
Segmentation to achieve cybersecurity

Friday, September 9, 2022

Network segmentation, using firewalls already available in operating system software, is a good way to stop hackers from getting from one part of the network to another. But it can be fiddly to configure. Illumio offers software which makes it much easier.

It should not be possible for a virus to hop easily from one part of your digital infrastructure to another. Many people have wondered why digital systems are built in a way that makes this so easy.

Operating systems like Windows and Linux do actually have firewalls in them which can be configured to set specific permissions for what particular users or other systems may do, and that has been the case since 2003, says Trevor Dearing, Director of Critical Infrastructure Solutions at Illumio, a cybersecurity company based in Sunnyvale, California. The problem is that 'no-one could work out how to use them.'

Illumio provides software which makes it much easier to configure native firewalls, by clicking on a map displayed on screen to set the permissions.

'We get information from the firewalls to understand what communication is happening. [Then] we can push rules to those firewalls,' he said.

'You would think that's a fairly simple thing to do. At scale it gets quite tricky.'

Compartmentalising networks in this way has become standard practice in organisations which are closely built around their IT systems, such as banking. The banking sector was one of the first to use Illumio's software.

Now it is seeing more interest from industries which have a lot of IT, even if IT is not central to what they do, such as hospitals, manufacturing, utilities, and oil and gas, he says.

Illumio has been involved in developing cybersecurity services for upstream oil and gas and other infrastructure sectors. Most of the company's upstream oil and gas clients are in the US, Asia and Australia, he says.

Hacker approaches

Mr Dearing notes that there has been something of a shift in the way hackers operate, over the past few years.

Before the pandemic, hackers were focused on stealing data and threatening to sell it if a ransom was not paid. Now, they've recognised they can make more money through 'denial of service' - cutting off people's access to their IT systems, so they cannot operate their businesses, he said.

So, ransomware is increasingly being designed to infect as much of the organisation's networks as possible, and get quickly to its highest value assets, where it can cause most disruption.

One reason the impact of the Colonial Pipeline attack was so high was that the owners saw a need to shut down all digital systems completely in order to ensure the ransomware was contained, he said.

The compartmentalisation approach

Compartmentalisation involves making a 'zero trust segmentation' in your systems, down to application and workload level.

'You stop all communication except for the bits that you know are verified and safe,' he said. 'That is effectively what zero trust does. It only allows appropriate people, applications and methods to occur. You're segmenting your environment into these closed spaces.'

The compartmentalisation is done virtually - within the software - rather than with a physical separation.

'What we do is very simple - identify who is allowed to talk to things - and let them do it or don't let them do it. It is a simple layer that we can put in place quickly.'

For example, the production part of the network can be compartmentalised from the administration part.

You can also take production systems out of the range of phishing attacks by disconnecting them from anything that uses e-mail. Even where those systems are password-protected, the passwords are never delivered by e-mail.

'It could be that on an oil production platform there are people in admin groups who are receiving e-mails and stuff like that. We can keep that separate from the actual production part of what's going on the same platform,' he says.

Note that compartmentalisation is a different route to cybersecurity from the most common approach, which scans communications and hard drives to distinguish normal communications and applications from a hacker's.

Conflicting with integration

Compartmentalisation can conflict with efforts to better connect systems together, such as operations technology being integrated with information technology, or when suppliers manage their customers' inventory.

The increased amount of cloud and remote working is also creating more integration between systems - and so more potential threats, Mr Dearing says.

We are seeing enterprise software like ERP 'creeping closer and closer to the production facilities,' he says. 'As ERP systems add more modules and more interconnectivity, then effectively that software is moving further and further down that stack.'

'Organisations see there are real benefits in being able to push integration further and further towards the edge.'

There has also been a culture for years of allowing all communication to happen everywhere. There have been many benefits to this, but it has also created hacking opportunities. Ransomware uses the same ways of connecting between systems as the legitimate software, he says.

Companies need to find the right balance between the benefits of closer integration and the cybersecurity benefit of compartmentalisation. If they make the effort to configure their firewalls at a granular level, though, they may be able to have both.

How the software works

Illumio's software creates a map of your network, which makes it easy to see how the different parts within it are connected, and how they are communicating.

Using Illumio's software, it is possible to show the map on a screen, and click on it to determine what you do or don't allow. For example, if you want to allow a pump to communicate data with a certain Windows machine, you can explicitly allow that. 'You can click on things and apply security policy to them. Allow certain communications, ringfence certain applications, put that boundary in to stop certain things.'

To create the map, Illumio works in alliance with companies which offer services to 'scan' the OT environment and build up a picture of all the objects - and this data can be imported into Illumio's map.

It can also collect data from vulnerability scanners. These scan your networks to determine which machines do not have certain patches installed, or which have certain other vulnerabilities. These can be shown on the map.

Illumio's software can be used to connect certain identities, or people, with certain permissions. Identity management, connecting a person with an 'identity' on the network, is handled separately.

The software also has an option to close off communications between compartments immediately, such as if you detect ransomware in one compartment. There's a 'virtual big red button that says, stop almost all communication until we've found where it is and where it's got to.'
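The approach described in this article - learn what is talking to what, write an allow-list down to the application path, push it to the native host firewall, and keep a lockdown policy ready for when ransomware is found in one compartment - can be illustrated with a small policy engine. The following is an added example written for this piece; it is not Illumio's code and does not show how Illumio's product works internally. The segment labels, addresses, policy rules and flow log lines are all constructed, and the output is plain nftables syntax for a Linux host firewall (in practice each host would receive only the rules that concern its own address).

```python
"""Added example: evaluate an allow-list segmentation policy against observed flows
and render it as host-firewall (nftables) rules. All data below is constructed."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: segment labels, the way a network map groups hosts.
SEGMENTS = {
    "production": ["10.10.1.0/24"],   # pumps, PLCs, HMIs on the platform
    "admin":      ["10.20.0.0/16"],   # office machines that receive e-mail
    "mgmt":       ["10.99.0.10/32"],  # jump host / log collector
}

@dataclass(frozen=True)
class Rule:
    src: str      # segment label of the initiating host
    dst: str      # segment label of the receiving host
    port: int     # destination port
    proto: str = "tcp"

# Normal operation: only the named paths are allowed; everything else is dropped.
NORMAL_POLICY = [
    Rule("production", "production", 502),   # Modbus/TCP between OT hosts
    Rule("production", "mgmt", 514, "udp"),  # syslog to the collector
    Rule("admin", "admin", 445),             # file shares within the office
    Rule("mgmt", "production", 22),          # maintenance access from the jump host
]
# "Big red button": cut everything except the maintenance path used to investigate.
LOCKDOWN_POLICY = [Rule("mgmt", "production", 22)]

def segment_of(ip):
    """Map an address to its segment label, or None if it is not on the map."""
    addr = ip_address(ip)
    for label, nets in SEGMENTS.items():
        if any(addr in ip_network(n) for n in nets):
            return label
    return None

def is_allowed(policy, src_ip, dst_ip, port, proto="tcp"):
    """Default deny: a flow passes only if both ends are known and a rule names the path."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    return any(r.src == src and r.dst == dst and r.port == port and r.proto == proto
               for r in policy)

# Constructed flow records, in the shape a host firewall or flow collector might export.
FLOW_LOG = """\
2022-09-09T10:00:01 src=10.10.1.5 dst=10.10.1.9 proto=tcp dport=502
2022-09-09T10:00:02 src=10.20.3.7 dst=10.10.1.9 proto=tcp dport=445
2022-09-09T10:00:03 src=10.10.1.5 dst=10.99.0.10 proto=udp dport=514
2022-09-09T10:00:04 src=10.99.0.10 dst=10.10.1.20 proto=tcp dport=22
2022-09-09T10:00:05 src=192.168.50.4 dst=10.10.1.9 proto=tcp dport=3389
2022-09-09T10:00:06 src=10.20.3.7 dst=10.20.3.8 proto=tcp dport=445
"""
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def parse_flows(text):
    """Yield (src, dst, proto, port) tuples from flow log lines; skip malformed lines."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def audit(policy, text):
    """Return the observed flows the policy would block: see what breaks before enforcing."""
    return [f for f in parse_flows(text) if not is_allowed(policy, f[0], f[1], f[3], f[2])]

def render_nftables(policy):
    """Render the policy as an nftables ruleset with a default-drop input chain."""
    lines = ["table inet segmentation {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept", "    ct state established,related accept"]
    for r in policy:
        src = ", ".join(SEGMENTS[r.src])
        dst = ", ".join(SEGMENTS[r.dst])
        lines.append(f"    ip saddr {{ {src} }} ip daddr {{ {dst} }} {r.proto} dport {r.port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    for flow in audit(NORMAL_POLICY, FLOW_LOG):
        print("would block:", flow)
    print(render_nftables(LOCKDOWN_POLICY))
```

Running the audit before enforcement is the step that makes segmentation workable at scale: here it flags the office-to-production SMB flow and the connection from an address that is not on the map at all, while the Modbus, syslog and jump-host flows pass. Swapping in `LOCKDOWN_POLICY` shows what the 'virtual big red button' amounts to in firewall terms: the same default-drop chain with almost every accept rule removed, leaving only the path needed to investigate.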
