Cybersecurity: Micro-segmentation and Zero Trust as the Key to Effective Risk Management and OT Security

Claroty has expanded its cyber-physical system (CPS) security platform with new micro-segmentation capabilities designed to restrict lateral movement across industrial and healthcare networks. By integrating automated policy enforcement with deep packet inspection of proprietary OT (operational technology) protocols, the platform aims to isolate compromised assets without disrupting time-sensitive industrial processes.

Engineering the Shift from Perimeter Defense to Granular Isolation

The core challenge in industrial cybersecurity has long been the “flat network” architecture. In most manufacturing and clinical environments, once a threat actor gains access to a single programmable logic controller (PLC) or medical device, they can often traverse the entire subnet. Claroty’s latest update shifts this paradigm by implementing what the firm terms “Adaptive Micro-segmentation.”

Unlike traditional IT-centric firewalls that rely on simple IP-to-IP rules, this approach relies on the platform's ability to decode industrial protocol traffic. It identifies the specific function, such as a "write" command to a motor controller or a telemetry request from a patient monitor, and builds policy on that granular activity rather than on the address pair alone. If a device attempts a function outside its policy, the platform triggers an automated isolation response.

This is a significant departure from legacy VLAN-based segmentation, which often requires manual re-architecting of the network. By shifting the enforcement logic to the application layer, Claroty is effectively attempting to decouple security policy from physical network topology.

The Technical Hurdle: Latency and Determinism

In the world of OT, security cannot come at the cost of uptime. A micro-segmentation rule that introduces even a few milliseconds of latency into a tight control loop can trigger a "fail-safe" shutdown in a chemical plant or a power grid, leading to massive operational losses. The technical difficulty lies in performing deep packet inspection (DPI) inline at line speed on legacy network gear that lacks modern hardware offload for packet processing. The OT protocols involved are typically unencrypted, so the cost is in parsing and policy lookup rather than decryption, but that parsing still has to sit in the data path of traffic that cannot tolerate delay.

According to documentation from the Institute of Electrical and Electronics Engineers (IEEE) regarding industrial network security, the primary risk in implementing automated segmenting is the potential for “false-positive blocking” of critical control traffic. Claroty’s strategy appears to mitigate this by utilizing its existing asset discovery engine to baseline normal traffic patterns for months before the system is allowed to move from “monitor” to “enforce” mode.
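To make the two ideas above concrete, the function-aware policy (a "write" from a host that has only ever read is a different flow from a "read") and the monitor-then-enforce lifecycle that guards against false-positive blocking, here is an added Python illustration. It is not Claroty code and does not reflect how the platform is implemented; the Modbus/TCP parser follows the public MBAP framing, but the policy key, the observation threshold, the host addresses, and the traffic replayed through it are all assumptions constructed for the example.

```python
"""Function-aware Modbus/TCP segmentation policy with a monitor-then-enforce
lifecycle. Added illustration, not Claroty code; the policy model, threshold
and host addresses below are assumptions made for this example."""
import struct
from collections import Counter
from dataclasses import dataclass, field

# Modbus public function codes grouped by their effect on the process.
# Anything not listed is treated as unknown and handled conservatively.
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17, 20, 43}   # coils, registers, device ids
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}   # change outputs or registers
DIAG_FUNCTIONS = {8, 11, 12}                   # diagnostics and event counters


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the function code that follows it."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus/TCP" % proto)
    # The MBAP length field counts the unit id plus the PDU, i.e. every byte
    # after the first six, so it must match the frame size exactly.
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d disagrees with frame size" % length)
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def build_modbus_tcp(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a request frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def classify(fc: int) -> str:
    """Map a function code to the activity class the policy is keyed on."""
    if fc in WRITE_FUNCTIONS:
        return "write"
    if fc in READ_FUNCTIONS:
        return "read"
    if fc in DIAG_FUNCTIONS:
        return "diagnostic"
    return "unknown"


@dataclass
class SegmentationPolicy:
    """Policy keyed on (src, dst, unit id, activity class), not on IP pairs."""
    mode: str = "monitor"            # "monitor" learns, "enforce" blocks
    min_observations: int = 3        # flows seen fewer times are not trusted
    baseline: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)

    def evaluate(self, src: str, dst: str, frame: bytes) -> str:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            # Unparseable traffic never enters the baseline; once enforcing,
            # it is dropped rather than guessed at.
            self.alerts.append((src, dst, "malformed", str(exc)))
            return "block" if self.mode == "enforce" else "observe"
        key = (src, dst, req.unit_id, classify(req.function_code))
        if self.mode == "monitor":
            self.baseline[key] += 1      # learning period: record, never block
            return "observe"
        if self.baseline[key] >= self.min_observations:
            return "allow"
        self.alerts.append((src, dst, key[3],
                            "fc=%d not in baseline" % req.function_code))
        return "block"


def demo() -> dict:
    """Replay constructed traffic in monitor mode, then switch to enforce."""
    hmi, ews, plc, rogue = "10.0.1.10", "10.0.1.50", "10.0.2.20", "10.0.1.99"
    policy = SegmentationPolicy()
    read_hr = build_modbus_tcp(1, 1, 3, b"\x00\x00\x00\x0a")      # read 10 regs
    write_hr = build_modbus_tcp(2, 1, 16, b"\x00\x10\x00\x01\x02\x00\x2a")
    for _ in range(5):                   # baseline: HMI reads, workstation writes
        policy.evaluate(hmi, plc, read_hr)
        policy.evaluate(ews, plc, write_hr)
    policy.mode = "enforce"
    return {
        "hmi_read": policy.evaluate(hmi, plc, read_hr),       # allow
        "ews_write": policy.evaluate(ews, plc, write_hr),     # allow
        "hmi_write": policy.evaluate(hmi, plc, write_hr),     # block: new class
        "rogue_read": policy.evaluate(rogue, plc, read_hr),   # block: new host
        "truncated": policy.evaluate(hmi, plc, read_hr[:5]),  # block: malformed
    }


if __name__ == "__main__":
    print(demo())
```

The point of the observation threshold is the false-positive risk the paragraph above raises: a flow seen once during a maintenance window should not be promoted to a trusted rule, while a flow never seen at all must be blocked once enforcement starts. In a real deployment the baseline would also need to be time-aware, since some legitimate traffic (firmware updates, annual calibration) appears far less often than any monitoring period is likely to run.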

Why Micro-segmentation Matters for Zero-Trust Adoption

The industry is moving toward a Zero-Trust architecture, a security model in which no entity is trusted by default. While this is standard in cloud-native software environments, it has been notoriously difficult to implement in environments running protocols like Modbus, DNP3, or BACnet. These protocols were designed for reliability, not for authentication or encryption; secure extensions exist (DNP3 Secure Authentication, Modbus/TCP Security over TLS), but they are rarely supported by the fielded equipment that actually runs these plants.

By layering micro-segmentation over these legacy systems, organizations can approximate a Zero-Trust environment without changing the protocols themselves. This prevents ransomware, which often spreads by scanning the network for exposed SMB or RDP services, from moving from a compromised workstation into the safety-instrumented systems (SIS) of a refinery or a hospital's imaging network.

As the analyst firm Gartner has noted in its research on cyber-physical systems, effective risk management in these sectors now requires visibility that spans both the digital and physical domains. The ability to automatically segment these environments is arguably the most critical step in preventing the scenario in which an IT-side compromise forces an OT shutdown, as in the 2021 Colonial Pipeline incident, where ransomware on the operator's corporate systems led it to halt pipeline operations as a precaution.

Operational Impact and Ecosystem Integration

For the enterprise IT department, the integration of these features means less time spent manually configuring Access Control Lists (ACLs) on switches. Claroty's platform exposes these policies via API, allowing integration with infrastructure-as-code tools such as HashiCorp Terraform or with Security Orchestration, Automation, and Response (SOAR) platforms.

  • Protocol Support: Deep visibility into proprietary OT protocols that standard firewalls ignore.
  • Automated Baselines: Uses machine learning to profile “normal” communication, reducing the risk of blocking legitimate control traffic.
  • Policy Orchestration: Centralized management of network segments across hybrid environments (cloud, on-prem, and edge).

However, the efficacy of this system remains dependent on the quality of the underlying asset data. If the platform fails to identify a device because it runs obscure firmware or speaks an undocumented protocol, the micro-segmentation policy will be incomplete, and any traffic it cannot classify must be either blocked (risking an outage) or allowed (defeating the purpose). This places a heavy burden on the initial deployment phase, where the platform must be tuned to the specific environment of the facility.

The 30-Second Verdict

Claroty is betting that the path to securing critical infrastructure is not through replacing legacy hardware, but by wrapping it in an intelligent, software-defined security layer. This update is a pragmatic move for CISOs struggling with the complexity of converged IT/OT networks. If the automated policy enforcement holds up under high-load industrial conditions, it could provide a viable path to hardening systems that were never designed to be connected to the internet in the first place. The real-world performance—specifically the impact on jitter and packet loss—will be the true test as these features reach broader deployment in the coming months.

Sophie Lin - Technology Editor

Sophie is a tech innovator and acclaimed tech writer recognized by the Online News Association. She translates the fast-paced world of technology, AI, and digital trends into compelling stories for readers of all backgrounds.
