Making Micro-Segmentation a Reality for IIoT Environments


Micro-segmentation enhances the efficiency of a security network by reducing the number of nodes to just two – a switch and a computer. This concept of point-to-point security with only two nodes in a network is the ultimate cybersecurity strategy; it dates back to the 1960s, and SDN has recently made it possible in modern architectures.

Unfortunately, it doesn’t work everywhere. For industrial sectors and critical infrastructure operations – think power plants and water treatment facilities – where networks are physically extended and co-located with onsite equipment, there is no way to aggregate all of the necessary elements into one SDN platform.

What does this all mean? Some of the most advanced security features can’t be implemented at the poorly defended components of our society’s critical infrastructure – at least not with SDN alone.

IIoT – A Different Beast Entirely

Micro-segmentation in the ultimate sense is a great idea, but only if one can pull it off well. With traditional SDN, everything is virtualized – but it requires a large-scale infrastructure to function properly.

In a secure environment this works well, but consider situations where users need to collect data points in a factory or aggregate data from SCADA networks in an oil field, where users aren’t co-located with their large-scale cloud infrastructure. These organizations are rapidly extending sensors and measurements, and they want to stream their data to the cloud to report on analytics and uncover insights. However, getting the information there and back introduces all sorts of security risks – to and from the cloud.

The virtualized nature of SDN does not work in this situation because IIoT operations cannot be divorced from the physicality of a network. In short – what you do inside the cloud won’t help at the edge.

Fortunately, there is an existing practical solution to this massive problem. Blue Ridge Networks uses the LinkGuard platform to segment two or more network elements using cryptographic isolation. This technique maintains the economic benefits of shared LAN or WAN networks, but with a very strong mechanism preventing outside/in or inside/out communications.

Today, our RemoteLink appliances, which provide truly robust hardware segments, can be placed on extended networks and provide protection and segmentation all the way upstream to the ultimate server environment.

All of this isn’t to say that SDN is not a good solution for the enterprise. In fact, perhaps one of the most important features of RemoteLink is that it enables us to apply mandatory labels like VLAN tags, which can be handed off to the SDN infrastructure. However, it’s important for industrial and critical infrastructure enterprises to be aware that SDN alone is not feasible for securing extended networks – and that there is an immediately practical solution.

Introducing a complementary solution to the existing network combines the best of both worlds: it enables organizations to work with the cloud rather than against it, enhances security with robust cryptographic separation, and ensures that when data is handed off to the SDN infrastructure it cannot be altered or manipulated.

Want to learn more about this? Set up a time to chat with one of our cybersecurity experts.