What is a Software Defined Perimeter (SDP)?
A Software Defined Perimeter (SDP) is a security architecture in which access to networks and systems is granted only after the identity of the user or device and the context of the request have been validated. Instead of relying on a static network perimeter (such as a firewall), SDP builds a dynamic, per-session, encrypted connection between an authenticated client and the specific resource it is allowed to reach, and leaves everything else unreachable.
In OT environments this means that an unauthorised user or device cannot even discover that systems such as SCADA servers, PLCs, or Historians exist: the gateway in front of them drops all traffic that is not tied to an approved session, so a port scan returns nothing.
🧠 Core principles of SDP
- Concealment by Default – Resources are unreachable and undiscoverable unless a policy explicitly permits the session
- Identity-Centric Access – Users and devices must be authenticated (user credentials plus device identity and posture) before any access is granted
- Dynamic Access Policies – Access is decided per request by rules based on role, context (time, location, device state), and risk, rather than by network location
- Mutual TLS – Client and gateway authenticate each other with certificates and the tunnel between them is encrypted; the final hop from the gateway to a legacy OT device may still be unencrypted, so the gateway should sit as close to the resource as possible
- Visibility & control – Every access decision and session is logged and traceable to an identity, so it can be audited
🔐 Why SDP in OT?
| OT challenge | SDP solution |
|---|---|
| Legacy systems without encryption | The SDP tunnel encrypts the path from the technician to the gateway; the last hop from gateway to device stays as it is, so keep that segment short |
| Remote access to PLCs | Only pre-validated technicians on approved devices can connect, via the SDP client, to the specific PLC and service named in the policy |
| Shadow IT / invisible tools | SDP hides OT assets from unauthorised users and from network scanners |
| Bridging IT/OT segments | Access is brokered per session through the gateway, without a routed path between the segments or port forwarding on the firewall |
SDP fits well with Zero Trust principles, but focuses specifically on network access and concealment.
✅ Components of an SDP architecture
| Component | Function |
|---|---|
| SDP Controller | Authenticates the user and device, consults the policy engine, and decides whether a session may be established |
| SDP Gateway | Sits close to the resource; drops all traffic by default and forwards only sessions the controller has approved |
| SDP Client Agent | Runs on the device of the user or technician; authenticates to the controller and sets up the tunnel to the gateway |
| Policy Engine | Applies rules based on identity, device posture, location, time, risk, etc. |
| Mutual TLS Tunnel | Encrypted, certificate-authenticated, temporary connection between client and gateway |
🔁 SDP vs. traditional VPN
| VPN | SDP |
|---|---|
| Exposes an entire network segment once connected | Access only to the specific resources and services allocated by policy |
| Connection-oriented: reachability is granted to whatever is routable | Identity- and context-based: each session is tied to a user, a device, and a target |
| Hard to segment without extra firewall rules | Access policies per user, device, and resource are the segmentation |
| Stolen credentials give network-level reach | A stolen credential is still bounded by device posture, context checks, and the per-resource policy, and other assets stay hidden |
SDP sharply limits lateral movement, a major risk in OT networks with weak segmentation: a compromised client reaches only the services its policy names, not the subnet behind the gateway. It does not replace segmentation behind the gateway, where the hop from gateway to resource is still ordinary network traffic.
📦 SDP for OT applications
| Use case | SDP application |
|---|---|
| External maintenance party | Access only during approved time slots, to the named asset and service, via the SDP client |
| Remote HMI/SCADA access | Per-session access, only to specific services, from a managed device |
| IIoT connections | Devices can send data securely to the gateway without exposing any inbound port on the OT network |
| Emergency response to incidents | Temporary, time-limited access to specific PLCs or the Historian for forensic investigation, fully logged |
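The controller, policy engine and gateway roles described above, together with the per-session, time-boxed grants in the use-case table, as an added Python example that is not part of the original page or of any SDP product. A toy controller evaluates role, device posture and a local-time window against constructed rules, issues an HMAC-signed, short-lived grant bound to one user, one resource and one service, and a gateway that holds no policy of its own forwards only on a valid, unexpired grant that names exactly the requested target, logging every decision. The shared key, the asset inventory, the rules and the user are all constructed assumptions; a real deployment would additionally front the gateway with a default-drop rule and mutual TLS, which this simulation leaves out.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed shared secret between controller and gateway (demo only).
CONTROLLER_GATEWAY_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed inventory: OT assets behind the gateway and the services each exposes.
RESOURCES = {
    "plc-line1": {"host": "10.10.5.21", "services": {"modbus": 502}},
    "historian": {"host": "10.10.5.40", "services": {"sql": 1433, "https": 443}},
}

# Constructed policy rules: a role gets named services on one resource, only from a
# managed device and only inside a local-time window [start, end); ttl in seconds.
POLICIES = [
    {"role": "maintenance-vendor", "resource": "plc-line1", "services": {"modbus"},
     "window": (8, 17), "managed_only": True, "ttl": 3600},
    {"role": "ot-engineer", "resource": "historian", "services": {"sql", "https"},
     "window": (0, 24), "managed_only": True, "ttl": 8 * 3600},
]


@dataclass
class Context:
    # Identity and posture the controller has already verified (assumed MFA + device check).
    user: str
    role: str
    device_managed: bool
    hour: int  # local hour of the request, 0-23


def evaluate(ctx, resource, service):
    """Policy engine: first matching rule, or None. No match means deny."""
    for rule in POLICIES:
        if (rule["role"], rule["resource"]) != (ctx.role, resource):
            continue
        if service not in rule["services"]:
            continue
        if rule["managed_only"] and not ctx.device_managed:
            continue
        start, end = rule["window"]
        if start <= ctx.hour < end:
            return rule
    return None


def issue_grant(ctx, resource, service, now):
    """Controller: on a policy match, return an HMAC-signed, short-lived grant bound
    to one user, one resource and one service; None when policy denies."""
    rule = evaluate(ctx, resource, service)
    if rule is None:
        return None
    body = {"user": ctx.user, "resource": resource, "service": service,
            "exp": now + rule["ttl"]}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(CONTROLLER_GATEWAY_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class Gateway:
    """Holds no policy: forwards only on a valid, unexpired grant that names exactly
    the requested target, and records every decision for audit."""
    def __init__(self):
        self.audit = []

    def connect(self, grant, user, resource, service, now):
        """Return (host, port) to forward to, or None. Every outcome is recorded."""
        result = self._check(grant, user, resource, service, now)
        self.audit.append({"user": user, "resource": resource, "service": service,
                           "time": now, "result": result})
        if result != "allow":
            return None
        return RESOURCES[resource]["host"], RESOURCES[resource]["services"][service]

    def _check(self, grant, user, resource, service, now):
        if grant is None:
            return "deny:no-grant"
        expected = hmac.new(CONTROLLER_GATEWAY_KEY, grant["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, grant["sig"]):
            return "deny:bad-signature"
        body = json.loads(grant["payload"])
        if now >= body["exp"]:
            return "deny:expired"
        if (body["user"], body["resource"], body["service"]) != (user, resource, service):
            return "deny:target-mismatch"
        if service not in RESOURCES.get(resource, {}).get("services", {}):
            return "deny:unknown-target"
        return "allow"


def demo():
    """Vendor session: one approved Modbus connection, one refused Historian attempt."""
    gw, now = Gateway(), 1_700_000_000
    vendor = Context("alice@vendor.example", "maintenance-vendor", True, hour=10)
    gw.connect(issue_grant(vendor, "plc-line1", "modbus", now), vendor.user, "plc-line1", "modbus", now + 60)
    gw.connect(issue_grant(vendor, "historian", "sql", now), vendor.user, "historian", "sql", now)
    return gw.audit
```

Running `demo()` returns two audit records: the vendor's Modbus session to the PLC is allowed, the attempt on the Historian is logged as `deny:no-grant` because no rule covers that role and resource. The points worth carrying into a real design are that the gateway never evaluates policy itself, that a grant names one user, one target and one expiry so it cannot be reused for a different asset or after the approved slot, and that every decision, including the denials, lands in the audit trail.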
📌 In summary
Software Defined Perimeter is a modern, identity-centric approach to network access. In OT, SDP hides systems from unauthorised parties, restricts each session to the specific asset and service that is needed, and keeps the client-to-gateway communication encrypted and every access decision auditable.
