𖠿 > Services > Engineering > OT Network Segmentation & Optimization
If implemented correctly, network segmentation / segregation is one of the most effective t steps you can take to strengthen your OT cybersecurity posture. It involves dividing your operational technology network into smaller, isolated zones and restricting inter-zone communications. With network segmentation / segregation in place you will effectively reduce the attack surface, limit threat propagation, and improving overall resilience. However, not all segmentation strategies are equal.
Armexa can help you move from a flat network to an industry best-practice design based on the ISA/IEC 62443 zones and conduits model.
Our Approach
Armexa’s proven methodology is built on four foundational pillars—each critical for robust OT network security. Here’s how we guide you from assessment to secure operations:
1. Separation
Physical separation lays the groundwork for all subsequent security controls. By ensuring OT assets are physically connected to a dedicated network infrastructure, you reduce risk and simplify compliance.
Objective: Establish clear boundaries between IT and OT environments by deploying dedicated OT network hardware.
Industry Reference: NIST CSF 1.1 – PR.AC-5 / NIST CSF 2.0 – PR.IR-01
NIST SP 800-82 Rev. 2 Sec. 5.4
Logically Separated Control Network: The ICS network should, at a minimum, be logically separated from the corporate network on physically separate network devices. Based on the ICS network configuration, additional separation needs to be considered for Safety Instrumented Systems and Security Systems
Key Steps:
- Asset Discovery: Passively identify and inventory all network-connected devices, leveraging both system configuration analysis and site walkdowns as needed.
- Asset Classification: Work with IT and Operations to classify each asset as IT or OT, based on system type, function, and data flow analysis.
- Network Mapping: Document the current (“as-is”) network architecture and data flows between assets.
- Design & Planning: Develop a “to-be” physical network drawing, hardware bill of materials (BoM), and a remediation plan for separating OT assets.
Deliverables:
- Comprehensive asset inventory (with IT/OT classification and named asset owners)
- Physical network diagrams (“as-is” and “to-be”)
- Data flow workbook (source/destination, protocol for each conversation)
- Hardware BoM and remediation plan
2. Logical Segmentation
Logical segmentation limits the spread of threats and enables granular control over OT communications. It’s essential for aligning with ISA/IEC 62443 and other industry standards.
Objective: Organize OT assets into functional groups (zones) and design secure communication pathways (conduits).
Industry Reference: NIST CSF 1.1 – PR.AC-5 / NIST CSF 2.0 PR.IR-01
ISA 62443-3-3:2013 – SR.5.1
The control system shall provide the capability to logically segment control system networks from non-control system networks and to logically segment critical control system networks from other control system networks.
Key Steps:
- Zone Definition: Group OT assets by function and communication needs, referencing the data flow workbook.
- Design Documentation: Update asset inventory with zone assignments and create logical network drawings showing the “to-be” OT zones.
- Implementation Planning: Develop a detailed segmentation implementation plan, including configuration changes, acceptance testing, and rollback procedures.
- Stakeholder Coordination: Collaborate with IT and Operations to schedule implementation during maintenance windows.
Deliverables:
- Updated asset inventory with zone assignments and new IP addresses
- Logical network diagrams
- Network segmentation implementation plan
- Acceptance testing and rollback procedures
3. Network Segregation
Segregation is where security becomes enforceable. Without proper firewall rules, segmentation alone cannot prevent unauthorized communications or lateral movement.
Objective: Enforce strict controls on data flows between zones using firewalls and access policies.
Industry Reference: NIST CSF 1.1 – PR.PT-4 / NIST CSF 2.0 PR.IR-01
ISA 62443-3-3:2013 – SR.5.2
The control system shall provide the capability to monitor and control communications at zone boundaries to enforce the compartmentalization defined in the risk-based zones and conduits model.
Key Steps:
- Data Flow Analysis: Review and rationalize all OT data flows, correlating with firewall rules and logs.
- Rule Creation: Develop and document a comprehensive firewall rule set based on approved OT data flows.
- Implementation & Testing: Update firewalls, enforce new rules, and validate with acceptance testing and rollback plans.
- Ongoing Management: Provide guidance for maintaining and updating rules as your environment evolves.
Deliverables:
- Correlated OT data flow list
- Approved firewall rule set
- Segregated OT infrastructure
- Acceptance testing and rollback documentation
4. Micro segmentation (Advanced/Optional)
Microsegmentation is best implemented after robust segmentation and segregation are in place. It’s valuable for protecting high-value assets or meeting advanced compliance requirements, but it can introduce larger complexity and cost. Armexa can help you weigh the benefits and challenges to ensure the right fit for your OT environment.
Objective: Apply granular, device-level controls to restrict communications within zones—typically for the most critical assets or environments with unique security requirements.
Industry Use Case:
In some cases, organizations are using micro-segmentation or Software Defined Segmentaton technologies to logically segment/segregate large, flat networks so that a wide-spread IP address change effort can be avoided.
Key Steps:
- Assessment of Need: Evaluate whether microsegmentation is appropriate based on risk, asset criticality, and operational complexity.
- Solution Selection: Identify technology partners with solutions proven in OT environments.
- Policy Design: Define communication rules for individual devices or small groups. Plan for host-based or proxy enforcement mechanisms.
- Implementation & Management:
- Deploy microsegmentation technology in targeted zones or for specific assets.
- Develop processes for ongoing rule management, monitoring, and troubleshooting.
Deliverables:
- Microsegmentation policy set and enforcement plan
- Updated network and data flow documentation
- Operational guidelines for ongoing management
Caution:
Many microsegmentation solutions on the market are designed for IT, not OT. They may not work with static IPs or legacy devices and can create significant management burdens. Armexa’s approach is to start with strong fundamentals and only layer on microsegmentation where it truly adds value.
Enhance Your Network Security
Armexa’s approach to network segmentation is thorough, meticulous and tailored to meet the specific needs of your operational technology (OT) environment. From the initial step of defining zones and conduits to the detailed planning and execution of changes, our expertise ensures a seamless transition to a segmented network that is secure and optimized for performance and resilience.
Ensure your network is not just segmented, but also strategically aligned with industry best practices.
Contact Armexa for expert guidance in shaping a more secure, efficient and resilient network infrastructure for your operations today.
