NERC facilitates many forums to advance industry practices and grid reliability. "Segmentation and Control Systems - It's a Good Thing!" by Dustin Cornelius from the 2014 Monitoring and Situational Awareness Conference caught my attention as worth reading.

 

Here are a few observations and comments:

 

  • Although compliance-motivated, Dustin's strategy goes beyond NERC CIP minimal compliance. More cases like this could be reason for optimism about industry-led approaches to critical infrastructure protection.

 

  • Back to basics. Microsoft's immutable laws go back to 2001. "Law #8: The difficulty of defending a network is directly proportional to its complexity." I like the way Dustin turns this around: less segmentation is more complex and more risk.

 

  • Future prediction. While too soon to call a trend, an increasing number of you are implementing host-based security perimeters. Whether this approach finds enough momentum to overcome a shiny new NxGen firewall is a tough call. OTOH I wouldn't bet against virtualization.