. Internal threats, whether a disgruntled employee or human error like an incorrect system change, also can wreak havoc when there are no network boundaries or access limitations.
This is why network segmentation should be part of every company’s industrial security strategy.
Network segmentation separates your network into multiple smaller networks and allows you to establish zones of trust. This can help limit the access of outside security threats and contain any damage they cause. And it can help give employees and business partners access to only the data, assets or applications that they need.
Levels of segmentation
Virtual LANs or VLANs are most commonly associated with network segmentation. These are broadcast domains that exist within a switched network. They allow you to segment your network logically—such as by function, application or organization—instead of physically.
VLANs can secure devices and data in two ways. First, you can block devices in certain VLANs from communicating with devices in other VLANs. Second, you can use a Layer-3 switch or router with security and filtering functionality to help to protect the communications of devices that do talk to each other across VLANs.
But while VLANs are an important part of segmentation, they’re only one solution. You should also use other segmentation methods across different levels of your network architecture.
One example is the use of an industrial demilitarized zone (IDMZ). The DMZ creates a barrier between zones, such as the enterprise and manufacturing or industrial zones. All traffic between the two zones terminates at this barrier, while still allowing data to be securely shared.
Other segmentation methods to consider using include access control lists (ACLs), firewalls, virtual private networks (VPNs), one-way traffic restrictors, and intrusion protection and detection services (IPS/IDS).
Think holistically
When implementing network segmentation, consider how it will be applied across your entire organization.
Some companies create purpose-built firewalls at individual facilities. But this can lead to “islands” of security. Different sites will have different firewalls, making it difficult to deploy them in a consistent manner or centrally manage them.
It’s also important to think about segmentation within the context of your company’s long-term needs.
Purpose-built security solutions are too often rigid—they may meet your needs today but can’t flex or evolve with your business to meet tomorrow’s operating or security needs. Purpose-built solutions also tend to rely on the expertise of a small number of employees. And those employees can take vital security or maintenance knowledge with them if they leave.
The solutions you use to implement network segmentation should be flexible enough to grow with your operations. And they should be standardized so the appropriate worker(s) at any site can use and maintain them.
Help is available
Network segmentation is a well-known IT concept, but it’s still taking hold in the industrial world. The industrial companies that are implementing it are discovering the challenges that come with applying it across an entire connected enterprise, like managing segmented data and scaling it to grow with production operations.
If you’re unsure of where to begin or what segmentation method to deploy, freely available resources can help.
The Converged Plantwide Ethernet (CPwE) design guides are a good place to start. Guides on topics like IDMZs, industrial firewalls and networking considerations can help you deploy segmentation using the latest technologies and industry best practices.
The guides are jointly developed and tested by Rockwell Automation and Cisco, and build a foundation to other collaborative products and services to help you segment and secure your network. We also offer training, network and security services, and technologies.
