OT Network Segmentation: A Flat Network Lets One Spark Burn the Whole Plant

One of the most critical—and most neglected—controls in OT security is segmentation. Many facilities gradually end up with a “flat” OT network because it seems easier to manage: one VLAN, one broadcast domain, everything can talk to everything. For attackers, this is perfect. Once they get in, they don’t hit walls.

Here’s how a simple incident becomes a plant-wide crisis: a maintenance laptop is infected on the IT side. It’s brought onto the shop floor and plugged into an unmanaged switch. Because the OT network is flat, that laptop can see engineering workstations, HMIs, historians, and management interfaces across the environment. A worm-like behavior begins: it traverses shared folders, remote services, and weak credentials. The result: HMI screens go black, SCADA services fail, historian stops, and production halts. The root cause is not “a fancy exploit.” It is the absence of segmentation and traffic control.

Segmentation’s goal is simple: if one area is compromised, the compromise should not spread everywhere. In practical OT terms, segmentation aligns with the IEC 62443 zone/conduit mindset:

  • Zone: a group of assets with similar criticality and security requirements

  • Conduit: the controlled pathway between zones (firewall/ACL/IPS with logging)

A strong segmentation model often looks like:

  • Corporate IT network

  • OT/IT DMZ (buffer zone)

  • OT management zone (jump host, update repository, NTP)

  • Control zone (PLC/RTU)

  • Visualization zone (HMI/SCADA)

  • Security monitoring zone (NDR sensors, log collectors)

  • Vendor access zone (time-boxed, recorded sessions)

Key implementation principles:

  • Default deny: don’t allow “any-any.” Define required flows.

  • Protocol awareness: OT traffic can be latency-sensitive and may depend on broadcasts and keepalives. Rules must respect real process behavior.

  • Limit lateral movement: does one HMI need access to all PLCs, or only its line’s PLCs?

  • Separate management from control: engineering and admin tooling should not share the same network path as process traffic.

  • Visibility by design: log and monitor inter-zone traffic, record rule changes, enforce approvals.
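As an added example (not code from the original post), a small Python model of the default-deny zone/conduit principles above. The zone subnets, conduit rules and flow records are constructed for illustration; the evaluator allows only explicitly listed inter-zone flows and surfaces everything else, which is what the laptop scenario's lateral movement would look like in inter-zone logs.

```python
import ipaddress

# Constructed zone map (assumed subnets), following the page's zone list.
ZONES = {
    "corporate_it": "10.0.0.0/16",
    "ot_mgmt": "10.20.0.0/24",      # jump host, update repo, NTP
    "hmi_line1": "10.30.1.0/24",
    "hmi_line2": "10.30.2.0/24",
    "plc_line1": "10.40.1.0/24",
    "plc_line2": "10.40.2.0/24",
}

# Conduits: the only allowed inter-zone flows (src_zone, dst_zone, proto, dst_port).
# Anything not listed is denied: default deny, no "any-any".
CONDUITS = {
    ("hmi_line1", "plc_line1", "tcp", 502),    # Modbus/TCP, own line only
    ("hmi_line2", "plc_line2", "tcp", 502),
    ("ot_mgmt", "plc_line1", "tcp", 44818),    # engineering via the jump host
    ("ot_mgmt", "plc_line2", "tcp", 44818),
}

def zone_of(ip):
    """Map an address to its zone name, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def evaluate(src_ip, dst_ip, proto, dst_port):
    """Return (verdict, src_zone, dst_zone); intra-zone traffic never crosses a conduit."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "DENY", src, dst          # unknown host: no zone, no conduit
    if src == dst:
        return "INTRA_ZONE", src, dst
    if (src, dst, proto, dst_port) in CONDUITS:
        return "ALLOW", src, dst
    return "DENY", src, dst

# Constructed flow records (src, dst, proto, dst_port) from the incident story.
SAMPLE_FLOWS = [
    ("10.30.1.15", "10.40.1.7", "tcp", 502),   # HMI line 1 -> its own PLC
    ("10.30.1.15", "10.40.2.7", "tcp", 502),   # HMI line 1 -> line 2 PLC
    ("10.0.5.20", "10.20.0.9", "tcp", 445),    # infected IT laptop -> OT mgmt SMB
    ("10.0.5.20", "10.40.1.7", "tcp", 502),    # IT laptop straight to a PLC
]

def audit(flows):
    """Return denied flows with their zones: what inter-zone logging should surface."""
    results = [(f, *evaluate(*f)) for f in flows]
    return [r for r in results if r[1] == "DENY"]
```

Running `audit(SAMPLE_FLOWS)` flags the cross-line HMI access and both laptop flows; in a flat network all four would simply succeed.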

The economic argument is compelling: segmentation spending may look like “more firewalls,” but a single plant-wide outage is far more expensive. Segmentation slows attackers down. And in OT, what you need most is time—time to detect, time to isolate, time to respond before impact becomes catastrophic.