The Importance of OT Network Segmentation when Protecting your OT Environments

Opscura

Deep OT Segmentation, Encryption and Protection

OT network segmentation is critical in protecting your OT environments from rising cyber threats. The average cost of a data breach—currently at $4.88 million—should strike fear into the heart of any CISO. As alarming as that figure is, it pales in comparison to the cost of production downtime. According to a 2023 Siemens report, the cost of industrial and process downtime ranges from $39,000 to more than $2 million per hour. Yes, per hour. In oil and gas, the hourly cost of downtime is almost $500,000; an automotive plant can exceed $2 million an hour in downtime costs.

Today, the risk of cybersecurity incidents and ransomware attacks can't be ignored. Manufacturing and industrial companies need to proactively defend against a rising threat. According to the 2024 State of Operational Technology and Cybersecurity Report, 73% of OT professionals had experienced a cybersecurity intrusion that affected OT systems in the past year, up from 49% in 2023. The good news is that the best foundation for proactive defense of OT assets can be built on OT network segmentation.


What is OT Network Segmentation, Exactly?

OT segmentation limits an attacker's ability to move laterally within the network. It divides the network to be protected, whether IT or OT, into smaller zones based on business needs and security requirements, with traffic between zones permitted only through defined, controlled paths. This lets you control access to each zone and apply security measures matched to its risk level and function. Segmentation limits the potential impact (the "blast radius") of a breach to the affected zone, reducing the risk that a single breach takes down the entire network or reaches the 'crown jewels'.

The 3 Main Challenges to OT Network Segmentation

IT network segmentation is fairly well understood and relatively easy to implement without affecting organization processes. OT network segmentation, however, poses entirely different challenges:

1. The sheer cost

Security is always a balance of risk and cost. Taking an OT network down for 1-3 days to reconfigure IP addressing and network systems is the single largest cost of a segmentation project. Until recently, it has been difficult for companies to justify a project whose downtime alone runs to millions of dollars per site (billions across a large estate) in order to protect against a ransomware incident that might cost $5-10 million.

2. The legacy technology

Many OT systems are built on legacy technology and lack the processing capability to run security functions themselves. Others run unsupported operating systems or are never updated. Some lack the compute power or bandwidth to host security agents. Still others simply can't be patched to current standards. Particularly in brownfield OT networks, until recently it was just not possible to add security controls independently of the existing infrastructure without significant downtime. Traditional IT segmentation solutions can't easily be extended to an OT environment because they simply don't speak the same languages: industrial protocols, deterministic timing and safety interlocks are foreign to tools built for enterprise traffic.

3. The disconnect between IT and OT security teams

IT and OT segmentation use the same practice to achieve different goals. IT wants to protect data with high flexibility and responsiveness, and works within an OSI Layer 3-7 environment. OT wants to protect uptime and works with physical products—beer, potato chips, car parts, liquefied natural gas. These move through Purdue level 0-2 controls and processes with completely different sets of implications if something goes wrong.

A New Approach to OT Segmentation

Industrial organizations find themselves between a rock and a hard place, but there is a way to implement OT segmentation while minimizing the risk of downtime and a cyber breach. 

“Non-invasive” OT segmentation enables you to implement defenses and simultaneously lay the groundwork for important capabilities such as:

      • Managing asset inventory 
      • Implementing network visibility tools
      • Identifying places where assets should be isolated
      • Implementing least privilege functionality
      • Managing control of privileged access
      • Managing remote access to security zones and assets

Using the ISA/IEC 62443 Standards for Planning OT Segmentation

ISA/IEC 62443 describes segmentation in terms of zones (groups of assets that share security requirements) and conduits (the controlled communication paths between zones), and those zones are usually laid out against the levels of the Purdue Enterprise Reference Architecture (PERA), which guides segmentation planning. While each organization is different, there are typically three levels of segmentation that can be implemented:

IT/OT Segmentation

Separating OT and IT assets via a DMZ makes it more likely that an attack on the IT infrastructure can be stopped before it reaches or significantly affects OT processes. Systems that IT or external parties need to reach (for example a historian replica or a jump host) reside in the DMZ, so that no session crosses directly between the two environments and access in each direction is limited to what those DMZ services require.

Zone or Cell Segmentation

OT infrastructure can be segmented into smaller zones based on safety, functionality, or data types. Another way to segment is by cells, each corresponding to a step in a critical physical process.

Micro-Segmentation

Micro-segmentation isolates individual assets, such as sensors, batch controllers, or HMI devices. It allows you to "cloak" specific assets that cannot be upgraded or replaced, making them invisible to attackers conducting discovery on the OT network. Some organizations combine zone or cell segmentation with micro-segmentation for this reason.
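The three levels above can be checked on paper before anything on the plant floor is touched. The Python model below is an added example, not Opscura code; the zone names, conduits, protocols and ports in it are constructed assumptions. It encodes the IEC 62443 zone-and-conduit idea (default deny between zones, traffic only through explicitly listed conduits) and computes the "blast radius" of a compromised zone, comparing a flat brownfield network with the DMZ, cell and micro-segment layout described above.

```python
"""Zone-and-conduit model for planning OT segmentation.

Added illustration (not Opscura code): the zone names, conduits, ports and
the flat-vs-segmented comparison below are constructed for this example.
It answers two questions a segmentation plan has to answer:
  1. is a given flow permitted between two zones?        (default deny)
  2. if one zone is compromised, what can the attacker reach? (blast radius)
"""
from collections import deque
from dataclasses import dataclass, field
from itertools import permutations
from typing import FrozenSet, List, Optional, Set, Tuple

Flow = Tuple[str, int]  # (transport protocol, destination port)


@dataclass(frozen=True)
class Conduit:
    """A permitted path from zone `src` to zone `dst`.

    `allowed` lists the (protocol, port) pairs the conduit may carry;
    None means "anything" and is used only to model an unsegmented network.
    """
    src: str
    dst: str
    allowed: Optional[FrozenSet[Flow]]


@dataclass
class Policy:
    zones: Set[str]
    conduits: List[Conduit] = field(default_factory=list)

    def add_conduit(self, src: str, dst: str, allowed: Optional[Set[Flow]]) -> None:
        unknown = {src, dst} - self.zones
        if unknown:
            raise ValueError(f"unknown zone(s): {sorted(unknown)}")
        self.conduits.append(
            Conduit(src, dst, None if allowed is None else frozenset(allowed)))

    def is_allowed(self, src: str, dst: str, proto: str, port: int) -> bool:
        """Default deny: a flow crosses a zone boundary only if a conduit lists it."""
        if src == dst:
            return True  # conduits mediate inter-zone traffic only
        return any(
            c.src == src and c.dst == dst
            and (c.allowed is None or (proto, port) in c.allowed)
            for c in self.conduits
        )

    def blast_radius(self, compromised: str) -> Set[str]:
        """Zones an attacker in `compromised` can reach at the network level by
        initiating connections along permitted conduits, transitively (BFS).
        Authentication on the far end is a separate control and is not modelled."""
        seen = {compromised}
        queue = deque([compromised])
        while queue:
            zone = queue.popleft()
            for c in self.conduits:
                if c.src == zone and c.dst not in seen:
                    seen.add(c.dst)
                    queue.append(c.dst)
        return seen


# Constructed zone set: Purdue levels 4/3.5/3 plus two cells and one micro-segment.
ZONES = {"enterprise", "dmz", "site_ops", "cell_a", "cell_b", "plc_a_legacy"}


def flat_network() -> Policy:
    """Brownfield starting point: every zone can talk to every other zone on any port."""
    p = Policy(set(ZONES))
    for src, dst in permutations(ZONES, 2):
        p.add_conduit(src, dst, None)
    return p


def segmented_network(remote_access: bool = False) -> Policy:
    """IT/OT DMZ, zone/cell conduits, and a micro-segment for an unpatchable PLC."""
    p = Policy(set(ZONES))
    # IT/OT boundary: both sides terminate in the DMZ; nothing crosses it directly.
    p.add_conduit("site_ops", "dmz", {("tcp", 1433)})  # historian pushes to DMZ replica
    p.add_conduit("enterprise", "dmz", {("tcp", 443)})  # IT reads the replica over HTTPS
    # Zone/cell conduits: only the protocol each cell actually needs.
    p.add_conduit("site_ops", "cell_a", {("tcp", 502)})   # Modbus/TCP
    p.add_conduit("site_ops", "cell_b", {("tcp", 4840)})  # OPC UA
    # Micro-segment: the legacy PLC answers only its own cell's controller.
    p.add_conduit("cell_a", "plc_a_legacy", {("tcp", 502)})
    if remote_access:
        # A DMZ jump host allowed to open RDP into site operations.
        p.add_conduit("dmz", "site_ops", {("tcp", 3389)})
    return p


if __name__ == "__main__":
    for name, policy in [("flat", flat_network()),
                         ("segmented", segmented_network()),
                         ("segmented + jump host", segmented_network(remote_access=True))]:
        reach = sorted(policy.blast_radius("enterprise"))
        print(f"{name:22s} enterprise compromise reaches: {reach}")
```

Running the block prints which zones a compromised enterprise network can reach under each layout. The third case is the one to notice: a single remote-access conduit from the DMZ jump host into site operations extends network reachability from the DMZ all the way down to the legacy PLC, which is why managing remote access to zones and assets belongs on the segmentation checklist alongside the zone design itself.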

4 Easy Steps to OT Segmentation

Non-invasive OT segmentation is possible—and more successful—with collaboration and alignment between the IT and OT teams. Each brings a unique perspective to the challenge of securing critical infrastructure and data. You also need a partner with proven experience who can help you achieve OT segmentation without disruption. These four steps smooth the journey.

Step 1: Combine Perspectives

The first—and most critical step—of segmentation planning is to bring IT and OT infrastructure and security teams together to actually see how the OT environment works. Unlike securing data movement, physical products—beer, potato chips, car parts, liquefied natural gas—move through processes with completely different sets of implications if something goes wrong. Walk the IT team through the plant or manufacturing floor and describe the roles of the systems involved with their associated risk levels.

Step 2: Define Security Challenges

Second, bring the IT team up to speed on the security challenges of existing OT technology. For example, an IT director might be astounded by the fact that an HMI running on Windows XP can’t be simply swapped out to a new interface and operating system.

Step 3: Align Implementation Objectives

Third, align on objectives. Prioritize the criticality of each process and the implications of a breach – especially the cost of downtime – for these processes. Highlight the zones or assets that would most benefit from cloaking.
As you walk through your home, think about the spaces and things you would want to make impenetrable or, better yet, invisible to intruders. That’s segmentation and micro-segmentation.
Collaborate and strategize on ways to achieve the needed security objectives within the existing constraints. Build plans around taking the project one bite at a time and adding capabilities as you grow.

Step 4: Leverage Experience

Fourth, work with an experienced OT segmentation partner. Ask them how to make this as light as possible and yet still achieve the necessary segmentation.

Bonus Step: Software-Defined Networking (SDN)

Software-defined networking (SDN)-based solutions create a virtual overlay on top of the existing OT network. This enables organizations to implement non-invasive, virtual OT segmentation tailored to their business needs and security requirements, quickly and without downtime or disruption. By decoupling network control from the forwarding functions of physical hardware such as routers and switches, you can not only create a more manageable and dynamic network infrastructure, but also limit the lateral movement of attackers who take control of specific OT assets.

How Opscura can Help

Successful OT segmentation projects in manufacturing, energy, transportation and other critical industries are relying on the Opscura OT Security Protection Platform for their lightweight yet effective segmentation and Software Defined Network (SDN) implementations.

These customers have gained:


      • Software-based solutions: Opscura functions as an SDN overlay to existing networks, eliminating the cost and disruption associated with adding or re-engineering systems, IP addressing, or networks.

      • Rapid deployment without disruption: Deployment takes just hours—instead of weeks—without requiring committed IT networking experts. Protection is immediate and automatic with no downtime or impact on shop floors or processes.

      • Leading-edge security for OT assets: Opscura provides immediate, automatic zero trust access to OT assets through segmentation, with complete transparency to existing OT and IT systems. Organizations can authenticate access by zone or cell with highly specific granularity. Patented data stream encryption technology secures OT data traveling over the network with <1ms added latency. Opscura's patented network device security system and methodology also enable network appliances to self-heal. For the first time, organizations have a unified, consistent way to secure every zone and asset.

      • Asset cloaking: Bad actors can’t attack what they can’t see. For systems that can’t be patched or updated, Opscura cloaks traffic from observation to thwart attacker discovery and reconnaissance. Organizations can still protect their environments even though vulnerabilities might remain.

A Couple of Real-Life OT Segmentation Case Examples

Brownfield Implementation

An automotive manufacturing organization needs to segment its OT assets. Opscura showed them how its OT/ICS Security Protection Platform can quickly and cost-effectively feed the company's existing visibility solution with the OT network traffic flow data it needs for threat detection. With 300 locations, the new roadmap will avoid at least three days of downtime per location, estimated at $1.25 billion in downtime costs.

Greenfield Implementation

A new manufacturing plant wants to enable OT micro-segmentation from the outset. The Opscura OT/ICS Security Protection Platform lets them move easily from a flat network architecture to a Zero Trust model with micro-segmentation and encryption, adding less than four labor hours to their build schedule. Because the company is critical to national defense, it will also benefit from Opscura's Post Quantum Encryption (PQE) technology. PQE uses encryption algorithms designed to withstand attacks from quantum computers.

Start Your OT Segmentation Plan Today

There’s no need to wait any longer to protect your OT assets. Contact us today to book a meeting.