Network Segmentation

From attackics
Mitigation ID: M1030
NIST SP 800-53 Rev. 4: AC-3
IEC 62443-3-3:2013: SR 5.1
IEC 62443-4-2:2019: CR 5.1

Description

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services so that they are not exposed from the internal network.

Restrict network access to only the systems and services that are required. In addition, prevent systems on other networks or in other business functions (e.g., the enterprise network) from accessing critical process control systems. For example, in IEC 62443, systems at the same security level are grouped into a "zone", and access to that zone is restricted by a "conduit", a mechanism that limits the data flows permitted between zones by segmenting the network. [1][2]
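The zone/conduit model described above can be written down as an explicit allow-list and checked before a flow is opened. The following is an added example, not code from the ATT&CK for ICS page or from IEC 62443: it models four constructed zones (enterprise, DMZ, control, field) with hypothetical address ranges, lists the only inter-zone conduits that are permitted (the OPC UA and DNP3 ports are real defaults; the conduit choices themselves are illustrative), denies every other cross-zone flow by default, and can emit equivalent nftables rules. The default-deny also covers the table's point about blocking common ports that a given segment does not need.

```python
"""Zone/conduit segmentation policy checker (added example, hypothetical addressing)."""
from dataclasses import dataclass
import ipaddress

# Constructed zones: name -> address range. Not from the page; illustrative only.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),
    "control":    ipaddress.ip_network("192.168.10.0/24"),
    "field":      ipaddress.ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    """One permitted inter-zone data flow (IEC 62443 'conduit')."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    purpose: str


# The complete allow-list. Anything not listed here is denied across zones.
# Flows are one-directional: the enterprise zone never reaches control directly.
CONDUITS = [
    Conduit("enterprise", "dmz", "tcp", 443,
            "business users read the historian replica in the DMZ over HTTPS"),
    Conduit("control", "dmz", "tcp", 4840,
            "control servers push data to the DMZ historian (OPC UA default port)"),
    Conduit("dmz", "control", "tcp", 22,
            "administrators reach control hosts only via the DMZ jump server"),
    Conduit("control", "field", "tcp", 20000,
            "control server polls outstations (DNP3 default port)"),
]


def zone_of(ip: str):
    """Return the zone containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Decide whether a flow is allowed. Returns (verdict, reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "endpoint outside all defined zones"
    if src == dst:
        return "allow", f"intra-zone traffic within '{src}'"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) == (src, dst, proto.lower(), dport):
            return "allow", f"conduit {src}->{dst} {proto}/{dport}: {c.purpose}"
    return "deny", f"no conduit defined for {src}->{dst} {proto}/{dport}"


def to_nftables() -> list:
    """Render the allow-list as nftables forward-chain rules, default drop."""
    rules = ["ct state established,related accept"]
    for c in CONDUITS:
        rules.append(
            f"ip saddr {ZONES[c.src_zone]} ip daddr {ZONES[c.dst_zone]} "
            f"{c.proto} dport {c.dport} accept"
        )
    rules.append("drop")  # everything else crossing a zone boundary is dropped
    return rules


if __name__ == "__main__":
    # Constructed sample flows a reviewer might be asked to approve.
    for flow in [("10.0.5.7", "192.168.20.12", "tcp", 20000),   # enterprise -> field
                 ("192.168.10.4", "192.168.20.12", "tcp", 20000),  # control -> field
                 ("10.0.5.7", "10.1.0.20", "tcp", 443),            # enterprise -> dmz
                 ("10.1.0.9", "192.168.10.4", "tcp", 3389)]:       # dmz -> control, RDP
        print(flow, evaluate(*flow))
    print("\n".join(to_nftables()))
```

The evaluator is the part worth keeping in a review workflow: a proposed firewall change is approved only if `evaluate` returns `allow`, which forces every new cross-zone flow to be recorded as a named conduit with a stated purpose rather than added ad hoc.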


Techniques Addressed by Mitigation

| Technique | Use |
|---|---|
| Activate Firmware Update Mode | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Alarm Suppression | Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of the more critical control and operational information within the control environment. [4][5][3][6] |
| Automated Collection | Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC). |
| Block Serial COM | Restrict unauthorized devices from accessing serial communication ports. |
| Brute Force I/O | Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of the more critical control and operational information within the control environment. [4][5][3][6] |
| Change Program State | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Commonly Used Port | Configure internal and external firewalls to block traffic on common ports associated with network protocols that are unnecessary for that particular network segment. |
| Control Device Identification | Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of the more critical control and operational information within the control environment. [4][5][3][6] |
| Data Historian Compromise | Consider placing the historian in a demilitarized zone (DMZ) to allow access from enterprise networks while protecting the control system network. [5][3] |
| Detect Operating Mode | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Detect Program State | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Device Restart/Shutdown | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Engineering Workstation Compromise | Segment and control software movement between business and OT environments by way of one-directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs), should have minimal connectivity to external networks, including the Internet and email; further limit the extent to which these devices are dual-homed to multiple networks. [7] |
| Exploit Public-Facing Application | Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure. |
| Exploitation of Remote Services | Segment networks and systems appropriately to reduce access to critical system and service communications. |
| External Remote Services | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host in the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. [5] |
| Internet Accessible Device | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Periodically inventory internet-accessible devices to determine whether the set of exposed devices differs from what is expected. |
| Man in the Middle | Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least reduce, the scope of MiTM activity. |
| Modify Alarm Settings | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3][8] |
| Module Firmware | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Network Service Scanning | Ensure proper network segmentation is followed to protect critical servers and devices. |
| Network Sniffing | Segment networks and systems appropriately to reduce access to critical system and service communications. |
| Point & Tag Identification | Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of the more critical control and operational information within the control environment. [4][5][3][6] |
| Program Download | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Program Upload | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Rogue Master Device | Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of the more critical control and operational information within the control environment. [4][5][3][6] |
| Role Identification | Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC). |
| Service Stop | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Spoof Reporting Message | Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of the more critical control and operational information within the control environment. [4][5][3][6] |
| Standard Application Layer Protocol | Ensure proper network segmentation between higher-level corporate resources and the control process environment. |
| System Firmware | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |
| Unauthorized Command Message | Segment operational assets and their management devices based on their functional role within the process. This enables stricter isolation of the more critical control and operational information within the control environment. [4][5][3][6] |
| Utilize/Change Operating Mode | Segment the operational network and systems to restrict access to critical system functions to predetermined management systems. [3] |