Before you jump in and buy a technology from an ICS vendor, you must ask yourself this question: do I know my network well? This matters because if you don't know what assets you have, how they talk to each other, whether they are exposed to the business network or to the internet, or who has access to them, then you are very likely to choose the wrong technology and get no benefit from it.
This article is about one of the concepts used to secure a network: network segregation or segmentation. It is the partitioning of an ICS network into security domains and the separation of the ICS from other networks, such as the corporate network. The goal of segmentation is to control the level of access to the ICS network from other networks by developing rule sets that are enforced with security technologies, thus preventing sensitive information from flowing to the wrong places or people.
Here is a list of common technologies and methods that are used to achieve secure segmentation/segregation:
- Logical network separation such as VLANs, VPNs or unidirectional devices. These technologies enforce separation through encryption or device-enforced partitioning.
- Physical separation.
- Network traffic filtering. Filtering can occur at the network layer, by connection state, at port/protocol level or at application level (firewalls).
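To tie the "know your network" question to the rule sets these technologies enforce, here is an added example (not part of the original article) that maps observed flows to the zones discussed above, applies a deny-by-default cross-zone rule set, and flags every boundary crossing the rules do not permit. All zones, addresses, hosts and rules in it are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone plan; any address outside these ranges counts as internet.
ZONES = {"ics": ip_network("10.10.0.0/16"), "corporate": ip_network("10.20.0.0/16")}

@dataclass(frozen=True)
class Rule:
    """One permitted cross-zone path: source range, destination zone, service."""
    src: object  # an ipaddress network object
    dst_zone: str
    dport: int
    proto: str = "tcp"

# Constructed rule set: only one corporate historian may poll Modbus/TCP into ICS.
ALLOW_RULES = [Rule(ip_network("10.20.5.7/32"), "ics", 502)]

def zone_of(addr):
    """Map an address to its zone; unknown ranges are treated as internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def evaluate_flow(src, dst, dport, proto="tcp"):
    """Classify one flow as 'intra-zone', 'allow' or 'deny' (deny by default)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "intra-zone"  # boundary rules do not apply inside a zone
    for r in ALLOW_RULES:
        if (ip_address(src) in r.src and r.dst_zone == dst_zone
                and r.dport == dport and r.proto == proto):
            return "allow"
    return "deny"

def audit(flows):
    """Return the flows that cross a zone boundary without a matching rule."""
    return [f for f in flows if evaluate_flow(*f) == "deny"]

# Constructed observations (src, dst, dport, proto), as a flow collector would report them.
SAMPLE_FLOWS = [
    ("10.20.5.7", "10.10.1.20", 502, "tcp"),     # historian -> PLC: matches the rule
    ("10.20.9.9", "10.10.1.20", 502, "tcp"),     # other corporate host -> PLC
    ("10.10.1.20", "198.51.100.53", 53, "udp"),  # PLC -> internet DNS
    ("10.10.1.20", "10.10.1.21", 44818, "tcp"),  # PLC -> PLC, stays inside ICS
    ("203.0.113.5", "10.10.1.30", 3389, "tcp"),  # internet -> ICS remote desktop
]
```

Running `audit(SAMPLE_FLOWS)` reports the three flows that cross a boundary without a rule; the same logic, fed from a real flow collector and inventory, is a quick way to check whether your current segmentation matches the access you believe exists.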
That gives us a brief introduction to building a secure architecture. Make sure you identify your assets and your network first. I will post more in-depth articles about the rule sets and how to implement the technologies mentioned in this article.