Subscribe to the Non-Human & AI Identity Journal

Disconnectable Conduit

A disconnectable conduit is a controlled communication path that can be deliberately shut down without collapsing the entire operational environment. In OT security, it limits how far a compromise can travel and gives responders a fast isolation option during an incident or maintenance event.

Expanded Definition

A disconnectable conduit is more than a network segment that happens to be switchable. It is an intentionally designed communication path in operational technology environments that can be isolated on demand while preserving safe and known system behaviour. The concept is closely related to industrial segmentation and containment, but it adds an operational requirement: the conduit must be interruptible without forcing a total shutdown or creating uncontrolled fallback behaviour. That distinction matters because availability and safety often outweigh convenience in OT, yet responders still need a fast way to stop lateral movement during an incident.

In practice, the term is used where controls must support planned maintenance, emergency containment, or staged recovery. Definitions vary across vendors and engineering disciplines, but the security intent is consistent: build a path that can be closed deliberately, verified quickly, and reopened under change control. NIST’s NIST Cybersecurity Framework 2.0 is useful here because it frames resilience, recovery, and protective controls as part of a broader security outcome rather than a single device setting.

The most common misapplication is treating any firewall rule, VLAN, or maintenance shutdown as a disconnectable conduit, which occurs when the path cannot be isolated quickly and safely without disrupting unrelated plant functions.

Examples and Use Cases

Implementing a disconnectable conduit rigorously often introduces operational constraints, requiring organisations to weigh isolation speed against uptime, process stability, and safety interlocks.

  • A remote vendor access path to a PLC network is placed behind a controlled break-glass mechanism so it can be cut off during suspicious activity without affecting the control room.
  • An engineering workstation route to a historian or SCADA segment is designed with approved maintenance windows, documented shutdown steps, and tested restoration procedures.
  • A plant-to-plant communications link is segmented so an incident in one site does not automatically propagate to the other, aligning with containment principles described in NIST Cybersecurity Framework 2.0.
  • An OT demilitarized zone is configured so an emergency command path can be disabled while core safety instrumentation continues operating locally.
  • A third-party service tunnel is engineered with explicit approval, logging, and timed expiry so access can be disconnected immediately after maintenance or when anomalous behaviour is detected.

In these scenarios, the conduit is valuable because it separates routine operations from emergency isolation. It gives incident responders a predictable path to sever communications without improvising under pressure, which is often where errors occur.

Why It Matters for Security Teams

Security teams need to understand disconnectable conduits because OT compromise is rarely contained by conventional IT assumptions. A path that looks segmented on paper may still permit unsafe traversal if it cannot be predictably shut down, if dependencies are undocumented, or if restoration requires manual work that nobody has rehearsed. In those cases, the organisation may have a theoretical control and no practical containment option.

The concept also matters for governance. A disconnectable conduit should have an owner, an approved trigger for disconnection, logging for each activation, and a tested recovery plan. Those requirements connect naturally to resilience thinking in NIST Cybersecurity Framework 2.0, especially where recoverability and protective safeguards must be demonstrated rather than assumed. For OT environments that support digital identity or remote operations, the conduit may also be the only practical boundary for vendor credentials, service accounts, and privileged sessions.

Organisations typically encounter the full operational cost of a disconnectable conduit only after an intrusion, failed maintenance cutover, or unsafe process anomaly, at which point the ability to isolate communication becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022, NIS2 and DORA define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC Access control and segmentation support the ability to isolate communication paths.
NIST SP 800-53 Rev 5 SC-7 Boundary protection and segmentation underpin controlled, disconnectable paths.
ISO/IEC 27001:2022 A.8.20 Network security controls address managed separation between operational zones.
NIS2 NIS2 drives resilience and incident response expectations for critical environments.
DORA DORA emphasises ICT resilience and controlled recovery, which maps to disconnectable conduits.

Ensure critical service paths can be isolated and recovered in a way that supports resilience obligations.