Implementing Network Segmentation for OT

When to Use

  • When an OT security assessment reveals a flat network with no segmentation between Purdue levels
  • When implementing IEC 62443 zone/conduit architecture after completing risk assessment (IEC 62443-3-2)
  • When separating IT and OT networks as part of an IT/OT convergence security initiative
  • When deploying a DMZ between corporate IT and OT to protect industrial systems from IT-originating threats
  • When segmenting safety instrumented systems (SIS) from basic process control systems (BPCS)

Do not use for IT-only microsegmentation without OT components (see implementing-zero-trust-in-cloud), or for initial zone design without prior traffic analysis (see performing-ot-network-security-assessment first).

Prerequisites

  • Complete traffic baseline from passive monitoring (minimum 2-4 weeks of capture data, long enough to observe periodic traffic such as scheduled backups, batch changeovers and maintenance sessions)
  • Asset inventory with Purdue level classifications for all OT devices
  • Industrial-grade network switches with VLAN support and port security
  • OT-aware firewalls (Cisco ISA-3000, Fortinet FortiGate Rugged, Palo Alto with OT Security)
  • Maintenance window schedule for network changes
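The traffic baseline and Purdue-classified inventory listed above are the inputs to zone/conduit design. The script below is an added example, not code from this skill: it assumes a simplified inventory in which each subnet maps to one zone and one Purdue level, and a flow summary exported from passive monitoring as (src, dst, proto, dport, packets) tuples; both data sets are constructed for illustration. It groups inter-zone flows between adjacent Purdue levels into the conduit matrix the firewall allowlist is built from, and separates out what segmentation must break or review: flows that skip a level (enterprise straight to a PLC, or enterprise to level 3 bypassing the IDMZ), flows touching the SIS zone, and endpoints missing from the inventory.

```python
"""Derive IEC 62443 conduit candidates from a passive traffic baseline.

Added example, not code from the original skill. It assumes a simplified
inventory in which each subnet maps to one zone and one Purdue level, and a
flow summary exported from passive monitoring as (src, dst, proto, dport,
packets) tuples. Both data sets below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Purdue levels from enterprise (4) down to process (0); 3.5 is the IDMZ.
# Two levels are "adjacent" when their indexes in this list differ by one.
PURDUE_ORDER = [4.0, 3.5, 3.0, 2.0, 1.0, 0.0]

# Constructed asset inventory: subnet -> zone and Purdue level.
INVENTORY = {
    "10.4.0.0/16":   {"zone": "Enterprise",  "level": 4.0},
    "10.35.0.0/24":  {"zone": "IDMZ",        "level": 3.5},
    "10.3.0.0/24":   {"zone": "Site-Ops",    "level": 3.0},
    "10.2.0.0/24":   {"zone": "Supervisory", "level": 2.0},
    "10.1.0.0/24":   {"zone": "Control",     "level": 1.0},
    "10.1.200.0/24": {"zone": "SIS",         "level": 1.0},
}

# Constructed flow summary from the passive baseline: (src, dst, proto, dport, packets).
FLOWS = [
    ("10.4.10.5",    "10.35.0.10", "tcp", 443,   1200),   # enterprise -> IDMZ historian replica
    ("10.35.0.10",   "10.3.0.20",  "tcp", 1433,  900),    # IDMZ -> site historian
    ("10.3.0.20",    "10.2.0.15",  "tcp", 4840,  4000),   # historian -> SCADA server, OPC UA
    ("10.2.0.15",    "10.1.0.30",  "tcp", 502,   60000),  # HMI -> PLC, Modbus/TCP
    ("10.2.0.15",    "10.1.0.31",  "tcp", 44818, 25000),  # HMI -> PLC, EtherNet/IP
    ("10.4.22.7",    "10.1.0.30",  "tcp", 502,   40),     # enterprise host straight to a PLC
    ("10.4.22.7",    "10.3.0.20",  "tcp", 3389,  300),    # enterprise RDP to level 3, bypassing IDMZ
    ("10.2.0.15",    "10.1.200.5", "tcp", 502,   150),    # HMI -> SIS logic solver
    ("192.168.77.9", "10.1.0.30",  "udp", 161,   12),     # unknown asset polling a PLC
]


def lookup(ip, inventory=INVENTORY):
    """Return the inventory record whose most specific subnet contains ip, else None."""
    addr = ip_address(ip)
    best_net, best_rec = None, None
    for cidr, rec in inventory.items():
        net = ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_rec = net, rec
    return best_rec


def level_distance(a, b):
    """Number of Purdue steps between two levels (0 = same level, 1 = adjacent)."""
    return abs(PURDUE_ORDER.index(a) - PURDUE_ORDER.index(b))


def analyze(flows, inventory=INVENTORY):
    """Split observed flows into conduits to implement and findings to resolve.

    Returns (conduits, findings):
      conduits: {(src_zone, dst_zone): {(proto, dport), ...}} for inter-zone
                flows between adjacent Purdue levels, i.e. the allowlist the
                zone/conduit firewall rules are built from
      findings: (kind, src, dst, proto, dport) tuples for traffic that
                segmentation must break or that needs an explicit decision
    """
    conduits = defaultdict(set)
    findings = []
    for src, dst, proto, dport, _packets in flows:
        s, d = lookup(src, inventory), lookup(dst, inventory)
        if s is None or d is None:
            # Inventory prerequisite not met for this endpoint: classify before allowing.
            findings.append(("unknown-asset", src, dst, proto, dport))
            continue
        if s["zone"] == d["zone"]:
            continue  # intra-zone traffic is not a conduit
        if level_distance(s["level"], d["level"]) > 1:
            # Skips a level (e.g. enterprise straight to a PLC). Not a conduit:
            # this is the path the DMZ and level boundaries exist to remove.
            findings.append(("level-skip", src, dst, proto, dport))
            continue
        conduits[(s["zone"], d["zone"])].add((proto, dport))
        if "SIS" in (s["zone"], d["zone"]):
            # SIS/BPCS traffic is allowed only as a deliberately reviewed conduit.
            findings.append(("sis-conduit", src, dst, proto, dport))
    return dict(conduits), findings


def render_rules(conduits):
    """Render the conduit matrix as an ordered allowlist ending in default deny."""
    rules = []
    for (src_zone, dst_zone), services in sorted(conduits.items()):
        for proto, port in sorted(services):
            rules.append(f"permit {src_zone} -> {dst_zone} {proto}/{port}")
    rules.append("deny any -> any")
    return rules


if __name__ == "__main__":
    conduits, findings = analyze(FLOWS)
    print("\n".join(render_rules(conduits)))
    for finding in findings:
        print("REVIEW", *finding)
```

Run against a real baseline, the `permit` lines become the per-conduit rules on the zone firewalls (one rule per protocol/port, default deny last), and every `REVIEW` line is a decision to record before the cut-over: level-skip paths are what the IDMZ replaces, SIS conduits are kept only with a documented justification, and unknown assets go back into the inventory step.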
First seen: Mar 16, 2026