What is Network Segmentation?
Network segmentation is the process of dividing a computer network into smaller, logically separated parts (segments or Zones), so that traffic between these parts can be better managed, secured and controlled.
In industrial environments, network segmentation is used, for example, to separate the IT network from the OT network, or to shield critical systems (such as PLCs or SCADA) from less trusted Zones such as the internet or a guest network.
🧠 Why apply network segmentation?
Network segmentation helps to:
- Limit the impact of cyber attacks (e.g. ransomware cannot easily spread from one segment to another)
- Increase security by managing access on a per-segment basis
- Improve performance by isolating traffic per segment
- Support compliance with standards such as IEC 62443 or ISO 27001
🔧 How is network segmentation implemented technically?
| Method | Description |
|---|---|
| VLANs (Virtual LANs) | Logical grouping of network devices via switches |
| Subnets | Use of IP addresses to form logical groups |
| Firewall | Inspecting/blocking traffic between segments |
| DMZ (Demilitarized Zone) | Controlled buffer zone between internal and external networks |
| VPN and access lists | Restrict access based on identity, source or time |
🏭 Examples in an industrial environment
| Segment | Contents |
|---|---|
| OT network | PLCs, sensors, actuators |
| SCADA/HMI network | Visualisation and control |
| MES Zone | Production management, data analysis |
| IT/ERP network | Administration, stock, planning |
| Guest network | External access for suppliers or maintenance |
🔄 Relationship with the Zones and Conduits model
Network segmentation is an essential element of the zones and conduits model, in which each segment is treated as a Zone. Communication between Zones passes only through Conduits, the defined communication paths that are protected and controlled (e.g. with firewalls or data diodes); traffic between Zones that does not match a Conduit is not permitted.
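The Zones from the example table and the Conduit rule from this paragraph, modelled as an added example (not code from the original page): the subnet plan, the allowed Conduits and the sample flows are constructed assumptions, and the audit function flags any flow that crosses a Zone boundary without a matching Conduit (default deny).

```python
import ipaddress

# Constructed subnet plan: one subnet per Zone from the page's example table.
ZONES = {
    "OT": ipaddress.ip_network("10.10.0.0/24"),
    "SCADA_HMI": ipaddress.ip_network("10.20.0.0/24"),
    "MES": ipaddress.ip_network("10.30.0.0/24"),
    "IT_ERP": ipaddress.ip_network("10.40.0.0/24"),
    "GUEST": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed Conduits: (source Zone, destination Zone) -> allowed TCP ports.
# Any Zone-to-Zone flow not listed here is denied (default deny).
CONDUITS = {
    ("SCADA_HMI", "OT"): {502},     # Modbus/TCP from HMI to PLCs
    ("MES", "SCADA_HMI"): {4840},   # OPC UA from MES to SCADA
    ("IT_ERP", "MES"): {443},       # HTTPS from ERP to MES
}

def zone_of(ip):
    """Map an IP address to its Zone name, or None if it is in no Zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip, dst_ip, port):
    """Return (allowed, reason). Traffic inside one Zone is left to the
    switch/VLAN; anything crossing a Zone boundary must match a Conduit."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "unknown zone"
    if src == dst:
        return True, f"intra-zone {src}"
    if port in CONDUITS.get((src, dst), set()):
        return True, f"conduit {src}->{dst}:{port}"
    return False, f"no conduit {src}->{dst}:{port}"

# Constructed sample flows (as seen in a firewall log) to check against policy.
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.10.0.7", 502),        # HMI -> PLC Modbus: allowed
    ("10.40.0.9", "10.10.0.7", 502),        # ERP -> PLC directly: denied
    ("192.168.100.3", "10.20.0.5", 3389),   # guest -> HMI RDP: denied
    ("10.10.0.7", "10.10.0.8", 102),        # PLC -> PLC, same Zone: allowed
]

def audit(flows=SAMPLE_FLOWS):
    """Return the flows that violate the Conduit policy, with the reason."""
    violations = []
    for src, dst, port in flows:
        ok, reason = is_allowed(src, dst, port)
        if not ok:
            violations.append((src, dst, port, reason))
    return violations
```

Running `audit()` on the constructed flows reports the ERP-to-PLC and guest-to-HMI flows as violations, which is exactly the kind of cross-Zone traffic a Conduit firewall should block and log.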
📌 In summary
Network segmentation is a fundamental cybersecurity measure that splits networks into protected Zones to limit risks and improve control. In OT environments, it is crucial to keep IT, OT and guest traffic strictly separate.
