Network Segregation


Nexus IT Solutions specializes in the design and implementation of network segregation: a technique that allows process network resources to be reached from the organizational network or the Internet while containing the risk of information theft, cyber attacks and data leakage.


Connecting production floor control system networks to the organizational network seems natural and self-evident. It does raise productivity and makes common tasks, such as data acquisition and analysis, much easier than before, and in the long run it may lower maintenance costs. Remote management, online helpdesk support and easier access to and processing of information are only some of the benefits of merging organizational network resources with the industrial network.

However, connecting the networks also carries a high risk, which is not always recognized by users and plant engineers. Connectivity to the Internet-facing business network increases the exposure of the industrial network to attacks, intrusions, viruses and hackers. This is especially true when the security of the industrial network is sacrificed for ease of maintenance. For example, many industrial devices, such as PLCs and other network-enabled agents, offer management over common protocols such as Telnet, HTTP and SNMP, and only rarely is this access protected even by a password. Moreover, information such as the documentation of production processes is confidential and must be protected from being stolen or modified by a malicious attacker.

For this and many other reasons, the approach must be completely different: instead of "connecting" these network segments together, they should be "segregated", i.e. there must not be free and open access from one network to the other. Instead, the networks should be separated by a security system that allows only certain types of information to be transferred from one segment to the other, under a strict policy of permitted information types and of trusted sources and destinations for that information.

A network segregation project usually consists of several phases. At each stage, a vulnerability assessment and risk analysis should be performed for that stage; this helps the engineer understand how much investment in resources is needed to obtain the desired level of security.

Security Policy

The first step in securing the control system is the definition of the desired security policy. Management, together with the IT department, should define common security policies, the resources required to implement them and the level of control required to enforce them. In particular, the following elements should be clearly defined:

  • User roles. There is some hierarchy in every organization, and responsibilities (and permissions) differ significantly between regular workers, process engineers and managers.
  • Responsibility areas. These should usually be aligned with the organizational structure. For example, a factory is typically divided into several independent departments or workshops. Apart from access to shared organizational data, a worker should need little or no access to systems that do not belong to his own department.
  • The security policy itself. This means assigning each person in the organization the desired role for each responsibility area.
  • Permissions. The types of permissions, actions and level of activity allowed for each role must be strictly defined: who may view production data in read-only mode, who may change parameters and thresholds, and who should have no access at all.
  • Audit rules. One of the most important factors in securing the network is extensive logging of activity for later reference.

Risk Assessment

The second stage is a vulnerability and risk assessment. The different ways in which the system could be breached should be considered, and for each one the following aspects analysed:

  1. Identify, characterize and assess threats. Typically these are computer viruses, malicious attacks from outside or from within the network, information theft, etc.
  2. Assess the vulnerability of the system to those threats. Are there unprotected systems with open access? What is the organizational culture of data safety?
  3. Determine the risk, i.e. the expected likelihood and consequences of specific types of attacks on specific assets. What is the chance, for example, that a malicious user intrudes into the plant and gains access to a protected network resource?
  4. Identify ways to reduce those risks. Which measures should be taken to minimize vulnerabilities? What can be done to protect a system whose own level of security cannot be raised?
  5. Prioritize. Unlike money, time and other resources, there is no upper limit to the information security level. Obviously, the highest risks should be handled with the highest priority.

Vulnerability assessment is an excellent mechanism for identifying defects or "holes" in the design of the network and, of course, for locating points within the system that may produce threats.
After mapping and documenting all plant floor control, computing and communication equipment, a thorough scheme should be prepared that describes the infrastructure in accordance with the desired system design.

The Internet is the largest and least secure network. Making the system accessible from the Internet extends management capabilities (for example, a process may be tuned by the process engineer from home, without actually going to the plant). But the risk of attack through Internet connectivity is especially high, and for that reason it is not recommended to allow external access to critical systems.

Moreover, if Internet connectivity is required, the exposure of the system to the Internet (including encrypted channels) should be minimized.

Network design

The network must be designed to be as simple as possible. The number of points of contact between network segments should be kept to a minimum. Usually only one or two points of contact should be left between networks, where the connection is made either by a firewall (a network device that allows strict control, inspection and audit of traffic passing through it in both directions) or by a unidirectional gateway (where information can only be transferred in one direction, with complete galvanic separation between the networks).

As you can see, a significant part of the work must be done before the procurement process even starts.

Nexus IT Solutions assists you through the whole process, from gathering the project definitions to complete integration and ongoing support and maintenance.
