Segmentation of Services

I’ve read and heard recommendations of network segmentation for years, and have made my living segmenting networks from time to time. Recently I’ve realized that segmenting network services is just a subset of segmenting the other services a system depends on.

We’ve watched for a while as a centralized Active Directory service is compromised and then used to propagate malware throughout the domain. The same bad actors sometimes target backup (or recovery) systems; if a backup system provides recovery services for a large or critical group of systems, then it itself becomes a significant single point of failure.

In industrial control systems one of the unacknowledged strengths has been the distributed (or segmented) nature of the systems, as they have traditionally been deployed without taking ‘advantage’ of centralized corporate Information Technology (IT) services. It seems that there is now a push to provide centralized management of Operational Technology (OT) systems for all kinds of useful things: inventory management, vulnerability management, malicious code protection (anti-virus, whitelisting, or intrusion detection), log management, performance management, and so on. In many cases these services aren’t implemented well, or at all, in the OT environments, and so the centralized provision of these services seems like an easy improvement. The local facilities are enticed into participation because the cost is often borne by the greater corporation and not directly by the local budgets.

To what degree should these services be segmented across the enterprise? It doesn’t make sense to have a standalone solution for each service at every one of hundreds of sites; but it also doesn’t make sense to have a single solution for all services for the entire enterprise either. The challenge is to define the balance between the cost to maintain (unacceptable with many small site solutions) versus the cost of compromise (unacceptable with a single enterprise solution).

One approach is to evaluate the business by functional blocks, from an OT perspective. A business segment can be defined as the group of facilities that are required to provide a product or service to the customer; the impact of a failure could be limited to a product, service, or group of similar products or services. Another approach is to define groups of facilities and to plan for the failure of any one group of facilities. The other groups should be able to increase capacity or contribute inventory to cover the failure.
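A small model of the second approach, as an added example that is not part of the original post: sites are assigned to service groups (one shared AD, backup or management instance per group), and the check asks whether the surviving groups can still meet demand when any one group's shared service is compromised. The site names, products, capacities and demand figures are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the post): each site depends on one
# shared-service group, makes one product, and contributes some capacity.
SITES = {
    "plant-1": {"group": "north", "product": "widgets", "capacity": 50},
    "plant-2": {"group": "north", "product": "gadgets", "capacity": 30},
    "plant-3": {"group": "south", "product": "widgets", "capacity": 50},
    "plant-4": {"group": "south", "product": "gadgets", "capacity": 30},
    "plant-5": {"group": "west",  "product": "widgets", "capacity": 40},
    "plant-6": {"group": "west",  "product": "gadgets", "capacity": 30},
}
# Demand the enterprise must still meet while any one group is down.
DEMAND = {"widgets": 90, "gadgets": 60}

def capacity_by_product(sites):
    """Total capacity per product across the given sites."""
    totals = defaultdict(int)
    for s in sites.values():
        totals[s["product"]] += s["capacity"]
    return dict(totals)

def blast_radius(sites, group):
    """Capacity lost per product if the shared service for `group` is
    compromised and every site depending on it goes offline."""
    lost = {n: s for n, s in sites.items() if s["group"] == group}
    return capacity_by_product(lost)

def shortfalls(sites, demand):
    """For each group, the products whose demand the surviving groups cannot
    meet. An empty dict means losing that group is tolerable."""
    result = {}
    for g in sorted({s["group"] for s in sites.values()}):
        survivors = {n: s for n, s in sites.items() if s["group"] != g}
        left = capacity_by_product(survivors)
        result[g] = {p: need - left.get(p, 0) for p, need in demand.items()
                     if left.get(p, 0) < need}
    return result

def segmentation_is_tolerable(sites, demand):
    """True when the loss of any single service group still leaves demand met."""
    return all(not gap for gap in shortfalls(sites, demand).values())

def merge_groups(sites, merged, new_name):
    """Model consolidating several groups onto one shared instance: fewer
    instances to maintain, but a larger blast radius when it is compromised."""
    return {n: {**s, "group": new_name if s["group"] in merged else s["group"]}
            for n, s in sites.items()}
```

Running `shortfalls` before and after `merge_groups` makes the trade-off in the post concrete: three groups tolerate any single loss, while folding north and south onto one instance leaves a shortfall whenever that instance is lost.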

Network segmentation tends to happen at two levels: segmentation of the OT environments from the IT environments, and segmentation of the OT networks within a facility. This provides a series of network bulkheads, as in a ship, where the failure of one compartment does not cause the entire ship to sink. What is the necessary balance to achieve the same risk reduction for the other services?