An effective technique to strengthen security, network segmentation is a physical or virtual architectural approach dividing a network into multiple segments, each acting as its own subnetwork providing additional security and control. Creating boundaries between the operational technology (OT) and information technology (IT) networks reduces many risks associated with the IT network, such as threats caused by phishing attacks. Segmentation limits access to devices, data, and applications and restricts communications between networks. Segmentation also separates and protects OT network layers to ensure industrial and other critical processes function as intended. Properly implemented Demilitarized Zones1 (DMZs) and firewalls can prevent a malicious actor’s attempts to access high-value assets by shielding the network from unauthorized access. Firewalls can be configured to block traffic from network addresses, applications, or ports while allowing necessary data through. Policies and controls should also be used to monitor and regulate system access and the movement of traffic between zones.
CISA has published an infographic to emphasize the importance of implementing network segmentation—a physical or virtual architectural approach that divides a network into multiple segments, each acting as its own subnetwork, to provide additional security and control that can help prevent or minimize the impact of a cyberattack.
CISA encourages network architects, defenders, and administrators to review the infographic, Layering Network Security Through Segmentation, and implement its recommendations where possible.