Micro-segmentation – dividing up your network and setting controls for each part – is currently the trendy solution for securing OT, IoT, and IoMT devices, but this belief overlooks several critical realities.
Limited Visibility
Problem: In environments with OT, IoT, and IoMT devices, installing agents is not feasible, nor do these devices always possess identifiable attributes like traditional endpoints. Consequently, micro-segmentation relies on predefined network boundaries and static rules to restrict access between devices. This approach lacks the granular visibility needed to detect and understand the behavior of each device, leading to significant blind spots.
Example: In 2017, the WannaCry ransomware attack exploited unmonitored medical devices like MRI scanners and infusion pumps in healthcare networks, causing widespread disruptions across hospitals because these devices were not adequately visible within the segmented network boundaries.
Operational Complexity
Problem: Micro-segmentation requires complex and resource-intensive implementation and maintenance, especially in environments with dynamic and diverse OT, IoT, and IoMT devices. In large corporations, these environments continuously change as new devices are added, removed, or updated. This constant flux makes it challenging to manage policies effectively, creating gaps that threat actors can exploit.
When most micro-segmentation vendors state they have solved operational complexity, they mean it for systems where agents can be installed, identities can be managed, or network traffic can be decrypted and granularly monitored. None of these conditions hold for OT/IoT/IoMT devices. Does this remind you of your WAF that was always stuck in monitoring mode or needed daily care and feeding?
Example: During the 2015 cyberattack on Ukraine’s power grid, attackers took advantage of poorly managed network segmentation to disable critical OT devices and disrupt power distribution, demonstrating how difficult it is to manage segmentation policies across dynamic environments.
Not Built for Wireless
Problem: Micro-segmentation was primarily designed for wired networks and data centers, not for the unique challenges presented by wireless airspace. It doesn’t account for the transient nature of wireless devices that frequently move in and out of coverage or the unpredictable communication patterns of IoT devices, which can bypass segmentation rules.
Example: The 2021 Verkada breach highlighted how attackers could gain unauthorized access to wireless security cameras, demonstrating the inadequacy of traditional segmentation techniques in controlling wireless devices that do not adhere to static network boundaries.
Doesn’t Prevent Exploitation of Vulnerable Devices
Problem: While micro-segmentation can limit lateral movement within a network, it does not stop the initial exploitation of a vulnerable OT, IoT, or IoMT device. If a device is compromised, the damage is already done, especially if it has access to sensitive data or critical operations.
Example: In 2018, a cyberattack on a casino’s network was initiated through a compromised IoT-connected fish tank thermostat. Although the network was segmented, the attackers leveraged this device to gain access and move laterally, proving that segmentation could not prevent the initial device compromise. In healthcare, the impact could be even more severe: a compromised infusion pump or ventilator could pose direct risks to patient safety.
Limited to Known Threats
Problem: Micro-segmentation typically relies on known traffic patterns and predefined policies, making it less effective against zero-day threats or new attack vectors that do not match existing rules. Attackers can still find ways to exploit devices that have not been properly secured or monitored.
Example: The 2020 SolarWinds supply chain attack showed that even with segmentation, sophisticated attackers could introduce novel attack vectors that bypassed traditional security measures. The malware used in this attack was unfamiliar to many existing security tools, allowing it to spread despite network segmentation policies.
A Proactive, Comprehensive Approach is Needed
Although micro-segmentation, despite its limitations and complexities, plays a role in a broader security strategy, it is still far from a silver bullet for protecting OT, IoT, and IoMT devices. At best, it may help contain damage after an attack has already begun. In contrast, platforms like Aireye provide proactive defense, stopping attacks before they start and offering a comprehensive solution tailored to the unique challenges of securing your wireless airspace.