SIS air-gapped or strongly segmented
Demonstrate that Safety Instrumented Systems are either physically air-gapped from all other networks or protected by multiple layers of segmentation controls that enforce unidirectional or tightly restricted bidirectional communication with documented business justification.
Description
What this control does
Safety Instrumented Systems (SIS) in industrial control environments must be physically or logically isolated from enterprise IT networks and other operational technology (OT) zones to prevent unauthorized access and cyber threats. Air-gapping creates a complete physical separation with no network connectivity, while strong segmentation employs multiple layers of network security controls (firewalls, unidirectional gateways, data diodes) with strict allow-list policies. This control is critical because SIS manages emergency shutdown functions, pressure relief, and other safety-critical processes where compromise could result in loss of life, environmental damage, or catastrophic equipment failure. Isolation prevents malware propagation from corporate networks and limits attacker lateral movement within OT environments.
Control objective
What auditing this proves
Demonstrate that Safety Instrumented Systems are either physically air-gapped from all other networks or protected by multiple layers of segmentation controls that enforce unidirectional or tightly restricted bidirectional communication with documented business justification.
Associated risks
Risks this control addresses
- Lateral movement of malware from enterprise IT networks into safety systems, disabling emergency shutdown capabilities during process incidents
- Remote exploitation of SIS controller vulnerabilities via network connectivity, allowing attackers to manipulate safety logic or setpoints
- Unauthorized modification of safety instrumented function (SIF) logic by compromised engineering workstations connected to both enterprise and SIS networks
- Denial-of-service attacks against SIS controllers or safety PLCs degrading response time during hazardous conditions
- Insider threats leveraging enterprise network access to perform reconnaissance of SIS topology and operational parameters for sabotage
- Supply chain compromises in enterprise systems propagating to safety layers through inadequate network boundaries
- Accidental configuration changes pushed from enterprise management systems to SIS devices due to lack of segregation
Testing procedure
How an auditor verifies this control
- Obtain current network architecture diagrams, zone maps, and data flow diagrams showing all connections to and from SIS networks and devices.
- Inventory all SIS controllers, safety PLCs, engineering workstations, HMI stations, and associated network infrastructure with their network interface configurations.
- Review firewall rule sets, access control lists, and unidirectional gateway configurations governing traffic between SIS zones and adjacent networks (Level 1 process control, enterprise IT, remote access).
- Physically trace network cable paths from a sample of SIS devices to verify claimed air-gap status or validate connection only to authorized segmentation devices.
- Conduct vulnerability scans or port enumeration from adjacent network zones toward SIS network addresses to validate effective blocking of unauthorized protocols.
- Interview SIS engineers and review change management records to confirm no dual-homed workstations or unauthorized network bridges exist for operational convenience.
- Examine logs from segmentation devices (firewalls, unidirectional gateways) for denied connection attempts, unauthorized traffic patterns, or allow-list violations over a representative period (90 days minimum).
- Validate that remote access paths to SIS (vendor support, engineering access) transit through dedicated jump hosts or secure gateways with multi-factor authentication and session logging, not direct enterprise VPN connections.
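Two of the checks above (allow-list review of the firewall rules that terminate in the SIS zone, and detection of dual-homed workstations in the device inventory) lend themselves to a scripted first pass. The following is an added illustration, not part of the control text; the rule-export format, zone names, subnets and hostnames are constructed for the example.

```python
# Added example: script an auditor's first pass over a firewall rule export and
# a device inventory. Formats, zone names and addresses are constructed; a real
# export needs a vendor-specific loader feeding the same dict shape.
import ipaddress

SIS_ZONE = "SIS"
# Zones from which tightly restricted inbound traffic to SIS may be justified.
APPROVED_SOURCE_ZONES = {"SIS-Engineering", "Level1-Control"}

# Constructed sample rule-set export: one dict per rule.
SAMPLE_RULES = [
    {"id": 10, "src_zone": "SIS-Engineering", "dst_zone": "SIS", "service": "tcp/502",
     "action": "allow", "justification": "CR-1042: logic download, vendor-approved"},
    {"id": 20, "src_zone": "Enterprise", "dst_zone": "SIS", "service": "tcp/3389",
     "action": "allow", "justification": ""},
    {"id": 30, "src_zone": "Level1-Control", "dst_zone": "SIS", "service": "any",
     "action": "allow", "justification": "CR-0987: historian polling"},
    {"id": 40, "src_zone": "any", "dst_zone": "SIS", "service": "any",
     "action": "deny", "justification": "default deny"},
]

def audit_sis_rules(rules, approved=APPROVED_SOURCE_ZONES):
    """Return (rule id, finding) pairs for every allow rule into the SIS zone."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or r["dst_zone"] != SIS_ZONE:
            continue  # only permits that terminate in SIS are in scope
        if r["src_zone"] not in approved:
            findings.append((r["id"], "source zone not on SIS allow-list"))
        if r["service"] == "any":
            findings.append((r["id"], "service 'any' is not tightly restricted"))
        if not r["justification"].strip():
            findings.append((r["id"], "no documented business justification"))
    return findings

# Constructed inventory: hostname -> interface addresses (subnets are assumed).
SIS_NET = ipaddress.ip_network("10.50.0.0/24")
ENTERPRISE_NET = ipaddress.ip_network("10.10.0.0/16")
SAMPLE_INVENTORY = {
    "SIS-EWS-01": ["10.50.0.21"],
    "SIS-EWS-02": ["10.50.0.22", "10.10.4.77"],  # dual-homed: bridges the zones
    "ENT-LAPTOP-9": ["10.10.8.14"],
}

def find_dual_homed(inventory, sis=SIS_NET, other=ENTERPRISE_NET):
    """Return hosts with an interface in the SIS subnet and another in 'other'."""
    return sorted(h for h, addrs in inventory.items()
                  if any(ipaddress.ip_address(a) in sis for a in addrs)
                  and any(ipaddress.ip_address(a) in other for a in addrs))
```

Each finding still needs the human follow-up the procedure calls for (cable tracing, change records, interviews); the script only narrows where to look.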
Where this control is tested