When stories about Internet based attacks on control systems, like the 60 Minutes story, appear on sites like Slashdot, most people question the need to attach the control network to another network. In my previous position at a National Laboratory, I have seen proper network segregation implemented successfully, though at times it can be a pain to work with. The Labs place a high value on security and have the financial means to implement it. In an optimal setting, there would be no need to have the control network connected to any other network. There are often business reasons that make it necessary at times to connect the control network to another network.
Information is often shared from the control network to the corporate network for various reasons. In this case, the optimum way to share that data would be to give those employees who need the control network data a separate workstation on a network not connected, physically and logically, to the corporate network. These systems would connect to a DMZ in between the control network and this control data sharing network. This setup is similar to what we see in some of the better implemented control networks where the control system employees are given a separate workstation connected to the corporate network. The difference is that this configuration would provide limited control system data access to those on the corporate side. The systems could be very lightweight, possibly thin clients or older computer systems that would normally be discarded.
Remote access is difficult to assess as there are times employees may be required to connect to control network when out of the office. This of course is a business / risk management decision that needs to be determined internally. If remote access is allowed, even if only for emergency situations, it may be appropriate to have a physical separation between the remote access server and the control network. One option is a KVM over IP setup that is physically put in place by a local technician when access is needed, then removed once access is no longer required.
Another big reason control networks are connected to external networks is information sharing with partners. This is possibly the most difficult situation to protect against as there must be some trust between the two networks. If the data is a one way outbound connection and the data is being sent over a stateless protocol (e.g. UDP) physical countermeasures, like cutting the receive wire in an ethernet cable, can be taken. When the data is not stateless but still one way outbound, one way gateways can be used to provide the data with significantly less risk. When data is being shared in both directions proper firewalling is paramount.
In all of the situations listed above, proper authentication and access control should be implemented. In all situations, it should be easy to disconnect the control network from outside networks and there should be a process in place that allows that to happen.