NSA Stresses Vendor Diversification in Guidance on Network Segmentation


Robust firewalls within and around a network are especially important in environments incorporating industrial control systems, which have been targeted in Russian state-sponsored operations.

A technical cybersecurity report the National Security Agency compiled based on its experience evaluating the defense industrial base highlighted the danger associated with developing a software “monoculture” when designing network architecture. 

“Implement multiple layers of next-generation firewalls throughout the network to restrict inbound traffic, restrict outbound traffic, and examine all internal activity between disparate network regions,” reads guidance the NSA released Tuesday. “Each layer should utilize different vendors to protect against an adversary exploiting the same unpatched vulnerability in an attempt to access the internal network.”  

The detailed NSA guidance also covers the importance of administrators and encryption standards, among other aspects, for executing a zero trust approach. Zero trust is a security model that continuously re-verifies and re-authorizes each access request, because it starts from granting users the minimum privileges they need to move around an enterprise.

The Cybersecurity and Infrastructure Security Agency’s national cyber awareness system promoted the NSA’s guidance Thursday along with CISA’s recently released infographic on network segmentation.

In January, CISA re-released its guidance for mitigating Russian state-sponsored cyber threats to U.S. critical infrastructure, which noted a proclivity for attacking the operational technology in industrial control systems like those that run in pipeline and water treatment facilities. 

“NSA recommends isolating similar systems into different subnets or virtual local area networks (VLANs), or physically separating the different subnets via firewalls or filtering routers,” the recent guidance reads. “Workstations, servers, printers, telecommunication systems, and other network peripherals should be separate from each other. Operational technology, such as industrial control systems, typically needs to be isolated from other information technology and high-risk networks like the Internet. This physical separation provides stronger protection because the intermediate device between subnets must be compromised for an adversary to bypass access restrictions.”
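The segmentation model the guidance describes, separate zones for workstations, servers, printers and OT, a default-deny allowlist between them, no path at all into the OT subnet, and two independent firewall layers that must both permit a flow, can be expressed as a small policy check that a defender runs over flow logs to find segmentation gaps. The script below is an added illustration written for this article; it is not NSA or CISA code, the zone addressing and the flow-log lines are constructed, and the layer names and rules are hypothetical.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed example addressing (hypothetical): each subnet/VLAN maps to a named zone.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "printers":     ipaddress.ip_network("10.30.0.0/24"),
    "ot":           ipaddress.ip_network("10.40.0.0/16"),
}

def zone_of(ip: str) -> str:
    """Name the zone an address belongs to; anything outside is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# Two enforcement layers stand in for two differently sourced firewalls.
# Each carries its own default-deny allowlist of (src_zone, dst_zone, dst_port)
# and its own scope: the edge layer sees traffic crossing the internet boundary,
# the internal layer sees every inter-zone flow. A flow passes only if every
# layer in scope permits it. No rule anywhere names "ot", so the OT subnet has
# no permitted path to or from any other zone.
def edge_scope(s: str, d: str) -> bool:
    return "internet" in (s, d)

def internal_scope(s: str, d: str) -> bool:
    return True

LAYERS = [
    {"name": "edge-firewall", "scope": edge_scope, "rules": {
        ("workstations", "internet", 443),
        ("internet", "servers", 443),
    }},
    {"name": "internal-firewall", "scope": internal_scope, "rules": {
        ("workstations", "internet", 443),
        ("internet", "servers", 443),
        ("workstations", "servers", 443),
        ("workstations", "printers", 9100),
    }},
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one observed flow."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return "allow", f"intra-zone {s}"  # not mediated by the firewalls
    for layer in LAYERS:
        if not layer["scope"](s, d):
            continue
        if (s, d, flow.dport) not in layer["rules"]:
            return "deny", f"{layer['name']}: no rule {s}->{d}:{flow.dport}"
    return "allow", f"every layer in scope permits {s}->{d}:{flow.dport}"

def parse_flow_line(line: str) -> Flow:
    """Parse a constructed flow-log line: '<timestamp> <src> <dst> <dport>'."""
    _ts, src, dst, dport = line.split()
    return Flow(src, dst, int(dport))

def audit(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return the observed flows the policy does not permit. Run over a switch
    or firewall flow log, these are paths that exist in practice but should
    not, i.e. the segmentation gaps to investigate."""
    findings = []
    for line in log_lines:
        verdict, reason = evaluate(parse_flow_line(line))
        if verdict == "deny":
            findings.append((line.strip(), reason))
    return findings

# Constructed sample flow log (not real traffic).
SAMPLE_LOG = [
    "2024-03-05T09:00:01Z 10.10.5.7  10.30.0.9   9100",  # workstation -> printer
    "2024-03-05T09:00:02Z 10.10.5.7  10.20.1.4   443",   # workstation -> server
    "2024-03-05T09:00:03Z 10.40.2.15 203.0.113.8 443",   # OT device -> internet
    "2024-03-05T09:00:04Z 10.20.1.4  10.40.2.15  502",   # server -> PLC
    "2024-03-05T09:00:05Z 10.30.0.9  10.10.5.7   445",   # printer -> workstation
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION {line}  ({reason})")
```

Of the five constructed flows, the two workstation flows are permitted and the other three are flagged: the OT device reaching the internet is stopped at the edge layer, while the server-to-PLC and printer-to-workstation flows are stopped at the internal layer, which is the only one in scope for traffic that never touches the internet boundary. Because each layer keeps its own allowlist, a flaw that misbehaves in one layer does not by itself open a path through the other, which is the point of the vendor-diversity recommendation.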