How to Accelerate OT Industrial Network Segmentation

July 21, 2023


Segmenting operational technology (OT) networks allows network administrators to manage the flow of traffic in these subnets based on granular network policies. This not only boosts cybersecurity, but also helps improve overall network management by localizing technical issues.

Industrial organizations perform critical functions that have a significant impact on public safety, the economy, and the well-being of society. As digital transformation accelerates, the cyber-physical systems (CPS) that underpin the environments of industrial organizations have become increasingly interconnected with information technology (IT) and operational technology (OT) networks. These advancements have made it more difficult for organizations to enhance security, reduce cyber risk, comply with industry regulations and standards, and improve their overall operations. By implementing OT industrial network segmentation, organizations can begin to safeguard the security, resilience, and continuity of these operations — and ensure uninterrupted functioning of society and the economy.

What is OT Network Segmentation?

OT network segmentation is the process of dividing networks into smaller isolated segments or zones. This practice enables network administrators to manage the flow of traffic between these subnets based on granular network policies. Organizations that implement network segmentation are able to achieve enhanced security and improve overall network management — while boosting performance and localizing any technical issues. Network segmentation is especially important for OT environments because of the critical infrastructure and essential devices that are used to control and monitor physical processes in power plants, manufacturing facilities, transportation systems, and more. OT segmentation not only includes segmentation within secluded OT environments, but also covers the segmentation of OT networks from IT networks, the cloud, and other CPS. This ensures that organizations can monitor all network traffic throughout their extended internet of things (XIoT).

Why is OT Network Segmentation Important for Industrial Networks?

With proper OT network segmentation, organizations can prevent the spread of cyberattacks by restricting lateral movement through the network. If a breach occurs in one subnet, it becomes more difficult for an attacker to access other subnets, reducing the attack surface. The same principle applies to attacks originating in IT networks: if a breach were to occur there, proper segmentation will prevent it from moving laterally throughout the XIoT. By separating these critical systems and processes, organizations can also enforce risk mitigation, reducing the impact of failures or disruptions. If an incident occurs, it will be less likely to spread through the entire network, limiting any operational downtime and minimizing risk to safety and productivity.

Many critical industries, including oil and gas, transportation, food and beverage, manufacturing, and more, have very specific regulatory requirements for securing OT networks — such as NERC CIP, IEC 62443, or ISO 27001. Network segmentation is critical in enabling these critical infrastructure organizations to meet technical requirements by implementing the appropriate security controls and isolating critical assets. Finally, OT network segmentation is key to improving an organization's network management and optimization. Separating networks into smaller subsets makes them more manageable, allowing organizations to allocate their resources more efficiently by reducing traffic and improving network performance.

5 Challenges to OT Network Segmentation in Industrial Environments

The concept of network segmentation is not new, but it can be a drawn-out and costly endeavor, particularly in industrial environments. Here are a few of the major challenges organizations face when ensuring their OT networks are properly segmented:

1. Legacy systems

Unlike IT environments — where systems rarely last more than five years — industrial OT environments are made up of legacy devices and systems with life cycles that can span decades. The legacy industrial control systems (ICS) located in these environments were typically not built with security in mind, and may lack the features necessary to support network segmentation or compatibility with new security controls.

2. Integration with IT systems

IT and OT networks often need to interact with one another in order to exchange data and information; however, ensuring that communication between segmented OT networks and the rest of an organization's IT infrastructure continues to work securely can be challenging. This process requires collaboration between IT and OT teams, who have rarely worked together — leading to oversights that can cause complexity and duplication of effort, an increase in operating costs, or exposure to security flaws.

3. Segmentation policies are error prone

Implementing effective network segmentation policies in industrial environments can be difficult, error-prone, and expensive to manage and maintain. The process often entails constantly tuning network policies to your unique environment, which leaves room for oversight.  

4. Compliance is inconsistently enforced

Critical infrastructure organizations are subject to many complex industry regulations and standards. Often, monitoring and ensuring compliance with these regulations requires granular, properly tuned policies that many organizations lack. This can lead to variations in approaches to segmentation and inconsistent enforcement across different organizations.

5. Unsecured Remote Access is Widespread

All industrial environments rely on remote access to enable both internal and third-party personnel to maintain assets, but common practices are risky and inefficient. If not managed properly, remote access has the potential to bypass network segmentation measures. It also expands the attack surface, introducing new potential entry points for cyber threats.
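To make the zone-and-conduit policy idea from the sections above concrete, here is an added example (not code from the original article or from Claroty) that checks constructed flow records against an explicit allow-list of conduits between zones, so that the error-prone policy tuning and remote-access bypass cases described in challenges 3 and 5 show up as explicit denials rather than silent gaps. The zone names, subnets, ports and flow records are all hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed zone map (hypothetical addressing, not from the article).
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "idmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "ot_control": ipaddress.ip_network("192.168.20.0/24"),
}

# Allowed conduits: (src_zone, dst_zone) -> permitted TCP destination ports.
# Anything not listed is denied, so IT traffic must pass through the iDMZ.
CONDUITS = {
    ("enterprise_it", "idmz"): {443, 3389},
    ("idmz", "ot_supervisory"): {3389},
    ("ot_supervisory", "ot_control"): {502, 44818},  # Modbus/TCP, EtherNet/IP
    ("ot_control", "ot_supervisory"): {502, 44818},
}

def zone_of(ip):
    # Map an address to its zone name, or None if it is in no defined zone.
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def evaluate(src, dst, dport):
    """Return (verdict, reason) for one flow under the conduit policy."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny", "address outside every defined zone"
    if s == d:
        return "allow", "intra-zone"
    allowed = CONDUITS.get((s, d))
    if allowed is None:
        return "deny", "no conduit %s->%s" % (s, d)
    if dport not in allowed:
        return "deny", "port %d not permitted on %s->%s" % (dport, s, d)
    return "allow", "conduit %s->%s" % (s, d)

# Constructed flow records (src, dst, dport). The third is the bypass case the
# article warns about: an IT host reaching a controller directly, skipping the iDMZ.
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.20.7", 502),
    ("10.10.4.20", "10.20.0.10", 443),
    ("10.10.4.20", "192.168.20.7", 502),
    ("10.20.0.10", "192.168.10.8", 502),
    ("172.16.0.9", "192.168.20.7", 502),
]

def violations(flows=SAMPLE_FLOWS):
    """Flows the policy denies, with the reason, for review or alerting."""
    return [(f, evaluate(*f)[1]) for f in flows if evaluate(*f)[0] == "deny"]
```

Feeding real flow records (from a firewall or passive monitoring sensor) through `violations()` gives a quick audit of whether the deployed rules actually match the intended zone model.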




Claroty is the industrial cybersecurity company. Trusted by the world's largest enterprises and endorsed by leading industrial automation vendors, we help our customers reveal, protect, and manage their OT, IoT, and IIoT assets.
