Ramsdata

Industrial networks (OT, Operational Technology) are among the most difficult environments to secure. SCADA systems, PLCs, DCSs and industrial IoT devices were designed for availability and determinism, not security. Many rely on legacy protocols, do not support encryption and cannot be patched without risking production downtime. Certes Networks offers an approach to protecting these environments that requires no modification or replacement of existing devices: cryptographic segmentation.

Table of contents

  1. The specifics of industrial network (OT) security
  2. Why don’t traditional security approaches work in OT?
  3. What is cryptographic segmentation?
  4. How does Certes Networks implement cryptographic segmentation?
  5. Zero-Trust in OT environments with Certes
  6. OT traffic visibility and monitoring
  7. Use cases – energy, manufacturing, critical infrastructure
  8. Key findings
  9. FAQ
  10. Summary

The specifics of industrial network (OT) security

OT networks differ fundamentally from IT networks in their security priorities. In IT the model is CIA (Confidentiality, Integrity, Availability), with the emphasis on confidentiality. In OT the order is inverted: availability comes first, then integrity, and confidentiality last. An hour of production-line downtime can cost hundreds of thousands, so OT operators reject any security measure that risks an outage.

OT devices are embedded systems, often running operating systems that are decades old, with no way to install security software, no vendor firmware updates, and communication protocols (Modbus, DNP3, Profibus, classic OPC) that were not designed with security in mind. IT/OT convergence, the integration of office and production networks for Industry 4.0, dramatically widens the attack surface of industrial environments. Certes Networks at Ramsdata offers specialized encryption and segmentation solutions for enterprise and industrial environments.

Why don’t traditional security approaches work in OT?

A firewall between the IT and OT networks (the industrial DMZ) is good practice but not sufficient: it does nothing against lateral movement inside the OT network, does not encrypt communication between devices, and does not fix the insecure protocols themselves.

Installing security agents on OT devices is usually impossible; a PLC or DCS controller does not run third-party software. VLAN-based microsegmentation is coarse and provides neither encryption nor integrity protection. Replacing OT devices with newer, security-capable models is prohibitively expensive and often ruled out by production continuity requirements. Certes Networks offers an approach that works around these constraints: encryption and segmentation applied transparently, inline, without touching the OT devices.

What is cryptographic segmentation?

Cryptographic segmentation isolates network segments by encrypting the traffic between them, rather than through traditional network mechanisms (VLANs, firewall rules). Instead of asking “what is allowed between segments?”, it asks “who can read this traffic?”. Only devices belonging to the same cryptographic group hold the key needed to decrypt and verify the messages; to every other device, and to anyone tapping the wire, the traffic is opaque ciphertext.

This model has clear advantages in OT environments. Encryption is applied transparently: OT devices are unaware that their communication is encrypted, and no device or software modification is needed. Segmentation policy is defined centrally and enforced by dedicated Certes appliances, not by the OT devices themselves. Even an attacker with physical access to an OT segment cannot read communication between devices of another cryptographic group. The limits follow from the same design: a device that is itself compromised still speaks freely within its own group, so groups should be drawn as narrowly as the process allows, and the appliances together with the key manager become the trust anchor for the whole scheme.

How does Certes Networks implement cryptographic segmentation?

Certes Networks implements cryptographic segmentation with dedicated CryptoFlow Net Protector (CNP) appliances installed inline in the OT network, without changes to the existing infrastructure. CNPs are transparent to network traffic: OT devices do not “know” they exist and communicate as before. The CNPs encrypt traffic according to policies defined centrally in the Certes management system (CipherTrust Manager or Certes CipherPoint).

Crypto Groups are the logical segments within which traffic is permitted and encrypted. Devices assigned to the same group can communicate; devices in different groups cannot, even when they sit on the same physical network. Policy changes are made centrally and applied at once by every CNP on the network, with no downtime and no reconfiguration of OT devices. Before deployment, confirm with the vendor how a CNP behaves when it loses power or contact with the manager (whether it fails open and passes plaintext, or fails closed and blocks the segment), because that choice decides whether an appliance fault is a security event or an availability event.
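The following is an added illustration of the crypto-group model described in this section and the previous one; it is not Certes code and the appliance, policy layout, addresses and keys are assumptions. It uses only the Python standard library: HMAC-SHA256 in counter mode as the keystream plus a separate HMAC tag (encrypt-then-MAC) stands in for the hardware AES engine of a real appliance. The policy logic is the point: the sending appliance forwards only within one group, the receiving appliance can decrypt only with that group's key, and a frame modified on the wire is dropped before it ever reaches the PLC.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Central segmentation policy (assumed layout): device address -> crypto group.
POLICY = {
    "10.1.1.10": "line1",  # PLC_A
    "10.1.1.20": "line1",  # HMI_A
    "10.1.2.10": "line2",  # PLC_B
    "10.1.2.20": "line2",  # HMI_B
}

# Per-group keys as pushed to the appliances by the central manager (constructed).
GROUP_KEYS = {
    "line1": hashlib.sha256(b"demo key line1").digest(),
    "line2": hashlib.sha256(b"demo key line2").digest(),
}

NONCE_LEN, TAG_LEN = 12, 16


@dataclass
class Frame:
    """What leaves the appliance: addressing in clear, payload protected."""
    src: str
    dst: str
    blob: bytes  # nonce || ciphertext || tag


def _subkey(group_key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys derived from the group key.
    return hmac.new(group_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for the appliance's AES engine.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _tag(mac_key: bytes, src: str, dst: str, nonce: bytes, ct: bytes) -> bytes:
    # The clear addressing is authenticated so a frame cannot be re-targeted.
    aad = f"{src}>{dst}".encode()
    return hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]


def egress(src, dst, payload, keys=GROUP_KEYS, policy=POLICY):
    """Sending-side appliance: forward only within one crypto group, encrypted."""
    group = policy.get(src)
    if group is None or group != policy.get(dst):
        return None  # cross-group or unknown device: policy drop
    key = keys[group]
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    return Frame(src, dst, nonce + ct + _tag(_subkey(key, b"mac"), src, dst, nonce, ct))


def ingress(frame, keys, policy=POLICY):
    """Receiving-side appliance that holds `keys` only for the groups it serves."""
    group = policy.get(frame.src)
    if group is None or group != policy.get(frame.dst):
        return None
    key = keys.get(group)
    if key is None:
        return None  # not a member of this group: the frame is unreadable here
    nonce, ct, tag = frame.blob[:NONCE_LEN], frame.blob[NONCE_LEN:-TAG_LEN], frame.blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(_subkey(key, b"mac"), frame.src, frame.dst, nonce, ct)):
        return None  # wrong key or modified in transit: dropped, never delivered
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed Modbus/TCP request: Read Holding Registers, unit 1, start 0, count 10.
MODBUS_READ = bytes.fromhex("00010000000601030000000a")


def demo():
    """Run the four cases a practitioner would check: same group, cross group,
    foreign appliance, and a frame flipped on the wire."""
    line1_only = {"line1": GROUP_KEYS["line1"]}
    line2_only = {"line2": GROUP_KEYS["line2"]}
    f = egress("10.1.1.10", "10.1.1.20", MODBUS_READ)
    flipped = f.blob[:NONCE_LEN] + bytes([f.blob[NONCE_LEN] ^ 0x80]) + f.blob[NONCE_LEN + 1:]
    return {
        "same_group": ingress(f, line1_only) == MODBUS_READ,
        "cross_group_blocked": egress("10.1.1.10", "10.1.2.10", MODBUS_READ) is None,
        "other_group_appliance": ingress(f, line2_only),
        "tampered": ingress(Frame(f.src, f.dst, flipped), line1_only),
        "plaintext_on_wire": MODBUS_READ in f.blob,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the PLC and HMI never see any of this: they exchange the same 12-byte Modbus request as before, and only the two appliances in between know the group key. Because OT puts integrity above confidentiality, the tag check in `ingress` matters at least as much as the encryption: a frame an attacker injects or alters on a shared segment fails verification and is dropped rather than handed to the controller.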

Zero-Trust in OT environments with Certes

Zero Trust in OT is not simply the IT model copied into an industrial environment; it has to fit an environment in which devices cannot take agents or updates. Certes Networks implements Zero Trust principles through cryptographic segmentation, with no agents on the protected devices.

“Never trust, always verify” translates in a Certes environment into: every flow between segments must be authorized by policy and protected with the group key, devices can communicate only within their authorized cryptographic groups, traffic that arrives without a valid group key cannot be decrypted or verified and is therefore useless to the recipient, and all data flows are logged centrally. This is Zero Trust adapted to the reality of OT: no agents, no device modification, no risk of downtime. For more on security solutions for industrial networks, visit Ramsdata.

OT traffic visibility and monitoring

One of the biggest challenges in OT environments is the lack of visibility: operators often do not know which devices are on the network, which protocols they use, or what normal communication patterns look like. Certes Networks provides this visibility without installing agents, by passively analyzing network traffic.

The Certes monitoring system identifies OT devices from their network communication, maps the data flows between them and flags anomalies: unexpected connections, unknown protocols, unauthorized traffic between segments. This visibility is the foundation of a sound cryptographic segmentation policy. To define the right groups you first need to know who talks to whom on the OT network, and a baseline captured over at least one full production cycle is what separates a legitimate but infrequent flow (a periodic backup, a maintenance session) from an intrusion.
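As an added example of the baselining step described above (not Certes code; the flow records, the port-to-protocol table and the thresholds are constructed assumptions), the script below takes the kind of flow summary a passive sensor exports, separates established flows from ones that need review, derives candidate crypto groups as the connected components of the established-flow graph, and then reports which observed flows would cross those group boundaries. It goes slightly beyond the text in that the same output also catches a device that is in no group at all.

```python
from collections import defaultdict

# Assumed port-to-protocol table for the protocols this site expects to see.
OT_PROTOCOLS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}

# Constructed flow summary: (src, dst, dst_port, packets) over one observation window.
FLOWS = [
    ("10.1.1.20", "10.1.1.10", 502, 1200),  # HMI_A -> PLC_A, steady polling
    ("10.1.1.20", "10.1.1.11", 502, 1190),  # HMI_A -> PLC_A2
    ("10.1.2.20", "10.1.2.10", 502, 800),   # HMI_B -> PLC_B
    ("10.1.2.20", "10.1.2.10", 102, 400),   # HMI_B -> PLC_B, S7comm
    ("10.1.9.5", "10.1.2.10", 502, 3),      # unknown host touching PLC_B
    ("10.1.1.10", "10.1.2.10", 502, 2),     # PLC_A -> PLC_B, crosses lines
    ("10.1.1.20", "10.1.1.10", 22, 5),      # SSH to a PLC: not an OT protocol
]


def baseline(flows, min_packets=50):
    """Split flows into established ones and ones that need human review."""
    established, review = [], []
    for flow in flows:
        src, dst, port, packets = flow
        reasons = []
        if port not in OT_PROTOCOLS:
            reasons.append(f"non-OT protocol on port {port}")
        if packets < min_packets:
            reasons.append("rare flow")
        (review if reasons else established).append((flow, reasons))
    return established, review


def candidate_groups(established):
    """Connected components of the established-flow graph = starting crypto groups."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (src, dst, _, _), _ in established:
        parent[find(src)] = find(dst)
    groups = defaultdict(set)
    for dev in list(parent):
        groups[find(dev)].add(dev)
    return sorted(sorted(g) for g in groups.values())


def cross_group_flows(flows, groups):
    """Flows that would be blocked (or are from an unknown device) under `groups`."""
    member = {dev: i for i, g in enumerate(groups) for dev in g}
    hits = []
    for src, dst, port, _ in flows:
        if src not in member or dst not in member:
            hits.append((src, dst, port, "device outside every group"))
        elif member[src] != member[dst]:
            hits.append((src, dst, port, "crosses group boundary"))
    return hits


def report(flows=FLOWS):
    established, review = baseline(flows)
    groups = candidate_groups(established)
    return {
        "groups": groups,
        "review": [(f[:3], reasons) for f, reasons in review],
        "cross_group": cross_group_flows(flows, groups),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key)
        for item in value:
            print("  ", item)
```

The SSH flow is instructive: it stays inside the proposed line1 group, so cryptographic segmentation alone would carry it encrypted and unchallenged. It is the protocol check in `baseline`, not the group boundary, that surfaces it, which is why the visibility layer and the segmentation layer are complementary rather than interchangeable.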

Use cases – energy, manufacturing, critical infrastructure

Energy and utilities is a sector where OT security is critical to public safety. The SCADA systems that control power distribution, water treatment plants or gas networks must be isolated from IT networks and external threats. Certes Networks is deployed by critical infrastructure operators to segment power substations and dispatch centers.

Industrial manufacturing requires segmentation between production lines (so that an attack on one line does not spread to the others), between the OT and IT networks, and between zones used by different vendors (where external service providers have access to the OT network). Certes cryptographic segmentation gives granular control over this access without reconfiguring the whole network. Transportation infrastructure (rail, aviation, ports) is another sector where Certes Networks is deployed to protect traffic control systems and other critical infrastructure.

Key findings

  • OT networks have the reverse of IT security priorities: availability comes absolutely first.
  • Agents and updates are usually impossible on OT devices, and a perimeter firewall alone does not cover traffic inside the OT network.
  • Certes cryptographic segmentation isolates segments by encrypting traffic, not through network mechanisms.
  • Deployment is transparent to OT devices: no modifications and no downtime are required.
  • Cryptographic groups define who can communicate with whom and exchange readable data.
  • Certes provides OT network visibility without agents and Zero Trust without device modifications.

FAQ

Does Certes cryptographic segmentation affect OT network latency? Yes, but minimally. Dedicated cryptographic hardware in the CNPs keeps the added latency typically below 1 ms, which is acceptable for most OT protocols. For protocols with tight timing requirements, measure the added latency and jitter on the real traffic in a pilot before cutting over production.

How does Certes deal with OT protocols (Modbus, DNP3)? Certes encrypts traffic transparently at the network level and does not interpret the OT protocol contents. Devices keep talking Modbus, DNP3 and so on, and the CNP encrypts those transmissions without modifying them. The flip side is that a CNP does not inspect commands: a malicious Modbus write from an authorized device inside the same group passes through encrypted like any other, so protocol-aware monitoring is still needed within a group.

Does a Certes deployment require an OT network outage? Inline CNP deployment may require a short maintenance window (minutes) for the physical installation. Subsequent changes to cryptographic policies are applied without downtime.

How are cryptographic keys managed in a Certes environment? Keys are managed centrally in Certes CipherTrust Manager or Certes CipherPoint and rotated automatically according to policy, without any interaction with the OT devices.

Summary

Certes Networks’ cryptographic segmentation is an approach to OT security that respects the realities of industrial environments: the need for availability, the impossibility of modifying devices, and the determinism of their communication. Transparent inline deployment without downtime, Zero Trust without agents and full OT network visibility together make a practical solution for sectors where other approaches fail. Contact Certes Networks partner Ramsdata to discuss implementing cryptographic segmentation in your industrial network.
