Page 215 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
For management, network segmentation makes it easier to monitor traffic between zones and enables administrators to deal with a massive number of IoT devices. As new communication technologies are added to worksite environments, network segmentation will be the first line of defense and the foundation for keeping risk low.

Building up zero trust OT environments

While the core of zero trust is network segmentation, stakeholders who want to bulletproof their worksite and keep the operation running should also implement virtual patching, trust lists, hardening of critical assets, and security inspections.

To support policy management, maintenance, and event log review, the solutions used to implement these practices should be centralized. In addition, ideal network segmentation solutions for OT and ICS environments must be OT-native and need to come in different form factors for different purposes. The two key form factors are OT-native IPSs for micro-segmentation and 1-to-1 protection of critical assets, and OT-native firewalls for transparently creating segmentation with a broader definition of network security policy. IPSs can also come as an "array", where many of them are included in one appliance for ease of management.

In order to create advanced configurations at the command level, these appliances should have the ability to support the OT protocols that the work site's assets use. Thus, micro-segmentation can be conducted using trust lists set at the network level and OT-native IPSs or firewalls at the protocol level. In addition, support for virtual patching is necessary as well, and critical assets should be hardened using trust lists deployed within the device, at the level of applications and processes.
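The two-level trust list described above (a zone-to-zone rule at the network level, then a per-command rule at the protocol level) can be made concrete with a small policy evaluator. The following Python is an added illustration, not code from the article or from TXOne Networks; the zone addressing, the Modbus/TCP rules and the sample frames are all constructed, and the Modbus function-code groupings reflect the public Modbus specification (1-4 read, 5/6/15/16 write).

```python
"""Two-level trust-list evaluation for OT micro-segmentation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone assignments for a hypothetical work site.
ZONES = {
    "corp_it": ipaddress.ip_network("10.0.0.0/16"),
    "hmi": ipaddress.ip_network("192.168.10.0/24"),
    "eng_ws": ipaddress.ip_network("192.168.20.0/24"),
    "plc": ipaddress.ip_network("192.168.100.0/24"),
}

# Network-level trust list: (src_zone, dst_zone, dst_port). Anything absent is denied.
NETWORK_TRUST_LIST = {
    ("hmi", "plc", 502),
    ("eng_ws", "plc", 502),
}

# Protocol-level trust list: Modbus function codes allowed per (src_zone, dst_zone).
MODBUS_READ = {1, 2, 3, 4}
MODBUS_WRITE = {5, 6, 15, 16}
PROTOCOL_TRUST_LIST = {
    ("hmi", "plc"): MODBUS_READ,                    # operator stations may only read
    ("eng_ws", "plc"): MODBUS_READ | MODBUS_WRITE,  # engineering stations may also write
}


@dataclass
class Flow:
    """One observed TCP request (constructed for the example)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; unknown addresses get no zone and are denied."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def modbus_function_code(payload: bytes) -> Optional[int]:
    """Parse the 7-byte Modbus/TCP MBAP header and return the PDU function code.

    Returns None when the frame is too short, the protocol id is not 0, or the
    length field disagrees with the actual frame size (malformed or non-Modbus).
    """
    if len(payload) < 8:
        return None
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return payload[7]


def evaluate(flow: Flow) -> str:
    """Apply the network-level rule first, then the protocol-level rule."""
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src is None or dst is None:
        return "deny: unknown zone"
    if (src, dst, flow.dst_port) not in NETWORK_TRUST_LIST:
        return f"deny: no network-level rule for {src}->{dst}:{flow.dst_port}"
    fc = modbus_function_code(flow.payload)
    if fc is None:
        return "deny: malformed or non-Modbus payload on port 502"
    if fc not in PROTOCOL_TRUST_LIST.get((src, dst), set()):
        return f"deny: Modbus function code {fc} not trusted for {src}->{dst}"
    return f"allow: Modbus function code {fc} {src}->{dst}"


def mbap(function_code: int, body: bytes = b"\x00\x00\x00\x01", unit_id: int = 1) -> bytes:
    """Build a constructed Modbus/TCP frame: MBAP header + unit id + PDU."""
    pdu = bytes([function_code]) + body
    length = len(pdu) + 1  # bytes following the length field: unit id + PDU
    return b"\x00\x01" + b"\x00\x00" + length.to_bytes(2, "big") + bytes([unit_id]) + pdu


if __name__ == "__main__":
    samples = [
        Flow("192.168.10.5", "192.168.100.7", 502, mbap(3)),    # HMI reads registers
        Flow("192.168.10.5", "192.168.100.7", 502, mbap(6)),    # HMI tries a write
        Flow("192.168.20.5", "192.168.100.7", 502, mbap(16)),   # engineer writes
        Flow("10.0.5.5", "192.168.100.7", 502, mbap(3)),        # corporate IT reaches PLC
        Flow("192.168.10.5", "192.168.100.7", 502, b"\x00"),    # junk on port 502
    ]
    for f in samples:
        print(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port}: {evaluate(f)}")
```

The order of the checks is the point: a flow that is not on the network-level list never reaches the protocol parser, and a flow that passes the network rule is still held to the narrower per-zone command list, which is what lets an operator station read a PLC without being able to change its setpoints.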



Creating trust lists
Firstly, for fixed-use legacy assets, it's as simple as creating a trust list that only allows the applications and processes necessary to the asset's purpose to run, which also prevents malware from running. Secondly, for modernized machines that have more resources and must conduct a variety of tasks, hardening must be based on trust lists with a library of approved ICS applications and certificates, as well as machine learning. In addition, security inspections for stand-alone or air-gapped systems as well as inbound and outbound devices prevent insider threats from affecting company operations. The concept of zero trust has shown OT security intelligence specialists that network trust awareness is critical to maintaining operational integrity.
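The two hardening tiers in this section, a hash-only trust list for a fixed-use legacy asset and a trust list backed by a library of approved applications and signing certificates for a modernized machine, can be shown side by side as a process-start decision. The Python below is an added example, not code from the article or from any vendor; the executable images, paths and publisher names are constructed stand-ins, and the "signer" field is assumed to be the subject of an already-validated code-signing certificate supplied by the endpoint agent.

```python
"""Application trust-list evaluation for OT endpoints (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images on the asset.
HMI_RUNTIME = b"constructed HMI runtime image v1"
HISTORIAN_AGENT = b"constructed historian agent image"


@dataclass
class ExecEvent:
    """A process-start event as an endpoint agent would report it (constructed)."""
    path: str
    image: bytes
    signer: Optional[str] = None  # subject of a validated code-signing certificate


@dataclass
class TrustList:
    """mode 'legacy': exact hash match only. mode 'modernized': hash match, or an
    unknown binary signed by a publisher in the approved-certificate library."""
    mode: str
    hashes: Dict[str, str] = field(default_factory=dict)  # path -> expected sha256
    signers: Set[str] = field(default_factory=set)


def evaluate(event: ExecEvent, trust: TrustList) -> str:
    digest = sha256_hex(event.image)
    expected = trust.hashes.get(event.path)
    if expected == digest:
        return "allow: hash matches trust list"
    if expected is not None:
        # A trusted path whose contents changed is the case allow-listing exists for.
        return "deny: trusted path but image hash changed"
    if trust.mode == "modernized" and event.signer in trust.signers:
        return "allow: signed by approved publisher"
    return "deny: not on trust list"


def legacy_trust_list() -> TrustList:
    """Fixed-use asset: exactly the binaries its purpose needs, pinned by hash."""
    return TrustList("legacy", hashes={"/opt/hmi/runtime": sha256_hex(HMI_RUNTIME)})


def modernized_trust_list() -> TrustList:
    """Multi-purpose machine: pinned hashes plus an approved-publisher library."""
    return TrustList(
        "modernized",
        hashes={
            "/opt/hmi/runtime": sha256_hex(HMI_RUNTIME),
            "/opt/historian/agent": sha256_hex(HISTORIAN_AGENT),
        },
        signers={"Approved ICS Vendor"},
    )


if __name__ == "__main__":
    events = [
        ExecEvent("/opt/hmi/runtime", HMI_RUNTIME),
        ExecEvent("/opt/hmi/runtime", HMI_RUNTIME + b"\x90"),          # tampered image
        ExecEvent("/tmp/updater", b"unknown binary", "Approved ICS Vendor"),
        ExecEvent("/tmp/updater", b"unknown binary", "Someone Else"),
    ]
    for name, tl in (("legacy", legacy_trust_list()), ("modernized", modernized_trust_list())):
        for e in events:
            print(f"[{name}] {e.path}: {evaluate(e, tl)}")
```

Note that the modernized mode only relaxes the rule for paths the list has never seen; a pinned path whose hash no longer matches is denied in both modes, regardless of how the replacement image is signed.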


Conclusion
Implementing zero trust in OT and ICS environments is much easier with network segmentation, and therefore network segmentation has become a byword in work site cyberdefense. However, when IT-based solutions are deployed in operational technology and ICS environments, their large demands on resources and lack of sensitivity to OT protocols are just as likely to interfere with operations as they are to protect them. For this reason, TXOne Networks has developed OT-native solutions, supported by the