IoT/OT device security is increasingly important in a range of industries, including manufacturing, healthcare, education, energy, hospitality, life sciences, and more.

Historically, many organizations have relied solely on network segmentation techniques to manage the cyber risk posed by connected devices. However, this approach can be hugely time and cost-intensive, particularly when relying heavily on microsegmentation. While segmentation technologies are getting better, they still can require time, coordination, and meticulous planning. Complex, segmented networks also put a management burden on future network teams with each new change to maintain.

This article looks at an alternative strategy—targeted segmentation—and explains how it can help organizations dramatically reduce cyber risk from IoT/OT devices with a fraction of the time and resource output.

What is Targeted Segmentation?

Targeted segmentation is a network segmentation technique that targets IoT/OT devices by exploit vector, using the MITRE ATT&CK framework as a base.

While an organization could have thousands of connected devices, there may only be a few dozen potential attack vectors. For example, one Asimily customer with around 3,500 IoT/OT devices has just 45 attack vectors to manage. Targeted segmentation enables organizations to group IoT/OT devices by those vectors and apply mitigation strategies to each.

In this way, organizations can mitigate cyber risk across thousands of IoT/OT devices in a relatively short period of time—far quicker than if they used microsegmentation as a first-choice strategy.

Implementing Targeted Segmentation

The targeted segmentation process is simple:

1. Analyze all IoT/OT devices to understand their model, OS version, configuration, connectivity, neighbors, and other capabilities.
2. Identify which attack vectors each device is vulnerable to. E.g., abuse of a remote code execution vulnerability using Windows Remote Desktop Protocol (RDP).
3. Identify the simplest remediation option. E.g.,  Since RDP typically works over TCP port 3389, the simplest solution might be to use a NAC to block that port across all affected devices.

This process can be done manually using a combination of risk assessments, security log reviews, penetration testing, and threat intelligence analysis. However, using a specifically designed IoT/OT security solution like Asimily is much faster, more efficient, and less risky.

Of course, you have to be sure that network-based remediations won’t negatively impact a device’s operation. This requires two further steps:

• Review manufacturer-provided guidance on device functionality, requirements, etc. Many IoT/OT devices are sold with additional guidance on their functionality and configuration requirements that may inform your decision-making.
• Involve IoT/OT device owners. While remediation may not have obvious operational consequences, it could still have functional consequences. For example, some manufacturers use certain ports and services to provide updates and identify faults—blocking these wouldn’t affect a device’s main operational purpose, but could still have negative consequences during the device’s life.

Applying remediations to some or all devices affected by an attack vector is a simple and low-cost way to eliminate that risk. Targeted segmentation directly blocks the attacker’s path to devices susceptible to a specific attack vector, as defined by the MITRE ATT&CK Framework, making it ideal for cyber risk management.

For example, blocking standard FTP ports (20, 21) for all devices that…

1. Default to those ports being open; and,
2. Don’t need them for function

… is a very logical, targeted segmentation. Of course, turning off FTP access for those same devices is equivalent or better, if allowed by the manufacturer.

Mitigations can leverage a range of network security technologies, including firewalls, intrusion detection and prevention systems (IDS/IPS), and other security measures that help monitor and control network traffic.

Unlike microsegmentation, which might take hundreds of hours to apply across numerous IoT/OT devices, targeted segmentation can be applied in just a few days or less. Similarly, targeted segmentation rules can be assessed and updated across any number of devices simultaneously, saving a huge amount of time and cost.

Targeted Segmentation vs. Other Types of Network Segmentation

Targeted segmentation offers several advantages compared to other forms of network segmentation, most notably microsementation and macrosegmentation. However, it’s important to understand that a complete IoT/OT security strategy will often involve all three types of segmentation to account for the fact that some IoT/OT devices require highly tailored risk mitigation approaches.

Macrosegmentation

When you’re designing and implementing security controls, it’s logical to begin with those that are fastest, cheapest, and easiest to implement. Macrosegmentation checks these boxes and should be among the first steps an organization takes to mitigate IoT/OT device risk.

Macrosegmentation requires organizations to “break up” their network into broad segments to ensure threats—and threat actors—can’t access one segment from another. For instance, if an attacker is able to compromise a device, they won’t be able to use that foothold to gain access to other IT assets located in different network segments. This process is often used to isolate IoT/OT devices from the rest of the network to:

1. Limit the impact of a compromised device.
2. Prevent attacks against other network segments from affecting IoT/OT devices.

We’ll use ransomware as an example. Many ransomware attacks begin on an endpoint—usually because a user has accidentally clicked on a malicious link or attachment. By isolating IoT/OT devices from the rest of the network using macrosegmentation, organizations can ensure such an attack will not be able to infect their IoT/OT devices.

Similarly, if an attacker manages to gain access to an IoT/OT device, macrosegmentation will prevent them from leveraging that access to infiltrate other critical IT assets.

Microsegmentation

Microsegmentation sits at the opposite end of the spectrum from macrosegmentation. It focuses on granular risk-mitigation strategies such as limiting the access of individual servers, devices, or applications to only the specific devices and services required for their operation.

For example, an organization might determine that—for proper operation—an IoT or OT device only needs access to a small handful of services and a single port. Under a microsegmentation strategy, the organization could manually configure the local network hardware to ensure the device is restricted from accessing all other devices, services, and ports.

Unsurprisingly, microsegmentation is extremely resource- and time-intensive. A full microsegmentation strategy can take months (or even years) to implement and requires constant maintenance and improvements to account for new threats. It also requires a fully implemented NAC to be viable.

Despite these limitations, microsegmentation can be an important part of a comprehensive IoT/OT security strategy because there are often at least some devices that can’t be secured in other ways.

Where Does Targeted Segmentation Fit?

Targeted segmentation sits between microsegmentation and macrosegmentation in an effective IoT/OT security program:

• Macrosegmentation takes care of the easy wins with the least amount of effort.
• Targeted segmentation does the bulk of the work.
• Microsegmentation takes care of devices that can’t be secured any other way.

Of course, a comprehensive IoT/OT strategy also includes a variety of other mitigation techniques, including security governance, patching, device configuration management, upgrading or replacing insecure devices, and—if all else fails—accepting and carefully monitoring certain risks.

Mitigate IoT/OT Risk with Asimily

Targeted segmentation requires a programmatic approach to identifying attack vectors. While all of the necessary work to implement targeted segmentation can be done manually, it would represent a huge undertaking in practice.

Asimily automatically identifies which IoT/OT devices are vulnerable to each MITRE ATT&CK exploit vector, determines the simplest and fastest remediation strategy, and verifies that it won’t affect device operations.

By combining machine analysis of manufacturer-provided information with profiling data from millions of IoT/OT devices, Asimily allows you to make informed decisions about risk remediation.

Asimily also automates the entire IoT/OT device security lifecycle, including:

• Maintaining a real-time inventory of all devices using safe, passive traffic monitoring.
• Identifying and applying the appropriate mitigation strategy for IoT/OT device vulnerabilities.
• Monitoring IoT/OT devices for anomalous behavior and alerting the security team.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.