An effective technique for enhancing security, network segmentation is a physical or virtual architectural approach dividing a network into multiple segments, each acting as its own subnet providing additional security and control. Creating boundaries between operational technology (OT) and information technology (IT) networks reduces many risks associated with the IT network, such as threats caused by phishing attacks. Segmentation limits access to devices, data, and applications and restricts communications between networks. Segmentation also separates and protects layers of the OT network to ensure that industrial and other critical processes operate as expected. Properly implemented demilitarized zones1 (DMZs) and firewalls can prevent a malicious actor’s attempts to gain access to high-value assets by protecting the network from unauthorized access. Firewalls can be configured to block traffic from network addresses, applications, or ports while allowing necessary data to pass. Policies and controls should also be used to monitor and regulate system access and the movement of traffic between zones.
CISA published an infographic to emphasize the importance of implementing network segmentation – a physical or virtual architectural approach that divides a network into multiple segments, each acting as its own subnet, to provide additional security and control that can help prevent or minimize the impact of a cyberattack.
CISA encourages network architects, advocates, and administrators to review the infographic, Overlay network security with segmentationand implement its recommendations to the extent possible.