IT Security day topic for roundtable: Zscaler's new acquisition, Airgap™
DR
Last week Nextrust got the opportunity from Zscaler and NTT Data to participate as a speaker at the IT Security Day event, where over 1000 professionals joined to hear the latest technology updates in the security world. I went on stage together with Sven Kutzer from Zscaler to talk about the challenges of IT/OT micro-segmentation and about the new technologies on the horizon that solve this complex problem in a simpler way.

I worked for a large global manufacturing company for almost a decade. When I joined, security around connectivity was in a very basic state: one big flat network with little to no investment in network security. It wasn't even in the mindset; nobody would talk about the need. We had our few central internet gateways, but that was about it. Looking back, I remember that when we entered into a merger with another large manufacturing company, a few of their sites had some basic firewalling between IT and OT, and our first thought was that we needed to remove it, because it just added complexity.
Like many others in the manufacturing industry, we learned the hard way that this mindset needs to change: a major ransomware attack crippled production for several weeks and resulted in a loss of around €100 million, not counting the reputational and legal damage.
The response program that followed the cyber event enhanced security in many ways. One of the main topics was IT/OT separation and OT micro-segmentation: moving from the flat network setup to production sites with a smaller blast radius that can operate as independent islands during a cyber incident.
This was not a topic we had much experience or knowledge about, and even our mindset was not right at the time, so we started out the way anybody else would have: throw a pair of firewalls on every production site, then move the OT equipment behind them. Although it started out that simple, over the years it actually became a comprehensive effort, with multiple teams focusing on this area alone.
It quickly turned out that two main factors slow down OT segmentation projects:
- With a classical firewall architecture and the introduction of the Purdue model, almost every device on the shop floor needs to be re-IP-ed. This requires a maintenance window, which is hard to get in a 24/7 facility, especially if critical production services will be disrupted. In many cases this slows projects down by many months, or even years, per site.
- The other concern is that the network communication flows are not documented, since segmenting these devices was never a requirement in the past. Getting visibility of the flows is a problem because most of these production cells have been in place for 10-20 years, so usually nobody knows what is going to break.
We approached this problem by placing a firewall and network traffic analyzers next to the core switches and trying to map the flows that way. This was useful to a degree, but it doesn't capture all network traffic: most of the communication never traverses the gateway, it stays local within the same VLAN. A firewall only sees the part of the traffic that hits the SVIs; the remaining traffic stays invisible. A network traffic analyzer (NTA) has the same problem, because the SPAN mirroring only happens at the core switch level; to get full visibility, every switch would need a SPAN port mirror, which means more NTA hardware and a very expensive outcome. Other NTAs analyze NetFlow exported by the switches themselves, which is a more comprehensive tool, but the re-IP-ing issue remains. For the IP address problem, software-defined networking technologies offer ways to avoid re-IP-ing with tags and advanced protocols, but the complexity and management overhead of such solutions becomes overwhelming and very resource-demanding.
While already working at Nextrust, our company that specializes in guiding enterprises on their Zero Trust journey, I came across the news that Zscaler had acquired Airgap™, a very promising company in this field. It is remarkable to see how simple a solution they used to solve these very complex problems.
They created a firewall-like device that uses a simple trick to overcome both the re-IP-ing problem and the problem of seeing all flows. Instead of re-IP-ing devices in OT, which is always tricky and risky, you only change each device's subnet mask to /32 and set its default gateway to the Airgap device. Every endpoint is thereby placed into a "network of one", the smallest possible network segment, by default. The benefit is that all traffic, including traffic between neighbours in the same VLAN, has to traverse the Airgap firewall, so it truly maps all the traffic you have on the site without anything breaking.
Is it that simple? Yes, and it comes with a lot of additional features, such as a built-in ransomware kill switch that lets you isolate your site, or parts of it, within seconds, automatic profiling of OT devices with artificial intelligence, and more.
The first time I saw this, it seemed too good to be true. Then I looked into the references: companies like Flex, a large US-based manufacturer with more than 100,000 employees and hundreds of production sites, have deployed this technology fully and were able to reach micro-segmentation in a fraction of the time it used to take other companies. That gave me hope that we can finally do micro-segmentation in OT successfully, in an acceptable timeframe.
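To make the /32 trick concrete, the following added example (my own illustration, not Airgap's or Zscaler's code) simulates the forwarding decision an endpoint makes with its own subnet mask and default gateway, then counts which of a few constructed OT conversations a firewall sitting at the gateway would actually see. The host names, addresses and conversations are made up for the demonstration; the only thing that changes between the two runs is the prefix length, which is exactly the change the text describes.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical gateway address: the SVI in the classic design, the Airgap
# device in the "network of one" design. Constructed for this example.
GATEWAY_IP = "10.1.1.1"

# Constructed shop-floor inventory: two devices in the same VLAN and one
# historian in another subnet. Names and addresses are illustrative only.
INVENTORY = {
    "PLC": "10.1.1.10",
    "HMI": "10.1.1.20",
    "Historian": "10.1.2.5",
}

# Constructed conversations (src, dst) we want to discover.
CONVERSATIONS = [
    ("PLC", "HMI"),          # east-west, same VLAN
    ("PLC", "Historian"),    # crosses subnets
    ("HMI", "Historian"),    # crosses subnets
]


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    prefixlen: int
    gateway: str


def build_hosts(prefixlen: int) -> dict:
    """Configure every device with the same mask and default gateway.
    prefixlen=24 models the original flat VLAN; prefixlen=32 models the
    change the article describes (only mask and gateway change, not the IP)."""
    return {name: Host(name, ip, prefixlen, GATEWAY_IP)
            for name, ip in INVENTORY.items()}


def next_hop(host: Host, dst_ip: str) -> str:
    """Standard host forwarding decision: if the destination falls inside the
    host's own on-link prefix, it ARPs and sends directly ('direct');
    otherwise it hands the packet to its default gateway."""
    iface = ipaddress.ip_interface(f"{host.ip}/{host.prefixlen}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return "direct"
    return host.gateway


def flows_seen_by_gateway(hosts: dict, conversations, gateway_ip: str) -> set:
    """Return the subset of conversations whose first hop is the gateway,
    i.e. the flows a firewall or NTA at the gateway can observe."""
    seen = set()
    for src_name, dst_name in conversations:
        src, dst = hosts[src_name], hosts[dst_name]
        if next_hop(src, dst.ip) == gateway_ip:
            seen.add((src_name, dst_name))
    return seen


def coverage(prefixlen: int) -> tuple:
    """(flows seen, total flows) for a site configured with this prefix length."""
    hosts = build_hosts(prefixlen)
    seen = flows_seen_by_gateway(hosts, CONVERSATIONS, GATEWAY_IP)
    return len(seen), len(CONVERSATIONS)


if __name__ == "__main__":
    for plen in (24, 32):
        seen, total = coverage(plen)
        print(f"/{plen}: gateway sees {seen} of {total} flows")
```

With /24 the PLC-to-HMI conversation stays on the VLAN and never reaches the gateway, which is the blind spot the firewall-at-the-core approach suffers from; with /32 the host's on-link prefix contains only itself, so every destination, including its VLAN neighbour, is sent to the gateway. One practical check before rolling this out: the endpoint's IP stack must accept a default gateway that lies outside its own /32 (Windows warns but allows it; on Linux you typically add an on-link host route to the gateway first), so verify this on the device types you actually have.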
To learn more about the technology, download our whitepaper on Airgap™ or contact us here.