In response to the growing number of cyberattacks on critical infrastructure entities, the Department of Homeland Security (DHS) issued security directives in May 2021 and July 2021 for critical pipeline owners and operators.
The first directive requires owners and operators to report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), designate a cybersecurity coordinator, and prepare reports on cybersecurity risks and mitigation procedures for CISA and the Transportation Security Administration, which works closely with CISA on pipeline security issues.
The second directive takes security a step further, mandating implementation of specific cyberthreat mitigation measures, development of cybersecurity contingency and recovery plans, and cybersecurity architecture reviews.
That task list probably leaves many pipeline owners and operators feeling overwhelmed and perhaps even confused about where to start. Network segmentation offers a focal point.
Segmentation is a critical part of cybersecurity. DHS guidance emphasizes the importance of segmenting operators’ operational technology (OT) networks from information technology (IT) networks. The ISA99 standard, which covers security for industrial automation and control systems, also treats segmentation as fundamental and defines a specific set of requirements for it. These requirements are described in SR 5.1, which states that “the control system shall provide the capability to logically segment control system networks from non-control system networks and to logically segment critical control system networks from other control system networks.”
Recent headlines have been filled with stories illustrating why segmentation is so important. But how should operators approach segmentation in the context of their overall security and business strategies?