Improving Your Network Security Posture with Virtual Segmentation

One of the most important steps industrial asset owners can take to protect their operational technology (OT) networks from cyberattacks is implementing a network segmentation program. Here we mean micro-segmentation within the OT network itself, not simply a DMZ or another boundary that separates the IT and OT networks. However, segmentation projects can require lengthy design and implementation periods, may require expensive network hardware upgrades, and may not be possible at all at the lower layers (in Purdue Model terms) of your OT network.

Claroty can now help! We recently released a unique, industry-first capability called Virtual Zones within our Continuous Threat Detection product.

Utilizing Virtual Zones, you can implement a very cost-effective virtual segmentation program that significantly enhances the security posture of your OT networks. Alternatively, leveraging the same Virtual Zones capability plus the integrations we have developed for key firewall, network access control (NAC), and VLAN providers, you can automate the enforcement of micro-segmentation within your OT environment, leveraging your existing investments in network infrastructure.

Virtual Zones automatically generates and maintains a "current state" view of your OT/ICS process-level communications. This is not simplistic NetFlow. It is a deep understanding of how the industrial assets in the environment are communicating and of the actual process automation "conversations" taking place between assets: the OSI Layer 7 interactions, such as which station reads or writes which controller variables and over which industrial protocol.

With this understanding of how your industrial automation system is configured and communicating, our proprietary algorithms create logical groupings of assets (zones) and add newly discovered assets to the appropriate groups. Thus, Claroty is able to automatically generate a segmentation strategy tailored to your OT network and implement "virtual segmentation" on top of it.

Virtual segmentation is a very cost-effective way to rapidly enhance the security of your plant or operational environment. It can be used across the entire OT network and is really the only practical option for segmentation in the lower layers of your OT network, where inline blocking is avoided because of the very negative impact it can have on operational processes (e.g., between Layer 2 and Layer 1 of the Purdue Model). With virtual segmentation nothing is blocked; instead, alerts based on cross-zone violations receive high-risk status so your SOC team can prioritize them appropriately, while deviations that stay inside a zone are ranked lower. Because it detects rather than prevents, its value depends on someone actually acting on those high-risk alerts.

In addition to virtual segmentation, Claroty can also enforce traditional network segmentation by automatically creating policies for firewalls and Network Access Control (NAC) products and by defining an asset grouping strategy for VLANs. Because these policies are derived from the learned baseline of process-level conversations, they enable you to enforce segmentation using your existing network infrastructure without impacting how your industrial automation systems are working. We have already developed integrations for vendors such as Palo Alto Networks, Check Point, Cisco (ISE) and ForeScout for this purpose. Details on all of our technology integrations are available here.
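To make the two ideas above concrete, here is an added example (not Claroty's code and not a description of its proprietary grouping algorithm) of the alerting and policy-derivation logic that virtual segmentation and segmentation enforcement rest on. The zone assignments, the learned baseline of process-level conversations, and the observed traffic are all constructed sample data. Any conversation not in the baseline is alerted on; if it crosses a zone boundary it is marked high risk, otherwise low risk. The same baseline is then turned into an allow-list of (source zone, destination zone, protocol) rules with a final deny, which is the shape a firewall or NAC integration would consume.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed example data: each asset's virtual-zone assignment.
# In the product the zones come from its grouping algorithm; here they are given.
ZONES: Dict[str, str] = {
    "10.1.1.10": "line1-plcs",
    "10.1.1.11": "line1-plcs",
    "10.1.2.20": "line1-hmi",
    "10.1.3.30": "engineering",
}


@dataclass(frozen=True)
class Conversation:
    """One process-level (Layer 7) interaction between two assets."""
    src: str
    dst: str
    proto: str      # industrial protocol, e.g. "S7comm" or "Modbus/TCP"
    function: str   # process operation, e.g. "read-var", "write-var", "download-block"


# Constructed baseline: the learned "current state" of process conversations.
BASELINE: Set[Conversation] = {
    Conversation("10.1.2.20", "10.1.1.10", "S7comm", "read-var"),
    Conversation("10.1.2.20", "10.1.1.11", "S7comm", "read-var"),
    Conversation("10.1.3.30", "10.1.1.10", "S7comm", "download-block"),
}


@dataclass(frozen=True)
class Alert:
    conv: Conversation
    src_zone: str
    dst_zone: str
    risk: str  # "high" for cross-zone deviations, "low" for intra-zone ones


def zone_of(ip: str) -> str:
    # An asset that has not been grouped yet lands in a catch-all zone,
    # so any traffic it sends to a real zone counts as crossing a boundary.
    return ZONES.get(ip, "unassigned")


def evaluate(conv: Conversation, baseline: Set[Conversation] = BASELINE) -> Optional[Alert]:
    """Virtual segmentation: nothing is blocked, but a conversation missing from the
    baseline raises an alert, escalated to high risk when it crosses a zone boundary."""
    if conv in baseline:
        return None
    src_zone, dst_zone = zone_of(conv.src), zone_of(conv.dst)
    risk = "high" if src_zone != dst_zone else "low"
    return Alert(conv, src_zone, dst_zone, risk)


def evaluate_many(convs: List[Conversation], baseline: Set[Conversation] = BASELINE) -> List[Alert]:
    return [a for a in (evaluate(c, baseline) for c in convs) if a is not None]


def generate_policy(baseline: Set[Conversation]) -> List[Tuple[str, str, str, str]]:
    """Segmentation enforcement: derive one allow rule per (src zone, dst zone, protocol)
    actually observed in the baseline, followed by a final deny-all. Returned as
    (action, src_zone, dst_zone, proto) tuples that a firewall/NAC integration could map
    onto vendor-specific rules."""
    allowed = sorted({(zone_of(c.src), zone_of(c.dst), c.proto) for c in baseline})
    rules = [("allow", s, d, p) for (s, d, p) in allowed]
    rules.append(("deny", "any", "any", "any"))
    return rules


if __name__ == "__main__":
    # Constructed traffic: a baseline read, a new PLC-to-PLC read inside one zone,
    # and a variable write to a PLC from a host that belongs to no zone.
    observed = [
        Conversation("10.1.2.20", "10.1.1.10", "S7comm", "read-var"),
        Conversation("10.1.1.10", "10.1.1.11", "S7comm", "read-var"),
        Conversation("10.1.9.99", "10.1.1.10", "S7comm", "write-var"),
    ]
    for alert in evaluate_many(observed):
        print(f"[{alert.risk.upper()}] {alert.src_zone} -> {alert.dst_zone}: {alert.conv}")
    for rule in generate_policy(BASELINE):
        print(rule)
```

Note that the allow rules key on zone pairs and protocol rather than on individual hosts, which is what keeps a new controller added to an existing zone from breaking the policy; the function-level detail (read versus write versus block download) is used for alerting, where that granularity matters most.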

Beyond enforcing proactive, policy-based segmentation, our alert-based integrations with firewalls enable customers to mitigate active attacks. For example, Claroty can send real-time alerts about unapproved devices or compromised assets on the network, and your firewall can automatically quarantine or otherwise isolate the device's communications until it is investigated and approved or fixed. As with any blocking action in OT, automated isolation is best applied where the same process-impact concerns described above for the lower Purdue layers do not apply, or with an operator approval step in the loop.

Virtual Zones and network segmentation enforcement provide an active, automated and integrated method of rapidly building defense in depth around your most critical systems while preserving the investments you have already made in network infrastructure.