Secure-by-design Networks
Updated: Mar 14
Security by design refers to the integration of security and risk management into the structure of a network, achieved through the implementation of segmentation and Agile infrastructure design.
Essentially, security measures are incorporated from the outset to ensure the network is secure from the ground up. Creating a secure environment for sensitive information is essential, as such data often needs to be moved, stored and accessed, making it vulnerable to cyber-attacks. If these systems are breached, the consequences can be significant and costly.
The following is a collection of guidelines that can assist in developing a secure-by-design network and systems that are resistant to cyber-attacks while simultaneously being simple to manage and upgrade.
Secure Design Principles
The aim of these principles is to guarantee that the networks and technologies which support modern enterprise and industrial systems are designed and built with a clear emphasis on security. The principles have been conceived to be applied to both digital and cyber-physical systems. They are divided into five categories that correspond to different stages at which a security breach can be mitigated:
Determine the Context: Define all the elements which compose your system, so your defensive measures will have no blind spots.
Make Compromise Difficult: An attacker can only target the parts of a system they can reach; those reachable parts are the attack surface. Make your system as small and as difficult to access as possible.
Make Disruption Difficult: Design a system that is resilient to denial-of-service attacks and usage spikes.
Make Threat Detection Easy: Design your system so you can spot suspicious activity as it happens and take necessary action.
Reduce the Impact: If an attacker eventually gains a foothold, they will move on to exploit your system. Make sure that what they find is not easy to compromise, and that if they do compromise it, your assets and data are safeguarded and backed up.

Secure Network Design Process
The design of a secure data network is based on the following assumptions about the business and its teams:
There is a limited IT workforce and no dedicated security personnel.
The OT team is not much involved in IT and security systems/decisions.
The IT team primarily serves non-technical personnel.
The budget for security, and IT in general, is restricted or non-existent.
There is insufficient time to train numerous users on new procedures.
However, there is a strong need for making the users, operations and business data secure.
The most significant challenge faced by small and medium-sized companies in terms of security is that their networks and systems cannot be secured by a single standard solution. Due to limited personnel and budget, these businesses cannot afford to hire a security team, and they may not be aware of all the potential threats they face. This awareness gap, coupled with the fear of malicious hackers and the understanding that there is no external assistance available, makes the attractive-sounding, "black box" solutions from vendors more appealing than many would care to admit.
Nevertheless, a simple security-by-design approach would help to prevent most threats. What is crucial is to establish grounded, achievable security and availability goals, so that risk becomes manageable.
Key goals must include:
Protect high-value assets
Reduce the internal attack surface
Limit access to unpatched or vulnerable devices
Few/no visible changes to end-users
The initial step for a secure-by-design network is to gain an understanding of the assets in your communications infrastructure. You can't secure what you don't see, so it is impossible to safeguard assets that have not been properly identified and characterised. As the objective is to secure the network, crucial information required will be:
Current Network Architecture and Integrations.
Servers: Applications or Server roles, OS Versions, Open Ports.
Clients: OS Versions, Number of Clients, Connection Locations.
Networking Equipment: Management IP Addresses, Software/Hardware/Firmware versions, licensing/warranty information.
OT Systems: PLCs, SCADA, MES and other Industrial Control Systems.
Connected (or to-be-Connected) Devices: Field Assets such as CNC Machinery, Robots, EAVs, Cranes, Conveyor Belts, Environmental Sensors, IP Cameras, CCTVs, Automated Access Systems, and Mobile Devices.
It is not surprising that numerous small and medium-sized companies adopt flat network architectures, as they facilitate plug-and-play operations. In a flat network, any device connected to the network can communicate with any other device without restriction. While this approach benefits functionality, it poses security challenges. To address this risk, it is key to restrict open communication without disrupting network operations. With the right configuration of the network hardware and software, it is possible to:
Create Virtual Local Area Networks (VLANs) to segment the network.
Create Access Control Lists (ACLs) that will control what parts of the network can talk to what other parts of the network.
Reduce the attack surfaces of the network.
Virtual Local Area Networks (VLANs)
If a port is not designated as a trunk port, it can only transmit data for the VLAN it is assigned to. A trunk port encapsulates and tags VLAN traffic with the originating VLAN number, so the device at the other end of the link knows which VLAN each frame belongs to. VLANs behave as distinct networks running on separate hardware: traffic from one VLAN will only ever reach another VLAN through a router.
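To make the tagging concrete, here is an added example (not code from the original article) that builds a constructed Ethernet frame, tags it with an 802.1Q header the way a trunk port would, parses the VLAN number back out, and applies a simplified ingress rule for access and trunk ports. The frame contents and the port model are assumptions for illustration; in particular, native-VLAN handling on trunks is left out.

```python
"""Build and parse 802.1Q-tagged Ethernet frames (added example, not from the article)."""
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks a single 802.1Q tag

# Constructed sample addresses for the demonstration frames
DST_BROADCAST = bytes.fromhex("ffffffffffff")
SRC_HOST = bytes.fromhex("001122334455")
IPV4_ETHERTYPE = 0x0800


def build_tagged_frame(dst, src, vlan_id, ethertype, payload, pcp=0, dei=0):
    """Insert an 802.1Q tag (TPID + TCI) between the MAC addresses and the EtherType."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    # TCI layout: 3 bits priority (PCP), 1 bit drop eligible (DEI), 12 bits VLAN ID
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id, ethertype, payload). vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]          # untagged: EtherType follows the MACs
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]     # low 12 bits of the TCI are the VLAN ID


def ingress_vlan(frame, port_mode, access_vlan=None, allowed_vlans=()):
    """Simplified switch-port ingress model (assumption, not any vendor's exact behaviour).

    access port: untagged frames join the port's access VLAN, tagged frames are dropped.
    trunk port:  only frames tagged with an allowed VLAN are accepted.
    Returns the VLAN the frame is placed in, or None if it is dropped.
    """
    vlan_id, _, _ = parse_frame(frame)
    if port_mode == "access":
        return access_vlan if vlan_id is None else None
    if port_mode == "trunk":
        return vlan_id if vlan_id in allowed_vlans else None
    raise ValueError("unknown port mode: %r" % port_mode)


def demo():
    """Show an OT frame on VLAN 30 crossing a trunk that only allows VLANs 10 and 20."""
    ot_frame = build_tagged_frame(DST_BROADCAST, SRC_HOST, 30, IPV4_ETHERTYPE, b"\x45\x00")
    return {
        "parsed_vlan": parse_frame(ot_frame)[0],
        "on_trunk_10_20": ingress_vlan(ot_frame, "trunk", allowed_vlans=(10, 20)),
        "on_trunk_10_30": ingress_vlan(ot_frame, "trunk", allowed_vlans=(10, 30)),
    }


if __name__ == "__main__":
    print(demo())
```

The trunk's allowed-VLAN list is where segmentation is enforced at layer 2: a VLAN that is not allowed on a trunk simply never leaves the switch, which is why pruning unused VLANs from trunks is part of reducing the attack surface.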
Access Control Lists (ACLs)
An ACL is simply a rules-based firewall that checks outgoing or incoming packets. When a packet is being processed, the check begins with the first rule in the ACL and proceeds down the list, stopping at the first rule that matches the packet.
Network Segmentation
Effective network segmentation is likely the most cost-effective security measure in any setting. Aggressive traffic control within your network restricts an attacker's ability to move laterally without being noticed. If attackers are unaware of the traffic restrictions, they may raise red flags while attempting to work them out.
The following phased deployment will have no impact on the function of the network:
Segmentation of the network (no/minimal filtering). Segmenting the network enhances security for devices that are typically less secure, such as older or unpatched machines in the environment. Additionally, network segmentation can help prevent attackers from tampering with the network infrastructure. Managing wireless networks can be a challenging task, requiring careful planning and consideration of various factors. However, you can separate the Wi-Fi from the rest of the network as soon as possible. Both guests and employees will use the same wireless network, secured with standard measures such as WPA2-PSK, AES, and a 12-character password displayed prominently in the reception area.
Monitoring and analysing traffic to high-value or vulnerable assets. By segmenting the network into VLANs, you have effectively created distinct networks. This setup creates a convenient traffic bottleneck at the router, which can be used to monitor network activity. If the switch supports port mirroring, which copies traffic from one interface to another for analysis, you have optimal visibility of the data flows. Alternatively, you can opt for a switch that can mirror the traffic of a specific VLAN. If neither has any mirroring capability, a monitoring device will need to be placed between the switch and the router to capture and analyse traffic.
Implementing ACLs/firewalls to restrict unnecessary traffic. When designing and deploying ACLs, an alias stands in for a set of rules, addresses or protocols. Use aliases as shorthand so the same addresses do not have to be written out in several places. Additionally, ML-powered, cloud-based network security leverages inline deep learning to stop unknown zero-day attacks. NGFWs make network security intelligent and proactive, so it is always a good idea to find a vendor to implement them.
Harden the network.
There is a long list of things that can be done in the interest of generally hardening the network infrastructure. We are going to focus on the things that align with what we have already done.
Most of our hardening is a matter of reducing the attack surface of the network components. Luckily, we've built a huge component of that into our CLIENTS ACL in the previous section. This protects the network infrastructure from software vulnerabilities it may have that would otherwise allow an attacker to change the configuration of your infrastructure.
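The first-match ACL behaviour described in the ACLs section, the aliases used as shorthand for address groups, and the idea of auditing mirrored traffic before restrictive rules go live can all be demonstrated together. The following is an added example, not the article's code or any vendor's ACL syntax: a small evaluator that walks rules top to bottom and stops at the first match, applies an implicit deny when nothing matches (the assumed default of most router ACLs), and reports which observed flows a proposed ACL would block before it is deployed. The rule set named CLIENTS_ACL, the address ranges in the aliases and the flow records are all constructed assumptions; the article refers to a CLIENTS ACL but does not show its contents.

```python
"""First-match ACL evaluator with aliases and a pre-deployment flow audit (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Aliases: shorthand for address groups, so the same ranges are not repeated in every rule.
# All ranges are constructed for this example.
ALIASES = {
    "CLIENTS": [ip_network("10.10.0.0/24")],
    "SERVERS": [ip_network("10.20.0.0/24")],
    "OT":      [ip_network("10.30.0.0/24")],   # PLCs, SCADA and other control systems
    "MGMT":    [ip_network("10.99.0.0/24")],   # management addresses of switches and routers
}


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # alias name or "any"
    dst: str                  # alias name or "any"
    proto: str                # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _in_alias(addr: str, alias: str) -> bool:
    if alias == "any":
        return True
    ip = ip_address(addr)
    return any(ip in net for net in ALIASES[alias])


def _matches(rule: Rule, flow: Flow) -> bool:
    return (_in_alias(flow.src, rule.src)
            and _in_alias(flow.dst, rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(acl, flow):
    """Walk the ACL top to bottom; the first matching rule decides.

    Returns (action, index). Index -1 marks the implicit deny reached when no
    rule matches, which is assumed here as the default behaviour.
    """
    for i, rule in enumerate(acl):
        if _matches(rule, flow):
            return rule.action, i
    return "deny", -1


def audit(acl, flows):
    """Return the observed flows that the ACL would deny, for review before deployment."""
    return [f for f in flows if evaluate(acl, f)[0] == "deny"]


# Proposed rule set for the client VLAN (constructed; order matters because of first-match).
CLIENTS_ACL = [
    Rule("permit", "CLIENTS", "SERVERS", "tcp", 443),
    Rule("permit", "CLIENTS", "SERVERS", "udp", 53),
    Rule("deny",   "CLIENTS", "MGMT",    "any"),      # clients never touch switch/router management
    Rule("deny",   "CLIENTS", "OT",      "any"),      # clients never reach the OT VLAN
    Rule("permit", "CLIENTS", "any",     "any"),      # everything else (e.g. internet) still works
]

# Constructed flow records standing in for what a mirrored port or inline monitor captured.
OBSERVED = [
    Flow("10.10.0.15", "10.20.0.5",   "tcp", 443),  # client to internal web server
    Flow("10.10.0.15", "10.99.0.1",   "tcp", 22),   # client reaching a switch's management address
    Flow("10.10.0.22", "10.30.0.7",   "tcp", 502),  # client talking Modbus/TCP to a PLC
    Flow("10.10.0.22", "203.0.113.5", "udp", 53),   # client DNS to an external resolver
]


if __name__ == "__main__":
    for flow in OBSERVED:
        print(flow, "->", evaluate(CLIENTS_ACL, flow))
    print("would be blocked:", audit(CLIENTS_ACL, OBSERVED))
```

Running the audit against captured flows turns the "phased deployment with no impact" promise into something checkable: any legitimate flow that shows up in the blocked list is either a missing permit rule or a host that has no business talking to that segment, and both are worth knowing before the ACL is applied.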
Business Resilience Creation
Security is much more than just malware prevention. Designing a comprehensive, resilient network with industrial-grade systems (long-range connectivity, routers, repeaters, and network configurations and topologies built for industrial purposes) and proper backup and recovery solutions will safeguard your data and assets in any case, at any time. Learn more about business resilience in the next video.