A very common case that we are seeing constantly week after week is the rapidly increasing amount of threats and vulnerabilities in the control systems within critical infrastructures and industrial environments. This is mainly due to the strong dependence on legacy systems in which updating, patching and making corrections without impacting on the availability and integrity of operations is not an easy task, or even being impossible in many cases.

Moreover, it is very usual to find completely flat OT networks in these environments with security measures barely implemented as these networks tended to be completely air-gapped from IT and corporate systems. This implies that any malicious actor trying to penetrate the network will easily get through and move laterally with complete freedom, identifying critical assets or communications and therefore discovering vulnerabilities and exploiting them.

It is now traditional in IT networks to implement proactive security measures such as network segmentation, and it is common sense to do so in any network where applications, devices, data and communications live together. The roots of network segmentation run deep in enterprise IT environments, but are not so common in OT networks. Recently developed industrial security norms such as IEC-62443 are now recommending to implement a network segmentation as one of the first steps for a successful industrial security strategy. However, it is not as easy as it seems in many cases due to the complexity of these networks.

Unlike in IT environments, a cyberattack can target water facilities, power plants, pipelines, railway systems, or hospitals, defense is about critical infrastructures, industrial processes, critical assets, the environment, and, most importantly, human safety.

Traditionally, perimeter security measures were implemented to protect these environments, but they have resulted to be insufficient over time. To overcome this, organizations started to establish the proper zones with clearly defined and enforced security policies, better known as network segmentation. This segmentation is highly related with the physical architecture of the networks, but in many cases, it is not related to the real business operations where different external agents intervene such as operators, maintenance, vendors and so on.

Additionally, traditional segmentation using NAC solutions such as VLAN, VPN or DMZ present many difficulties when trying to deploy them, due to the heterogeneity of OT networks, device management, legacy protocols and IP configurations. It can even have an impact on the performance of these networks where latencies are critical for operational continuity. The traditional approach to network segmentation can also add complexity to authorized access management, which is a serious problem nowadays with the rise of remote access in OT networks.

In order to address the problems that traditional segmentation brings to OT networks and to strengthen their security, a new approach can be implemented called Crypto-segmentation. This approach takes network segmentation to the next level by adding strong cryptography to enforce network logic. It is designed for complex networks which require being more accessible from other networks and external agents such as maintenance or suppliers, and where trust based measures are not enough to ensure strong security. Crypto-segmentation is the perfect way for a transition from traditional perimeter security to “Zero-Trust” approach.

This approach is based on the creation of crypto-segments (groups of devices and applications) independent of the physical and logical network, being able to encompass devices which are in different physical or logical networks. These zones have their own cryptographic keys to secure and segregate traffic end to end as it travels across the network. Crypto-segmentation is deployed as an additional overlay, cloaking assets without the need to change configurations or replace devices and therefore avoiding friction with operations and minimizing downtimes.