Product Security Engineering

Network Segmentation

Network segmentation is the practice of dividing a network into isolated segments or zones to limit the blast radius of a security incident. For CRA-covered products operating in enterprise or industrial environments, built-in network isolation capabilities are a key security design requirement.

What Is Network Segmentation?

Network segmentation is the security practice of dividing a network infrastructure into separate, isolated zones using firewalls, VLANs, or physical separation. Each zone contains a defined set of resources, and traffic between zones is controlled and filtered. Segmentation limits the 'blast radius' of a security incident: if an attacker compromises a device in one zone, they cannot freely move to other zones without overcoming additional security controls. For CRA-covered products, network segmentation has two dimensions: the segmentation of the network in which the product is deployed (an operator responsibility), and the product's own network communication behaviour — whether it respects and operates safely within segmented environments, and whether it creates unnecessary network exposure that operators must compensate for.

CRA reference: Annex I

Network Segmentation in CRA Product Design

The CRA's Annex I requires products to minimise their attack surface and support deployment in secure network configurations. From a product design perspective, this means:

  • Minimal network exposure: Products should expose only the network services actually required for their function. Unnecessary open ports, discovery protocols, or management interfaces increase the attack surface that operators must segment around.
  • Configurable network isolation: Industrial and enterprise products should support VLAN tagging, firewall rule configuration, and interface binding that enable operators to isolate the product within their segmented architecture.
  • Protocol support: Products should support protocols designed for segmented environments (SNMPv3, secure management protocols) rather than only insecure protocols that require broad network access.
  • Documentation for segmentation: Manufacturers should publish deployment guidance specifying what network access the product requires, enabling operators to correctly configure network segmentation.
CRA reference: Annex I

Network Segmentation for OT and Industrial Products

For operational technology (OT) and industrial control system products — a significant portion of CRA Important Class products — network segmentation between IT and OT networks is a fundamental security architecture requirement. The Purdue Model and IEC 62443 both provide reference segmentation architectures for industrial environments. Key considerations for manufacturers of industrial CRA products:

  • OT-specific protocol support: Industrial protocols (Modbus, PROFINET, EtherNet/IP) typically lack authentication and should be confined to isolated OT network segments. Products using these protocols should support network isolation features.
  • Demilitarised zone (DMZ) patterns: Industrial products that need to communicate with enterprise IT systems should be designed to operate safely in DMZ configurations with controlled data flows.
  • Air-gap compatibility: Some high-security industrial deployments require complete network isolation. Products should support local management interfaces (serial, USB) that function without network connectivity.
CRA reference: Annex I

Segmentation as a Compensating Control in Vulnerability Management

Network segmentation also plays a role in vulnerability management — it can serve as a compensating control while a patch is being developed. When a vulnerability is disclosed in a product that cannot be immediately patched (for example, because an OTA update requires extensive testing), network segmentation can limit the exploitability of the vulnerability:

  • Block external access to the affected service at the network perimeter.
  • Isolate the product on a restricted VLAN with only necessary communication paths.
  • Apply ingress/egress filtering to limit lateral movement if the product is compromised.
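The design points above (expose only declared services, bind management interfaces to the management network, confine unauthenticated industrial protocols to the OT segment, publish a port/protocol matrix) and the compensating controls just listed can be exercised from the same artefact: the product's declared port/protocol matrix. The following is an added example for this glossary entry, not code from the page or from any manufacturer's deployment guide. It audits a constructed listener snapshot against a constructed matrix, then renders a default-deny nftables allowlist from that matrix for use on a restricted VLAN; the product addresses, zone names and services are all assumptions.

```python
"""Check a product's observed listeners against its declared port/protocol
matrix, then derive a default-deny nftables allowlist from the same matrix.

Added example for this glossary entry; not code from the page or from any
manufacturer's deployment guide. Product, zones, addresses and services are
constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    direction: str   # "in": a service the product listens on; "out": a connection it initiates
    proto: str       # "tcp" or "udp"
    port: int
    local: str       # address the product binds (in) or sends from (out)
    zone: str        # remote zone allowed for this flow


# Declared port/protocol matrix, as a deployment guide would publish it (constructed).
MATRIX = [
    Flow("modbus-tcp", "in", "tcp", 502, "10.20.0.5", "ot-cell"),
    Flow("https-mgmt", "in", "tcp", 443, "10.99.0.5", "mgmt"),
    Flow("snmpv3", "in", "udp", 161, "10.99.0.5", "mgmt"),
    Flow("syslog-tls", "out", "tcp", 6514, "10.99.0.5", "mgmt"),
    Flow("ntp", "out", "udp", 123, "10.99.0.5", "mgmt"),
]

ZONES = {"ot-cell": "10.20.0.0/24", "mgmt": "10.99.0.0/24"}  # constructed

# Industrial protocols without authentication; acceptable only inside an OT segment.
UNAUTHENTICATED = {("tcp", 502), ("tcp", 44818), ("udp", 2222)}  # Modbus/TCP, EtherNet/IP
WILDCARD = {"0.0.0.0", "::"}

# Constructed listener snapshot, as a socket listing on the product would show it.
OBSERVED = [
    ("tcp", "10.20.0.5", 502),
    ("tcp", "0.0.0.0", 443),   # management UI bound to every interface
    ("udp", "0.0.0.0", 161),
    ("udp", "0.0.0.0", 1900),  # SSDP discovery, absent from the matrix
]


def audit_exposure(matrix, observed):
    """Return findings where observed listeners deviate from the declared matrix."""
    declared = {(f.proto, f.port): f for f in matrix if f.direction == "in"}
    findings = []
    for proto, addr, port in observed:
        flow = declared.get((proto, port))
        if flow is None:
            findings.append(f"undeclared listener {proto}/{port} on {addr}")
            continue
        if addr != flow.local:
            kind = "wildcard bind" if addr in WILDCARD else "unexpected bind"
            findings.append(f"{kind}: {flow.name} {proto}/{port} on {addr}, expected {flow.local}")
        if (proto, port) in UNAUTHENTICATED and flow.zone != "ot-cell":
            findings.append(f"unauthenticated protocol exposed outside OT segment: {flow.name}")
    seen = {(proto, port) for proto, _, port in observed}
    findings += [f"declared but not listening: {f.name}"
                 for f in matrix if f.direction == "in" and (f.proto, f.port) not in seen]
    return findings


def nft_allowlist(matrix, zones, table="product_segmentation"):
    """Render a default-deny nftables ruleset that permits only the declared flows."""
    chains = {"input": [], "output": []}
    for f in matrix:
        if f.direction == "in":
            chains["input"].append(
                f'    ip saddr {zones[f.zone]} ip daddr {f.local} {f.proto} dport {f.port} '
                f'accept comment "{f.name}"')
        else:
            chains["output"].append(
                f'    ip saddr {f.local} ip daddr {zones[f.zone]} {f.proto} dport {f.port} '
                f'accept comment "{f.name}"')
    out = [f"table inet {table} {{"]
    for chain, rules in chains.items():
        out += [f"  chain {chain} {{",
                f"    type filter hook {chain} priority 0; policy drop;",
                "    ct state established,related accept",
                f"    {'iif' if chain == 'input' else 'oif'} lo accept",
                *rules, "  }"]
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    for finding in audit_exposure(MATRIX, OBSERVED):
        print("FINDING:", finding)
    print(nft_allowlist(MATRIX, ZONES))
```

Run against the constructed snapshot, the audit reports the management UI and SNMP agent bound to every interface rather than the management address, and an SSDP listener that the matrix never declared; Modbus/TCP passes because it is confined to the OT cell. The rendered ruleset is the ingress/egress filtering the list above describes: both chains default to drop, and only the declared paths are accepted.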

Manufacturers should include network segmentation recommendations in security advisories for vulnerabilities where patch deployment will take longer than the standard SLA. These compensating controls reduce user risk during the remediation window, and their effect should be reflected in the advisory's CVSS Environmental score adjustment.

CRA reference: Annex I

Frequently asked

Is network segmentation a product requirement or a deployment requirement under the CRA?

Both. The CRA requires manufacturers to design products that minimise their attack surface and support secure deployment configurations — this is a product design obligation. It also requires manufacturers to provide deployment guidance informing operators how to configure the product securely, including network isolation recommendations. Operators (under NIS2 and their own security obligations) are responsible for implementing network segmentation in their environments. Manufacturers cannot design products that rely on operators compensating for poor security design through segmentation.

How should a manufacturer document network segmentation requirements for CRA compliance?

Network segmentation requirements and recommendations should be documented in: the Annex II user information (concise summary of network connectivity requirements); the product's deployment guide (detailed port/protocol matrix and recommended network architecture); and the Annex VII technical documentation (network architecture diagrams showing the product's communication paths and recommended isolation). Security advisories for network-exploitable vulnerabilities should include specific segmentation guidance as interim mitigations.

Does network segmentation help with CVSS Environmental scoring?

Yes. CVSS Environmental metrics allow manufacturers and operators to adjust the effective vulnerability score based on deployment context. A vulnerability that is network-exploitable (Attack Vector: Network in base score) may have its Environmental score reduced if the product is deployed behind a firewall that blocks external access to the vulnerable service. Manufacturers publishing CVSS-BE (Base + Environmental) scores in their advisories can reflect the mitigating effect of recommended segmentation, providing users with a more accurate contextual risk assessment.
