Network Segmentation

Network segmentation requires physically or logically separating IT and OT networks through firewalls, VLANs, or air gaps. Define network boundaries, implement access controls between segments, and monitor cross-segment traffic. This C2M2 requirement applies to energy sector organizations operating both IT and OT systems.

Key takeaways:

  • Separate IT and OT networks through physical or logical controls
  • Define and document all network boundaries and interconnection points
  • Implement and monitor access controls between network segments
  • Maintain current network diagrams showing segmentation architecture
  • Test segmentation effectiveness quarterly through penetration testing

Network segmentation forms the foundation of cybersecurity architecture for organizations operating both Information Technology (IT) and Operational Technology (OT) environments. The C2M2 model specifically calls for organizations to define and enforce network boundaries between IT and OT environments through network segmentation (C2M2 v2.1 ARCHITECTURE-1.B).

For energy sector organizations and critical infrastructure operators, this requirement addresses the fundamental risk of lateral movement between corporate IT systems and industrial control systems. A compromised email server should never provide a pathway to power generation controls. Yet without proper segmentation, attackers routinely pivot from business networks into operational environments, as demonstrated in attacks on Ukrainian power grids and U.S. water treatment facilities.

This guide provides step-by-step implementation guidance for achieving C2M2 compliance while building practical, maintainable network segmentation that aligns with operational needs.

Regulatory text

The C2M2 Version 2.1 ARCHITECTURE-1.B practice states: "IT and OT network boundaries are defined and enforced through appropriate network segmentation."

C2M2 is a voluntary maturity model published by the U.S. Department of Energy rather than a regulation, but organizations that adopt it are expected to establish clear separation between corporate IT networks (email, file shares, business applications) and operational technology networks (SCADA systems, PLCs, industrial control systems). The practice emphasizes both definition (documenting boundaries) and enforcement (implementing technical controls).

Who This Applies To

This requirement applies to:

  • Energy sector organizations including electric utilities, oil and gas companies, and renewable energy operators
  • Critical infrastructure operators with industrial control systems
  • Organizations pursuing a target C2M2 maturity indicator level (MIL) through self-evaluation
  • Any entity with converged IT/OT environments

The requirement scales based on organizational complexity. A small municipal utility might achieve compliance through basic VLAN separation, while a major grid operator requires defense-in-depth architecture with multiple DMZ layers.

What You Actually Need to Do

1. Document Current State Architecture (Days 1-14)

Create detailed network diagrams showing:

  • All connections between IT and OT networks
  • Data flows across network boundaries
  • Remote access points into OT networks
  • Wireless networks that bridge environments
  • Third-party connections (especially managed service providers)

Use automated discovery tools where possible, but validate findings through physical inspection. OT environments often contain undocumented connections established years ago.

2. Define Segmentation Strategy (Days 15-30)

Establish your segmentation approach based on operational requirements:

Air Gap: Complete physical separation with no electronic connections. Suitable for highest-risk OT environments but operationally challenging. In practice air gaps are routinely bridged by removable media, maintenance laptops, and vendor equipment, so they still need media controls and periodic verification that no connection has crept in.

Unidirectional Gateways: Hardware-enforced one-way data flow from OT to IT. Allows monitoring while preventing control commands.

DMZ Architecture: Intermediate network zone between IT and OT with strict firewall rules. Most common approach for organizations needing bidirectional communication.

VLAN Segmentation: Logical separation within shared physical infrastructure. Minimum acceptable approach, requires robust access control lists. A VLAN only separates broadcast domains: any layer-3 switch or router that joins the VLANs forwards traffic between them freely unless a filtering device sits in the path, and a misconfigured trunk port can bridge segments outright.

3. Implement Technical Controls (Days 31-60)

Deploy segmentation controls progressively:

  • Configure firewalls with explicit deny-by-default rules
  • Implement jump servers for administrative access
  • Deploy intrusion detection systems at segment boundaries
  • Configure network access control (NAC) to prevent unauthorized devices
  • Enable logging for all cross-segment traffic

Start with monitoring mode to understand legitimate traffic patterns before enforcing restrictions.
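The deny-by-default and monitor-mode points above, as an added example that is not part of the original page or of C2M2: a small zone-based policy model that puts the "any-any" rule set auditors flag beside an explicit allow list with a deny default, evaluates the same corporate-host-to-PLC flow against each, and shows monitor mode logging the verdict it would have enforced. The address plan, the rule names and the change-ticket references are constructed assumptions.

```python
"""Added example (not from the page or from C2M2): a zone-based firewall
policy model showing the 'any-any' rule set beside an explicit allow list
with a deny default, plus monitor mode versus enforcement mode.
The zones, addresses and change-ticket names are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

# Constructed address plan (assumption): corporate IT, the IT/OT DMZ and the
# OT control network. A real plan comes from the step-1 inventory.
IT = ip_network("10.10.0.0/16")
DMZ = ip_network("10.20.0.0/24")
OT = ip_network("10.30.0.0/16")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str              # change ticket / business justification for the rule
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp" or "udp"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.proto == proto
                and (self.dport is None or self.dport == dport))


@dataclass
class Policy:
    rules: List[Rule]
    default: str = "deny"          # deny-by-default: unmatched traffic is dropped
    enforce: bool = True           # False = monitor mode: log the verdict, block nothing
    log: List[str] = field(default_factory=list)

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> str:
        """First matching rule wins; returns the verdict actually applied."""
        verdict, hit = self.default, "default"
        for rule in self.rules:
            if rule.matches(src, dst, proto, dport):
                verdict, hit = rule.action, rule.name
                break
        applied = verdict if self.enforce else "allow"
        self.log.append(f"{src}->{dst}:{dport}/{proto} rule={hit} "
                        f"verdict={verdict} applied={applied}")
        return applied


def any_any_rules(policy: Policy) -> List[str]:
    """Audit check: allow rules with no source, destination or port constraint."""
    return [r.name for r in policy.rules
            if r.action == "allow" and r.src == ANY and r.dst == ANY and r.dport is None]


# Weak: the classic 'any-any' allow that audits flag. Corporate hosts reach PLCs directly.
PERMISSIVE = Policy(rules=[Rule("any-any", ANY, ANY, "tcp", None, "allow")], default="allow")

# Hardened: every permitted path is explicit and named for its justification.
# IT never reaches OT directly: engineers go through the DMZ jump host, and IT
# reads a historian replica in the DMZ that the OT historian pushes to.
HARDENED = Policy(rules=[
    Rule("CHG-0417 engineering VLAN to DMZ jump host", ip_network("10.10.5.0/24"),
         ip_network("10.20.0.10/32"), "tcp", 3389, "allow"),
    Rule("CHG-0421 jump host to OT engineering workstations", ip_network("10.20.0.10/32"),
         ip_network("10.30.1.0/24"), "tcp", 3389, "allow"),
    Rule("CHG-0433 OT historian push to DMZ replica", ip_network("10.30.2.5/32"),
         ip_network("10.20.0.20/32"), "tcp", 5432, "allow"),
    Rule("CHG-0433 IT reads DMZ replica", IT, ip_network("10.20.0.20/32"), "tcp", 5432, "allow"),
])

if __name__ == "__main__":
    modbus = ("10.10.7.12", "10.30.1.50", "tcp", 502)     # corporate host -> PLC
    print("permissive:", PERMISSIVE.evaluate(*modbus))     # allow
    print("hardened:  ", HARDENED.evaluate(*modbus))       # deny
    monitor = Policy(HARDENED.rules, enforce=False)
    print("monitor:   ", monitor.evaluate(*modbus), monitor.log[-1])
    print("any-any findings:", any_any_rules(PERMISSIVE), any_any_rules(HARDENED))
```

The point of the model is the shape of the hardened rule set: no rule has IT as a source and OT as a destination, every rule carries the ticket that justifies it (the artifact the audit section asks for), and the same evaluation run with `enforce=False` produces the "would have denied" log entries you baseline against before switching to enforcement.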

4. Establish Monitoring and Maintenance (Days 61-90)

Build sustainable operations:

  • Configure SIEM correlation rules for cross-segment traffic anomalies
  • Schedule quarterly penetration tests specifically targeting segmentation
  • Implement change control procedures for firewall rule modifications
  • Create runbooks for investigating segmentation violations
  • Train SOC analysts on IT/OT traffic patterns
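The SIEM correlation rules for cross-segment anomalies, as an added example that is not part of the original page: a pass over boundary-firewall log lines that classifies each endpoint into a zone and raises the findings a SOC would want for this boundary (an allowed flow straight from IT into OT, an OT asset talking to an address outside the plan, one IT host denied against several OT targets, and an allowed cross-zone flow absent from the monitor-mode baseline). The zone plan, the key=value log format, the baseline and the sample lines are all constructed assumptions; map them to your own address plan and your firewall's log format.

```python
"""Added example (not from the page): a minimal SIEM-style correlation pass
over firewall boundary logs. Zones, log format and sample lines are
constructed for illustration; adapt them to your own environment."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

# Constructed address plan (assumption), matching the step-1 architecture inventory.
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("10.30.0.0/16"),
}

# Assumed key=value log format from the boundary firewall; adapt the regex to yours.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>allow|deny) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

SWEEP_THRESHOLD = 3   # distinct OT targets denied from one IT source before we call it a sweep
FlowKey = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Finding:
    kind: str
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"     # anything outside the plan, including the internet


def parse(lines: Iterable[str]) -> Tuple[List[dict], int]:
    """Parse events; unparseable lines are counted rather than silently dropped."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events, skipped


def analyze(lines: Iterable[str], baseline: Set[FlowKey]) -> Tuple[List[Finding], int]:
    """Apply the four correlation rules and return (findings, unparsed line count)."""
    events, skipped = parse(lines)
    findings: List[Finding] = []
    denied_targets: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        src, dst, dport, action = ev["src"], ev["dst"], ev["dport"], ev["action"]
        sz, dz = zone_of(src), zone_of(dst)
        key: FlowKey = (src, dst, ev["proto"], dport)
        if sz == "IT" and dz == "OT" and action == "deny":
            denied_targets[src].add(dst)                 # counted for the sweep rule below
        elif sz == "IT" and dz == "OT":
            findings.append(Finding("direct-it-to-ot-allowed", src, dst, dport))   # rule drift
        elif sz == "OT" and dz == "EXTERNAL" and action == "allow":
            findings.append(Finding("ot-egress-to-external", src, dst, dport))     # modem? tunnel?
        elif action == "allow" and sz != dz and key not in baseline:
            findings.append(Finding("new-cross-segment-flow", src, dst, dport))    # document or remove
    for src, targets in denied_targets.items():
        if len(targets) >= SWEEP_THRESHOLD:
            findings.append(Finding("blocked-it-to-ot-sweep", src, f"{len(targets)} hosts", 0))
    return findings, skipped


# Flows observed during the monitor-mode baseline period (constructed).
BASELINE: Set[FlowKey] = {
    ("10.10.5.3", "10.20.0.10", "tcp", 3389),   # engineering VLAN to DMZ jump host
    ("10.30.2.5", "10.20.0.20", "tcp", 5432),   # OT historian push to DMZ replica
}

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
2024-05-02T10:01:02Z fw01 action=allow src=10.10.5.3 dst=10.20.0.10 proto=tcp dport=3389
2024-05-02T10:01:05Z fw01 action=allow src=10.30.2.5 dst=10.20.0.20 proto=tcp dport=5432
2024-05-02T10:02:11Z fw01 action=allow src=10.10.7.12 dst=10.30.1.50 proto=tcp dport=502
2024-05-02T10:02:12Z fw01 action=deny src=10.10.7.12 dst=10.30.1.51 proto=tcp dport=502
2024-05-02T10:02:12Z fw01 action=deny src=10.10.7.12 dst=10.30.1.52 proto=tcp dport=502
2024-05-02T10:02:13Z fw01 action=deny src=10.10.7.12 dst=10.30.1.53 proto=tcp dport=44818
2024-05-02T10:03:40Z fw01 action=allow src=10.30.3.9 dst=203.0.113.7 proto=tcp dport=443
2024-05-02T10:04:01Z fw01 action=allow src=10.10.9.4 dst=10.20.0.20 proto=tcp dport=5432
%%% malformed line from a log forwarder hiccup
""".splitlines()

if __name__ == "__main__":
    found, skipped = analyze(SAMPLE_LOG, BASELINE)
    for f in found:
        print(f"{f.kind:26} {f.src} -> {f.dst}:{f.dport}")
    print("unparsed lines:", skipped)
```

Two design choices matter for a real deployment. Denied IT-to-OT attempts are not noise: a single host denied against several OT addresses is exactly what lateral movement from a compromised corporate machine looks like, so the sweep rule counts distinct targets rather than raw hits. And the parser reports how many lines it could not read, because a log source that has quietly changed format is a missing-logs audit finding waiting to happen.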

Required Evidence and Artifacts

Maintain these artifacts for audit readiness:

  1. Network Architecture Documentation

    • Current network diagrams showing all segments
    • Data flow diagrams between segments
    • Asset inventories for each segment
    • Network device configurations
  2. Policy and Procedure Documents

    • Network segmentation policy defining standards
    • Firewall rule review procedures
    • Change management process for network modifications
    • Incident response procedures addressing segmentation breaches
  3. Technical Evidence

    • Firewall rule sets with business justification for each rule
    • Network scan results showing segmentation effectiveness
    • Penetration test reports validating controls
    • Log samples showing monitoring capabilities
  4. Operational Records

    • Quarterly firewall rule reviews
    • Change tickets for network modifications
    • Incident reports related to segmentation violations
    • Training records for network administrators

Common Exam/Audit Questions and Hangups

Auditors consistently focus on these areas:

"Show me how data moves between IT and OT networks." Have data flow diagrams ready showing every connection point. Include both authorized paths and potential unauthorized routes (like dual-homed workstations).

"How do you prevent an IT compromise from reaching OT systems?" Demonstrate defense-in-depth: network segmentation plus endpoint protection, access controls, and monitoring. Show specific firewall rules blocking common attack vectors.

"What happens when segmentation fails?" Document incident response procedures specific to segmentation breaches. Include detection mechanisms, containment steps, and communication protocols.

"How do administrators access OT systems?" Detail jump server architecture, multi-factor authentication, privileged access management, and session recording. Show that direct connections from IT to OT are technically prohibited.

Common audit findings include:

  • Overly permissive firewall rules ("any-any" rules)
  • Undocumented connections discovered during testing
  • Shared credentials between IT and OT systems
  • Missing logs for cross-segment traffic
  • Outdated network diagrams

Frequent Implementation Mistakes and How to Avoid Them

Mistake 1: Implementing Segmentation Without Understanding Data Flows

Teams often deploy firewalls then discover critical applications break. Map all data flows first through packet capture and application dependency mapping. Work with OT engineers to understand historian data collection, alarm forwarding, and remote monitoring requirements.

Mistake 2: Creating Segmentation That Operations Bypasses

Overly restrictive controls lead to shadow IT solutions. Involve operations teams in design. Provide secure methods for legitimate needs like patch deployment and vendor support. Monitor for unauthorized workarounds like cellular modems.

Mistake 3: Treating Segmentation as One-Time Project

Network segmentation degrades without maintenance. Firewall rules accumulate exceptions. New connections bypass controls. Build continuous validation through automated testing and regular architecture reviews.
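The continuous validation this paragraph calls for (and the monthly automated scans the FAQ mentions), as an added example that is not part of the original page: a reachability-matrix check run from a probe host inside a given segment. Each expected path is marked as one that must work or one the boundary must block; a blocked path that answers is a segmentation violation, and a required path that does not answer is an application the firewall has broken, which is the failure mode Mistake 1 describes. The matrix, hosts and ports are constructed assumptions derived from an imagined policy; build yours from the rule set.

```python
"""Added example (not from the page): a reachability-matrix test for
continuous segmentation validation. The matrix, hosts and ports are
constructed assumptions; run the script from a probe host inside the
named source segment."""
import socket
from typing import Callable, Dict, List, Tuple

Probe = Callable[[str, int], str]
PathResult = Tuple[str, int, str]   # (host, port, observed state)

# Expected reachability per source segment (assumption). True = the path must
# work (an application dependency), False = the firewall must block it.
EXPECTED: Dict[str, List[Tuple[str, int, bool]]] = {
    "IT": [
        ("10.20.0.10", 3389, True),    # DMZ jump host
        ("10.20.0.20", 5432, True),    # DMZ historian replica
        ("10.30.1.50", 502, False),    # PLC Modbus, must be blocked
        ("10.30.1.50", 3389, False),   # direct RDP into OT, must be blocked
    ],
    "DMZ": [
        ("10.30.1.50", 3389, True),    # jump host to engineering workstation
        ("10.30.1.50", 502, False),    # jump host must not drive the PLC directly
    ],
}


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP path. A refused connection (RST) proves the packet reached
    the host, so 'closed' still means the boundary let it through; only
    'filtered' (no answer, no route, or an ICMP prohibited) means it was blocked."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:              # includes the timeout and unreachable cases
        return "filtered"
    finally:
        s.close()


def check_segment(src_zone: str, probe: Probe = tcp_probe) -> Tuple[List[PathResult], List[PathResult]]:
    """Return (violations, breakages) for one source segment.
    violations: paths that must be blocked but answered (segmentation failure).
    breakages: paths that must work but did not (an application the firewall broke)."""
    violations: List[PathResult] = []
    breakages: List[PathResult] = []
    for host, port, must_reach in EXPECTED[src_zone]:
        state = probe(host, port)
        if must_reach and state != "open":
            breakages.append((host, port, state))
        elif not must_reach and state in ("open", "closed"):
            violations.append((host, port, state))
    return violations, breakages


if __name__ == "__main__":
    import sys
    zone = sys.argv[1] if len(sys.argv) > 1 else "IT"
    bad, broken = check_segment(zone)
    for h, p, st in bad:
        print(f"VIOLATION  {zone} -> {h}:{p} is {st}, expected filtered")
    for h, p, st in broken:
        print(f"BREAKAGE   {zone} -> {h}:{p} is {st}, expected open")
    sys.exit(1 if bad or broken else 0)
```

Treating a refused connection as a violation is deliberate: a firewall that blocks the path never lets the RST come back, so an RST means the rule base, not the target host, is what let the packet through. Schedule the script from a probe host in each segment and page on a non-zero exit; the "must work" entries are what keep a rule cleanup from silently breaking historian or alarm traffic.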

Mistake 4: Ignoring East-West Traffic Within Segments

Segmenting IT from OT isn't sufficient. Implement micro-segmentation within OT networks to limit impact of compromises. Critical processes should be isolated from general OT infrastructure.

Practical 30/60/90-Day Execution Plan

Immediate Actions (First 30 Days)

  • Assemble cross-functional team including IT, OT, and security representatives
  • Document current network architecture using automated discovery supplemented by interviews
  • Identify and document all IT-OT connection points
  • Conduct risk assessment of current segmentation gaps
  • Define target segmentation architecture aligned with business requirements

Near-term Implementation (Days 31-60)

  • Deploy monitoring at existing network boundaries to baseline traffic
  • Implement quick wins like disabling unnecessary services and closing unused ports
  • Configure firewalls in monitor mode to understand communication patterns
  • Begin access control improvements starting with privileged accounts
  • Develop formal segmentation policy and standards

Ongoing Maturation (Days 61-90)

  • Transition firewalls from monitoring to enforcement mode
  • Implement network access control to prevent unauthorized devices
  • Deploy security monitoring with correlation rules for segmentation violations
  • Conduct penetration test to validate segmentation effectiveness
  • Establish quarterly review cycle for rules and architecture

Frequently Asked Questions

Can we use VLANs alone to meet this requirement?

VLANs provide logical separation but aren't sufficient for C2M2 compliance in most cases. Combine VLANs with firewalls, access control lists, and monitoring. Physical separation or unidirectional gateways provide stronger security for critical OT systems.

How do we handle vendor remote access while maintaining segmentation?

Implement a vendor access management system with temporary, monitored connections through a secured jump server. Require multi-factor authentication, limit access to specific assets, and automatically terminate sessions after defined periods. Never allow direct VPN connections into OT networks.

What if our historians need real-time data from OT systems?

Use data diodes or unidirectional gateways to push OT data to historians in the IT network. If bidirectional communication is essential, implement a DMZ with application-layer proxies that validate and sanitize all traffic. Never allow direct database connections across segments.

How often should we test segmentation effectiveness?

Conduct formal penetration tests quarterly, focusing on attempting lateral movement between segments. Perform automated scans monthly to detect new connections or misconfigurations. Review firewall logs weekly for policy violations.

Should we segment different OT systems from each other?

Yes, implement defense-in-depth through micro-segmentation within OT networks. Separate safety systems, critical control systems, and general OT infrastructure. This limits blast radius if one OT segment is compromised.

How do we maintain network diagrams as infrastructure changes?

Integrate network documentation into change management processes. Require diagram updates before approving network changes. Use automated discovery tools monthly to detect undocumented changes. Assign clear ownership for maintaining documentation accuracy.