The Foundation: Why Segmentation in OT Differs from IT

Network segmentation is arguably the most impactful control available to OT security practitioners. Unlike IT environments where segmentation primarily limits lateral movement after breach, in OT the goal is to prevent cyberattacks from becoming physical events. A compromised PLC or safety controller can damage equipment, injure workers, and disrupt communities. Segmentation buys detection time and limits the blast radius when—not if—a breach occurs.

The challenge is that OT segmentation must accommodate the operational realities of industrial systems: vendors require remote access for maintenance, historians must replicate real-time process data to business systems, and aging equipment that cannot be patched must still participate in the network. Security cannot be retrofitted thoughtlessly onto these constraints.

The Purdue Reference Model

The Purdue Enterprise Reference Architecture (PERA), developed by Theodore J. Williams and the Industry-Purdue University Consortium for CIM and published in the early 1990s, remains the dominant framework for understanding OT network layering; its levels were carried into ISA-95 and are the reference model that ISA/IEC 62443 zoning guidance assumes. Despite its age, it maps cleanly to how most industrial facilities are actually built and provides a shared vocabulary for segmentation discussions.

Level 0: The Physical Process

Field devices: sensors, actuators, transmitters, valves, motors. Communication at this level is often hard-wired (4–20mA loops, discrete I/O) or uses field buses (HART, PROFIBUS, Foundation Fieldbus). Security focus: physical access control, device firmware integrity.

Level 1: Basic Control

PLCs, RTUs, and DCS field controllers that execute the logic governing Level 0 devices. This is where Modbus, DNP3, EtherNet/IP, and IEC 61850 GOOSE traffic originates. Most of these protocols carry no authentication as commonly deployed: any host that can reach a controller's Modbus port can issue writes, and any host on the same Ethernet segment can inject GOOSE frames. Network reachability is therefore the control. Segmentation objective: these devices communicate only with their Level 2 supervisors and with peer controllers; they should never communicate directly with Level 3 or above.

Level 2: Supervisory Control

SCADA servers, HMI workstations, and engineering workstations (EWS). Operators interact with the process from this level. HMIs and SCADA servers poll down to Level 1; local historians or collectors at this level buffer process data for the site historian at Level 3. This layer is the highest-value target for adversaries seeking to manipulate the process: the EWS holds the project files, vendor engineering software, and credentials needed to reprogram Level 1 controllers, and the HMI is the operator's only view of the process, so compromising it permits both manipulation and concealment.

Level 3: Operations Management

Data historians (OSIsoft PI, Aspentech IP.21, GE Proficy), manufacturing execution systems (MES), batch management, and operations-level reporting. Level 3 must communicate bidirectionally with Level 2 (to collect data) and upward to Level 4 (to deliver data to business systems). This bidirectional requirement is the source of most OT segmentation complexity.

Levels 4–5: Enterprise and External Networks

ERP systems (SAP, Oracle), corporate IT infrastructure, and internet access. This is the IT domain. The connection between Level 3 and Level 4 is the most critical boundary in the entire architecture: most OT intrusions begin with a compromised IT host (phishing, exposed remote access, a compromised vendor) and pivot across this boundary, so the controls that sit here determine whether an IT incident becomes an OT incident.

The Industrial DMZ

The industrial DMZ (IDMZ) sits between Level 3 (operations) and Level 4 (enterprise). Its purpose is to ensure that no session is ever established directly between the OT process network and the IT enterprise network: every exchange terminates on a host in the DMZ (a replica, a proxy, a jump server) and is re-originated from there. Without a DMZ, a single firewall misconfiguration or compromised IT host provides a direct path to Level 2.

Core IDMZ Architecture

A properly designed IDMZ contains:

Dual-firewall architecture: An outer firewall (enterprise-facing) and an inner firewall (OT-facing). Common guidance is to source the two from different vendors so that a single zero-day does not compromise both simultaneously; the cost is two rule languages and two patch cycles, and the property that matters more than vendor diversity is that neither firewall carries a rule whose source is on one side of the DMZ and whose destination is on the other. All traffic between IT and OT terminates on a DMZ host; no session passes straight through.

Data replication servers: A dedicated server in the DMZ receives historian data pushed from Level 3 and makes it available to Level 4 on request. Business users query the DMZ replica, not the production historian. This is the most common pattern for PI System deployments.

Jump servers and remote access proxies: All remote access to OT networks, including vendor VPNs, terminates in the DMZ. An engineer connecting from the internet first authenticates to a jump server in the DMZ, then from there to the OT network; the inner firewall permits only the jump server's address into OT, on the management protocols it brokers (RDP, SSH, vendor engineering tools), and ideally only to the hosts a given vendor is contracted for. The jump server enforces MFA, session recording, and per-user access controls, and vendor accounts should be enabled only for the duration of an approved maintenance window.

Patch management and AV update servers: OT devices that cannot download updates directly from the internet receive them from mirror servers in the DMZ. This eliminates direct internet connectivity from OT network hosts.

Historian Isolation

The data historian is among the most attacked systems in OT environments precisely because it must communicate in both directions: down to Level 1/2 process data and up to Level 4 business intelligence. Historians with direct IT connectivity are a common initial access path in OT breaches.

PI System Segmentation (OSIsoft/AVEVA)

For PI System deployments—the most common historian in energy and manufacturing—the recommended architecture is:

  1. PI Data Archive in the Level 3 OT network, collecting data via PI Interface nodes at Level 1/2
  2. PI-to-PI replication from the production archive to a shadow archive in the DMZ
  3. PI AF Server and PI Web API deployed in the DMZ for business user access
  4. No direct PI Client connections from Level 4 into the Level 3 archive

This ensures the production archive is never directly queried from the IT network. The shadow archive in the DMZ is a read-only replica: even if it is compromised, an attacker cannot manipulate production process data through it. That guarantee holds only if the replication is initiated from the Level 3 side (the PI to PI Interface node sits at Level 3 and writes outward to the DMZ archive) and the inner firewall permits no session from the DMZ archive back into Level 3. If the interface node is instead placed in the DMZ and pulls from the production archive, the DMZ host holds a credential for the production archive, and the isolation is only as strong as that identity's read-only mapping.

One-Way Data Flows: Data Diodes

For high-security environments (nuclear, chemical, critical infrastructure under regulatory mandates), hardware data diodes (Waterfall Security, Owl Cyber Defense) provide a physically enforced one-way data path. Data diodes use fiber optic transmit-only connections that are physically incapable of carrying data in the upstream direction. Because no acknowledgement can cross the diode, TCP sessions cannot traverse it; diode products therefore ship with a sending-side agent that reads the source system (a historian, OPC server, or syslog feed) and a receiving-side agent that reconstructs the data on the enterprise side, which is why vendors market them as unidirectional gateways rather than bare optical links.

Data diodes are appropriate for networks where the risk of bidirectional communication is unacceptable even with software controls, particularly for Level 1 and Level 2 networks in environments where a cybersecurity compromise could have mass-casualty consequences. Two caveats: a diode pointed outward blocks inbound commands but does nothing about data leaving OT or about an adversary already inside, and anything that needs a return path (remote access, patch pulls, two-way replication) must be provided some other way or not at all.

Common Segmentation Failures

Temporary connections left permanent: Vendor remote access channels installed for a commissioning project that were never removed. Often discovered years later during security assessments.

Dual-homed hosts: A historian or engineering workstation with one NIC connected to the OT process network and another to the corporate LAN, effectively creating a direct bridge between the two environments that bypasses all firewall controls. These are found by comparing host interface inventories against the zone address plan, not by reading the firewall.

Flat OT networks: Many older industrial facilities have no segmentation within Level 1/2 at all—all PLCs, HMIs, and engineering workstations share a single flat switch fabric. An attacker who reaches any device can reach all devices.

Firewall rules allowing IT→OT initiated connections: Legitimate data replication should use OT-initiated or DMZ-brokered connections only. Rules permitting IT hosts to initiate connections into Level 2 are architectural errors that should be corrected.
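
The zone rules above (no direct IT-to-OT sessions, DMZ-initiated access only from designated broker hosts, Level 1 never reaching Level 3 or above) can be checked mechanically against a firewall rule export. The following is an added example, not code from this page or from any firewall vendor: rules are modelled generically as source, destination, destination port and action, and the zone CIDRs, the jump server address and the rule set are all constructed for illustration. It flags a leftover vendor tunnel and an IT-to-OT initiated rule as described in this section, a direct PI client rule from Level 4 (the historian section's fourth point), a DMZ host pushing into OT instead of OT pulling, and a Level 1 to Level 3 path.

```python
"""Audit a firewall rule export against the IDMZ zone-crossing policy.

Added example, not vendor or page code. Rules are modelled generically as
(source, destination, destination port, action); the zone CIDRs, broker
address and the rule set are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone map: CIDR -> Purdue level label.
ZONES = {
    "10.10.0.0/16":   "L4",    # enterprise LAN
    "172.16.50.0/24": "IDMZ",  # industrial DMZ
    "192.168.3.0/24": "L3",    # operations: production historian, MES
    "192.168.2.0/24": "L2",    # supervisory: SCADA, HMI, EWS
    "192.168.1.0/24": "L1",    # basic control: PLCs, RTUs
}
OT = {"L1", "L2", "L3"}

# The only DMZ hosts allowed to *initiate* sessions into OT, and on which
# ports. Hypothetical: the jump server, brokering RDP into Level 2/3.
BROKERS = {"172.16.50.10": {3389}}


@dataclass
class Rule:
    name: str
    src: str              # CIDR, single address, or "any"
    dst: str
    dport: Optional[int]  # None = any port
    action: str           # "allow" or "deny"


def zones_of(target: str) -> set:
    """Every zone a rule endpoint overlaps; 'any' spans all of them."""
    if target == "any":
        return set(ZONES.values())
    net = ipaddress.ip_network(target, strict=False)
    return {z for cidr, z in ZONES.items() if net.overlaps(ipaddress.ip_network(cidr))}


def audit(rules):
    """Return (rule name, finding) pairs for every allow rule that violates
    the IDMZ model: no direct IT<->OT sessions, no DMZ->OT sessions except
    from designated brokers, no Level 1 traffic to Level 3 or above."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        for s in sorted(zones_of(r.src)):
            for d in sorted(zones_of(r.dst)):
                if s == d:
                    continue
                if (s == "L4" and d in OT) or (s in OT and d == "L4"):
                    findings.append((r.name, f"direct {s}->{d} session bypasses the IDMZ"))
                elif s == "IDMZ" and d in OT:
                    if r.dport is None or r.dport not in BROKERS.get(r.src, set()):
                        findings.append((r.name, f"IDMZ->{d} session initiated by non-broker {r.src}:{r.dport}"))
                elif (s == "L1" and d in {"L3", "IDMZ"}) or (d == "L1" and s in {"L3", "IDMZ"}):
                    findings.append((r.name, f"{s}->{d} crosses Level 1 to Level 3 or above"))
    return findings


# Constructed rule export. The first three follow the model; the rest are
# the failure patterns this section describes. TCP 5450 is the PI Data
# Archive default; 443 stands for PI Web API in the DMZ.
RULES = [
    Rule("biz-to-dmz-webapi", "10.10.0.0/16", "172.16.50.20", 443, "allow"),      # L4 -> DMZ replica front end
    Rule("historian-push", "192.168.3.10", "172.16.50.20", 5450, "allow"),        # L3 -> DMZ shadow archive
    Rule("jump-rdp", "172.16.50.10", "192.168.2.0/24", 3389, "allow"),            # broker -> L2
    Rule("legacy-vendor-vpn", "10.10.99.0/24", "192.168.2.0/24", 3389, "allow"),  # direct L4 -> L2, left from commissioning
    Rule("biz-pi-client", "10.10.0.0/16", "192.168.3.10", 5450, "allow"),         # direct L4 -> production PI
    Rule("dmz-av-push", "172.16.50.30", "192.168.2.0/24", 445, "allow"),          # DMZ host pushing into OT
    Rule("plc-to-mes", "192.168.1.0/24", "192.168.3.0/24", 502, "allow"),         # L1 -> L3
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

Rules that are not findings are the ones whose initiator is on the OT or enterprise side and whose destination is a DMZ host; the only DMZ-originated session tolerated is the jump server's. Real exports carry named objects and service groups, so the first step in practice is expanding those into the flat (src, dst, port) triples this audit consumes.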

Implementation Priorities

For practitioners looking to improve segmentation posture, prioritize in this order:

  1. Eliminate all direct IP connectivity between IT and OT networks—establish an IDMZ
  2. Isolate historian replication through the DMZ; remove direct IT connections to production historians
  3. Move all remote access to a DMZ-based jump server with MFA and session recording
  4. Segment Level 1/2 internally; at minimum, separate PLCs controlling different processes or safety systems
  5. Implement network monitoring on all inter-zone traffic; alert on any new connection type or previously unseen communication pair
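
Priority 5, as an added example rather than code from the page or from any monitoring product: a baseline of inter-zone conversations learned from a known-good window of flow records, then a later window checked against it. Records use a constructed, simplified Zeek conn.log-like layout (timestamp, originator address and port, responder address and port, protocol) and the zone CIDRs are constructed too. It raises the two alert kinds the priority names (new connection type, previously unseen pair) and, regardless of baseline, any IT-initiated session into OT, since a baseline learned on a mis-segmented network would otherwise whitelist the error.

```python
"""Baseline inter-zone conversations from flow records and alert on deviations.

Added example, not from the page or any monitoring product. Records use a
simplified, constructed Zeek conn.log-like layout (ts, orig_h, orig_p,
resp_h, resp_p, proto); zone CIDRs are constructed too.
"""
import ipaddress

# Constructed zone map: CIDR -> Purdue level label.
ZONES = {
    "10.10.0.0/16":   "L4",    # enterprise LAN
    "172.16.50.0/24": "IDMZ",  # industrial DMZ
    "192.168.3.0/24": "L3",    # operations: historian, MES
    "192.168.2.0/24": "L2",    # supervisory: SCADA, HMI, EWS
    "192.168.1.0/24": "L1",    # basic control: PLCs, RTUs
}
OT = {"L1", "L2", "L3"}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for cidr, zone in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "unknown"


def parse(line: str) -> dict:
    ts, orig_h, _orig_p, resp_h, resp_p, proto = line.split()
    return {"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
            "resp_p": int(resp_p), "proto": proto}


def keys(rec: dict):
    """Two views of one flow: the connection *type* (zone pair + service) and
    the concrete host *pair*. The originator is the initiator, which is what
    the direction rules care about."""
    sz, dz = zone_of(rec["orig_h"]), zone_of(rec["resp_h"])
    type_key = (sz, dz, rec["proto"], rec["resp_p"])
    pair_key = (rec["orig_h"], rec["resp_h"], rec["proto"], rec["resp_p"])
    return sz, dz, type_key, pair_key


def build_baseline(lines):
    """Learn the inter-zone types and pairs seen during a known-good window."""
    baseline = {"types": set(), "pairs": set()}
    for line in lines:
        sz, dz, type_key, pair_key = keys(parse(line))
        if sz != dz:
            baseline["types"].add(type_key)
            baseline["pairs"].add(pair_key)
    return baseline


def detect(lines, baseline):
    """Alert on IT-initiated sessions into OT (always, baselined or not), on
    zone/service combinations never seen, and on unseen host pairs."""
    alerts = []
    for line in lines:
        sz, dz, type_key, pair_key = keys(parse(line))
        if sz == dz:
            continue  # intra-zone traffic is outside this monitor's scope
        if sz == "L4" and dz in OT:
            alerts.append(("IT_TO_OT_INITIATED", pair_key))
        elif type_key not in baseline["types"]:
            alerts.append(("NEW_CONNECTION_TYPE", pair_key))
        elif pair_key not in baseline["pairs"]:
            alerts.append(("NEW_COMMUNICATION_PAIR", pair_key))
    return alerts


# Constructed known-good window.
BASELINE_LINES = [
    "1700000000.1 192.168.3.10 50123 172.16.50.20 5450 tcp",  # L3 historian push to DMZ replica
    "1700000000.2 192.168.2.11 51000 192.168.1.5 502 tcp",    # HMI polling a PLC (Modbus/TCP)
    "1700000000.3 10.10.5.7 49152 172.16.50.20 443 tcp",      # business user -> DMZ PI Web API
    "1700000000.4 172.16.50.10 61000 192.168.2.11 3389 tcp",  # jump server -> HMI
    "1700000000.5 192.168.2.11 51001 192.168.2.12 445 tcp",   # intra-L2, not baselined
]
# Constructed later window.
NEW_LINES = [
    "1700000100.0 192.168.3.10 50124 172.16.50.20 5450 tcp",  # known: no alert
    "1700000100.1 192.168.2.11 51002 192.168.1.9 502 tcp",    # known type, new PLC: new pair
    "1700000100.2 10.10.99.3 49153 192.168.2.11 3389 tcp",    # IT host straight into L2
    "1700000100.3 192.168.1.5 40000 172.16.50.30 443 tcp",    # PLC talking to the DMZ: new type
]

if __name__ == "__main__":
    for kind, key in detect(NEW_LINES, build_baseline(BASELINE_LINES)):
        print(kind, *key)
```

The order of checks matters: an IT-initiated session into OT is reported as a violation even when the baseline contains it, while a new pair within a known type (a second PLC polled on Modbus) is the low-severity case that usually means a device was commissioned without updating the inventory.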
Tags: network-segmentation, purdue-model, dmz, historian, architecture, defense-in-depth