Converged OT and IT networks, and the proliferation of connected IoT devices, require a new approach to micro-segmentation.
An administrator is tasked with securing access to OT devices on the network and blocking all traffic from IoT devices to OT devices. To meet this requirement, we can build identity-based policies that limit traffic to these OT devices to specific industrial protocols. There are two primary ways to build a policy: using the Graphical Policy Visualization Matrix to reference existing Policy Groups, or manually deploying a policy and creating the Policy Groups on the fly. For a refresher on policy constructs such as Policy Groups, you can reference this article.
Let's first look at defining a Policy Group that can be referenced on the Graphical Policy Visualization Matrix. Any device that we want to apply policy to must belong to a Policy Group. Let's create a Policy Group for our OT PLC Controllers.
Navigate to Policies -> Policy Groups and click Add Policy Group.
Name your Policy Group and select your match criteria. First we will match on Device Genre -> OT. Then we will match on Device Type -> PLC Controller.
The Policy Group will look like this before deploying. Here we can see the (AND) logic, meaning a device must meet both criteria to match this Policy Group.
This Policy Group can then be referenced on the Graphical Policy Visualization Matrix. Here we can create a set of policies that restrict user and device access to the PLC Controllers and allow only the MODBUS protocol between PLC Controllers and the Sensors located throughout the network. Let's create our policy between PLC Controllers and MODBUS sensors. We simply find the intersection between these two Policy Groups, click the square, and create the security rules. Here's what that looks like:
Step 1: Click Intersection between Policy Groups
Step 2: Define Security Rules
You can now see that your policy is active on the Graphical Policy Visualization Matrix.
You can also manually deploy the same policy and create the Policy Groups on the fly. Below is an example of this workflow.
To create the policy, navigate to the policy section on the left pane of Cloud Control Center and select Add Policy (figure 1).
Figure 1. Creating a new policy by clicking the Add Policy button.
Give the policy a name and define your source by selecting Add New Source (figure 2). Unless you specify otherwise by clicking “Make it a Policy Group”, Cloud Control Center will automatically create a policy group with an auto-generated name based on the policy name. To reference this policy group in a different policy, it is necessary to give the policy group a custom name by selecting “Make it a Policy Group” (figure 3).
Figure 2. Specify a policy name, and select a source.
Figure 3. To specify IoT and OT devices, select the source as Devices, Device Genre.
Add the destination in the same way the source was added (figure 4).
Figure 4. Select a destination, in this example, we are using an asset group of critical-servers.
Specifying the security rules is not required in this instance, since the IP addresses and protocols the server communicates on were defined during application onboarding (figure 5).
The resulting policy should look like this:
Figure 5. Specify a security rule, in this case, custom application, and specific destination of dc-jumphost, server2, and server1 set to Deny traffic.
Select Deploy and the policy will be immediately enforced across all edges of the network.
To review or edit the policy, select the policy name. You can also delete the asset group by selecting the three dots (more options) next to the asset group name.
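To make the policy constructs from both workflows above concrete, here is an added Python model (not Cloud Control Center code) of how AND-matched Policy Groups, matrix intersections and default-deny evaluation fit together. Device names and attributes are constructed sample data, and MODBUS is modelled as its standard Modbus/TCP port 502, an assumption since the page does not state a port.

```python
# Constructed inventory: the identity attributes (genre, type) learned per device.
DEVICES = {
    "plc-01":    {"genre": "OT",  "type": "PLC Controller"},
    "sensor-07": {"genre": "OT",  "type": "Sensor"},
    "cam-03":    {"genre": "IoT", "type": "IP Camera"},
    "hmi-02":    {"genre": "OT",  "type": "HMI"},
}

# A Policy Group is an AND of attribute matches, e.g. Device Genre -> OT
# AND Device Type -> PLC Controller. A group with one criterion is a broad group.
POLICY_GROUPS = {
    "OT-PLC-Controllers": {"genre": "OT", "type": "PLC Controller"},
    "OT-Sensors":         {"genre": "OT", "type": "Sensor"},
    "IoT-Devices":        {"genre": "IoT"},
    "OT-Devices":         {"genre": "OT"},
}

# The matrix: one rule list per (source group, destination group) intersection.
# Each rule is (protocol, port, action). Modbus/TCP port 502 is an assumption.
MODBUS_TCP = ("tcp", 502)
MATRIX = {
    ("OT-Sensors", "OT-PLC-Controllers"): [(*MODBUS_TCP, "allow")],
    ("OT-PLC-Controllers", "OT-Sensors"): [(*MODBUS_TCP, "allow")],
    ("IoT-Devices", "OT-Devices"):        [("any", 0, "deny")],
}

def groups_for(device: str) -> set[str]:
    """Return every Policy Group whose AND criteria the device satisfies."""
    attrs = DEVICES[device]
    return {name for name, crit in POLICY_GROUPS.items()
            if all(attrs.get(k) == v for k, v in crit.items())}

def evaluate(src: str, dst: str, proto: str, port: int) -> str:
    """Evaluate one flow against every intersection the two devices fall in.

    An explicit deny anywhere wins; an allow is needed for traffic to pass;
    a flow with no matching rule at all is implicitly denied.
    """
    decisions = set()
    for sg in groups_for(src):
        for dg in groups_for(dst):
            for rproto, rport, action in MATRIX.get((sg, dg), []):
                if rproto == "any" or (rproto == proto and rport == port):
                    decisions.add(action)
    if "deny" in decisions:
        return "deny"
    return "allow" if "allow" in decisions else "deny"
```

Running `evaluate("cam-03", "plc-01", "tcp", 502)` shows the IoT-to-OT deny applying even though the flow uses the permitted Modbus port, while the HMI-to-PLC flow is dropped only because no intersection allows it.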