Segregation of IT and OT Networks across organization
NaveedQuadri3
Aug 23, 2024
About This Presentation
This whitepaper elaborates the steps for segregating OT and IT infrastructures and for creating definitive air gaps and protocol breaks that eliminate sustained communication and allow only the protocols needed for the smooth working of IACS devices.
It also highlights the importance of choosing the rig...
Steps for Segregation of OT & IT
Asset Identification [AI]
Zoning the Assets [ZA]
Risk Analysis [RA]
Security Levels & Protocol Segregation [PS]
Product Identification [PI]
Installation and Testing [I&T]
Operations and Maintenance [O&M]
Slide Content
SEGREGATION OF OT AND IT INFRASTRUCTURE ACROSS ORGANIZATION
Naveed Quadri
IT & OT Cybersecurity Expert
WHITEPAPER 1
Steps to Segregate IT and OT Infrastructure
• Asset Identification [AI]
• Zoning the Assets [ZA]
• Risk Analysis [RA]
• Security Levels & Protocol Segregation [PS]
• Product Identification [PI]
• Installation and Testing [I&T]
• Operations and Maintenance [O&M]
Asset Identification
Assets for any organization are broadly classified under three categories: People, Process and Technology. The holistic approach to identifying and classifying assets in an OT environment is primarily to secure them to the point where they are safe.
Accurate asset identification is the first step in ensuring correct risk assessment, risk mitigation and governance of the asset. Compliance is another aspect that depends on a correct asset identification and classification process.
Brief descriptions of the asset types in the OT environment are given below:
People – Human safety and well-being should be the top priority in an industrial setup. These assets can be employees, users or virtual users.
Process – Policies, processes and procedures form the backbone of the working of any organization, and these assets need to be identified and classified accurately.
Technology – The above two asset types work in conjunction with the technology assets. All three types of assets work closely together and are interdependent.
Apart from the broader classification, assets are either tangible [those that can be seen, touched and felt] or intangible [those that cannot be seen or valued in monetary terms].
Asset identification and classification is a periodic activity and should follow a regular cycle that syncs with the organization's Risk Management process. Asset Management describes the entire lifecycle of the asset, in which five stages are followed: Plan, Acquire, Use, Maintain and Dispose.
Zoning the Assets
Some important concepts for zoning the assets:
• System Under Consideration (SuC) – A defined collection of IACS and related assets for the purpose of performing a security risk analysis.
• Zones – A Zone is defined as a grouping of logical or physical assets based upon risk or other criteria such as criticality of assets, operational function, physical or logical location, required access, or responsible organization.
• Conduits – A Conduit is defined as a logical grouping of communication channels that share common security requirements and connect two or more zones.
• Foundational Requirements (FRs) – Categories forming the basis for technical requirements throughout the IEC 62443 family of standards. All aspects of meeting a desired IACS security level (people, processes and technology) are derived from meeting the requirements associated with the following seven Foundational Requirements of IEC 62443:
  • FR 1 – Identification and Authentication Control (IAC)
  • FR 2 – Use Control (UC)
  • FR 3 – System Integrity (SI)
  • FR 4 – Data Confidentiality (DC)
  • FR 5 – Restricted Data Flow (RDF)
  • FR 6 – Timely Response to Events (TRE)
  • FR 7 – Resource Availability (RA)
Risk Assessment
Risk Assessment is the next step after asset identification and classification. Multiple methods and standards can be deployed for assessing risk in the IT and OT environment. Risk assessment is a major activity in many security frameworks and standards, such as the NIST [National Institute of Standards and Technology] Risk Management Framework, ISO 27001, the HITRUST Common Security Framework, COSO Enterprise Risk Management, the Federal Information Security Modernization Act [FISMA], which aligns closely with the NIST Risk Management Framework, and the IEC 62443 standard.
IEC [International Electrotechnical Commission] 62443 is a series of standards that addresses cybersecurity for IACS [Industrial Automation and Control Systems]; most of the initial work on it was done by ISA [International Society of Automation].
IEC 62443 risk assessment components and process:
• Risk is a function of Threat [potential harm], Vulnerability [weakness in the system] and Impact [consequence: financial, business etc.].
• The risk assessment methodology should analyze all involved systems in a layered approach, starting with the systems closest to the threat and working inward.
• The risk assessment process consists of three steps:
  1. Assess initial risk
  2. Assess risk mitigation countermeasures
  3. Assess residual risk
• Steps 2 and 3 are repeated until the residual risk is reduced to an acceptable level.
• The outcome of a risk assessment done using the IEC 62443 standard is a report that gives clarity on the present state of the IT and OT network and the controls required to reduce the risks.
Security Levels & Protocol Segregation
Security Level – A Security Level is defined as the measure of confidence that the SuC [System under Consideration], a Zone or a Conduit is free from vulnerabilities and functions in the intended manner. Security Levels can take a value between 1 and 4, according to the following table, associated with each Foundational Requirement.
Protocol Segregation – IT and OT networks work in conjunction: OT devices work closest to the industrial equipment in industries like Mining, Railways, Transport, Assembly lines, Warehouse controllers, Robotics, Aviation etc., while IT devices provide the control, monitoring and security for the OT devices. The services below, and the corresponding TCP/IP-based protocols, are to be enabled across the segregated OT/IT boundaries:
• Authentication / Authorization
• Antimalware / Antivirus
• Monitoring and Logging
• Time Protocol
Security Level – Explanation
SL1 – Protection against casual or coincidental violation
SL2 – Protection against intentional violation using simple means with low resources,
SL3 – Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
SL4 – Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
Product Identification for Segregation
Product Identification, or system integrator selection, is a very important aspect of segregating the OT network from the IT network, as there are multiple vendors and products available, each providing a variety of products and services attached to them. Given below are the various types of products that can be deployed to create an air gap and physically separate the OT and IT environments.
Basic Data Diode – A basic data diode consists of a pair of hardware-based unidirectional devices with one or more redundant connections. One side is always the receiver of data and the other side the sender. It can have either Ethernet connectors or fiber-optic ports to accept connections from the connecting network devices. This type of data diode may not provide a proxy server on both sides, and the system owner may have to arrange the installation of one.
Unidirectional Gateway – A combination of hardware- and software-enforced gateway solution that segregates the OT network from IT while allowing selective protocols to transfer through the gateway devices. This assures complete protection of the OT network while stopping any sustained TCP/IP-based communication through it. Unidirectional gateway security enforced at the site perimeter reduces the threat surface substantially. In summary, all communication flows from the OT network to the IT network and no communication flows back to the OT network. This arrangement denies attacks from the IT network any lateral path into the OT network. Vendors providing such gateways support a wide variety of interoperable connectors, applications and protocols.
Hardware Enforced Remote Access for the OT environment – When enabled at the site perimeter, this implements robust hardware to ensure OT network security. The communication between the client and the site is completely isolated. Application security is also provided within this framework, and a TPM [Trusted Platform Module] is implemented to thwart man-in-the-middle and other attacks.
Waterfall Security Solutions is the only organization providing this advanced level of unidirectional gateway solutions and other products like hardware-enforced remote access and industry-specific solutions catering to multiple sectors. They have the largest number of industry-specific and open protocols supported, for enhanced connectivity between OT and IT networks.
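As an added example (not from the whitepaper or any vendor), the zone/conduit model, the boundary services listed under Protocol Segregation, and the one-way flow of a unidirectional gateway can be combined into a simple FR 5 (Restricted Data Flow) audit: every observed cross-zone flow must match a declared conduit and one of its permitted service classes, and anything travelling against a unidirectional conduit is flagged. Zone names, the port-to-service mapping and the sample flows are constructed.

```python
# Added example (not from the whitepaper): an FR 5 "Restricted Data Flow" audit of
# observed cross-zone flows against declared conduits. Zone names, the
# port-to-service mapping and the sample flows are all constructed.
from dataclasses import dataclass

# Service classes the whitepaper permits across the OT/IT boundary, keyed by the
# destination port each is assumed to use here (constructed mapping).
SERVICE_OF_PORT = {389: "authentication", 88: "authentication",  # LDAP, Kerberos
                   8530: "antimalware",                           # AV update channel
                   514: "monitoring", 162: "monitoring",          # syslog, SNMP traps
                   123: "time"}                                   # NTP

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    services: frozenset           # service classes permitted on this conduit
    unidirectional: bool = False  # True: hardware-enforced src -> dst only

def check_flow(src_zone, dst_zone, dst_port, conduits):
    """Return None if the flow is permitted, otherwise the reason it is not."""
    if src_zone == dst_zone:
        return None  # intra-zone traffic is governed by the zone, not a conduit
    service = SERVICE_OF_PORT.get(dst_port, "unknown")
    for c in conduits:
        if (c.src_zone, c.dst_zone) == (src_zone, dst_zone):
            if service in c.services:
                return None
            return f"service '{service}' (port {dst_port}) not on conduit allow-list"
    # No forward conduit: if a unidirectional conduit runs the other way, this is
    # an attempted return path that the gateway must block.
    for c in conduits:
        if c.unidirectional and (c.dst_zone, c.src_zone) == (src_zone, dst_zone):
            return "reverse direction on unidirectional conduit"
    return "no conduit defined between zones"

def audit(flows, conduits):
    """Return (flow, reason) pairs for every flow that violates the policy."""
    return [(f, r) for f in flows if (r := check_flow(*f, conduits)) is not None]

# Constructed policy: OT pushes monitoring data one way to IT through a
# unidirectional gateway; IT reaches OT only via a DMZ, for time and AV updates.
CONDUITS = [Conduit("OT", "IT", frozenset({"monitoring"}), unidirectional=True),
            Conduit("IT", "DMZ", frozenset({"authentication", "antimalware", "time"})),
            Conduit("DMZ", "OT", frozenset({"antimalware", "time"}))]
SAMPLE_FLOWS = [("OT", "IT", 514),    # syslog to the SIEM: allowed
                ("OT", "IT", 3389),   # RDP out of OT: not an allowed service class
                ("IT", "OT", 389),    # LDAP straight into OT: reverse of the one-way conduit
                ("DMZ", "OT", 123),   # NTP from the DMZ: allowed
                ("DMZ", "OT", 162)]   # SNMP trap from the DMZ: monitoring not on this conduit
```

Running `audit(SAMPLE_FLOWS, CONDUITS)` returns the three violating flows with their reasons; the same check can be fed from a boundary firewall or gateway log once flows are mapped to zones.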
Installation & Testing
Setting up a greenfield industrial architecture, or installing new devices in a working industrial infrastructure, goes through an exhaustive process with the components given below:
Design Document Submission – The first stage of installation is submission of the initial design or blueprint of the architecture, with a high-level understanding of the IT and OT networks. The risk documentation and the outcome of the risk assessment are further documents that need to be submitted with the initial design. Detailed design follows the initial architecture and covers all the interconnections between the various systems and industrial components.
Factory Acceptance Test – a process in which a manufacturer tests a machine or system before it is delivered to the customer. The purpose is to ensure that the machine or system meets the requirements ordered by the customer. A Factory Acceptance Test (FAT) is usually conducted at the manufacturer's facility and may include functional testing and performance testing. The FAT is usually followed by the Site Acceptance Test (SAT), where acceptance takes place directly at the customer's site. A FAT is required to ensure that the customer's requirements are met before a plant or machine is delivered. During the FAT, faults and problems can be identified and rectified before handover to the customer takes place.
Site Acceptance Test – happens at the customer site to check that the systems are installed and configured as per requirements and are ready for operations. The site acceptance test accepts the device at the plant or site and confirms that it is compliant with the current site configuration.
Vulnerability and Penetration Testing – One iteration of vulnerability and penetration testing needs to be performed, and the findings affecting the OT and IT environment mitigated. Handover and operations can only be signed off when there are no vulnerabilities in the environment.
Operations and Maintenance
Operations and Maintenance, also known as O&M, comprises multiple components, listed below, which are required for the smooth working of the OT and IT networks:
Training Plan – A well-documented training plan needs to be created and enacted at the customer site to give insight into the operations and maintenance activities of the IT and OT environment. The training plan should effectively cater to the activities performed at regular intervals.
Maintenance – Assets and devices should be maintained in the asset list with the timelines of the Defect Liability Period, their expiration dates and the renewal details of software licenses. The maintenance reports should have details of the Service Level Agreements with the vendors and Systems Integrators.
Monitoring, Event Management and Incident Handling – An appropriate monitoring mechanism for OT devices, using protocols like SNMP [Simple Network Management Protocol], together with log and event forwarding to the IT network, should be set up to keep track of events in the network. The IT network should be enabled with SIEM [Security Incident and Event Management] applications, which should be used to track security events and take action accordingly to protect the IT and OT networks.
Business Continuity and Disaster Management – All aspects of business continuity and disaster recovery, like impact analysis, planning and response management, backup/redundancy, roles and responsibilities, communication and testing/training, should be well documented and worked upon. As industrial systems cannot tolerate downtime, Availability is the topmost priority for the OT network, above Confidentiality and Integrity, so it is imperative to document and test parameters like MTD [Maximum Tolerable Downtime], RPO [Recovery Point Objective] for backup and recovery, RTO [Recovery Time Objective] and MTO [Maximum Tolerable Outage].
Conclusion
With the growing influx of automation, remote connectivity and IIoT [Industrial Internet of Things] on industrial equipment, there is an increased number of external threats to this equipment. IIoT devices are a collection of sensors, instruments and autonomous devices connected through the internet to industrial applications. Industrial equipment, also known as IACS [Industrial Automation and Control Systems] or Operational Technology devices, is directly related to the health, safety and financial well-being of people. Small to medium disruptions of IACS devices could impact the health, safety and availability of the people around them.
Unlike IT [Information Technology] infrastructure, which uses COTS [commercial off-the-shelf] devices, OT infrastructure uses proprietary software and hardware components. The frequency of patching, updates and upgrades is solely at the discretion of the device providers and is not driven by cybersecurity threat assessments. The priority of the IACS or OT environment is Availability, then Integrity and last Confidentiality, unlike the IT environment, which prioritises Confidentiality, Integrity and Availability in that order.
With their most innovative and next-generation solutions, Waterfall Security stands out as the biggest hope for the industrial world to secure its critical and sensitive infrastructure, thereby reducing the risk to human safety and assuring availability by reducing cybersecurity threats.
This document is relevant to security professionals working to secure mission-critical industrial sites like nuclear sites, government defense facilities, oil & gas, mining, train, aviation, power generation and distribution facilities, manufacturing, warehouses and water treatment plants etc.
About the Author
Naveed Quadri
IT & OT Security Expert
Hitachirail STS
Naveed is a cybersecurity expert who has worked in the fields of security, compliance, risk and architecture for the last 13 years. He is CISSP, CISM, CCSK, ISO 27001 LA and IEC 62443 certified. He was a System and Network Architect in his earlier days before moving into cybersecurity leadership.
He has been instrumental in working on challenging cybersecurity projects across the globe. He has worked on projects at various stages, from proof of concept to contract through to operations and maintenance. He has been a thought leader and mentor for many in his industry and has been instrumental in shaping the careers of people around him in cybersecurity and data privacy.
Naveed would like to leverage his skills and experience to help people gain more awareness of cybersecurity and data privacy and to make simpler things that may otherwise look complex.
- www.linkedin.com/in/naveed-q-36678a19
References
SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations | CSRC (nist.gov)
ISA/IEC 62443 Series of Standards – ISA
NIST Risk Management Framework | CSRC
ISO/IEC 27001:2022 - Information security management systems — Requirements
Waterfall Security | OT security solutions (waterfall-security.com)
Global Integrated Rail Solutions | Rail Products | Hitachi Rail