Extending Micro-Segmentation to the physical world of OT and non-authenticating devices


Recent OT and IT convergence has made OT devices ubiquitous and increasingly connected to mainstream networks, and has thereby redefined the frontline of cyber-attacks.

Devices in the OT realm are often characterized by closed or proprietary architectures, run legacy or unsupported operating systems, and frequently perform mission-critical tasks such as patient treatment in hospitals, temperature control at a nuclear installation or pressure monitoring at an oil and gas facility.

As more and more such devices, from health care to Industrial Control Systems, connect to enterprise IT, the attack surface has broadened dramatically, giving attackers easy access to devices that were never built with security in mind.

In OT networks, availability, reliability and data integrity usually prevail over confidentiality. These systems are purpose-built for uninterrupted service and have high availability requirements. They are typically composed of static components that undergo little or no modification. The result is an operating environment that is highly deterministic, with behaviors that are predictable and repeatable.

Traditional endpoint detection and response workflows used in IT networks do not work in OT environments, for the following reasons:

  • It is not possible to install an agent on these devices, as they are purpose-built systems with limited processing capability.

  • Many of these devices are non-authenticating in nature and require open ports.

  • Discovering potential indicators of compromise is often difficult because these devices mostly communicate east-west, giving no visibility to tools that sit at the distribution or core network layer.

  • Policy enforcement at switches and firewalls through centralized management tools often ends up weak because of a lack of understanding of these devices.

The question is: how can these critical devices be fully protected while respecting their innate operating constraints?

The Hmatix approach to OT security is real-world and practical.

Start by doing what’s necessary; then do what’s possible; and suddenly you are doing the impossible
— Francis Assisi

When it comes to protecting OT networks, it is important to do what is necessary: provide protection that guarantees availability of services and ensures data integrity. The Hmatix solution is service-aware, resilient to failures and non-intrusive.

The critical availability requirements of an OT network restrict which security countermeasures can be applied, such as enforcing complex passwords and requiring them to be changed regularly. Applying such measures can limit an operator's ability to act without delay in an emergency and to access the system under duress.

Adding to this, the legacy nature of OT systems with no built-in security, the lack of opportunity to update them because of high availability demands, and the prohibitive cost of retrofitting them with mandatory security measures make OT systems a perfect target for attackers.

Hence the goal should be an effective cybersecurity solution that is practical and at the same time does not impede OT operations.

By extending the concepts of micro-segmentation to OT networks, Hmatix does what's possible. Critical OT endpoints can be protected with a behavior-based, fully automated one-to-one micro-firewall that whitelists repetitive and predictable behaviors at the service, port, protocol and MAC level. Any deviation from this learned behavior can be blocked and flagged as an anomaly. This mode of preemptive protection turns the low entropy of OT system operation into an advantage. We call this Nano segmentation, and it is endpoint-agnostic.
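As an added illustration of the learn-then-enforce model described above (example code written for this page, not Hmatix's own implementation), the following Python sketch records which (peer MAC, protocol, port) tuples a protected endpoint sees during a learn phase and then, in enforce mode, passes only those tuples and flags everything else with a reason an operator can act on; all MAC addresses and flows are constructed.

```python
"""Learn-then-enforce allowlist in the style of the nano-segmentation described
above. Added illustration, not Hmatix code; all MACs and flows are constructed."""
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src_mac: str   # actor talking to the protected endpoint
    dst_mac: str   # protected OT endpoint
    proto: str     # "tcp" or "udp"
    dst_port: int

# Constructed learn-phase traffic: an HMI polls a PLC over Modbus/TCP (502)
# and an engineering workstation monitors it over SNMP (161).
PLC = "cc:cc:cc:00:00:10"
LEARN_FLOWS = [
    Flow("aa:aa:aa:00:00:01", PLC, "tcp", 502),
    Flow("bb:bb:bb:00:00:02", PLC, "udp", 161),
]

def learn_baseline(flows):
    """Learn mode: record each (peer MAC, proto, port) tuple seen per endpoint."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.dst_mac].add((f.src_mac, f.proto, f.dst_port))
    return baseline

def classify(baseline, f):
    """Reason string for a flow that does not match the baseline."""
    known = baseline.get(f.dst_mac)
    if not known:
        return "no baseline for endpoint"
    if f.src_mac not in {mac for mac, _, _ in known}:
        return "unknown peer MAC"
    return "known peer, unlearned port/protocol"

def enforce(baseline, flows):
    """Enforce mode: pass flows matching a learned tuple, block and flag the rest."""
    allowed, anomalies = [], []
    for f in flows:
        if (f.src_mac, f.proto, f.dst_port) in baseline.get(f.dst_mac, set()):
            allowed.append(f)
        else:
            anomalies.append((f, classify(baseline, f)))
    return allowed, anomalies

# Constructed enforce-phase traffic: a normal poll, an unknown device speaking
# Modbus, and the known HMI reaching for a port it never used during learning.
TEST_FLOWS = [
    Flow("aa:aa:aa:00:00:01", PLC, "tcp", 502),
    Flow("dd:dd:dd:00:00:99", PLC, "tcp", 502),
    Flow("aa:aa:aa:00:00:01", PLC, "tcp", 22),
]
```

In practice the learn phase would run long enough to cover maintenance and failover traffic, otherwise legitimate but infrequent flows show up as anomalies.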

In summary, with in-line protection that is tolerant to failures, a built-in ability to automatically whitelist allowed traffic, and the intelligence to behaviorally fingerprint actors interacting with OT systems at the port, protocol and MAC address level, it is now possible to achieve a level of OT security that was previously thought impossible.

For more information on how Hmatix can protect OT and other non-authenticating devices in health care, ICS, manufacturing and smart building automation environments, please contact us at info@hmatix.com for a demo of the Hmatix solution.