Legacy OT networks were built for reliability, not security—and retrofitting segmentation onto systems that were never designed for it is one of the hardest problems in industrial cybersecurity. Outdated protocols, undocumented architectures, and fragile devices mean that standard IT segmentation approaches will fail or cause harm. Here is what actually works when segmenting OT networks in production environments.
Why Segmenting OT Networks Is Different
Most industrial operators inherited OT infrastructure built decades before cybersecurity was a consideration. These environments often lack VLANs, firewalls, or even basic network monitoring. A PLC running a 20-year-old DNP3 stack may sit on the same flat network as shared file servers and workstations, with nothing in between; a ransomware infection on one of those servers can then reach the control system directly.
OT devices are frequently older, specialized, and tightly coupled to process performance. Unlike IT assets, they cannot simply be rebooted, patched, or replaced on short notice. Any segmentation effort that introduces latency, disrupts communication timing, or triggers unexpected behavior can cause unplanned downtime—violating safety protocols and potentially regulatory requirements like NERC CIP.
The stakes are different here. IT protects data. OT controls physical equipment, and a poorly placed firewall rule can stop a conveyor belt, close a valve, or silence a safety interlock.
Start with Asset Visibility, Not Firewall Rules
Segmentation without asset visibility is guesswork. Many industrial operators lack complete inventories of what devices exist on their networks, what firmware versions are running, and which systems communicate with what. Without that foundation, segmentation efforts risk isolating a critical safety system or blocking a legitimate process communication.
Before drawing zone boundaries, operators need to understand actual traffic flows: not what the design documents say, but what is happening on the wire today. Passive network monitoring tools built for OT environments take a copy of traffic from a switch SPAN port or a network tap and decode Modbus, DNP3, EtherNet/IP, and other industrial protocols without sending a single packet to the devices themselves. Active scanning is a poor substitute; fragile controllers are known to hang or reboot when probed. This behavioral baseline becomes the basis for every segmentation decision that follows.
This is a prerequisite, not a parallel workstream. Attempting to segment before achieving visibility consistently produces rules that either block legitimate traffic or leave meaningful gaps.
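As an added example (not code from the original post or from Red Trident), the Python below decodes the Modbus/TCP MBAP header from a handful of client-to-server frames and tallies which host talks to which unit with which function code, which is the raw material of a traffic baseline. The IP addresses, the frame bytes and the read/write grouping of function codes are constructed for illustration; in practice the frames would come from a SPAN port or tap feed rather than an inline list.

```python
"""Passive Modbus/TCP baseline from captured frames (added example)."""
import struct
from collections import Counter

MODBUS_PORT = 502
# Function codes that change process state versus those that only read it
# (assumed grouping; extend for vendor-specific codes seen on your network).
WRITE_FCS = {5, 6, 15, 16, 22, 23}
READ_FCS = {1, 2, 3, 4, 7, 20, 24}


def parse_mbap(payload: bytes):
    """Decode the 7-byte MBAP header plus the function code that follows it.

    Returns (unit_id, function_code), or None if the frame is not well-formed
    Modbus/TCP: wrong protocol identifier, or a length field that does not
    match the bytes actually on the wire.
    """
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", payload[:8])
    # Protocol identifier is always 0 for Modbus; length counts unit id + PDU.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, fc


def classify(fc: int) -> str:
    """Label a function code as read, write or other (diagnostics, vendor codes)."""
    if fc in WRITE_FCS:
        return "write"
    if fc in READ_FCS:
        return "read"
    return "other"


def build_baseline(frames):
    """frames: iterable of (src_ip, dst_ip, dst_port, tcp_payload) for
    client-to-server packets. Returns a Counter keyed by
    (src, dst, unit_id, function_code); malformed and non-Modbus frames are skipped."""
    baseline = Counter()
    for src, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        unit_id, fc = parsed
        baseline[(src, dst, unit_id, fc)] += 1
    return baseline


def writers(baseline):
    """Hosts that issued any write function code. These are the only sources a
    conduit into the control zone needs to allow writes for; every other
    source can be held to read-only function codes."""
    return sorted({src for (src, _dst, _uid, fc) in baseline if classify(fc) == "write"})


# Constructed sample capture (hypothetical addresses, not from a real plant).
HMI, ENG, BIZ, PLC = "10.1.10.5", "10.1.10.7", "10.1.50.9", "10.1.20.11"
SAMPLE_FRAMES = [
    # HMI polls holding registers 0-9 (FC 3), twice
    (HMI, PLC, 502, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    (HMI, PLC, 502, bytes.fromhex("0005 0000 0006 01 03 0000 000a")),
    # Engineering station writes single register 0x0010 (FC 6)
    (ENG, PLC, 502, bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    # A business-network server writes two registers (FC 16): the flow segmentation must cut
    (BIZ, PLC, 502, bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0001 0002")),
    # Malformed: protocol identifier is 1, so the parser drops it
    (HMI, PLC, 502, bytes.fromhex("0004 0001 0006 01 03 0000 000a")),
    # Traffic on another port (here DNP3's 20000) is ignored by this Modbus-only pass
    (HMI, PLC, 20000, b"\x05\x64\x05\xc0"),
]

if __name__ == "__main__":
    base = build_baseline(SAMPLE_FRAMES)
    for (src, dst, uid, fc), n in sorted(base.items()):
        print(f"{src} -> {dst} unit {uid} FC {fc:2d} ({classify(fc)}) x{n}")
    print("hosts that write:", writers(base))
```

The output of this pass is a list of (source, destination, unit, function code) tuples with counts. The writers list is the one to scrutinize first: a business-network host issuing FC 16 is exactly the flow the segmentation must cut, and a host that only ever reads can be held to read-only function codes in the conduit that replaces the flat network.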
Apply the Zone and Conduit Model Practically
IEC 62443 provides the conceptual framework most commonly applied to OT segmentation: divide the network into zones based on asset criticality and function, then control traffic between zones through defined conduits. In practice, this means grouping assets that share a common security level and operational purpose—safety systems in one zone, process control in another, historian and data aggregation in a third—and then enforcing what communications are permitted between them.
The ISA/IEC 62443 series does not prescribe a specific technology. The zone and conduit model can be implemented with hardware firewalls, managed switches with ACLs, protocol-aware gateways, or in some cases physical separation. What matters is that the boundaries are defined, enforced, and documented—and that the conduits explicitly limit which protocols and which endpoints can communicate.
Prioritize high-consequence zones first. Safety instrumented systems and emergency shutdown logic should be isolated before anything else. These assets have the least tolerance for interference and the highest consequences if compromised.
Key Challenges in Legacy OT Environments
Segmenting systems that were never designed for it surfaces predictable problems. Understanding them in advance avoids the most common failures.
Legacy Device Limitations
Many OT devices have no support for modern segmentation mechanisms. A controller from the 1990s may not support IP filtering, VLAN tagging, or any authentication mechanism. This forces operators to segment at the network layer—using switches, firewalls, or data diodes positioned around the device—rather than on the device itself.
Operational Dependencies and Latency Sensitivity
Real-time process control depends on deterministic communication. Inserting a stateful firewall between a PLC and a SCADA system without accounting for inspection latency can disrupt control loops. Protocol-aware firewalls designed for OT environments handle this better than general-purpose IT firewalls, but the timing implications still need to be validated before any rule goes live in production, under peak polling load and during firewall failover rather than only on an idle bench.
Incomplete Documentation
Network diagrams in OT environments are frequently out of date. Systems added during expansions, workarounds installed during emergencies, and vendor-installed remote access connections often go undocumented. Segmentation planning must account for what is actually present, not what is on paper. This is one reason the passive discovery phase cannot be skipped.
Segmentation Strategies That Work in Practice
There is no single architecture that fits every OT environment, but several approaches consistently reduce risk without disrupting operations.
Protocol-Specific Isolation
Industrial protocol behaviors can be used to create logical separation without wholesale network redesign. A protocol-aware firewall can keep Modbus TCP and DNP3 on separate conduits, confine Modbus TCP to the function codes each source actually needs (read function codes from the HMI, write function codes only from the engineering workstation), and restrict EtherNet/IP to known source and destination pairs. This limits exposure without requiring hardware changes on legacy devices and works within the constraints of what the existing infrastructure can support.
Incremental Deployment with Simulation
Segmentation rules should never go live in production without prior validation. Use network simulation or test environments to confirm that proposed firewall rules do not block legitimate communications before deploying them. Where simulation is not possible, deploy rules in monitor-only mode first, review alerts for false positives, and cut over only after the rule set is confirmed clean. False positives in OT are not just nuisances—they can stop production.
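The zone and conduit model above, the function-code restriction described under protocol-specific isolation, and the monitor-only dry run all come together in the following added example (not code from the original post or from Red Trident). It assigns constructed hosts to zones, defines conduits with an optional allowed set of Modbus function codes, evaluates each observed flow with a default-deny policy, and reports what would be blocked without enforcing anything. Zone names, addresses, conduits and flows are all assumptions for illustration.

```python
"""Zone/conduit policy dry run over observed flows (added example)."""
from collections import Counter, namedtuple

# fcs is a frozenset of permitted function codes, or None for any function code.
Conduit = namedtuple("Conduit", "src_zone dst_zone protocol fcs")
Decision = namedtuple("Decision", "flow action reason")

# Constructed zone assignments (hypothetical addresses).
ASSETS = {
    "10.1.30.2": "safety",        # safety instrumented system
    "10.1.20.11": "control",      # PLC
    "10.1.20.12": "control",      # second PLC
    "10.1.10.5": "supervisory",   # HMI
    "10.1.10.7": "engineering",   # engineering workstation
    "10.1.40.3": "dmz",           # historian
    "10.1.50.9": "enterprise",    # business server
}

READ_ONLY = frozenset({1, 2, 3, 4})

CONDUITS = [
    Conduit("supervisory", "control", "modbus", READ_ONLY),
    Conduit("supervisory", "safety", "modbus", frozenset({3, 4})),
    Conduit("engineering", "control", "modbus", None),   # downloads and forces need writes
    Conduit("dmz", "control", "modbus", READ_ONLY),      # historian polls the PLCs
]


def evaluate(flow, assets, conduits):
    """flow = (src, dst, protocol, function_code). Returns a Decision.
    Default deny: anything without an explicit conduit is a violation."""
    src, dst, proto, fc = flow
    src_zone, dst_zone = assets.get(src), assets.get(dst)
    if src_zone is None or dst_zone is None:
        # An asset missing from the inventory is a visibility gap to close before enforcing.
        unknown = src if src_zone is None else dst
        return Decision(flow, "deny", f"unknown asset {unknown}")
    if src_zone == dst_zone:
        return Decision(flow, "allow", f"intra-zone ({src_zone})")
    for c in conduits:
        if (c.src_zone, c.dst_zone, c.protocol) == (src_zone, dst_zone, proto):
            if c.fcs is None or fc in c.fcs:
                return Decision(flow, "allow", f"conduit {src_zone}->{dst_zone}")
            return Decision(flow, "deny",
                            f"FC {fc} not permitted on conduit {src_zone}->{dst_zone}")
    return Decision(flow, "deny", f"no conduit {src_zone}->{dst_zone} for {proto}")


def dry_run(flows, assets=ASSETS, conduits=CONDUITS):
    """Monitor-only pass: evaluate every observed flow and report what would be
    blocked if the rule set were enforced. Nothing is enforced here."""
    decisions = [evaluate(f, assets, conduits) for f in flows]
    summary = Counter(d.action for d in decisions)
    would_block = [d for d in decisions if d.action == "deny"]
    return decisions, summary, would_block


# Constructed flows, as a passive baseline would produce them.
OBSERVED = [
    ("10.1.10.5", "10.1.20.11", "modbus", 3),     # HMI reads PLC
    ("10.1.10.7", "10.1.20.11", "modbus", 16),    # engineering writes PLC
    ("10.1.10.5", "10.1.20.11", "modbus", 6),     # HMI writes PLC: not on the read-only conduit
    ("10.1.50.9", "10.1.20.11", "modbus", 16),    # business server writes PLC
    ("10.1.40.3", "10.1.20.11", "modbus", 4),     # historian polls input registers
    ("10.1.10.5", "10.1.30.2", "modbus", 5),      # HMI writes a coil on the SIS
    ("10.1.10.99", "10.1.20.11", "modbus", 3),    # undocumented host
    ("10.1.20.11", "10.1.20.12", "modbus", 3),    # PLC-to-PLC inside the control zone
]

if __name__ == "__main__":
    decisions, summary, would_block = dry_run(OBSERVED)
    print(dict(summary))
    for d in would_block:
        print("WOULD BLOCK", d.flow, "->", d.reason)
```

Every entry in the would-block list is a question, not an answer. The HMI writing FC 6 to the PLC may be an operator setpoint change that the read-only conduit was simply drawn too tightly to allow, in which case the conduit is wrong, not the traffic; the business server writing FC 16 is the flow the whole exercise exists to cut. Only after each deny has been explained one way or the other should the same rule set move from monitor mode to enforcement.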
Purdue Model as a Reference Architecture
The Purdue Enterprise Reference Architecture, described in NIST SP 800-82, provides a layered model for separating enterprise IT from OT networks. While no real-world environment maps perfectly to the Purdue model, it provides a useful structure for identifying where IT-OT boundaries should exist, where data historians sit, and where remote access should terminate. Most organizations doing segmentation work use a simplified version of this model as a target state.
Maintaining Segmentation Over Time
Segmentation is not a project with a completion date. OT environments change—new devices are added, processes are modified, vendors gain remote access, and control system upgrades alter communication patterns. Each change is an opportunity for a segmentation boundary to erode without anyone noticing.
Ongoing network monitoring is what makes segmentation durable. When a new device appears on a segment, or when traffic begins crossing a boundary it should not, monitoring surfaces that deviation before it becomes an incident. This is where OT-specific monitoring tools earn their keep: they understand the protocols, recognize normal baselines, and flag anomalies without generating the alert noise that causes operators to tune out.
Regular audits of firewall rule sets and zone definitions—at minimum annually, and after any significant process or equipment change—are also essential. Rule sets accumulate technical debt just like any other configuration artifact, and unused or overly permissive rules are a consistent finding in OT security assessments.
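As an added example (not from the original post or from Red Trident), the Python below does the two checks these paragraphs describe: it compares a current observation window against the approved baseline to surface new hosts, new boundary crossings and flows that have disappeared, and it audits a rule set against hit counters to flag rules that are unused or use "any". Flows, rule names and hit counts are constructed; the rule tuple shape is a stand-in for whatever your firewall exports.

```python
"""Baseline drift detection and rule-set hygiene (added example)."""
from collections import namedtuple

# Minimal rule representation (assumed shape; map your firewall's export onto it).
Rule = namedtuple("Rule", "name src dst protocol")


def detect_drift(baseline_flows, current_flows):
    """Flows are (src, dst, protocol, function_code) tuples.
    Returns hosts never seen in the baseline, flows not in the baseline,
    and baseline flows that stopped (a decommissioned asset, or a broken conduit)."""
    base, cur = set(baseline_flows), set(current_flows)
    known_hosts = {h for f in base for h in f[:2]}
    new_flows = sorted(cur - base)
    new_hosts = sorted({h for f in new_flows for h in f[:2]} - known_hosts)
    vanished = sorted(base - cur)
    return {"new_hosts": new_hosts, "new_flows": new_flows, "vanished_flows": vanished}


def audit_rules(rules, hits, window_days):
    """Flag stale and overly permissive rules from hit counters over the window.
    hits maps rule name -> packet or session count; a missing name counts as 0."""
    findings = []
    for r in rules:
        if hits.get(r.name, 0) == 0:
            findings.append((r.name, f"no hits in {window_days} days: candidate for removal"))
        if "any" in (r.src, r.dst, r.protocol):
            findings.append((r.name, "uses 'any': overly permissive, narrow to known endpoints"))
    return findings


# Constructed approved baseline (hypothetical addresses).
BASELINE = [
    ("10.1.10.5", "10.1.20.11", "modbus", 3),    # HMI reads PLC
    ("10.1.10.7", "10.1.20.11", "modbus", 16),   # engineering writes PLC
    ("10.1.40.3", "10.1.20.11", "modbus", 4),    # historian polls PLC
    ("10.1.10.5", "10.1.30.2", "modbus", 3),     # HMI reads the SIS
]

# Constructed current window: one new host, one new crossing by a known host,
# and the historian has gone quiet.
CURRENT_WINDOW = [
    ("10.1.10.5", "10.1.20.11", "modbus", 3),
    ("10.1.10.7", "10.1.20.11", "modbus", 16),
    ("10.1.10.5", "10.1.30.2", "modbus", 3),
    ("10.1.10.42", "10.1.20.11", "modbus", 3),   # never inventoried, now polling the PLC
    ("10.1.10.5", "10.1.30.2", "modbus", 5),     # HMI now writing coils on the SIS
]

# Constructed rule set and hit counters over a 90-day window.
RULES = [
    Rule("hmi-read-plc", "10.1.10.5", "10.1.20.11", "modbus"),
    Rule("eng-write-plc", "10.1.10.7", "10.1.20.11", "modbus"),
    Rule("vendor-remote", "any", "10.1.20.11", "any"),          # emergency rule never removed
    Rule("legacy-test-bench", "10.1.60.4", "10.1.20.11", "modbus"),
]
HITS = {"hmi-read-plc": 120_000, "eng-write-plc": 14, "vendor-remote": 0}

if __name__ == "__main__":
    drift = detect_drift(BASELINE, CURRENT_WINDOW)
    for key, items in drift.items():
        print(key, items)
    for name, finding in audit_rules(RULES, HITS, 90):
        print(f"{name}: {finding}")
```

The vanished-flow check is easy to overlook but matters in OT: a historian that silently stopped polling after a switch replacement is a segmentation boundary that broke, and the first symptom is usually an empty trend screen rather than an alert. Run the drift check on every window and the rule audit at least as often as the text above recommends, and feed confirmed-legitimate new flows back into the baseline so the alert volume stays low enough that operators keep reading it.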
Conclusion
Segmenting OT networks that were never designed for it requires a different discipline than IT network segmentation. It starts with visibility, proceeds through careful zone design, relies on OT-aware tools and incremental validation, and requires ongoing monitoring to remain effective. The goal is not a perfect architecture achieved all at once—it is meaningful risk reduction, done in a sequence that keeps operations running throughout.
Ready to assess your OT network segmentation posture? Red Trident works with industrial operators to develop and implement segmentation strategies grounded in operational reality. Contact us to start the conversation.
