Back to blog
Best Practices

Network Segmentation in OT: The Technical Decision That Separates an Intrusion from a Plant Outage

If your OT network is still flat or only cosmetically segmented, you do not have defense in depth. Proper segmentation remains the highest-impact control for reducing lateral movement and protecting industrial continuity.

Roger
#network segmentation#OT security#security architecture#ICS#system isolation

There is an uncomfortable truth in industrial cybersecurity: too many sites buy advanced detection while ignoring baseline architecture.

They deploy NDR, tune SIEM use cases, and improve endpoint controls, but the OT network is still overly permissive. Then one IT compromise turns into a cross-domain incident.

If you force me to pick one control with the highest real-world impact in OT, I will pick network segmentation. Not because it is fashionable, but because it consistently prevents escalation.

Not “VLANs and done.” Real segmentation: zones, conduits, explicit policy, temporary exceptions that actually expire, and disciplined operations.

The attack pattern that keeps repeating

Major OT-impact incidents usually do not begin with a direct internet attack on a PLC. The recurring pattern is more ordinary and more dangerous:

  1. Initial compromise in IT (phishing, stolen credentials, weak remote access, third-party foothold).
  2. Internal discovery and privilege expansion.
  3. Pivot to IT/OT boundary systems (historians, jump hosts, update infrastructure, backups).
  4. Lateral movement toward SCADA, engineering workstations, then control assets.

This pattern aligns with incidents everyone in this industry should already know:

  • Colonial Pipeline (2021): IT compromise drove operational shutdown decisions due to business and continuity risk.
  • Oldsmar (2021): weak remote access governance exposed critical utility operations.
  • TRITON/TRISIS (2017): adversaries reached Safety Instrumented Systems (SIS), where cyber risk intersects physical safety.
  • Stuxnet: engineering and control path compromise used for precise process manipulation.

The practical lesson is simple: attackers exploit legitimate connectivity. If you do not constrain that connectivity, the network becomes their delivery system.

What OT segmentation is, and what it is not

Segmentation is not a drawing exercise. It is the deliberate removal of unnecessary trust paths.

In IEC 62443-3-2 terms:

  • Zones group assets with similar security requirements.
  • Conduits define and control communication between zones.

Operationally, that requires three non-negotiable decisions:

  1. Which assets share a trust domain.
  2. Exactly which communications are allowed between domains.
  3. Who owns and reviews every exception.

If you cannot answer those from a current communication matrix, you are not segmented. You are inheriting historical connectivity.

Purdue helps, but engineering decides

The Purdue model remains useful for structuring conversations across OT and IT teams. The mistake is treating it as a rigid template.

Modern plants are hybrid by default:

  • Legacy controllers with weak native security.
  • Vendor remote support requirements.
  • Cloud-linked analytics and maintenance workflows.
  • Longstanding undocumented dependencies.

NIST SP 800-82 is clear on intent: separate domains, minimize pathways, and protect trust boundaries. Purdue frames the conversation; actual traffic and process risk must drive the design.

Where to segment first for maximum risk reduction

If you are starting from a flat network, do not chase full microsegmentation on day one. Prioritize where one change removes the most attack path.

1) IT/OT boundary and Industrial DMZ

This is your highest ROI control.

Minimum serious design:

  • A real Industrial DMZ between enterprise and control networks.
  • No direct enterprise access to operational/control layers.
  • Only tightly justified cross-domain services: historian replication, hardened administrative jump paths, approved intermediary update services, validated time sync.
  • Deny by default, explicit allowlists.

Common failure mode: temporary broad rules created during rollout and never removed.

2) Separate engineering, operations, and support services

Many environments still place engineering workstations, SCADA/HMI runtime, and support servers in one segment. That creates unnecessary blast radius.

Recommended separation:

  • Engineering and maintenance segment.
  • Operations supervision segment.
  • Process cell control segments.
  • Shared services placed in controlled zones, not embedded in runtime segments.

A compromised engineering laptop should not have unconstrained reach across the control domain.

3) Segment by process cell or production unit

Segment by process impact, not by organizational chart.

Packaging, utilities, water treatment, and safety functions should not share equivalent lateral exposure. Cell-level segmentation limits operational contagion.

Industrial protocols: where policy quality is exposed

In ICS environments, port filtering is necessary but not sufficient.

