Segmentation
Segmentation is the division of networks, systems, applications or infrastructures into separate logical or physical parts in order to control communication, limit risks and optimise performance. Within OT and industrial automation environments, segmentation is a fundamental principle for both operational stability and Cybersecurity.
By dividing systems into separate segments, organisations can:
- Reduce attack surface
- Isolate failures
- Limit network load
- Improve real-time performance
- Enforce access control
- Support Compliance
Segmentation forms a core component of modern industrial architectures such as:
Within IT OT Convergence, segmentation is becoming increasingly important because OT networks are becoming ever more connected to IT, cloud and IIoT platforms.
⚙️ Purpose of segmentation
Segmentation has multiple operational and security objectives.
Key objectives:
| Goal | Description |
|---|---|
| Security | Limit attack surface |
| Stability | Isolate failures |
| Performance | Limit network load |
| Compliance | Support regulations |
| Manageability | Reduce complexity |
| Availability | Limit impact of outages |
In industrial environments, segmentation prevents problems from spreading uncontrolled across the network.
🏭 Segmentation in Industrial Automation
OT environments often contain systems with differing criticality, protocols and lifecycle requirements.
Examples:
| System | Criticality |
|---|---|
| PLC | High |
| SCADA | High |
| Historian | Medium |
| Engineering workstation | High |
| IoT sensors | Variable |
| Guest networks | Low |
Through segmentation, these systems can communicate in a controlled way.
Without segmentation:
- Malware outbreaks can spread
- Broadcast storms can develop
- Unwanted access can occur
- Real-time performance can deteriorate
🌐 Network Segmentation
Network segmentation divides networks into separate subnets or zones.
Frequently used techniques:
| Technology | Function |
|---|---|
| VLAN | Logical separation |
| Routing | Traffic control |
| Firewall | Traffic filtering |
| ACLs | Access restriction |
| NAT | Address isolation |
Within OT networks, separate segments are often created for:
- Production lines
- Safety systems
- Engineering
- Historian systems
- Remote Access
- Guest access
🧠 Purdue Model and OT segmentation
The Purdue Model is a widely used reference architecture for segmentation within industrial environments.
Key levels:
| Level | Function |
|---|---|
| Level 0 | Field equipment |
| Level 1 | Control |
| Level 2 | Supervision |
| Level 3 | Operations |
| Level 4 | Enterprise IT |
Communication between levels is controlled through:
- Firewall
- IDMZ
- Jump servers
- Proxies
- Protocol Filtering
This prevents uncontrolled lateral movement between IT and OT.
🔐 Zones and Conduits Model
The Zones and Conduits Model from IEC 62443 is an important OT security concept.
Zones
A zone groups systems with similar:
- Risk profiles
- Functionality
- Security requirements
Examples:
Conduits
Conduits are controlled communication paths between zones.
Examples:
- Firewalls
- Data gateways
- Secure proxies
This model supports controlled and auditable communication.
⚡ Microsegmentation
Microsegmentation is a fine-grained form of segmentation in which individual systems or workloads are protected separately.
Properties:
- Highly granular
- Policy-driven
- Dynamic access control
- Minimal lateral movement
Microsegmentation is increasingly applied within:
- Virtualisation
- Cloud environments
- Data centres
- Modern OT platforms
Within industrial networks, implementation remains complex due to legacy systems and real-time requirements.
📡 Segmentation of industrial protocols
Many industrial protocols were originally designed without security.
Examples:
| Protocol | Risk |
|---|---|
| Modbus TCP | No authentication |
| S7 Comm | Unsecured communication |
| DNP3 | Legacy security |
| BACnet | Broadcast-based |
Segmentation limits the exposure of these protocols.
Typical controls:
- OT firewalls
- Protocol filtering
- Whitelisting
- Dedicated VLANs
🔄 IT/OT segmentation
One of the most important applications is separation between IT and OT.
Key reasons:
- Different security requirements
- Different lifecycle models
- Different performance requirements
- Different risk profiles
Typical separations:
| Segment | Example |
|---|---|
| Enterprise IT | ERP, email |
| IDMZ | Data exchange |
| OT Operations | SCADA |
| Control Network | PLC networks |
Communication flows in a controlled way via secure conduits.
🚨 IDMZ and secure intermediate layers
An IDMZ forms a buffer zone between IT and OT.
Typical components:
- Historian replication
- Patch servers
- Antivirus updates
- Remote access gateways
- Data brokers
Advantages:
- Controlling traffic
- Centralising monitoring
- Isolating attacks
- Supporting compliance
IDMZs are an important component of modern industrial segmentation architectures.
📈 Segmentation and performance
Segmentation often improves network performance.
Advantages:
- Less broadcast traffic
- Lower network load
- Less congestion
- Better real-time performance
Important in OT:
- Low Latency
- Limited Jitter
- Deterministic Behaviour
- High availability
Poor segmentation can lead to:
- Network Congestion
- Unstable communication
- Delayed HMIs
- PLC timeouts
🧩 Segmentation of wireless OT networks
Wireless industrial networks require additional segmentation.
Examples:
Key controls:
- Separate SSIDs
- VLAN isolation
- NAC solutions
- Firewalling
- Device Authentication
Wireless segmentation prevents uncontrolled access to OT Assets.
🔍 Monitoring segmented networks
Segmentation requires good visibility.
Key monitoring components:
| Component | Function |
|---|---|
| IDS | Detection |
| SIEM | Correlation |
| Network Monitoring | Traffic analysis |
| Passive Monitoring | OT visibility |
Monitoring helps with:
- Detecting lateral movement
- Traffic analysis
- Policy validation
- Incident Response
⚠️ Challenges of segmentation
Although segmentation is essential, it brings complexity.
Common challenges:
| Issue | Consequence |
|---|---|
| Legacy systems | No modern security |
| Poor documentation | Incorrect policies |
| Flat networks | High risks |
| Vendor dependencies | Integration problems |
| Real-time requirements | Limited filtering |
Within OT, segmentation changes must be carefully tested to avoid production impact.
🧪 Practical example: production environment
A modern factory can apply segmentation as follows:
| Segment | Components |
|---|---|
| Enterprise | ERP, Office IT |
| IDMZ | Historian, jump servers |
| Operations | SCADA, HMI |
| Control | PLCs |
| Safety | Safety PLC |
| IoT | Sensor gateways |
Communication is restricted by:
- Firewalls
- ACLs
- Protocol filtering
- Whitelisting
In many cases this keeps a Ransomware infection in IT from spreading to OT systems.
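The zones-and-conduits whitelist described above (and the monitoring use of it for policy validation and lateral-movement detection) can be expressed as a small flow-audit script. This is an added example, not code from the original page; the zone subnets, the allowed conduits and the flow records are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed Purdue-style zones with assumed example subnets.
ZONES = {
    "Enterprise": ip_network("10.10.0.0/16"),
    "IDMZ":       ip_network("10.20.0.0/24"),
    "Operations": ip_network("10.30.0.0/24"),
    "Control":    ip_network("10.40.0.0/24"),
    "Safety":     ip_network("10.50.0.0/24"),
}

# Conduits: (source zone, destination zone, protocol, destination port).
# Whitelist model: any inter-zone flow not listed here is denied.
CONDUITS = {
    ("Enterprise", "IDMZ", "tcp", 443),     # IT reaches historian replica / jump server
    ("IDMZ", "Operations", "tcp", 443),     # IDMZ historian collector pulls from SCADA
    ("Operations", "Control", "tcp", 502),  # SCADA polls PLCs over Modbus TCP
    ("Operations", "Safety", "tcp", 502),   # assumed read-only safety status conduit
}

def zone_of(ip):
    """Map an address to its zone; addresses outside every zone are 'Unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Unknown"

def evaluate(src_ip, dst_ip, proto, dport):
    """Return (verdict, reason) for one flow against the conduit whitelist."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("allow", f"intra-zone {src}")
    if (src, dst, proto, dport) in CONDUITS:
        return ("allow", f"conduit {src}->{dst} {proto}/{dport}")
    return ("deny", f"no conduit {src}->{dst} {proto}/{dport}")

# Constructed flow records as a passive monitor might export them: src,dst,proto,dport
SAMPLE_FLOWS = """\
10.30.0.10,10.40.0.5,tcp,502
10.10.0.77,10.40.0.5,tcp,502
10.20.0.2,10.30.0.10,tcp,443
10.10.0.77,10.20.0.2,tcp,443
10.30.0.10,10.50.0.3,tcp,102
"""

def audit(flow_text):
    """Return denied flows as (src, dst, proto, dport, reason) tuples."""
    violations = []
    for line in flow_text.splitlines():
        src, dst, proto, dport = line.split(",")
        verdict, reason = evaluate(src, dst, proto, int(dport))
        if verdict == "deny":
            violations.append((src, dst, proto, int(dport), reason))
    return violations
```

Running `audit(SAMPLE_FLOWS)` flags the direct Enterprise-to-Control Modbus flow and the unlisted Operations-to-Safety port, which is exactly what the IDS or SIEM should raise as a policy violation.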
☁️ Cloud and hybrid segmentation
Cloud integration introduces new segmentation challenges.
Key considerations:
- Secure gateways
- API security
- VPN segmentation
- Identity-based access
- Edge isolation
Within hybrid architectures, critical real-time systems are usually still segmented locally.
🔄 Segmentation versus isolation
Segmentation and full isolation differ fundamentally.
| Aspect | Segmentation | Isolation |
|---|---|---|
| Connectivity | Limited | None |
| Flexibility | High | Low |
| Data sharing | Possible | Difficult |
| Security | Strong | Very strong |
| Manageability | More complex | Simpler |
Full Air gap architectures still occur, but modern OT environments more often use controlled segmentation.
🏗️ Segmentation in IT/OT convergence
Within IT OT Convergence, segmentation forms one of the most important architectural principles.
Segmentation supports:
- Secure data exchange
- Cloud integration
- IIoT connectivity
- Predictive Maintenance
- Remote operations
Key modern concepts:
Segmentation thus forms the foundation for secure, scalable and manageable industrial networks and Cyber-Physical Systems.
