Home / Blog / Divide and conquer: Segmentation to the rescue

Divide and conquer: Segmentation to the rescue

Posted on 10/20/2015, by INCIBE
Divide and conquer

Growth and lack of control

Networks of control systems have been growing gradually as the system grew, without an order or clear infrastructure on most occasions. The original network islands (workcells with no communication between them) that made up each process of a control system have been being linked without much attention being paid to the priorities, requirements and levels of security of each process.

Furthermore, the increasingly greater interrelationship between control systems and corporate systems has not helped adequate growth to take place, connections have simply been established in accordance with information needs.

Network order: ISA 95 levels and separation of networks 

As we saw in the article “The evolution of network infrastructure in control systems”, ISA-95 divides control systems into five levels. These levels also allow a first separation of networks to be carried out and show how to perform segmentation.

In a correctly segmented industrial control system at least four types of different network must be defined: a process network, a control network, a data or control centre network, and a data exchange network. Added to these there are the corporate network and the external network to complete the network architecture. The functions of each network is as follows:

  • Process or field network: This network consists of all of the sensors and actuators that are distributed around the process. This network requires a very high speed and exchanges small data flows, using exclusive industrial control system protocols. Its correct functioning is essential for the system and the availability of data is vital for the process.
  • Control network: The control network groups together all local control tools, such as PLCs, RTUs, etc. This network also contains a local process management system (local display console), which is in charge of supervising a section of production. In addition to controlling the process, the devices in this network usually perform translation tasks between low-level protocols used in the process network and high-level protocols used at higher levels.
  • Data or control centre network: This network includes devices that are allocated to controlling the process, such as operator stations, the engineering server, application servers, etc. In this network, there is high data traffic and, as such, its bandwidth must be high in order to deal with all of the requests. Most communications carried out in this network are Ethernet-based.
  • Data exchange network: Due to the different levels of criticality of networks, to facilitate the transfer of information between them, DMZ will be used when necessary. They are mainly used to separate the data network from the corporate network, but more may be necessary depending on the size of the control system or its criticality. This network will include database systems or similar that must be accessed from the two networks that it aims to link.
  • Corporate network: The corporate network forms all of the business communications that are related to the business and not to the process. E-mail access, office tools, etc. are common in this network. The latter requires a large bandwidth.
  • External network: Communications with the exterior make up the last network in any infrastructure. This network groups together internet access and it is also the network from which access of certain suppliers or vendors comes (third-party access).

Other segmentations: RG 5.71 levels

Network segmentation can also be carried out by separating networks according to the level of confidentiality that it is necessary to apply to them. In line with standard RG 5.71, five criticality levels are defined, from 0, or the least critical to 4, or the most critical, which determine the way in which information can flow from one level to another.

The following levels can be identified, from highest to lowest, as an example of separation into levels in accordance with criticality: vital area (level 4), protected area, owner-controlled area, corporate area and public area (level 0).

Communication between the different levels of criticality of RG 5.71

-Communication between the different levels of criticality of RG 5.71-

RG 5.71 standard establishes the guidelines for selecting the elements through which segmentation must be carried out. As such, for example, in levels in which bidirectional communication is permitted, separation will be carried out by intrusion prevention systems or firewalls, but when communication must only be unidirectional, the only possibility is to use data diodes.

Segmentation strategies

Depending on the level of criticality of the system or the level of security that one wishes to obtain, different strategies and/or tools will be employed to carry out a correct segmentation:

  • Air Gap: The air gap consists of physically separating the connections of two networks. Nowadays, this form of segmentation is not useful, due to the global need for information and, furthermore, it has been proven that it is not a secure method.
  • IDS/IPS: IDS do not allow traffic to be blocked and, as such, they are completely ruled out for segmentation. IPS, however, do allow certain information packages to be blocked in accordance with certain predefined rules. Their role in segmentation is to separate different computers within the same network, known as horizontal segmentation.
  • Virtual networks: Virtual networks (VLAN) created with the majority of commercial routers allow computers that are connected to them to be separated into different networks, separating the traffic of ones from that of others. VLAN networks separate computers into logical networks within the same physical network and, as such, a poor configuration of the private networks would allow the traffic of other networks to be seen.
    Private virtual networks (PVLAN) are a further step in the creation of VLANs, since they allow the creation of secondary networks (PVLAN) within a primary network (VLAN).
  • Firewalls: Firewalls are the most common elements for carrying out segmentation. Their functioning is based on the permission or denial of traffic between the different networks or devices, based on filtering rules. The definition of rules is what determines the security that it provides, since a poorly defined rule may be an access route for potential attacks.
  • Data diodes: Data diodes only allow traffic in one direction. Unlike a firewall, where there is a bidirectional communications channel and only one logical rule stops it, in a data diode there is no channel in one of the two directions and, as such, this communication can never be carried out. Data diodes are used when we only want to take information from a network but not receive it, thus ensuring the availability and integrity of the information, or when we want information never to leave a network, thus ensuring confidentiality.

In the article IT tools that evolve for OT some specific commercial tools are mentioned that can be used to carry out segmentation in industrial control systems.

Practical examples of segmentation

Shown below is a series of diagrams of different network segmentation solutions in an industrial control system, with different levels of security in each case.

Unsegmented network

In this first example we can see what industrial control system network infrastructure has been traditionally: a flat network defined by functionality. As can be seen in the image, there are no security elements for carrying out segmentation and poor practices are employed, such as using servers with two network cards to link different networks.

Network without correct segmentation

-Network without correct segmentation-

Basic segmentation

This second infrastructure is in charge of separating each network through a firewall. The elements have been placed in different networks and adequate rules must be defined for the communications necessary between the different devices to take place.

Basic segmentation of an industrial control system

-Basic segmentation of an industrial control system-

Advanced segmentation

A further step in security comes through the incorporation of other network security elements, such as data diodes and IPS devices. In this advanced infrastructure, the inclusion of a DMZ network has been opted for to separate the corporate network from the data network. As such, the exchange of historian data with the corporate network is carried out by a replicate historian through a data diode, thus preventing the original from being affected.

A traffic inspection has also been included amongst the elements of the control network, to ensure that the data that come to the Front-End and, subsequently, to the SCADA server, are correct.

Another possible segmentation could be carried out by using VLAN and PVLAN to group together different elements of the control network and the field network and provide an even greater level of security and segmentation.

Advanced segmentation for an industrial control system

-Advanced segmentation for an industrial control system-

In industrial control systems, as with any other type of network, the first obstacle to overcome when faced with a technical or security incident is to ensure that its scope is as restricted and as limited as possible. In this regard, network segmentation must be viewed as a cornerstone that must never be missing in secure design.