How to implement security segmentation using Perygee
The National Institute of Standards and Technology (NIST) recently published a white paper titled “Security Segmentation in a Small Manufacturing Environment.” They define security segmentation as a cost-effective and efficient security design approach for protecting cyber assets by grouping them based on both their communication and security requirements. Although the paper is focused on small manufacturing environments, the principles outlined in the framework are applicable to other industries that seek to protect their business operations by segmenting their critical devices.
The NIST presents a six-step approach to security segmentation that lays the foundation for an effective and efficient cybersecurity strategy. We’ll break down each of the steps and show how you can use Perygee to implement this strategy at your company and improve your cybersecurity posture.
Step 1: Identify List of Assets
The first step in the security segmentation process is to inventory the hardware, software, and sensitive data or information assets involved in the operation of the business. Hardware assets include IT (e.g., office computers, workstations, servers, phones, tablets) and OT (e.g., cobots, sensors, PLCs). Software includes operating systems, and off-the-shelf or custom code used by your hardware devices. Data or information assets include sensitive business, product, or customer information typically stored in hardware assets and accessed by software assets.
With Perygee, there are four ways you can create an asset inventory:
-
Install a Perygee Hub, a hardware or software appliance that connects the Perygee platform to your local network. The Hub allows for passive monitoring and active scanning.
-
Integrate with your existing asset discovery tool. Perygee offers out-of-the-box integrations and custom integrations that can be easily configured and require no additional fees.
-
Import a spreadsheet containing a list of your assets using Perygee’s best-in-class CSV import tool. Our import tool can help clean up your existing data by catching duplicates or misspellings, which are common with spreadsheet-managed inventories.
-
Manually input your assets into Perygee
The paper also provides guidance for the attributes that you should include, at a minimum, in your asset inventory. They mention device identification number, manufacturer, model number, version number, license or warranty information, date created or installed, and location of the asset. We would also suggest including attributes like asset owner, image, and lifecycle information (e.g. status and firmware version) wherever possible. A more detailed asset inventory will make it easier to create risk profiles and make accurate segmentation decisions. Through automated data extraction and integrations, customers of Perygee have access to an extensible IoT/OT knowledge graph with all of the attributes listed above. Once your assets are in Perygee, our open-source intelligence kicks into gear to enrich your inventory so you don’t have to waste time tracking down information from manufacturer websites and other public sources.
Step 2: Assess Risk and Create Security Zones
This step involves conducting an informal assessment of the risk associated with hardware assets. Assets that have similar operational functions, mission criticality levels, or data sensitivity levels generally also share common cybersecurity requirements. The manufacturer can use these operational similarities to group their assets and these groups of assets become security zones. The business should use criteria for grouping assets based on their specific environment.
Many security solutions in the market are rigid and don’t adapt easily to varying environments. Perygee, on the other hand, is built on a highly customizable data layer that is designed to meet the expectations of small or large enterprises from any industry. Our no-code query builder also makes it easy to build workflows and automations around all the data that is relevant to your most critical assets.
Let’s look at the example used in the paper – the primary operational function of an asset – for which they provide five different groupings or zones: business applications, administrative systems, connectivity services, manufacturing applications, and industrial control systems (ICS). Assets identified in step one can be classified into operational function zones, and in Perygee you can define the zones that make the most sense for your organization by creating new items within the Security Zone item type (see image above).
For example, if you work in a Hospital environment you will not have a zone dedicated to ICS. Instead, you could define a zone for “Medical Systems” with the same attributes shown in the image: Name, Description, Risk Level, and Risk Level Rationale (more on risk in step three). The Security Zone item type is linked to the Asset item type, which means that for any asset in your environment you can query for its security zone. Similarly, for any security zone you can query for the assets it contains. These queries can be used in native Perygee spreadsheets, automations, and dashboards, and as your asset inventory changes, whether through manual or observed (network monitoring) methods, your security zones and associated workflows will automatically update in real-time.
Step 3: Determine the Risk Level for the Security Zones
A risk level must be determined for each security zone. The more risk associated with the assets in a security zone, as found in step 2, the higher the protection needed. Each business must determine their own categories of risk with definitions for each; the example in this document uses the categories of Low, Moderate, High, and ICS.