  • Modbus/TCP has no native authentication.
  • S7comm and similar protocols assume trusted internal networks.
  • Legacy OPC deployments often inherit weak trust models.

Practical control expectations:

  • Source/destination allowlists at endpoint-pair granularity.
  • Directional restrictions where feasible.
  • Strict separation of engineering traffic from routine operations traffic.
  • Bastion-mediated privileged access with MFA.
  • Session recording and change audit trails.

Where technically feasible, standardize critical integrations on OPC UA with certificates and encryption. But protocol modernization without segmentation still leaves lateral movement pathways intact.

Using IEC 62443 and NIST 800-82 without compliance theater

When teams say “we need to be compliant,” the right answer is: first make the architecture defensible.

Practical alignment:

  • IEC 62443-3-2: risk-based zone and conduit model.
  • IEC 62443-3-3: enforce technical requirements by zone/conduit.
  • NIST SP 800-82: harden ICS/IT boundaries, remote access, and monitoring.

Frameworks do not replace engineering judgment. They force consistency and accountability.

Mistakes that still cause preventable incidents

  1. IT/OT “temporary” any-any rules that become permanent.
  2. Shared vendor jump hosts with no individual session accountability.
  3. Engineering and operations traffic mixed for convenience.
  4. Firewall policies with no owner or review cadence.
  5. Outdated asset inventories driving wrong policy decisions.

If two or more apply to your environment, this is not optimization work. It is technical debt containment.

A realistic 90-day execution plan

Weeks 1-3: Baseline and criticality mapping

  • Validate OT asset inventory with plant teams.
  • Build passive traffic baseline.
  • Identify crown jewels (SIS, central SCADA, critical controllers, key historians).
  • Map third-party and remote access pathways.

Weeks 4-6: Zone and conduit design

  • Define zones by function and criticality.
  • Build explicit communication matrix by protocol/port/path.
  • Design or harden Industrial DMZ.
  • Establish exception process with owner, rationale, and expiry.

Weeks 7-9: Controlled pilot

  • Apply policies in a scoped area.
  • Measure blocked traffic and validate process impact.
  • Tune rules using evidence, not convenience.
  • Validate rollback end-to-end.

Weeks 10-12: First wave rollout

  • Prioritize highest-risk boundaries and assets.
  • Execute coordinated OT/IT/operations changes.
  • Perform post-change functional validation.
  • Preserve implementation evidence for audit and incident readiness.

Expected outcome: visible reduction in lateral pathways and better containment posture.

Metrics that reflect reality

Do not measure “number of firewalls.” Measure control effectiveness:

  • Percentage of critical assets inside dedicated policy-enforced segments.
  • Number of allowed OT flows without business ownership.
  • Mean time to close temporary policy exceptions.
  • Count of blocked inter-zone lateral attempts.
  • Logging coverage across critical conduits.

These metrics connect cybersecurity work to operational resilience.

Segmentation and Zero Trust: correct sequence

The market often presents Zero Trust as a replacement for network architecture. In OT, that is wrong.

Sound sequence:

  1. Build strong segmentation and constrained pathways.
  2. Enforce identity and session control for privileged access.
  3. Apply continuous context-based verification.

Skip step one and Zero Trust becomes policy language without technical grounding.

Direct recommendations for plant teams

  • Refuse permanent “urgent” exceptions without expiry.
  • Eliminate shared privileged vendor accounts.
  • Require business justification and ownership for every IT-to-OT flow.
  • Where a pathway cannot be removed yet, add compensating controls: bastion access, MFA, full session logging, narrow time windows.
  • Run incident exercises for IT-to-OT pivot scenarios. They expose architectural truth quickly.

Bottom line

In industrial operations, flat networks are not simplicity. They are fragility.

The difference between a contained incident and a site-wide outage is usually decided before the incident starts: by architecture, policy boundaries, and operational discipline.

Proper segmentation is not a cosmetic project or a compliance checkbox. It is a continuity and safety decision.

If your OT environment is still only lightly segmented, you are not “accepting risk.” You are accumulating impact debt.

Start at the IT/OT boundary, define zones by process criticality, enforce default-deny, and govern exceptions ruthlessly. Other controls help. This one prevents escalation.

Want to talk about your industrial security?

Free initial assessment, no commitment.

Contact us
See all articles