Critical Infrastructure Protection (CISA Guidelines): Segmentation and Air-Gapped Network Architecture
Overview and Regulatory Context
The Cybersecurity and Infrastructure Security Agency (CISA) identifies 16 critical infrastructure sectors—including energy, water, transportation, and communications—whose disruption would have debilitating effects on national security and public health. CISA's Zero Trust Maturity Model (2023, v2.0) and its companion guidance on network segmentation explicitly recommend physical and logical isolation strategies as foundational defenses against lateral movement by threat actors. For network engineers responsible for these environments, understanding the physical layer requirements that underpin segmentation and air-gapped architecture is as important as the logical policy framework above it.
What Is Network Segmentation and Why It Matters for CIP
Network segmentation divides a larger network into discrete zones, often called security domains or enclaves, with controlled, monitored pathways between them. An air-gapped network is the extreme form: a segment with no electronic or electromagnetic pathway to any external or lower-trust network. CISA's guidance Layering Network Security Through Segmentation states that segmentation limits an adversary's ability to pivot from an initial foothold to high-value operational technology (OT) or industrial control system (ICS) assets.
"Properly implemented network segmentation is one of the most effective ways to limit the impact of a network intrusion. Physical separation of OT and IT networks should be the baseline, with all electronic bridging points rigorously controlled and continuously monitored."
— CISA, ICS-CERT Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies
For compliance-driven environments—NERC CIP (energy), NIST SP 800-82 (ICS), DoD RMF, and CMMC—the physical cabling plant is not an afterthought. It is the first line of defense.
Physical Layer Standards Governing Segmented and Air-Gapped Architectures
The structured cabling standards from TIA and ISO/IEC set the performance and design baselines that secure, auditable infrastructure must meet. Key references include:
- ANSI/TIA-568.2-D — Balanced Twisted-Pair Telecommunications Cabling and Components Standard. Defines permanent link and channel performance for Category 5e, 6, 6A and 8, including insertion loss, return loss, NEXT and, for Cat6A and above, the alien crosstalk (ANEXT/AFEXT) limits that matter most in high-density, high-security runs where many shielded and unshielded links share a pathway.
- ANSI/TIA-942-B — Telecommunications Infrastructure Standard for Data Centers. Defines four redundancy rating levels (Rated-1 through Rated-4; the standard no longer uses the term "Tier") and gives requirements and recommendations for physical access control zones, redundant pathways, and cable routing that supports separation of network enclaves.
- ISO/IEC 11801-1:2017 — International cabling standard aligned with TIA-568, specifying Class EA (Category 6A equivalent) and Class I and Class II (Category 8.1 and 8.2; TIA Category 8 corresponds to Class I) channels; widely referenced in federal and multinational deployments.
- IEEE 802.3-2022 — Governs Ethernet physical layer specifications including 10GBASE-T (100 m over Cat6A) and 25GBASE-T/40GBASE-T (30 m over Category 8). The reach figures are application limits that apply on top of the cabling standard's channel limits.
- NFPA 70 (NEC), Article 770 — Governs installation of optical fiber cables and raceways, including the plenum (OFNP) and riser (OFNR) listings required whenever a run, air-gapped or not, passes through environmental air-handling spaces or vertical shafts.
Fiber Optic Architecture for Air-Gapped Segments
Air-gapped and high-security segments increasingly rely on fiber optic cabling because fiber radiates no RF (so it cannot be picked up inductively or with near-field probes the way copper can), provides galvanic isolation that eliminates ground loops, and supports the longer intra-campus runs between isolated enclosures. Fiber is not immune to tapping, however: a clip-on bend coupler on any accessible span can extract light while adding only a small, sometimes sub-decibel, loss. That is why the loss budget and OTDR baseline described in this section are security controls and not only commissioning paperwork. Performance specifications matter:
- OM3 multimode fiber: supports 10GbE up to 300 m; attenuation ≤3.5 dB/km at 850 nm per TIA-568.3-D.
- OM4 multimode fiber: supports 10GbE up to 400 m and 40/100GbE up to 150 m; attenuation ≤3.0 dB/km at 850 nm per TIA-568.3-D; the preferred choice for inter-enclave backbone links in secure data centers.
- OM5 (wideband multimode fiber): specified in TIA-568.3-D to support shortwave wavelength division multiplexing (SWDM) across 850–953 nm, which lets 100GbE run over a single duplex OM5 pair at up to 150 m.
- Single-mode OS2: attenuation ≤0.4 dB/km at 1310 nm (and at 1550 nm); the standard choice for inter-building and campus-scale air-gapped interconnects that exceed multimode distance limits.
For secure facilities, optical loss budgets must be formally documented. The TIA-568.3-D worst-case method for an OM4 link inside a data center: connector loss (0.75 dB maximum per mated pair) × number of mated pairs + splice loss (0.3 dB maximum per splice) × number of splices + cable attenuation coefficient × length. The resulting worst-case channel loss is compared against the application's power budget, that is, the transceiver's minimum launch power minus its receiver sensitivity, or equivalently the maximum channel insertion loss IEEE 802.3 specifies for that PMD and fiber type. It is not compared against the receiver sensitivity alone, which is an absolute power level, not a loss. A margin of at least 3 dB above the worst-case loss is recommended for long-term reliability, and the link must separately stay within the application's maximum reach, which modal bandwidth limits independently of loss.
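The budget calculation above, as an added example that is not part of TIA-568.3-D or CISA's guidance. Only the 0.75 dB and 0.3 dB component maxima come from the standard; the attenuation coefficient, allowed channel loss and maximum reach are inputs to take from the cable and transceiver datasheets, and the numbers in the usage block at the bottom are illustrative assumptions rather than measured values. The script also derives the longest run that still holds the design margin and caps it at the application reach, which is the check installers most often forget.

```python
"""Optical loss budget check for a fiber link using the TIA-568.3-D
worst-case method (cable attenuation + connector pairs + splices).

Added example. Component maxima are the TIA-568.3-D values; every other
input (attenuation coefficient, allowed channel loss, application reach)
is an assumption to be replaced with datasheet figures.
"""
from dataclasses import dataclass

CONNECTOR_PAIR_MAX_DB = 0.75   # TIA-568.3-D maximum per mated connector pair
SPLICE_MAX_DB = 0.3            # TIA-568.3-D maximum per splice
DEFAULT_MARGIN_DB = 3.0        # design margin for ageing, re-terminations, repairs


@dataclass(frozen=True)
class LossBudget:
    cable_loss_db: float
    connector_loss_db: float
    splice_loss_db: float
    worst_case_loss_db: float
    allowed_loss_db: float
    headroom_db: float          # allowed channel loss minus worst case
    passes: bool                # headroom >= margin AND length <= application reach


def link_loss_budget(length_m, atten_db_per_km, mated_pairs, splices,
                     allowed_channel_loss_db, max_reach_m,
                     margin_db=DEFAULT_MARGIN_DB):
    """Worst-case channel loss and the headroom against the application budget.

    allowed_channel_loss_db is the application's channel insertion-loss limit
    (launch power minus receiver sensitivity), never the sensitivity alone.
    max_reach_m is the application's distance limit for this fiber type,
    which modal bandwidth sets independently of loss.
    """
    cable = atten_db_per_km * length_m / 1000.0
    connectors = mated_pairs * CONNECTOR_PAIR_MAX_DB
    splice = splices * SPLICE_MAX_DB
    worst = cable + connectors + splice
    headroom = allowed_channel_loss_db - worst
    passes = headroom >= margin_db and length_m <= max_reach_m
    return LossBudget(round(cable, 3), round(connectors, 3), round(splice, 3),
                      round(worst, 3), allowed_channel_loss_db,
                      round(headroom, 3), passes)


def max_length_m(atten_db_per_km, mated_pairs, splices,
                 allowed_channel_loss_db, max_reach_m,
                 margin_db=DEFAULT_MARGIN_DB):
    """Longest run that keeps the design margin, capped at the application reach."""
    fixed = mated_pairs * CONNECTOR_PAIR_MAX_DB + splices * SPLICE_MAX_DB
    budget_for_cable = allowed_channel_loss_db - margin_db - fixed
    if budget_for_cable <= 0:
        return 0.0                      # connectors alone consume the budget
    by_loss = budget_for_cable / atten_db_per_km * 1000.0
    return round(min(by_loss, max_reach_m), 1)


if __name__ == "__main__":
    # Assumed inputs: OM4 at 3.0 dB/km, 150 m between enclaves, a patch panel
    # at each end plus a cross-connect (4 mated pairs), no splices, and an
    # application allowing 8.0 dB of channel loss over a 400 m reach.
    b = link_loss_budget(150, 3.0, 4, 0, 8.0, 400)
    print(f"worst-case {b.worst_case_loss_db} dB, headroom {b.headroom_db} dB, "
          f"{'PASS' if b.passes else 'FAIL'}")
    print(f"longest run at this margin: {max_length_m(3.0, 4, 0, 8.0, 400)} m")
```

Keep the inputs and the computed worst case in the as-built record next to the measured Tier 1 loss: a measured value that later drifts toward the worst-case figure is the first hint that a connector was disturbed.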
Copper Cabling: Segmentation Within Secure Enclaves
Within a secured enclave, such as a SCIF (Sensitive Compartmented Information Facility) or an OT network closet, structured copper cabling remains the standard for device-level connectivity. Cat6A is the minimum recommended category for new data center installations under TIA-942-B, and its 100 m reach at 10GBASE-T makes it the practical floor for any new high-security build. Category 8 (ANSI/TIA-568.2-D; the ISO/IEC 11801 equivalent is Class I) supports 25GBASE-T and 40GBASE-T at up to 30 m, making it suitable for top-of-rack direct connections within isolated server clusters.
Shielded cabling (F/UTP, S/FTP) is recommended or required in OT and ICS environments per IEC 61918 (Industrial Communication Networks) to reduce susceptibility to electromagnetic interference from motors, VFDs, and power infrastructure co-located in industrial settings.
Segmentation Architecture: Tiered Zone Model
CISA and NIST SP 800-82r3 recommend a tiered zone model for ICS/OT environments. The table below maps physical layer requirements to each zone:
| Zone | Description | Recommended Cabling | Key Standard | Physical Isolation Mechanism |
|---|---|---|---|---|
| Zone 0 — Air-Gapped OT Core | PLCs, RTUs, safety instrumented systems | OS2 single-mode or OM4 fiber; shielded Cat6A for device drops | IEC 62443-3-3; NIST SP 800-82r3 | No bidirectional electronic pathway to any other zone (at most a one-way export through a data diode into Zone 1, or none at all where a true air gap is required); dedicated locked enclosures per TIA-942-B |
| Zone 1 — Control Network DMZ | Historian servers, data diodes, unidirectional gateways | OM4 multimode fiber backbone; Cat6A horizontal | ANSI/TIA-568.2-D; TIA-942-B | Data diode hardware; separate patch panels; color-coded cable management per BICSI TDMM |
| Zone 2 — Secure IT Enclave | Jump servers, security monitoring, SIEM | Cat6A or Cat8; OM4/OM5 fiber uplinks | IEEE 802.3-2022; ISO/IEC 11801-1 | VLAN + firewall; dedicated rack/enclosure; access control per TIA-942-B Rated-2 or higher |
| Zone 3 — Enterprise IT | Corporate LAN, user endpoints | Cat6A minimum; OM3/OM4 backbone | ANSI/TIA-568.2-D | Firewall/IDS segmentation; standard rack infrastructure |
Testing, Certification, and Documentation Requirements
For critical infrastructure and federal environments, cabling plant certification is not optional; it is an audit artifact. BICSI's Telecommunications Distribution Methods Manual (TDMM), 14th edition, calls for every installed link to be tested against the applicable TIA or ISO/IEC performance standard with a field tester of the required accuracy level (Level IIIe for Cat6A and Level 2G for Category 8 under ANSI/TIA-1152-A). Fluke Networks DSX-series cable analyzers, for example, are widely used to produce TIA-568.2-D pass/fail reports with permanent link and channel results; those reports become part of the as-built documentation package that supports an Authority to Operate (ATO) submission under the NIST RMF.
For fiber, TIA-568.3-D requires Tier 1 insertion-loss testing of every link with an optical loss test set (light source and power meter) per TIA-526-14 (multimode) and TIA-526-7 (single-mode); note that 526-7 is the single-mode procedure and 526-14 the multimode one, not the other way round. Tier 2 OTDR (Optical Time-Domain Reflectometer) characterization is optional under the standard but is the test that matters for security: the trace locates every connector, splice and bend along the run, verifies fiber length, and documents the optical signature of each secure segment. That signature is the baseline against which later traces are compared; a new loss event mid-span, a changed fiber length, or an unexplained rise in end-to-end loss are the indicators of physical tampering such as a bend-coupler tap. Test with launch and tail cords and from both ends, because the dead zone after each reflective event hides anything placed within a few meters of a connector.
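The baseline comparison described above, as an added example that is not part of TIA-526, TIA-568.3-D or any OTDR vendor's software. Events are modelled the way OTDRs export them (distance, type, loss, reflectance); both event tables are constructed for this example, and the tolerances are assumptions to tune against the instrument's distance accuracy and the link's measured trace-to-trace repeatability.

```python
"""Diff an OTDR event table against its commissioning baseline and flag the
changes that indicate physical tampering on a secure fiber segment.

Added example with constructed data. A non-reflective loss event that was
not present at commissioning is the classic signature of a bend-coupler tap;
a new reflective event suggests an inserted connector or a break; a moved
fiber end means the run was cut or re-routed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DISTANCE_TOL_M = 2.0      # assumed distance repeatability between traces
LOSS_TOL_DB = 0.10        # assumed per-event loss repeatability
REFLECT_TOL_DB = 3.0      # assumed reflectance repeatability
TOTAL_LOSS_TOL_DB = 0.15  # assumed end-to-end loss repeatability


@dataclass(frozen=True)
class Event:
    distance_m: float
    kind: str                  # "reflective" (connector, mechanical splice), "loss" (fusion splice, bend), "end"
    loss_db: float
    reflectance_db: Optional[float] = None


def _match(event: Event, table: List[Event]) -> Optional[Event]:
    """Event of the same kind within DISTANCE_TOL_M in the other table."""
    for e in table:
        if e.kind == event.kind and abs(e.distance_m - event.distance_m) <= DISTANCE_TOL_M:
            return e
    return None


def compare_traces(baseline: List[Event], current: List[Event]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means no change."""
    findings = []
    for cur in current:
        base = _match(cur, baseline)
        if base is None:
            if cur.kind == "end":
                old = next((e for e in baseline if e.kind == "end"), None)
                old_m = f"{old.distance_m:.1f}" if old else "unknown"
                findings.append(("HIGH", f"fiber end moved: now {cur.distance_m:.1f} m, baseline {old_m} m"))
            else:
                sev = "HIGH" if cur.kind == "loss" else "MEDIUM"
                findings.append((sev, f"new {cur.kind} event at {cur.distance_m:.1f} m ({cur.loss_db:.2f} dB)"))
            continue
        if cur.loss_db - base.loss_db > LOSS_TOL_DB:
            findings.append(("MEDIUM", f"loss at {cur.distance_m:.1f} m rose {cur.loss_db - base.loss_db:.2f} dB"))
        if (cur.reflectance_db is not None and base.reflectance_db is not None
                and cur.reflectance_db - base.reflectance_db > REFLECT_TOL_DB):
            # Reflectance rising (less negative) points to a connector opened and re-mated dirty.
            findings.append(("MEDIUM", f"reflectance at {cur.distance_m:.1f} m rose to {cur.reflectance_db:.1f} dB"))
    for base in baseline:
        if base.kind != "end" and _match(base, current) is None:
            findings.append(("MEDIUM", f"baseline {base.kind} event at {base.distance_m:.1f} m is missing"))
    delta = sum(e.loss_db for e in current) - sum(e.loss_db for e in baseline)
    if delta > TOTAL_LOSS_TOL_DB:
        findings.append(("HIGH", f"end-to-end loss up {delta:.2f} dB against baseline"))
    return findings


def baseline_events() -> List[Event]:
    """Constructed commissioning baseline for a 300 m OM4 inter-enclave link."""
    return [
        Event(0.0, "reflective", 0.40, -45.0),    # launch cord to patch-panel connector
        Event(98.5, "loss", 0.05),                # fusion splice in the splice tray
        Event(202.0, "reflective", 0.55, -40.0),  # cross-connect patch panel
        Event(300.0, "end", 0.00, -14.0),         # far-end connector / tail cord
    ]


def tapped_events() -> List[Event]:
    """Constructed later trace: a clip-on bend coupler was added near 137 m."""
    return [
        Event(0.0, "reflective", 0.40, -45.0),
        Event(98.5, "loss", 0.05),
        Event(137.2, "loss", 0.60),               # the tap: loss with no connector or splice on record
        Event(202.0, "reflective", 0.58, -40.0),  # within tolerance of baseline
        Event(300.1, "end", 0.00, -14.0),
    ]


if __name__ == "__main__":
    for sev, msg in compare_traces(baseline_events(), tapped_events()):
        print(f"[{sev}] {msg}")
```

Keep the original trace file, not only the exported event table, under change control with the rest of the as-built package, and re-run the comparison after any authorized work on the run so that the baseline reflects the current, verified state.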
"The physical infrastructure audit trail—cabling test reports, rack diagrams, and fiber OTDR traces—is the foundation of defens