As mentioned in step two, the risk levels and corresponding rationale can be modeled in Perygee as attributes on the Security Zone item type. Perygee’s value extends beyond just the data modeling and into the maintenance of your asset inventory too. Using Perygee automations you can systematically keep your assets up to date with the appropriate zones and risk profiles as your inventory changes over time. For example, imagine you have the Perygee Hub installed and it discovers a new device connected to your network, which you classify the product type as “Printer.” With Perygee, you can create an automation that assigns a security zone to an asset any time the asset’s product type changes (in this case it changes from null to “Printer”). For a small or medium-sized business maintaining the integrity of the data is an even larger task than implementing a new framework, so a solution like Perygee with automated workflows can significantly ease the burden.
Step 4: Map Communication between the Security Zones
To understand and configure the trusted communication between security zones, the communication requirements between assets must be determined based on a deep understanding of the existing traffic flows between all the assets in the plant or using a network monitoring tool.
There are two ways that Perygee can help establish the communication requirements between assets:
-
If a Perygee Hub was installed in step one, you can monitor the traffic flow from each asset and between assets.
-
If you have an existing network monitoring tool, you can create a custom integration that pulls in the necessary information to map out the communication patterns on your network.
Once the communication requirements are understood, you can apply rules at the security zone level. Using Perygee’s visual automation builder, you can create a series of automations that permit or deny the flow of traffic between zones by sharing the configurations with your firewalls. Perygee won’t enforce the rules, but the policies, permissions, and change history can all be managed from the platform.
Step 5: Determine Security Controls for the Security Zones
Once assets are classified and grouped into security zones, risk levels have been assigned to the security zones, and communication requirements between these security zones have been identified, the next step is to determine and apply security controls.
NIST provides a comprehensive list of cybersecurity practices that are relevant for a manufacturing environment. Organizations will need to determine the practices they want to use based on their desired risk reduction (implementing all of them is probably not needed or possible given limited resources). Once a list of practices is determined, an organization will need to figure out the right solution(s) to implement the proper controls. Complete coverage of an organization’s desired practices can often lead to fragmentation, high costs, and underused tools so it’s important to consider what’s already in your technology stack, where there are gaps, and if you are required to purchase new software, can it replace one or more of your existing solutions.
Perygee is not a silver bullet solution for all of the recommended manufacturing practices, however, many controls can be implemented using the platform. Because this post is not specifically about Perygee’s alignment to NIST’s manufacturing profile framework, we won’t go into too much detail. However, below you can see a high level overview of Perygee’s capabilities and how they map to the CSF manufacturing profile.
| Perygee Alignment to CSF manufacturing profile framework | ||
| Function | Category | Subcategory Mappings |
| Identity | Asset Management | Yes |
| Business Environment | Yes | |
| Governance | Yes | |
| Risk Assessment | Yes | |
| Risk Management Strategy | No | |
| Protect | Identity Management, Authentication and Access Control | Yes |
| Awareness and Training | No | |
| Data Security | Yes | |
| Information Protection Processes and Procedures | Yes | |
| Maintenance | No | |
| Protective Technology | Yes | |
| Detect | Anomalies and Events | Yes |
| Security Continuous Monitoring | Yes | |
| Detection Processes | Yes | |
| Respond | Response Planning | No |
| Communications | Yes | |
| Analysis | Yes | |
| Mitigation | Yes | |
| Improvements | No | |
| Recover | Recovery Planning | No |
| Improvements | No | |
| Communications | No | |
Step 6: Create Logical Security Architecture Diagram
When you apply these building blocks of the security segmentation to the target environment, it results in a logical security architecture. It should show the security zones, inter-zone communication requirements, color indicating the risk level, and notations for security solutions that are implemented inside each zone.
The logical security architecture diagram is a visual representation of the relationship between all the components in your security segmentation. You have asset types which are contained within security zones. Security zones which have an associated risk level, controls, and communication requirements. Using Perygee, you can view these components and their relationships on a graph editor with convenient drag and drop controls. Also, rather than a static image of your architecture, in Perygee the components are interactive so you can add/remove, edit, or drill in for more details.
The NIST framework for security segmentation in a small manufacturing environment is a great strategy for companies to adopt. However, without the right tools, the overhead can be too much for security teams. If you’re thinking about implementing this framework in your organization we’d love to talk about how Perygee can help! Drop us a line at hello@perygee.com.
Are you ready to securely embrace IoT/OT?
Start exploring the platform and sign up for your free trial or contact us to chat about your IoT/OT challenges and upcoming projects.
No email or credit card required to try out the platform.