Data Diodes Offer Practical Way To Improve Pipeline Cybersecurity
By Brian Romansky
In response to the growing number of cyberattacks on critical infrastructure entities, the Department of Homeland Security (DHS) issued security directives in May 2021 and July 2021 for critical pipeline owners and operators.
The first directive requires owners and operators to report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), designate a cybersecurity coordinator, and prepare reports on cybersecurity risks and mitigation procedures for CISA and the Transportation Security Administration, which works closely with CISA on pipeline security issues.
The second directive takes security a step further, mandating implementation of specific cyberthreat mitigation measures, development of cybersecurity contingency and recovery plans, and cybersecurity architecture reviews.
That task list probably leaves many pipeline owners and operators feeling overwhelmed and perhaps even confused about where to start. Network segmentation offers a focal point.
Segmentation is a critical part of cybersecurity. DHS guidance emphasizes the importance of segmenting operators’ operational technology (OT) networks from information technology (IT) networks. The ISA99 standard, which covers security for industrial automation and control systems, also considers segmentation fundamental and has developed a specific set of requirements for it. These requirements are described in SR 5.1, which states that “the control system shall provide the capability to logically segment control system networks from non-control system networks and to logically segment critical control system networks from other control system networks.”
Recent headlines have been filled with stories illustrating why segmentation is so important. But how should operators approach segmentation in the context of their overall security and business strategies?
Best Practices for Segmenting IT/OT
In the past, operators could avoid many threats by keeping critical OT networks air-gapped, meaning there was no connectivity between OT and IT networks. But with modern demands to interconnect business systems so information can be gathered and analyzed efficiently, the industry has had to move away from the air gap model. The challenge lies in enabling connectivity without compromising security.
There are two problems to be solved: segmenting OT networks from IT networks, and segmenting OT networks of higher security significance, such as safety systems, from lower-security OT networks.
Some data needs to be shared between segmented networks for business reasons—for example, from OT to IT, or from a safety system to a basic control system. The key is making sure it’s done without creating a two-way path through which malicious code can flow from a lower-security network into a higher-security network.
Many providers in the nuclear and electric industries solved this problem long ago by implementing hardware security mechanisms known as data diodes, which are integral to secure OT network segmentation. Data diode technology overcomes the risks inherent in software-based security solutions by limiting data transfer to one-way flows using hardware components that are incapable of transmitting data in the wrong direction. CISA’s guidance for pipeline operators and other critical infrastructure organizations supports diodes’ use. In fact, the agency specifically recommends the technology in “Seven Steps to Effectively Defend Industrial Control Systems.”
Using data diodes to create unidirectional OT-to-IT data flows, operators can carefully segment OT network traffic so that only business-critical data is shared out, and no other traffic (including anything harmful) can flow back into the OT networks.
This model brings OT infrastructure as close as possible to being air-gapped, while still allowing for improved analytics, maintenance, financial forecasting and other functional benefits that are achieved through IT solutions. Plant data can even be connected to public cloud-based systems.
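Because the diode hardware passes nothing back toward the OT side, protocols that depend on acknowledgements (TCP, for instance) cannot be used across it as-is; the OT-side sender has to assume it will never hear from the receiver. The following is an added illustration of what that means for the software on each side. It is not code from this article or from any vendor's product: the hardware link is stood in for by an in-memory list, the records are constructed JSON readings, and the frame format, the HMAC key and the hypothetical `DiodeSender`/`DiodeReceiver` classes are assumptions made for the example. The sender numbers and authenticates every frame and simply sends each one more than once, since it cannot retransmit on request; the receiver discards duplicates, rejects frames that fail authentication, and records sequence numbers that never arrived, which is the most it can do given that no request for a resend can flow back into the OT network.

```python
"""One-way (data diode style) transfer of OT readings to an IT-side collector.

The link carries frames in one direction only, so the sender never sees
acknowledgements. It therefore numbers every frame, authenticates it with a
keyed MAC and sends each frame more than once; the receiver drops duplicates,
rejects damaged frames and records any sequence numbers that never arrived,
since it has no way to ask for a resend.
"""
import hashlib
import hmac
import json
import struct

MAGIC = b"DIOD"
HEADER = struct.Struct("!4sIH")          # magic, sequence number, payload length
MAC_LEN = hashlib.sha256().digest_size   # 32 bytes
# Constructed demo key; a real deployment provisions a key on both sides.
MAC_KEY = b"constructed-demo-key-replace-me"


def build_frame(seq, payload):
    """Serialise one frame: header || payload || HMAC(header || payload)."""
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()


def parse_frame(frame):
    """Return (seq, payload) for a well-formed, authentic frame, else None."""
    if len(frame) < HEADER.size + MAC_LEN:
        return None
    magic, seq, length = HEADER.unpack_from(frame)
    if magic != MAGIC or len(frame) != HEADER.size + length + MAC_LEN:
        return None
    body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha256).digest(), tag):
        return None
    return seq, body[HEADER.size:]


class DiodeSender:
    """OT-side sender (hypothetical). It only writes to the channel, never reads."""

    def __init__(self, channel, repeat=2):
        self.channel = channel      # write-only callable, e.g. a UDP sendto
        self.repeat = repeat        # redundancy stands in for retransmission
        self.seq = 0

    def send(self, record):
        payload = json.dumps(record, separators=(",", ":")).encode()
        frame = build_frame(self.seq, payload)
        for _ in range(self.repeat):
            self.channel(frame)
        self.seq += 1


class DiodeReceiver:
    """IT-side receiver (hypothetical). Holds no reference to the sender."""

    def __init__(self):
        self.expected = 0
        self.records = []
        self.missing = []        # sequence numbers that never arrived
        self.duplicates = 0
        self.rejected = 0

    def receive(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            self.rejected += 1   # malformed or failed authentication
            return
        seq, payload = parsed
        if seq < self.expected:
            self.duplicates += 1  # redundant copy of a frame already accepted
            return
        if seq > self.expected:
            # Loss is detected but cannot be repaired: nothing flows back to OT.
            self.missing.extend(range(self.expected, seq))
        self.records.append(json.loads(payload))
        self.expected = seq + 1


def simulate(readings, drop=(), corrupt=()):
    """Push readings through a lossy one-way channel; return the receiver."""
    transmitted = []
    sender = DiodeSender(transmitted.append)
    for reading in readings:
        sender.send(reading)
    receiver = DiodeReceiver()
    for index, frame in enumerate(transmitted):
        if index in drop:
            continue                                   # frame lost in transit
        if index in corrupt:                           # flip first payload byte
            pos = HEADER.size
            frame = frame[:pos] + bytes([frame[pos] ^ 0xFF]) + frame[pos + 1:]
        receiver.receive(frame)
    return receiver


# Constructed sample readings from a pipeline segment's historian.
SAMPLE_READINGS = [
    {"tag": "PT-101", "psi": 812.4},
    {"tag": "PT-101", "psi": 813.0},
    {"tag": "FT-202", "bbl_h": 4410},
    {"tag": "PT-101", "psi": 811.7},
    {"tag": "FT-202", "bbl_h": 4398},
]

if __name__ == "__main__":
    # Both copies of reading 1 are lost and the first copy of reading 4 is damaged.
    rx = simulate(SAMPLE_READINGS, drop={2, 3}, corrupt={8})
    print("delivered:", len(rx.records), "missing:", rx.missing,
          "rejected:", rx.rejected, "duplicates:", rx.duplicates)
```

Run as a script, the simulation delivers four of the five readings: the duplicate copy carries reading 4 through despite the damaged first copy, while reading 1, lost in both copies, is reported as missing rather than silently absent. The MAC gives the IT side a way to tell the OT sender's frames from anything else that arrives on the collector port; the sequence number lets operators monitor loss on the link, which is the only feedback signal available once there is no return path.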
Overcoming Patching Limitations
Patch management is a significant challenge for pipeline operators. In a best-case scenario, every operator would have a thorough, consistent patch management program in place, with visibility into all versions of all software used to manage their OT assets. In reality, many operators struggle to manage their broad and constantly shifting portfolios, and are often unwilling or unable to shut down critical systems to apply necessary patches.
As a further complication, operators frequently customize generic software programs, reducing the value of vendor-provided patches. In fact, applying a vendor-provided patch to customized code can result in a disruption that forces OT systems to be shut down.
Network segmentation using data diodes provides an extra layer of security when OT software is out of date. When OT assets are protected from external threats by hardware-enforced security technology, they are much less likely to fall victim to zero-day exploits or other attacks. Data diodes can help bridge the gap between when vulnerabilities are identified and when patches can be deployed.
A Path Forward
The new DHS directives for pipeline security impose a short timeline for operators to implement fixes that are essential to protecting our critical infrastructure. As a nation, we cannot afford disruption to the availability of vital resources.
We saw how cyberattacks can affect our economy and logistics when the Colonial Pipeline shutdown disrupted life along much of the eastern seaboard. It’s time to take pipeline infrastructure protections to an exponentially higher level, and DHS has made that official. Data diodes and other hardware-based security technologies offer a viable solution that will help operators meet the new mandates and protect assets essential to national security.
BRIAN ROMANSKY is the chief innovation officer for Owl Cyber Defense. He has more than 25 years of experience in security technology and innovation in automotive security, payment systems, healthcare and logistics. While working at Escrypt, he served as a product manager and technical expert for the U.S. Department of Transportation initiative related to security credential management systems (SCMS) for vehicle-to-everything communication. His other past roles include senior director of corporate innovation at Pitney Bowes. Romansky is an inventor on 25 U.S. patents.