Network Segmentation
Network segmentation is one of the most critical security controls for protecting energy infrastructure. ISO 27019 emphasizes defense-in-depth through proper network architecture and zone separation.
The Purdue Model for Energy
Traditional Levels
The standard reference architecture for industrial control systems:
Level 4 - Enterprise Network
- Corporate IT systems
- Business applications (ERP, email)
- Internet connectivity
- Standard IT security controls apply
Level 3.5 - Industrial DMZ (Demilitarized Zone)
- Data exchange between IT and OT
- Historians for operations data
- Reporting and business intelligence
- Strict access controls both directions
Level 3 - Site Operations
- Plant-level systems
- Manufacturing execution systems (MES)
- Asset management applications
- Engineering workstations
Level 2 - Control Systems
- SCADA servers
- DCS controllers
- HMI workstations
- Supervisory control
Level 1 - Basic Control
- PLCs and RTUs
- Intelligent devices
- Local control loops
Level 0 - Process
- Sensors and actuators
- Physical equipment
- Measurement devices
Segmentation Strategies
Vertical Segmentation (Between Levels)
Separate IT from OT with controlled pathways:
Air Gap
Complete physical separation:
- Advantages: Maximum security; no network path exists for remote attacks
- Disadvantages: Operational inefficiency, data transfer challenges
- Use Cases: Safety systems, critical control systems
- Data Transfer: Removable media, unidirectional gateways
Unidirectional Gateways (Data Diodes)
Hardware-enforced one-way communication:
- Technology: Physical hardware allows data out, prevents data in
- Use Case: OT data to IT for monitoring and reporting
- Limitation: No remote control or bidirectional communication
- Benefit: Protects OT from IT network compromises
Firewalls with DMZ
Controlled bidirectional communication:
- Architecture: Dual firewalls with DMZ in between
- Rules: Whitelist-only (deny all, permit specific)
- Inspection: Deep packet inspection for allowed protocols
- Monitoring: Comprehensive logging of all cross-zone traffic
Horizontal Segmentation (Within Levels)
Separate different operational areas:
By Functional Area
- Generation systems separate from transmission
- Substation A network isolated from Substation B
- Control systems separate from safety systems
- Each area operates independently
By Criticality
- Critical systems in most protected zones
- Non-critical systems with less restrictive controls
- Safety systems with highest protection
- Guest and vendor networks completely separate
ISO 27019 Segmentation Requirements
Conduit and Zone Model
Zones
Groupings of assets with similar security requirements:
- Enterprise Zone: Business systems
- DMZ Zone: Data exchange
- Control Zone: SCADA and DCS
- Safety Zone: Emergency shutdown systems
- Field Zone: PLCs and field devices
Conduits
Controlled communication paths between zones:
- Explicitly defined and documented
- Specific protocols only
- Monitored and logged
- Protected with appropriate technology
Security Levels Per Zone
| Zone | Security Level | Controls |
|---|---|---|
| Safety Systems | Highest | Air gap, unidirectional only, strict physical security |
| Control Systems | High | Firewalls, limited protocols, MFA for access |
| Operations | Medium-High | Network segmentation, access controls, monitoring |
| DMZ | Medium | Dual firewalls, data sanitization, logging |
| Enterprise | Standard | Standard IT security controls |
Implementation Technologies
Firewalls for OT
OT firewalls have different requirements from IT firewalls:
Stateful Inspection
- Understand OT protocols (DNP3, Modbus, IEC 61850)
- Protocol validation and filtering
- Anomaly detection for control commands
- Minimal latency for real-time communications
Application-Layer Firewalls
- Deep packet inspection of OT protocols
- Validate command sequences
- Block malformed packets
- Filter based on function codes
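As an added example (not code from the original lesson), the following Python inspector shows what "validate the frame, block malformed packets and filter on function codes" looks like for a Modbus/TCP request entering the control zone: it checks the MBAP header for consistency and permits only read-class function codes, blocking writes. The sample frames are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet

# Standard Modbus public function codes; only the read class is permitted on this conduit.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class Verdict:
    action: str             # "allow" or "block"
    reason: str
    function_code: int = -1  # -1 when the frame was rejected before the PDU was read

def inspect_modbus_request(frame: bytes,
                           allowed: FrozenSet[int] = frozenset(READ_FUNCTIONS)) -> Verdict:
    """Validate a Modbus/TCP request and enforce a function-code allowlist.
    MBAP header: transaction id (2), protocol id (2), length (2), unit id (1);
    the PDU that follows starts with the function code."""
    if len(frame) < 8:
        return Verdict("block", "frame shorter than MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return Verdict("block", f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts unit id plus PDU, so a valid frame is exactly 6 + length bytes.
    if length != len(frame) - 6:
        return Verdict("block", f"length field {length} does not match frame size {len(frame)}")
    if length > 254:   # PDU is limited to 253 bytes, plus one byte of unit id
        return Verdict("block", "length field exceeds the Modbus maximum")
    fc = frame[7]
    if fc & 0x80:      # the exception bit only appears in responses, never in a request
        return Verdict("block", "exception bit set in a request frame", fc)
    if fc in allowed:
        return Verdict("allow", READ_FUNCTIONS.get(fc, f"function {fc}"), fc)
    name = WRITE_FUNCTIONS.get(fc, f"function code {fc}")
    return Verdict("block", f"{name} is not permitted through this conduit", fc)

# Constructed sample frames (not captured traffic): tid, proto, length, unit, fc, data.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00ff".replace(" ", ""))
BAD_LENGTH   = bytes.fromhex("0003 0000 0010 01 03 0000 000a".replace(" ", ""))
NOT_MODBUS   = bytes.fromhex("0004 0001 0006 01 03 0000 000a".replace(" ", ""))

if __name__ == "__main__":
    for f in (READ_HOLDING, WRITE_SINGLE, BAD_LENGTH, NOT_MODBUS):
        print(inspect_modbus_request(f))
```

A production OT firewall would apply the same check per conduit and direction, with a separate allowlist for the response path.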
Recommended Features
- OT protocol awareness
- High availability (redundant pairs)
- Fail-open or fail-closed configuration options
- Passive monitoring modes
- Minimal performance impact
VLANs (Virtual LANs)
Logical segmentation on shared physical infrastructure:
- Advantages: Cost-effective, flexible
- Limitations: Relies on proper configuration, vulnerable to switch compromise
- Use Cases: Segmentation within trusted zones
- Caution: Not sufficient as sole control between IT and OT
Micro-Segmentation
Granular segmentation within zones:
- Isolate individual devices or small groups
- Zero-trust model within control networks
- Requires modern network infrastructure
- Reduces lateral movement for attackers
Network Architecture Patterns
Screened Subnet Architecture
Two-firewall design with DMZ:
Enterprise Network → Firewall 1 → DMZ Zone → Firewall 2 → Control Network
- OT data flows to DMZ historians
- Enterprise can query historians
- No direct access to control systems
- Additional inspection at both boundaries
Defense-in-Depth Layers
Layer 1: Perimeter
- Internet firewalls
- Remote access gateways
- Email and web filtering
Layer 2: IT/OT Boundary
- Unidirectional gateways
- Industrial DMZ
- Deep packet inspection
Layer 3: Control Network
- Segmented control zones
- Internal firewalls
- Network access control (802.1X)
Layer 4: Device Level
- Host-based firewalls
- Application whitelisting
- Endpoint protection
Remote Access Architecture
Jump Box Design
Secure remote access through an intermediary host:
- Remote users connect to jump box only
- Jump box connects to control systems
- All activity monitored and recorded
- Jump box hardened and regularly updated
VPN Segmentation
Separate VPN infrastructure for OT:
- Dedicated VPN concentrators for OT access
- Different authentication (higher requirements)
- Limited to specific source IP addresses
- Time-based access restrictions
Monitoring and Visibility
Network Traffic Analysis
Continuous monitoring of segmentation effectiveness:
- Baseline normal communication patterns
- Alert on unexpected cross-zone traffic
- Detect lateral movement attempts
- Identify policy violations
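As an added example (not from the original lesson), this Python check maps flow records to the zones of the screened-subnet pattern above and alerts on any cross-zone flow that is not a documented conduit, which is the "deny all, permit specific" baseline applied to monitoring. The zone address ranges, conduit ports and flow log lines are all constructed for illustration.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed zone map for the screened-subnet pattern (addresses are illustrative).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":        ipaddress.ip_network("10.2.0.0/24"),
    "control":    ipaddress.ip_network("10.3.0.0/16"),
}

# Documented conduits: (source zone, destination zone, protocol, destination port).
# Anything cross-zone that is not listed here is a policy violation.
CONDUITS = {
    ("control", "dmz", "tcp", 8443),    # OT data pushed to the DMZ historian (assumed port)
    ("enterprise", "dmz", "tcp", 443),  # enterprise reporting queries against the historian
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate_flow(line: str) -> Tuple[str, str]:
    """Classify one flow record as allowed, intra-zone, violation or unparsed."""
    m = FLOW_RE.search(line)
    if not m:
        return "unparsed", line.strip()
    src, dst, proto, dport = m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "violation", f"{src}->{dst}: address outside every defined zone"
    if sz == dz:
        return "intra-zone", f"{sz}: {src}->{dst} {proto}/{dport}"
    if (sz, dz, proto, dport) in CONDUITS:
        return "allowed", f"{sz}->{dz} {proto}/{dport}"
    return "violation", f"{sz}->{dz} {proto}/{dport} is not a documented conduit"

def find_violations(lines: List[str]) -> List[str]:
    return [detail for line in lines for verdict, detail in (evaluate_flow(line),)
            if verdict == "violation"]

SAMPLE_FLOWS = [  # constructed firewall flow records
    "2024-05-01T10:00:01Z src=10.3.0.10 dst=10.2.0.5 proto=tcp dport=8443",
    "2024-05-01T10:00:02Z src=10.1.0.7 dst=10.2.0.5 proto=tcp dport=443",
    "2024-05-01T10:00:03Z src=10.1.0.7 dst=10.3.0.10 proto=tcp dport=502",
    "2024-05-01T10:00:04Z src=10.2.0.5 dst=10.3.0.10 proto=tcp dport=502",
    "2024-05-01T10:00:05Z src=192.168.9.9 dst=10.3.0.10 proto=tcp dport=22",
]

if __name__ == "__main__":
    for detail in find_violations(SAMPLE_FLOWS):
        print("ALERT", detail)
```

Run this in monitoring mode first, as the implementation challenges below recommend, so that undocumented but legitimate flows are discovered and added as conduits before anything is blocked.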
Security Information and Event Management (SIEM)
Centralized logging and correlation:
- Firewall logs from all zones
- Switch and router logs
- Authentication events
- Correlate with IT security events
Common Implementation Challenges
Challenge: "We need IT access to all OT systems for monitoring"
Solution: Implement unidirectional gateways to push OT data to IT historians without allowing IT-to-OT connections
Challenge: "Our systems are all on one flat network"
Solution: Phased approach - start with critical assets, implement DMZ, gradually segment further
Challenge: "Segmentation breaks our operational workflows"
Solution: Document legitimate communication needs, implement conduits for approved paths, adjust workflows where necessary
Challenge: "We can't afford downtime to implement segmentation"
Solution: Plan segmentation during scheduled outages, use phased implementation, implement monitoring before blocking
Validation and Testing
Segmentation Testing
Regular verification of controls:
- Penetration testing from IT to OT
- Attempt unauthorized protocols
- Verify firewall rules are working
- Test fail-safe behaviors
- Document all conduits
Next Lesson: Securing remote access to operational technology systems.