OT Network Segmentation: The Foundation of Industrial Cybersecurity
Why segmentation matters
Most industrial cyber incidents don’t start in the OT network. They start in IT — a phishing email, a compromised remote access session, a vulnerable internet-facing system. From there, attackers move laterally into OT environments through flat, unsegmented networks where IT and OT traffic flows freely.
Network segmentation changes this equation. By separating OT networks from IT networks — and separating different zones within the OT environment — you limit the blast radius of any breach and make lateral movement significantly harder.
The Purdue Model in practice
The Purdue Enterprise Reference Architecture provides a useful framework for thinking about OT network segmentation. It defines distinct levels:
- Level 0-1: Physical process and basic control — sensors and actuators (Level 0) and the PLCs, RTUs and safety controllers that drive them (Level 1)
- Level 2: Supervisory control — SCADA servers, HMIs, DCS operator stations
- Level 3: Site operations — MES, historians, engineering workstations and other operational data systems
- Level 3.5: DMZ — the critical boundary between IT and OT
- Level 4-5: Enterprise IT — business systems, internet
Traffic between levels should be controlled, logged, and limited to what’s operationally necessary. The DMZ (Level 3.5) is particularly important: it is where IT and OT exchange data without ever connecting directly. Every cross-boundary flow terminates in the DMZ, whether on a historian replica, a patch or anti-malware relay, or a jump host for remote access. The OT side pushes data up into the DMZ and enterprise systems read from it; no session should originate in Level 4 and end in Level 3 or below, and nothing in the DMZ should simply forward connections from one side to the other.
What effective segmentation looks like
Effective network segmentation in an industrial environment involves:
Firewalls with OT-aware rule sets. Industrial firewalls should inspect traffic at the application layer and understand industrial protocols — Modbus, DNP3, EtherNet/IP, and others. A port-level rule that opens TCP/502 permits every Modbus operation, reads and writes alike, and Modbus itself has no authentication, so the firewall is the only place to enforce that a historian may poll a PLC but never write to it. An OT-aware rule can allow the read function codes and drop everything else. Generic IT firewalls often can’t inspect these protocols at all.
Separate network infrastructure. Where possible, OT networks should run on physically separate switches and cabling infrastructure, not just VLANs on shared equipment.
Strict inter-zone policies. Traffic rules between zones should follow the principle of least privilege — only permitting the specific flows that are operationally necessary. Everything else should be denied by default.
Monitoring at zone boundaries. Traffic crossing zone boundaries should be logged and monitored, ideally by a passive sensor fed from a SPAN port or network TAP so that monitoring never becomes a point of failure for the process. Unusual patterns — protocols that have no business at that boundary, hosts or zones that have never talked to each other before, volumes far above the established baseline, or one host reaching many others in a short time — should trigger alerts.
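The DMZ rule, the default-deny inter-zone policy and application-layer Modbus inspection described above, brought together in one place as an added example. This is illustrative Python, not Deftec's code and not any firewall product's rule language; the zone names, the policy table, the assumed PostgreSQL replication port and the sample Modbus frames are all assumptions. It generalises the historian case in the text: any zone pair can be given its own function-code allowlist.

```python
"""
Added example (not Deftec's code): a minimal OT-aware inter-zone filter.

Every request crossing a zone boundary passes two checks:
  1. A default-deny zone policy: only explicitly listed
     (src_zone, dst_zone, protocol, port) tuples are permitted.
  2. For Modbus/TCP, inspection of the function code in the request, so a
     zone can be limited to read-only access even though TCP/502 is open.
Zone names, the policy table, port numbers and sample frames are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Modbus function codes that only read process data
MODBUS_READ_FC = frozenset({1, 2, 3, 4})
# Function codes that change coils or registers (23 is read/write multiple)
MODBUS_WRITE_FC = frozenset({5, 6, 15, 16, 22, 23})
MODBUS_PORT = 502

# Default-deny policy. Value: allowed Modbus function codes for Modbus rules,
# or None for rules where only the port is checked (no application inspection).
POLICY = {
    # Level 2 supervisory systems may read and write their Level 1 controllers
    ("L2_SUPERVISORY", "L1_CONTROL", "tcp", MODBUS_PORT): MODBUS_READ_FC | MODBUS_WRITE_FC,
    # The Level 3 historian may only poll (read) the controllers
    ("L3_OPERATIONS", "L1_CONTROL", "tcp", MODBUS_PORT): MODBUS_READ_FC,
    # Historian replicates into the DMZ replica (assumed PostgreSQL on 5432)
    ("L3_OPERATIONS", "L3_5_DMZ", "tcp", 5432): None,
    # Enterprise reporting reads the DMZ replica, never Level 3 directly
    ("L4_ENTERPRISE", "L3_5_DMZ", "tcp", 5432): None,
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    payload: bytes = b""  # first application-layer bytes of the request


def parse_modbus_tcp(payload: bytes) -> Optional[Tuple[int, int]]:
    """Return (unit_id, function_code) from a Modbus/TCP ADU, or None if malformed.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1); the PDU follows and its first byte is the function code.
    """
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("ALLOW" | "DENY", reason) for one request crossing a zone boundary."""
    key = (flow.src_zone, flow.dst_zone, flow.proto, flow.dport)
    if key not in POLICY:
        return "DENY", f"no rule for {key}; default deny"
    allowed_fcs: Optional[FrozenSet[int]] = POLICY[key]
    if allowed_fcs is None:
        return "ALLOW", f"port rule {key}"
    parsed = parse_modbus_tcp(flow.payload)
    if parsed is None:
        return "DENY", "malformed Modbus/TCP frame on a Modbus rule"
    unit_id, fc = parsed
    if fc not in allowed_fcs:
        return "DENY", f"function code {fc} to unit {unit_id} not permitted from {flow.src_zone}"
    return "ALLOW", f"function code {fc} to unit {unit_id}"


def modbus_frame(tid: int, unit: int, fc: int, addr: int, value: int) -> bytes:
    """Build a 12-byte Modbus/TCP request (read request or single-register write)."""
    return struct.pack("!HHHBBHH", tid, 0, 6, unit, fc, addr, value)


# Constructed sample requests
READ_HOLDING = modbus_frame(1, 1, 3, 0, 10)      # FC 3: read 10 holding registers
WRITE_SINGLE = modbus_frame(2, 1, 6, 0, 0x1234)  # FC 6: write one holding register

if __name__ == "__main__":
    for f in (
        Flow("L2_SUPERVISORY", "L1_CONTROL", "tcp", 502, WRITE_SINGLE),   # ALLOW
        Flow("L3_OPERATIONS", "L1_CONTROL", "tcp", 502, READ_HOLDING),    # ALLOW
        Flow("L3_OPERATIONS", "L1_CONTROL", "tcp", 502, WRITE_SINGLE),    # DENY: read-only
        Flow("L4_ENTERPRISE", "L3_OPERATIONS", "tcp", 5432),              # DENY: bypasses DMZ
        Flow("L4_ENTERPRISE", "L3_5_DMZ", "tcp", 5432),                   # ALLOW
        Flow("L2_SUPERVISORY", "L1_CONTROL", "tcp", 502, b"\x00\x01\x00"),  # DENY: malformed
    ):
        print(f.src_zone, "->", f.dst_zone, *evaluate(f))
```

Two things a real inline device does that this sketch does not: it reassembles the TCP stream before looking at function codes, because a single segment can carry several Modbus ADUs and a request can straddle segments, and it tracks connection state so that the policy is applied per session rather than per packet. Note also that the policy is directional: the DMZ replica is never listed as a source toward Level 4, so a connection opened from the DMZ into the enterprise is denied by default.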
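The boundary monitoring described above, as an added example that is not Deftec's code and not a Zeek script: a detector run over constructed conn.log-style records that flags flows absent from a baseline, IT management protocols entering the control zones, addresses that belong to no defined zone, high volume from one host into a zone, and one host fanning out to many hosts across boundaries. Zone subnets, the baseline, the thresholds and the log lines are all assumptions.

```python
"""
Added example (not Deftec's code): detection logic for traffic crossing OT
zone boundaries, run over constructed conn.log-style records.

Zone subnets, the baseline, thresholds and the log lines are assumptions.
Record layout is a simplified, tab-separated version of Zeek's conn.log:
ts, uid, orig host, orig port, resp host, resp port, proto, service,
orig bytes, resp bytes.
"""
import ipaddress
from collections import defaultdict
from typing import List, Optional, Tuple

ZONES = {  # assumed addressing: one /24 per zone
    ipaddress.ip_network("10.4.0.0/24"): "L4_ENTERPRISE",
    ipaddress.ip_network("10.35.0.0/24"): "L3_5_DMZ",
    ipaddress.ip_network("10.3.0.0/24"): "L3_OPERATIONS",
    ipaddress.ip_network("10.2.0.0/24"): "L2_SUPERVISORY",
    ipaddress.ip_network("10.1.0.0/24"): "L1_CONTROL",
}
CONTROL_ZONES = {"L1_CONTROL", "L2_SUPERVISORY"}
# Boundary flows seen during a baselining period and approved by operations
BASELINE = {
    ("L2_SUPERVISORY", "L1_CONTROL", "modbus"),
    ("L3_OPERATIONS", "L1_CONTROL", "modbus"),
    ("L3_OPERATIONS", "L3_5_DMZ", "postgresql"),
    ("L4_ENTERPRISE", "L3_5_DMZ", "postgresql"),
}
# IT management protocols that should never terminate in the control zones
BANNED_INTO_CONTROL = {"ssh", "rdp", "smb"}
BYTES_THRESHOLD = 10_000_000  # bytes from one host into one zone per analysed window
FANOUT_THRESHOLD = 5          # distinct cross-boundary destinations from one host


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_record(line: str) -> Optional[dict]:
    fields = line.split("\t")
    if len(fields) != 10:
        return None
    _ts, uid, src, _sport, dst, dport, proto, service, obytes, rbytes = fields
    return {"uid": uid, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "service": service, "bytes": int(obytes) + int(rbytes)}


def analyse(lines) -> List[Tuple[str, str]]:
    """Return (alert_kind, detail) tuples for the boundary crossings in `lines`."""
    alerts = []
    new_flows_seen = set()
    bytes_by_src_zone = defaultdict(int)
    dsts_by_src = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
        if "UNKNOWN" in (src_zone, dst_zone):
            # An address that maps to no zone is itself a finding on an OT network
            alerts.append(("UNKNOWN_ZONE", f'{rec["uid"]}: {rec["src"]} -> {rec["dst"]}'))
            continue
        if src_zone == dst_zone:
            continue  # intra-zone traffic never crosses a boundary
        key = (src_zone, dst_zone, rec["service"])
        if dst_zone in CONTROL_ZONES and rec["service"] in BANNED_INTO_CONTROL:
            alerts.append(("BANNED_PROTOCOL", f'{rec["uid"]}: {rec["service"]} into {dst_zone} from {rec["src"]}'))
        elif key not in BASELINE and key not in new_flows_seen:
            new_flows_seen.add(key)  # report each unseen zone/service pair once
            alerts.append(("NEW_FLOW", f'{rec["uid"]}: {key}'))
        bytes_by_src_zone[(rec["src"], dst_zone)] += rec["bytes"]
        dsts_by_src[rec["src"]].add(rec["dst"])
    for (src, dst_zone), total in bytes_by_src_zone.items():
        if total > BYTES_THRESHOLD:
            alerts.append(("HIGH_VOLUME", f"{src} moved {total} bytes into {dst_zone}"))
    for src, dsts in dsts_by_src.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts.append(("FANOUT", f"{src} reached {len(dsts)} hosts across zone boundaries"))
    return alerts


# Constructed records: normal polling and replication, then an enterprise host
# going straight to Level 3 over RDP, SMB from the DMZ into Level 2, a large
# push into the DMZ, a Modbus sweep of Level 1 from Level 4, and an unmapped host.
SAMPLE_LOG = """\
1700000000.1\tC1\t10.2.0.10\t49152\t10.1.0.5\t502\ttcp\tmodbus\t1200\t900
1700000001.2\tC2\t10.3.0.20\t49153\t10.1.0.5\t502\ttcp\tmodbus\t800\t600
1700000002.3\tC3\t10.3.0.20\t49154\t10.35.0.8\t5432\ttcp\tpostgresql\t4000000\t200
1700000003.4\tC4\t10.4.0.50\t49155\t10.35.0.8\t5432\ttcp\tpostgresql\t300\t50000
1700000004.5\tC5\t10.4.0.50\t49156\t10.3.0.20\t3389\ttcp\trdp\t5000\t20000
1700000005.6\tC6\t10.35.0.8\t49157\t10.2.0.10\t445\ttcp\tsmb\t700\t300
1700000006.7\tC7\t10.3.0.20\t49158\t10.35.0.8\t5432\ttcp\tpostgresql\t9000000\t200
1700000007.8\tC8\t10.4.0.50\t49159\t10.1.0.1\t502\ttcp\tmodbus\t60\t0
1700000007.9\tC9\t10.4.0.50\t49160\t10.1.0.2\t502\ttcp\tmodbus\t60\t0
1700000008.0\tC10\t10.4.0.50\t49161\t10.1.0.3\t502\ttcp\tmodbus\t60\t0
1700000008.1\tC11\t10.4.0.50\t49162\t10.1.0.4\t502\ttcp\tmodbus\t60\t0
1700000009.2\tC12\t192.168.77.3\t49163\t10.1.0.5\t502\ttcp\tmodbus\t60\t0
"""

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG.splitlines()):
        print(kind, detail)
```

The baseline is the part that takes effort: it is learned from a monitored period and then signed off by operations, so that a flow missing from it is an anomaly by definition rather than an unreviewed guess. Volume and fan-out thresholds are tuned per boundary; a nightly historian replication into the DMZ is large and expected, while the same volume from an engineering workstation is not. Feed the sensor from a TAP or SPAN port so the detector never sits in the process path.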
Common pitfalls
Overly permissive rules. “We’ll tighten it up later” rules have a way of becoming permanent. Start with least privilege and add exceptions as needed.
Vendor access. Remote access for vendors and integrators is a common entry point for attackers. Ensure vendor access is segmented, logged, time-limited, and requires multi-factor authentication. Terminate vendor sessions on a jump host in the DMZ that is scoped to the specific systems the vendor supports; a vendor VPN that lands directly in Level 2 bypasses the segmentation entirely. Disable the account when the engagement ends rather than leaving it for next time.
Legacy systems. Old PLCs and control systems often can’t support modern security controls, and some will fault if they are scanned or sent unexpected traffic. Segmentation is particularly important for protecting these systems — a robust perimeter, drawn as tightly around the device as the process allows, compensates for what the device itself can’t do.
Treating segmentation as a one-time project. Networks change. Segmentation needs to be reviewed regularly as new systems are added and operational requirements evolve.
Getting started
A segmentation project starts with understanding what you have — a network audit that maps your current topology, identifies existing zones (formal or informal), and highlights gaps. From there, a segmentation architecture can be designed that meets both your security requirements and your operational needs.
Deftec’s OT cybersecurity team works with mining and industrial operations across Queensland to design and implement practical segmentation architectures. Contact us to discuss your environment.
