What is Microsegmentation?
Microsegmentation is a network security strategy in which a network is divided into very small, logically isolated segments, so that each segment can be secured, monitored and controlled independently.
In OT networks, microsegmentation helps limit lateral movement by attackers and increases control over communication between systems such as PLCs, SCADA, HMIs and Engineering Stations.
🧠 How does microsegmentation work?
- Instead of traditional VLAN segmentation at the network level, traffic is filtered on the basis of identity, application or role
- The following are used:
- Firewalls (traditional or host-based)
- Software-Defined Networking (SDN)
- Policy engines or Zero Trust platforms
- Rules determine which systems may communicate with each other, regardless of their physical location
- Monitoring tools detect anomalies and unauthorised connection attempts
Microsegmentation is a core element of modern Defense in Depth architectures and Zero Trust models.
🏭 Application of microsegmentation in industrial networks
- PLCs communicate only with their assigned HMI and not with other zones
- Remote Access is permitted only to specific assets and only during maintenance windows
- SCADA servers cannot communicate directly with OT clients outside their zone
- An Engineering Station can only make changes to equipment within its project scope
- Critical processes are isolated from less trusted zones (e.g. wireless access, supplier networks)
Microsegmentation increases fine-grained control and reduces the risk of large-scale outages during incidents.
🔍 Microsegmentation vs. VLAN segmentation
| Aspect | Microsegmentation | VLAN/traditional segmentation |
|---|---|---|
| Scope | Per application, device or role | Based on IP/subnet |
| Management | Dynamic and policy-based | Static and network-centred |
| Access control | Fine-grained (per port, per service) | Limited – usually at the network boundary |
| OT use | Suitable for critical segmentation within zones | Fine for macro-segmentation between zones |
🔐 Security considerations
- Combine with Firewall, IAM, RBAC, SIEM and EDR
- Monitor all permitted and blocked connections between segments
- Design segments based on functions (e.g. line A, line B, remote access, support)
- Implement in phases to minimise network impact
- Supports NIS2, IEC 62443 and Zero Trust strategies
Incorrect microsegmentation can block legitimate communication – test and validate policies carefully.
📌 In summary
Microsegmentation is an advanced security measure for OT networks, restricting communication to what is strictly necessary. It is an essential part of a modern OT security architecture and prevents a single intrusion from causing widespread damage.