Outdated network security can pose risks for any operation, but it is especially concerning if that operation deals with life-threatening materials. That was the case for this global manufacturer, which serves industries ranging from government to aerospace and produces advanced H1 hazardous materials with an explosive element. 24/7 monitoring was crucial — any disruption could be catastrophic to both the plant and the surrounding community.
Despite these high stakes, the manufacturer was still on a flat Layer 2 MPLS network, employing traditional technologies such as switches and routers for local networking, and firewalls and VPNs for security. The network attack surface was significant: malware was able to breach, traverse, and persist despite security controls such as VLANs, firewall rules, ACLs, VPNs, 802.1X authentication, and security certificates.
To make things worse, every building had thousands of live data jacks, all of which were opportunities for malicious actors to enter the network and attack critical industrial controls and sensitive resources.
One particularly vulnerable division was unable to remove a persistent malware threat on its own, requiring the Department of Homeland Security (DHS) to lead the months-long removal process. The malware threat exposed the company and its customers to theft of intellectual property, including customer designs and specifications of proprietary components and parts.
Unsurprisingly, the company failed internal security audits. As a result, the Chief Information Security Officer (CISO) issued a mandate to implement network segmentation for all business units in compliance with NIST network security standards.
A small IT team explored alternatives to existing configurations, but their findings presented additional challenges: initial estimates for segmenting via internal firewalls and ACLs were about $1 million and two months’ deployment time per plant, plus additional headcount.
“Rearchitecting our network with any of these traditional tools would have been prohibitively expensive, time-consuming to deploy, and difficult to manage,” explained the manufacturer’s Manager of Networking Systems. “Having to re-IP our hard-coded applications and devices was a total showstopper. We needed a better way to segment and secure our network.”