Enforce Separation Between Key Areas of the Network

THE CHALLENGE 

Prevent threats from moving laterally throughout the network and gaining access to safety-critical systems.

As set out in IEC 62443, an effective rolling-stock security strategy begins with segmenting by system or device type into zones and conduits, with defined boundaries and target security levels. A mature segmentation strategy applies the principle of least privilege: a system should communicate only with the system, or systems, it needs to perform its function, and should be prevented from communicating outside its own zone. Any other access or communication must be explicitly restricted and controlled, with deny as the default.

Network segmentation is a core building block of a mature cybersecurity strategy for rolling stock and an integral part of defence-in-depth. It provides far greater security and resilience than a perimeter-only defence, which has no measures to stop an attacker who has crossed the perimeter from moving through the network unchallenged.

When an OT network is effectively segmented, isolating critical systems not only makes unauthorised access and exploitation much more difficult, it also contains the effects of non-malicious errors and accidents, such as a misconfigured device flooding a segment.


THE SOLUTION  

Ensure that traffic between network segments and protected systems is controlled, and that only explicitly permitted flows are allowed.

The first step in segmenting a rolling-stock network effectively is to determine how, what, and why systems within it are communicating. Every rolling-stock network is different and requires its own approach, and a complete understanding of asset configurations and data flows is essential to deciding how to segment each zone. We begin with a thorough mapping of the current network. We then use our knowledge of the underlying processes and systems to design a secure and reliable approach that isolates systems into functional groups with similar security requirements and establishes zones and conduits specific to your environment.

We recognise that any requirement to physically move equipment for segmentation is impractical and, in most fleets, out of the question. Segmentation with the RazorSecure Security Gateway does not require extensive network re-engineering or reconfiguration, because any change that would take the network offline or disrupt operations is unacceptable.

Using the RazorSecure Gateway as a platform, we can deploy an open-source or next-generation firewall of your choice, giving complete flexibility over security controls and cost, to filter and control traffic between the defined network segments.
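To make the zone-and-conduit model concrete, the following added example (not RazorSecure's code, and not part of the original page) shows the two sides of the approach described above: checking observed data flows against a least-privilege conduit list, and rendering that same list as a default-deny firewall ruleset of the kind a gateway-hosted firewall would enforce. The zone names, addresses, ports and flow records are constructed for illustration and are hypothetical; the nftables output uses standard nft syntax but is not a ruleset from any real deployment.

```python
"""Zone/conduit policy check for a segmented onboard network.

Added example, not RazorSecure's code.  Zone names, addresses, ports and
the flow records are constructed for illustration (hypothetical).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones: groups of systems with similar security requirements (IEC 62443).
# Address ranges are hypothetical.
ZONES = {
    "control": ip_network("10.10.1.0/24"),      # train control, safety-critical
    "diagnostics": ip_network("10.10.2.0/24"),  # onboard diagnostics
    "passenger": ip_network("10.10.3.0/24"),    # passenger Wi-Fi / infotainment
    "wayside": ip_network("10.10.9.0/24"),      # train-to-ground link
}


@dataclass(frozen=True)
class Conduit:
    """One permitted flow between two zones (least privilege: nothing else)."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Hypothetical conduit list: only the flows an operation needs.
CONDUITS = [
    Conduit("diagnostics", "control", "tcp", 502),   # Modbus reads from control
    Conduit("diagnostics", "wayside", "tcp", 8883),  # MQTT over TLS to ground
]


def zone_of(addr: str):
    """Map an address to its zone, or None if it belongs to no known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_permitted(src: str, dst: str, proto: str, dport: int) -> bool:
    """Default deny: a cross-zone flow is allowed only via a listed conduit."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False            # unknown asset: deny
    if s == d:
        return True             # intra-zone traffic is allowed by this policy
    return Conduit(s, d, proto.lower(), dport) in CONDUITS


def find_violations(flows):
    """Return flows that cross a zone boundary without an authorised conduit."""
    return [f for f in flows if not is_permitted(*f)]


def nft_rules(chain: str = "forward") -> str:
    """Render the conduit list as an nftables ruleset with a drop default."""
    lines = [
        "table inet seg {",
        f"  chain {chain} {{",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # return traffic only
    ]
    for c in CONDUITS:
        lines.append(
            f"    ip saddr {ZONES[c.src_zone]} ip daddr {ZONES[c.dst_zone]} "
            f"{c.proto} dport {c.dport} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records from a hypothetical network capture:
# (source, destination, protocol, destination port)
SAMPLE_FLOWS = [
    ("10.10.2.15", "10.10.1.7", "tcp", 502),    # diagnostics -> control: permitted
    ("10.10.3.40", "10.10.1.7", "tcp", 502),    # passenger -> control: violation
    ("10.10.1.7", "10.10.1.8", "udp", 47808),   # intra-zone: permitted
    ("10.10.2.15", "10.10.9.3", "tcp", 8883),   # diagnostics -> wayside: permitted
    ("10.10.9.3", "10.10.2.15", "tcp", 22),     # wayside -> diagnostics SSH: violation
    ("192.168.50.2", "10.10.1.7", "tcp", 502),  # unknown source: violation
]

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_FLOWS):
        print("VIOLATION", flow)
    print(nft_rules())
```

Running the script against the constructed capture reports three violations (the passenger-to-control flow, the inbound SSH from the wayside link, and the flow from an unknown address) and prints the corresponding ruleset. Two design points carry over to real deployments: the policy denies by default and only lists what is needed, and the `established,related` rule admits return traffic without opening a reverse conduit, so a permitted request does not become a permitted entry path in the other direction.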

SOLUTION OUTCOMES

  • Reduced attack surface

    Limit the attack surface by preventing threats from moving laterally across the network

  • Control authorised access

    Reduce the risk of unauthorised access and exploitation as well as contain the effects of non-malicious errors and accidents

  • Contain threats

    Isolate incidents and quickly identify threats to minimise the impact of the intrusion.