OT Network Segmentation: A Practical Guide for Security Teams

Network segmentation is the single most effective control for protecting operational technology (OT) environments from cyber threats. By dividing networks into isolated zones with controlled interconnections, segmentation limits an attacker’s ability to move laterally — turning a potential catastrophic breach into a contained incident. Yet implementing effective OT network segmentation is far more complex than the IT equivalent, requiring deep understanding of operational requirements, safety systems, and the constraints of legacy industrial equipment.

Why OT Segmentation Is Different

In IT environments, segmentation typically involves VLANs, firewalls, and network access controls — all of which can be implemented and modified without significant operational impact. In OT, every network change carries risk. Industrial protocols like Modbus, Profinet, and EtherNet/IP were not designed with firewalls in mind. Process control systems may have hard-coded IP addresses. Making changes to production network infrastructure may require regulatory approval, vendor involvement, and scheduled maintenance windows that occur quarterly or annually.

The Purdue Model: Still Relevant

The Purdue Enterprise Reference Architecture (PERA), developed in the 1990s, remains the foundational model for OT network segmentation. It defines five levels:

  • Level 0 — Physical process (sensors, actuators, field instruments)
  • Level 1 — Basic control (PLCs, RTUs, safety systems)
  • Level 2 — Area supervisory control (SCADA, DCS, HMIs)
  • Level 3 — Site operations (historians, engineering workstations, patch servers)
  • Level 3.5 — Industrial DMZ (secure data exchange between OT and IT)
  • Levels 4–5 — Enterprise network and internet

The Industrial DMZ at Level 3.5 is the critical boundary — a controlled zone where data can flow between OT and IT without direct connectivity between the two environments. This is where historians publish process data to business intelligence systems, where patch servers distribute approved updates, and where remote access solutions terminate.

Implementing OT Network Segmentation

Step 1: Map Your Current Architecture

Before segmenting anything, document what exists. Conduct passive network discovery to identify every device, its communications patterns, and its dependencies. This reveals where segmentation will disrupt legitimate traffic — which must be accommodated — and where unexpected connections exist that represent security risks.

Step 2: Define Segmentation Zones

Group assets by function, criticality, and communication requirements into logical zones. Safety Instrumented Systems (SIS) should be in their own isolated zone. SCADA and DCS systems form another zone. Engineering workstations and historians occupy a separate management zone. Define the permitted communication flows between zones — everything else should be denied.

Step 3: Design the Industrial DMZ

The industrial DMZ architecture typically uses two firewalls — one facing OT, one facing IT — creating a buffer zone. Data flows from OT to IT via a unidirectional gateway or data diode where possible, or via carefully controlled firewall rules where bidirectional communication is required. Place historians, remote access concentrators, and file transfer servers in the DMZ rather than directly in the OT network.

Step 4: Implement Gradually

Attempting to implement full OT segmentation in a single project is high-risk. Start with the highest-value segmentation boundaries — particularly the IT/OT boundary and safety system isolation — and implement in phases aligned with planned maintenance windows. Monitor carefully after each change to catch unintended disruption to operational traffic.
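As an added example (not code from the article), the following Python check turns Step 2's zones and permitted inter-zone flows into an explicit allow-list and runs Step 1's passively observed flows against it, reporting which connections the proposed segmentation would cut. Zone CIDRs, ports and the flow records are constructed for illustration.

```python
import ipaddress

# Constructed zone definitions: one address range per zone (values are illustrative).
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),   # Purdue 4-5
    "idmz":       ipaddress.ip_network("10.35.0.0/24"),  # Purdue 3.5
    "site_ops":   ipaddress.ip_network("10.3.0.0/24"),   # historians, engineering workstations
    "control":    ipaddress.ip_network("10.2.0.0/24"),   # SCADA/DCS and PLCs
    "sis":        ipaddress.ip_network("10.1.0.0/24"),   # safety instrumented systems, isolated
}

# Permitted inter-zone flows (src zone, dst zone, protocol, destination port).
# Anything not listed here is denied by default.
CONDUITS = {
    ("enterprise", "idmz", "tcp", 443),   # BI tier pulls process data from the DMZ historian
    ("idmz", "site_ops", "tcp", 3389),    # jump host RDP to the engineering workstation
    ("site_ops", "control", "tcp", 502),  # SCADA polls PLCs over Modbus/TCP
}

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is not in any zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow):
    """Return 'intra-zone', 'permitted' or 'violation' for one observed flow."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src == dst and src != "unknown":
        return "intra-zone"   # handled by the zone's own switch ACLs, not the zone firewall
    if (src, dst, flow["proto"], flow["dport"]) in CONDUITS:
        return "permitted"
    return "violation"

def audit(flows):
    """List flows the policy would block, with both zones, for review before cut-over."""
    return [(f["src"], zone_of(f["src"]), f["dst"], zone_of(f["dst"]), f["dport"])
            for f in flows if evaluate(f) == "violation"]

# Constructed sample of passively observed flows (as a discovery tool would export them).
FLOWS = [
    {"src": "10.3.0.10", "dst": "10.2.0.5", "proto": "tcp", "dport": 502},    # SCADA -> PLC
    {"src": "10.0.4.22", "dst": "10.2.0.5", "proto": "tcp", "dport": 502},    # office host -> PLC
    {"src": "10.3.0.10", "dst": "10.1.0.3", "proto": "tcp", "dport": 502},    # SCADA -> SIS
    {"src": "10.2.0.5", "dst": "10.2.0.6", "proto": "udp", "dport": 2222},    # PLC <-> PLC
    {"src": "10.35.0.2", "dst": "10.3.0.10", "proto": "tcp", "dport": 3389},  # jump host -> EWS
]

if __name__ == "__main__":
    for row in audit(FLOWS):
        print("would be blocked:", row)
```

The two reported flows illustrate the article's distinction: the office host reaching a PLC is an unexpected connection to remove, while SCADA reading the SIS may be legitimate traffic that needs either an explicit conduit or a redesign before the boundary is enforced.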

Zero Trust in OT Environments

Zero Trust principles are increasingly being applied to OT environments, though with significant adaptations for operational constraints. OT Zero Trust focuses on: identity verification for all users accessing OT systems, microsegmentation to limit blast radius, least-privilege access for vendor and remote connections, and continuous monitoring of all OT network traffic. Full Zero Trust implementation in OT is a multi-year journey — start with the highest-risk use cases like vendor remote access and engineering workstation access.

For a CISO or a Security Architect, moving from traditional IT security to Operational Technology (OT) is often a “culture shock.” In IT, we prioritize Confidentiality; in OT, Availability and Safety are the only metrics that matter. If a security tool causes a 10-millisecond latency on a PLC (Programmable Logic Controller), a multi-million dollar assembly line could grind to a halt—or worse, a safety valve might fail to open.

Network segmentation is the single most effective control to prevent a targeted ransomware attack from jumping from a phished laptop in Accounting to the turbines in a power plant.

1. The Architectural North Star: The Purdue Model

To segment an OT network, you must first speak its language. The industry standard is the Purdue Model for Control Hierarchy (ISA-99/IEC 62443). Think of this as the “OSI Model” for factories.

  • Level 4/5 (Enterprise Zone): The corporate network (Email, ERP, Internet). This is the highest risk zone.
  • Level 3.5 (The DMZ): Critical. No direct traffic should ever go from Level 4 to Level 3. Data must terminate here (e.g., a jump server or a data historian).
  • Level 3 (Site Operations): The “brain” of the plant. Human-Machine Interfaces (HMIs) and control rooms.
  • Level 2 (Control Zone): Where the PLCs and Distributed Control Systems (DCS) live.
  • Level 1/0 (Process Zone): The physical world. Sensors, actuators, and robotic arms.

2. Step-by-Step Practical Implementation

Phase 1: Passive Discovery (The “Do No Harm” Rule)

Never run an active Nmap scan on an OT network. Older PLCs have fragile TCP/IP stacks; a simple port scan can cause them to crash and reboot.

  • Action: Use passive network monitoring tools (e.g., Claroty, Nozomi, or Dragos). These tap into “SPAN” ports to listen to traffic without injecting a single packet.
  • Goal: Map every asset. You cannot segment what you don’t know exists.

Phase 2: Defining the Industrial DMZ (iDMZ)

The most common breach path is a compromised VPN or workstation in the IT office reaching into the plant.

  • Action: Place an Industrial Firewall between IT and OT.
  • The Rule: Deny All by Default.
  • Practical Tip: Use a “Jump Host” with Multi-Factor Authentication (MFA) in the DMZ. An engineer logs into the Jump Host, and only from there can they RDP into the HMI.

Phase 3: Intra-Zone Micro-segmentation

Once the perimeter is secure, you must prevent “Lateral Movement” within the plant. If one PLC is infected, you don’t want the whole floor to go dark.

  • Action: Group assets by Process Function (e.g., “Packaging Line A” is its own VLAN, “Boiler Room” is another).
  • Hardware: Use “Ruggedized” switches that support Virtual LANs (VLANs) and Access Control Lists (ACLs).

3. The Technical “Must-Haves” for OT Firewalls

Standard IT firewalls (like a basic branch-office router) aren’t enough. You need Deep Packet Inspection (DPI) for industrial protocols.

  • Protocol Awareness: The firewall must understand Modbus, Profinet, EtherNet/IP, and DNP3.
  • Function Code Blocking: A sophisticated OT firewall doesn’t just see “Traffic on Port 502.” It sees “User is trying to Write a new program to the PLC” and blocks it, while allowing “User is Reading temperature data.”
  • Physical Hardening: OT gear often lives in cabinets without AC, surrounded by electromagnetic interference. It needs to be fanless and DIN-rail mountable.
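As an added example (not from the article or any vendor product), this Python snippet shows the function-code awareness described above for Modbus/TCP: it parses the MBAP header, classifies the public function code as read, write or diagnostic, and applies a per-source allow-list so a SCADA poller may read but not write. The sample frames and policies are constructed; vendor-specific program-download functions are outside the public code set and are not modelled.

```python
import struct

# Modbus public function codes grouped by their effect on the process.
READ_ONLY = {1: "Read Coils", 2: "Read Discrete Inputs",
             3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE = {5: "Write Single Coil", 6: "Write Single Register",
         15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DIAGNOSTIC = {8: "Diagnostics"}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

def parse_modbus_tcp(payload: bytes):
    """Parse the MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[MBAP_LEN]
    return {"tid": tid, "unit": unit, "fc": fc, "data": payload[MBAP_LEN + 1:]}

def classify(fc: int) -> str:
    if fc in READ_ONLY:
        return "read"
    if fc in WRITE:
        return "write"
    if fc in DIAGNOSTIC:
        return "diagnostic"
    return "other"   # user-defined or vendor codes: deny unless explicitly allowed

def decide(payload: bytes, policy: set) -> str:
    """Return 'allow' or 'deny' for a request under the source's permitted classes."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError:
        return "deny"   # malformed frames never reach the PLC
    return "allow" if classify(req["fc"]) in policy else "deny"

# Constructed frames: read 10 holding registers from address 0; write 0x00FF to register 16.
READ_REQ = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_REQ = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")

SCADA_POLICY = {"read"}          # HMI/SCADA servers only poll
EWS_POLICY = {"read", "write"}   # engineering workstation, during a maintenance window

if __name__ == "__main__":
    print("SCADA write:", decide(WRITE_REQ, SCADA_POLICY))   # deny
```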

4. Common Pitfalls (The “Human Touch”)

  • The “Shadow” Cell Modem: Engineers often get frustrated with strict security and plug a 4G/5G cellular modem directly into a machine to get “easy remote access.” This bypasses all your segmentation. Periodic “War Walking” or wireless signal detection is necessary.
  • The “Safety” Exception: Never segment a Safety Instrumented System (SIS) in a way that could delay a “Trip” signal. Safety systems should often be on their own physically isolated fiber loop.
  • The “Sneakernet”: Even with perfect segmentation, a technician with a “dirty” USB drive can bypass the firewall. USB lockdown or “Sheep Dip” stations (kiosks that scan USBs before use) are mandatory.

5. Summary Checklist for the Security Team

| Task | Priority | Risk of Downtime |
| --- | --- | --- |
| Asset Inventory (Passive) | High | Zero |
| Establish iDMZ (Purdue 3.5) | Critical | Low (if planned) |
| Disable Unused Ports | Medium | Low |
| MFA for Remote Access | High | Zero |
| DPI for Industrial Protocols | High | Medium (requires tuning) |
| VLAN Segmentation | Medium | High (requires downtime to implement) |

For comprehensive OT security guidance including network architecture, segmentation strategies, and real-world implementation, download the free book Safeguarding Industrial Operations, published in partnership with Neox Networks.

CISO Strategic Insight: OT network segmentation is a programme, not a project. Plan for 18–36 months to achieve mature segmentation in a complex industrial environment. Prioritise the IT/OT boundary and safety system isolation first — these deliver the greatest risk reduction per unit of effort.