
NSE7_OTS-7.2 Segmentation

Segmentation Detailed Explanation

Segmentation is an essential concept in OT security, ensuring that network traffic is managed, monitored, and controlled by dividing the network into distinct zones. This minimizes risks, isolates potential threats, and maintains the integrity of critical systems.

Definition

Segmentation involves dividing the OT network into smaller, logical or physical segments. Each segment operates independently, and communication between segments is carefully controlled. This approach:

  1. Limits traffic flow to necessary paths.
  2. Protects network zones from unauthorized access or interference.
  3. Enhances overall network security by isolating threats.

Core Concepts

1. Zone-Based Segmentation

This method divides the network into zones based on the functions and security levels of devices or systems. It follows the ISA-99/IEC 62443 framework.

Key Components of Zone-Based Segmentation
  1. Zones:

    • Logical segments of the network, grouped by functionality or security requirements.
    • Example:
      • A zone for SCADA systems.
      • A zone for PLCs controlling machinery.
    • Zones can have varying security levels, such as "trusted" and "untrusted."
  2. Conduits:

    • Communication pathways between zones.
    • Example:
      • A conduit may connect a PLC zone to an HMI zone, allowing only specific types of data traffic (e.g., Modbus commands).

Benefits
  • Reduces the attack surface by isolating systems.
  • Controls inter-zone communication to prevent unauthorized access or data leaks.

2. Micro-Segmentation

Micro-segmentation further divides zones into smaller units for more granular control.

Types of Micro-Segmentation
  1. VLAN Segmentation:

    • VLAN (Virtual Local Area Network) isolates devices or functional modules within a single network.
    • Example:
      • PLCs and HMIs are grouped into separate VLANs to restrict communication between them.
  2. IP-Based Segmentation:

    • Subnets are used to divide the OT network into distinct IP ranges.
    • Example:
      • Assign a unique subnet to devices in different production lines.

Benefits
  • Prevents lateral movement of threats within the network.
  • Enhances traffic visibility and control.

3. Zero Trust Architecture

Zero Trust is a security model where:

  1. No connection is trusted by default, whether it originates inside or outside the network.
  2. Every connection must be authenticated and authorized dynamically.

Implementing Zero Trust in OT Segmentation
  • Dynamic Access Controls:
    • Continuously verify access requests based on identity, location, and behavior.
  • Granular Permissions:
    • Limit permissions to specific actions or protocols.
    • Example:
      • Even devices within the same zone must authenticate to communicate.

Benefits
  • Eliminates implicit trust in the network.
  • Reduces the risk of insider threats and compromised devices.

4. Industrial Protocol Protection

OT environments rely on industrial protocols like Modbus, DNP3, and BACnet for communication. Segmentation helps restrict and secure these protocols.

Key Practices for Protocol Protection
  1. Restrict Cross-Zone Communication:

    • Ensure that specific protocols can only pass between designated zones.
    • Example:
      • Only allow Modbus traffic from PLCs to SCADA servers.
  2. Source Validation:

    • Allow protocol requests only from authorized sources.
    • Example:
      • A command to a robotic arm is only accepted from the central control server.

Benefits
  • Prevents unauthorized or malicious protocol usage.
  • Protects against attacks exploiting industrial protocol vulnerabilities.

Key Technologies

1. FortiGate Policy Routing

  • Define rules for communication between zones.
  • Example:
    • Allow HTTP traffic from the operator’s workstation to the SCADA zone but block all other protocols.

2. Industrial Switches and Routers

  • Configure VLANs to separate traffic.
  • Apply firewall rules to control inter-zone communication.
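The zone, conduit, source-validation and inter-zone policy ideas from the sections above, carried through as a small flow evaluator. This is an added example, not FortiGate or Fortinet code: the zone subnets, conduit definitions and sample flows are constructed, and a real deployment would express the same conduits as firewall policies between zones with an implicit deny at the end.

```python
"""Zone and conduit policy evaluator (added illustration, not vendor code).

Zones are identified by subnet (IP-based segmentation). Each conduit states
which (protocol, destination port) pairs may cross a zone boundary and which
hosts may originate them (source validation). A flow with no matching conduit
is denied, the way an inter-zone firewall applies its implicit deny. All
addresses and zone names are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout: one IP subnet per zone.
ZONES = {
    "SCADA": ip_network("10.10.1.0/24"),
    "PLC": ip_network("10.10.2.0/24"),
    "HMI": ip_network("10.10.3.0/24"),
    "IT": ip_network("192.168.0.0/16"),
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    services: frozenset                        # permitted (protocol, dst port) pairs
    allowed_sources: frozenset = frozenset()   # empty means any host in src_zone


# Constructed conduit policy. Only Modbus/TCP (port 502) may enter the PLC zone;
# from SCADA it is further restricted to two named servers. No conduit exists
# from IT to PLC, and none between PLCs, so both are denied.
CONDUITS = (
    Conduit("SCADA", "PLC", frozenset({("tcp", 502)}),
            frozenset({"10.10.1.10", "10.10.1.11"})),
    Conduit("HMI", "PLC", frozenset({("tcp", 502)})),
)


def zone_of(ip: str):
    """Map an address to its zone name, or None if it lies in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, dst_port, conduits=CONDUITS):
    """Return (verdict, reason) for one flow under the conduit policy."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint outside every defined zone"
    matching = [c for c in conduits
                if (c.src_zone, c.dst_zone) == (src_zone, dst_zone)]
    if not matching:
        return "deny", f"no conduit {src_zone}->{dst_zone} (implicit deny)"
    for c in matching:
        if (proto, dst_port) not in c.services:
            continue
        if c.allowed_sources and src_ip not in c.allowed_sources:
            continue
        return "allow", f"conduit {src_zone}->{dst_zone} permits {proto}/{dst_port} from {src_ip}"
    return "deny", f"{proto}/{dst_port} from {src_ip} not permitted on conduit {src_zone}->{dst_zone}"


# Constructed sample flows: (src, dst, proto, dst_port, description).
SAMPLE_FLOWS = [
    ("10.10.1.10", "10.10.2.5", "tcp", 502, "SCADA server polling a PLC"),
    ("10.10.1.50", "10.10.2.5", "tcp", 502, "non-server host in the SCADA zone"),
    ("10.10.3.4", "10.10.2.5", "tcp", 502, "HMI talking Modbus to a PLC"),
    ("10.10.3.4", "10.10.2.5", "tcp", 80, "HMI trying HTTP to a PLC"),
    ("10.10.2.6", "10.10.2.5", "tcp", 502, "PLC to PLC (lateral movement)"),
    ("192.168.5.7", "10.10.2.5", "tcp", 502, "IT workstation to a PLC"),
]


def audit_flows(flows=SAMPLE_FLOWS):
    """Evaluate each sample flow; returns (description, verdict, reason) triples."""
    return [(desc, *evaluate(s, d, p, port)) for s, d, p, port, desc in flows]


if __name__ == "__main__":
    for desc, verdict, reason in audit_flows():
        print(f"{verdict:5s} {desc}: {reason}")
```

The point of the sample flows is the last three denials: the HTTP attempt fails on the protocol restriction, the PLC-to-PLC flow fails because no conduit was ever defined for it, and the IT workstation fails for the same reason, which is exactly the implicit-deny behaviour a zone-based firewall design relies on.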

Practical Applications

1. Isolate IT and OT Networks

  • IT networks (used for office applications) and OT networks (used for industrial processes) often have different security requirements. Isolating them ensures:
    • Sensitive OT systems are not exposed to internet-based threats.
    • IT systems do not interfere with OT operations.

2. Configure VLANs for Separation

  • Example:
    • Production zones (e.g., manufacturing floor devices) are separated from office zones (e.g., employee workstations).
    • This prevents non-authorized access from office devices to production systems.

Why Segmentation is Critical

  • Minimizes Risks: If one zone is compromised, others remain unaffected.
  • Enhances Security: By controlling communication pathways, segmentation reduces unauthorized access.
  • Simplifies Management: Organizing the network into zones makes it easier to monitor and maintain.

Summary

Segmentation is a powerful strategy to secure OT networks by dividing them into logical or physical zones. Whether it’s using VLANs, subnets, or a Zero Trust model, segmentation helps protect critical systems and control traffic. Tools like FortiGate and industrial switches make implementation efficient and scalable. Start with broad zones and gradually refine them for maximum protection.

Segmentation (Additional Content)

1. Inter-Zone Policy Enforcement with Firewall and IPS

While VLANs and routing policies form the foundation of segmentation, fine-grained control between zones requires the enforcement of security policies using advanced tools like FortiGate firewalls and IPS (Intrusion Prevention System).

Using FortiGate with VDOMs

  • VDOM (Virtual Domain) allows a single FortiGate appliance to function as multiple independent firewalls.
  • This is useful for both logical segmentation (different business units, processes) and physical segmentation (air-gapped zones or dedicated network tiers).
  • Each VDOM can enforce its own access policies, NAT rules, and inspection profiles, ideal for OT environments with different trust zones (e.g., SCADA, PLCs, DMZ).

IPS Integration Between Zones

IPS adds deep-layer defense, especially useful between critical communication conduits such as:

  • SCADA to PLCs: Use IPS to detect and block unauthorized Modbus function codes (e.g., writes when only reads are allowed).
  • Zone-to-Internet communications:
    • Implement time-based policies allowing only scheduled updates or maintenance windows.
    • Block all outbound traffic by default, unless explicitly permitted.
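The SCADA-to-PLC bullet above describes an IPS blocking Modbus writes on a conduit where only reads are allowed. The following added example shows that inspection logic in plain Python; it is not FortiGate's IPS engine. It parses the public Modbus/TCP framing (the 7-byte MBAP header followed by the function code) and applies a per-conduit mode, and every frame used is a constructed sample.

```python
"""Modbus/TCP function-code inspection for a read-only conduit.

Added example, not vendor code. Requests are parsed from the MBAP header and
classified by function code; writes are blocked unless the conduit is marked
read-write, and anything malformed or unknown is blocked so the conduit fails
closed. Frames below are constructed.
"""
import struct
from dataclasses import dataclass

READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Validate the MBAP header and return the request PDU fields.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2, number of
    bytes that follow the length field), unit id (1); then function code + data.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def inspect_request(frame: bytes, conduit_mode: str):
    """Decide one request on a conduit whose mode is 'read-only' or 'read-write'.

    Returns (action, reason). Malformed or unlisted traffic is blocked.
    """
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "block", f"malformed Modbus/TCP: {err}"
    fc = req.function_code
    if fc in READ_FUNCTIONS:
        return "allow", f"unit {req.unit_id}: {READ_FUNCTIONS[fc]} (fc {fc})"
    if fc in WRITE_FUNCTIONS:
        if conduit_mode == "read-write":
            return "allow", f"unit {req.unit_id}: {WRITE_FUNCTIONS[fc]} (fc {fc})"
        return "block", f"unit {req.unit_id}: {WRITE_FUNCTIONS[fc]} (fc {fc}) on read-only conduit"
    return "block", f"unit {req.unit_id}: function code {fc} not in allow list"


# Constructed frames: transaction id, protocol id 0, length, unit 1, then the PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")   # read 10 registers from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00FF")   # write 0x00FF to register 16
WRITE_MULTI = bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0001 0002")
BAD_PROTO = bytes.fromhex("0004 0001 0006 01 03 0000 000A")      # protocol id 1: not Modbus
TRUNCATED = bytes.fromhex("0005 0000 0006 01")                    # header only, no function code


def inspect_samples(conduit_mode="read-only"):
    """Run the sample frames through the inspector; returns the list of actions."""
    frames = [READ_HOLDING, WRITE_SINGLE, WRITE_MULTI, BAD_PROTO, TRUNCATED]
    return [inspect_request(f, conduit_mode)[0] for f in frames]


if __name__ == "__main__":
    for mode in ("read-only", "read-write"):
        print(mode, inspect_samples(mode))
```

On the read-only conduit only the first frame passes; the two write frames are blocked by function code rather than by port, which is the distinction the "protocol-level attacks" bullet below draws. Switching the conduit to read-write admits the writes but still drops the malformed frames.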

Why It Matters

  • Prevents protocol-level attacks, not just port-based or IP-based exploits.
  • Enables defense in depth across zone boundaries, fulfilling both technical and compliance expectations.
  • Frequently appears in exam questions where candidates must select proper segmentation enforcement strategies based on given topologies.

2. Segmentation with FortiNAC

While FortiGate handles traffic flow and enforcement, FortiNAC offers dynamic, identity-based segmentation and access control—critical for networks with variable or unmanaged endpoints.

Key Capabilities of FortiNAC in OT Segmentation

  1. Dynamic VLAN Assignment:

    • Based on device profile (e.g., MAC address, OS type, communication behavior), FortiNAC assigns the appropriate VLAN upon connection.
    • Supports zero-touch segmentation for known devices, reducing manual overhead.
  2. Access Upon Authentication:

    • Unknown or rogue devices are placed into a quarantine VLAN or guest zone until reviewed or authenticated.
    • Prevents early-stage lateral movement or device spoofing.
  3. FortiGate Integration:

    • FortiNAC can trigger firewall rule changes in FortiGate based on device status or policy violations.
    • Enables automated, cross-platform enforcement of segmentation policies across the OT environment.
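The three capabilities listed above (profile-based VLAN assignment, quarantine until authenticated, and a firewall action on violation) as one onboarding decision function. This is an added example and not FortiNAC code or its API: the profiles, VLAN numbers and MAC prefixes are constructed (the prefixes use locally administered ranges so they match no real vendor), and the firewall hook only records the action it would request.

```python
"""Profile-based VLAN assignment with a quarantine default (added example).

Not FortiNAC code. A device is matched to a constructed profile by MAC prefix;
if its observed behaviour falls outside that profile it is quarantined and a
firewall block is requested, profiles that require authentication stay in
quarantine until the device authenticates, and unknown devices are quarantined
for review.
"""
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999   # constructed quarantine VLAN id

# Constructed device profiles: MAC prefix, permitted protocols, target VLAN.
PROFILES = {
    "PLC": {"mac_prefixes": ("02:a1:00",), "protocols": {"modbus"}, "vlan": 20},
    "HMI": {"mac_prefixes": ("02:b2:00",), "protocols": {"modbus", "vnc"}, "vlan": 30},
    "ENGINEERING": {"mac_prefixes": ("02:c3:00",),
                    "protocols": {"modbus", "https", "ssh"},
                    "vlan": 40, "requires_auth": True},
}


@dataclass
class Endpoint:
    mac: str
    observed_protocols: set
    authenticated: bool = False


@dataclass
class Decision:
    vlan: int
    profile: str
    reason: str
    firewall_actions: list = field(default_factory=list)


def match_profile(mac: str):
    """Return the profile name whose MAC prefix matches, or None."""
    prefix = mac.lower()[:8]
    for name, prof in PROFILES.items():
        if prefix in prof["mac_prefixes"]:
            return name
    return None


def onboard(ep: Endpoint) -> Decision:
    """Decide the VLAN for a newly connected endpoint."""
    name = match_profile(ep.mac)
    if name is None:
        return Decision(QUARANTINE_VLAN, "unknown", "no profile matches; hold for review")
    prof = PROFILES[name]
    unexpected = ep.observed_protocols - prof["protocols"]
    if unexpected:
        # Hardware looks like the profile but behaviour does not: treat as possible
        # spoofing, quarantine, and ask the inter-zone firewall to block the address.
        return Decision(QUARANTINE_VLAN, name,
                        f"behaviour outside {name} profile: {sorted(unexpected)}",
                        [f"block {ep.mac} at inter-zone firewall"])
    if prof.get("requires_auth") and not ep.authenticated:
        return Decision(QUARANTINE_VLAN, name, f"{name} device must authenticate first")
    return Decision(prof["vlan"], name, f"matches {name} profile")


if __name__ == "__main__":
    # Constructed endpoints covering each branch.
    samples = [
        Endpoint("02:a1:00:00:00:01", {"modbus"}),
        Endpoint("02:a1:00:00:00:02", {"modbus", "http"}),
        Endpoint("02:c3:00:00:00:03", {"ssh"}),
        Endpoint("02:c3:00:00:00:03", {"ssh"}, authenticated=True),
        Endpoint("02:ff:00:00:00:09", {"modbus"}),
    ]
    for ep in samples:
        d = onboard(ep)
        print(ep.mac, d.vlan, d.profile, d.reason, d.firewall_actions)
```

The second sample is the case the "device spoofing" bullet is about: the MAC prefix says PLC, but the device is also speaking HTTP, so it is held in quarantine and the firewall is asked to block it rather than being trusted on the strength of its address alone.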

Why It Matters

  • Enhances segmentation with real-time behavioral enforcement.
  • Essential in dynamic OT environments where assets may move or be replaced frequently.
  • Strong exam relevance in questions related to device onboarding, rogue detection, and dynamic zone enforcement.

3. Compliance-Based Cross-Zone Communication Design

Effective segmentation is not only a technical best practice—it is a compliance requirement in many OT environments, especially under frameworks like IEC 62443.

Policy-Driven Conduit Design

  • Conduits are the defined communication paths between zones.
  • For each conduit, there should be a formal policy document that specifies:
    • Allowed protocols (e.g., Modbus, OPC UA).
    • Permitted source and destination IPs/MACs.
    • Time-of-day or use-case-specific access rules.

Periodic Policy Auditing

  • Organizations should schedule regular reviews (e.g., quarterly or after major changes) to ensure:
    • Conduits still align with operational needs.
    • No new unauthorized paths have emerged (e.g., via misconfiguration or vendor access).
  • Tools like FortiAnalyzer and FortiSIEM can assist in:
    • Generating audit reports.
    • Comparing live policy enforcement against design baselines.
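The review described above, comparing live policy enforcement against the design baseline, as an added example. It is not FortiAnalyzer or FortiSIEM output: the baseline conduit list and the exported rule table are constructed, and the audit reports the three things a reviewer looks for, namely paths the firewall allows that the design never approved, approved conduits that are not actually enforced, and rules broad enough to create paths by accident.

```python
"""Conduit baseline versus live firewall policy audit (added example).

Not vendor code. The design baseline holds each approved conduit as
(source zone, destination zone, service). The live rule set is a constructed
export in evaluation order, so a conduit counts as enforced only when its
first matching rule is an accept; a deny earlier in the table shadows any
later accept, as it would on a real firewall.
"""
from dataclasses import dataclass

ANY = "ALL"   # wildcard used by the constructed export for a zone or service

# Design baseline: approved conduits from the (constructed) conduit policy document.
BASELINE = {
    ("SCADA", "PLC", "MODBUS"),
    ("HMI", "PLC", "MODBUS"),
    ("SCADA", "HISTORIAN", "OPC-UA"),
    ("HISTORIAN", "IT", "HTTPS"),
}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    service: str
    action: str     # "accept" or "deny"


# Constructed live rule set, including one vendor-access rule that drifted in.
LIVE_RULES = [
    Rule(1, "SCADA", "PLC", "MODBUS", "accept"),
    Rule(2, "HMI", "PLC", "MODBUS", "accept"),
    Rule(3, "SCADA", "HISTORIAN", "OPC-UA", "accept"),
    Rule(4, "IT", "PLC", ANY, "accept"),          # over-broad: left over from vendor troubleshooting
    Rule(5, "HISTORIAN", "IT", "HTTPS", "deny"),  # approved conduit, but blocked
    Rule(6, ANY, ANY, ANY, "deny"),               # explicit catch-all deny
]


def matches(rule: Rule, conduit) -> bool:
    """True if each rule field equals the conduit's field or is the wildcard."""
    have = (rule.src_zone, rule.dst_zone, rule.service)
    return all(h in (ANY, want) for h, want in zip(have, conduit))


def first_match(conduit, rules=LIVE_RULES):
    """Top-down first-match lookup, as a firewall evaluates its policy table."""
    return next((r for r in rules if matches(r, conduit)), None)


def audit(baseline=BASELINE, rules=LIVE_RULES):
    """Compare the live rules to the baseline; returns a findings dict."""
    accepted = {(r.src_zone, r.dst_zone, r.service)
                for r in rules if r.action == "accept"}
    unauthorized = sorted(accepted - baseline)
    unenforced = []
    for conduit in sorted(baseline):
        hit = first_match(conduit, rules)
        if hit is None or hit.action != "accept":
            unenforced.append(conduit)
    over_broad = [r.rule_id for r in rules
                  if r.action == "accept" and ANY in (r.src_zone, r.dst_zone, r.service)]
    return {"unauthorized_paths": unauthorized,
            "unenforced_conduits": unenforced,
            "over_broad_rules": over_broad}


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Rule 4 surfaces twice, as an unauthorized IT-to-PLC path and as an over-broad rule, which is the "new unauthorized paths via vendor access" case from the bullet above; rule 5 shows the opposite drift, an approved conduit that the live table silently blocks.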

Why It Matters

  • Aligns technical configuration with regulatory requirements.
  • Supports audit-readiness, which is a common concern in OT-specific exams like NSE7_OTS-7.2.
  • Promotes accountability for zone-based communication.

Frequently Asked Questions

What is the purpose of network segmentation in OT environments?

Answer:

Network segmentation isolates industrial devices and limits communication paths to reduce the impact of cyber attacks.

Explanation:

OT networks often contain legacy systems that cannot be patched regularly. If all devices are placed on a flat network, a compromise of one device can quickly spread across the entire environment. Segmentation divides the network into smaller zones, each containing devices with similar functions. Communication between zones is strictly controlled using firewalls or security gateways. For example, PLCs may only communicate with a SCADA server and not with corporate IT systems. By limiting allowed communication flows, segmentation reduces the attack surface and prevents lateral movement. In industrial security frameworks such as ISA-95 or the Purdue model, segmentation is a core design principle for protecting critical operational assets.

Demand Score: 90

Exam Relevance Score: 92

How does the Purdue model help structure OT network segmentation?

Answer:

The Purdue model organizes industrial networks into hierarchical levels to control communication between operational systems.

Explanation:

The Purdue Enterprise Reference Architecture divides industrial networks into multiple levels. Levels 0 and 1 represent physical processes and sensors, Level 2 contains control systems such as PLCs, Level 3 includes manufacturing operations systems, and Level 4 connects to enterprise IT networks. Each level has different security requirements. Firewalls are typically deployed between these levels to enforce strict communication policies. For example, direct communication from enterprise IT networks to PLCs is usually blocked. Instead, communication passes through controlled intermediate systems such as SCADA or historians. Using the Purdue model helps security teams design predictable and secure communication paths across the industrial environment.

Demand Score: 88

Exam Relevance Score: 91

What is micro-segmentation and why is it useful in OT networks?

Answer:

Micro-segmentation creates very granular security zones to restrict communication between individual devices or small groups of devices.

Explanation:

Traditional segmentation divides networks into large zones such as production, control, and enterprise. Micro-segmentation goes further by controlling communication between individual devices within those zones. For example, each PLC may only communicate with its designated SCADA server. If a compromised device attempts to communicate with other PLCs, the firewall blocks the traffic. FortiGate enables micro-segmentation through policy rules that restrict communication based on device identity, application, or protocol. This approach significantly reduces lateral movement opportunities for attackers while still allowing required industrial communications.

Demand Score: 85

Exam Relevance Score: 90

Why should OT and IT networks be separated by a firewall?

Answer:

Separating OT and IT networks prevents enterprise threats from directly impacting industrial control systems.

Explanation:

Enterprise IT environments face constant exposure to external threats such as phishing attacks, malware, and internet-based exploits. If IT and OT networks are directly connected without security controls, these threats can spread into the industrial environment. A firewall between IT and OT networks enforces strict communication rules and monitors traffic for malicious behavior. Only necessary services such as data replication or historian access should be allowed. This architectural separation is considered a fundamental security requirement in most industrial cybersecurity frameworks including IEC 62443 and NIST guidelines.

Demand Score: 82

Exam Relevance Score: 89

What role do industrial protocol policies play in segmentation?

Answer:

Industrial protocol policies restrict specific control commands between devices to prevent unauthorized operations.

Explanation:

Unlike traditional IT traffic, industrial protocols often contain commands that directly control physical processes. For example, a Modbus command could change the operation of a motor or valve. Security devices such as FortiGate can inspect these protocols and allow only authorized commands between trusted systems. This means that even if a connection between two devices is permitted, only specific control operations may be allowed. Combining segmentation with protocol inspection significantly strengthens security because it prevents misuse of industrial commands within authorized network paths.

Demand Score: 84

Exam Relevance Score: 92
