Asset Visibility & CIP Mapping: Eliminating Security Blind Spots
Hidden assets are silent vulnerabilities. See how passive discovery and continuous CIP mapping create full network visibility for proactive defence.
When a breach occurs, flat OT networks become digital wildfire zones. Proper segmentation contains incidents and prevents catastrophic operational disruption across your entire control environment.
One compromised device can potentially cripple your entire production operation within minutes.
The interconnected nature of modern industrial automation has created networks where safety systems communicate with batch processors, and historians pull data directly from controllers. While this connectivity enables operational efficiency, it also creates pathways for cyber incidents to spread uncontrollably. A breach that starts in a non-critical supervisory system can quickly propagate to safety controllers or process control units, transforming a manageable IT incident into a catastrophic operational shutdown. The absence of internal barriers turns your entire operation into a single point of failure.
An IDMZ isn't merely a recommendation - it's the fundamental boundary between corporate risk and operational reality.
The Industrial DMZ is a separate zone between the enterprise IT network and the OT network, with no direct routing between the two. Every exchange terminates on a broker inside the DMZ - a replicated historian, a patch or antivirus staging server, a jump host for remote sessions, or a unidirectional gateway (data diode) where only outbound data is needed - so no IT host ever opens a session straight to a controller and no controller ever reaches the enterprise network. Industrial firewalls from suppliers like Westermo enforce a separate rule set on each side of the zone, so only explicitly permitted flows cross either boundary. This does not make malware transfer impossible, but it removes the direct path and confines the compromise of a DMZ broker to the DMZ itself, which is the balance between connectivity and protection the IDMZ exists to strike.
When segmentation extends to individual controllers, breaches become isolated incidents rather than facility-wide emergencies.
Where the IDMZ protects the boundary, microsegmentation builds firebreaks inside the OT network. Divide the control network into functional zones - safety instrumented systems, basic process control, batch operations, supervisory control - and define which conduits between them carry which traffic, in the IEC 62443 sense of zones and conduits. Industrial firewalls placed at the zone edge, or in front of individual controllers, enforce those conduit rules, so an HMI can read and write the tags it needs on its own controller but has no path to the safety controllers at all. A compromised segment then gives an attacker reach only within that segment; pivoting to a more critical zone means defeating a second, independently configured control.
Fibre's inherent isolation characteristics make it the ideal medium for creating unambiguous segmentation boundaries.
The physical layer matters too. Industrial fibre optics offer EMI immunity and long reach, and separate fibre runs for different security zones give each zone its own physical path: a VLAN typo or a trunk port left in the wrong mode cannot silently join two zones that never share a cable. Media converters from suppliers like ATOP and ProSoft carry the copper Ethernet of controllers and switches over fibre while leaving the protocol unchanged. Be clear about what this does and does not buy you: a separate run removes the accidental, software-only bridge, but both runs still terminate on equipment, and a dual-homed workstation, a spare SFP port patched to the wrong panel, or a converter plugged into both zones bridges them just as effectively. Physical separation therefore complements logical controls and port-level lockdown, giving defence in depth against both attacks and human error, rather than replacing them.
Misconfigured VLANs can create the illusion of security while actually increasing your attack surface.
Virtual LANs provide logical segmentation within shared switches, but in OT they have to be designed around the protocols they carry. EtherNet/IP implicit (Class 1) I/O connections can use multicast for producer/consumer traffic, and multicast behaviour depends on VLAN configuration: every VLAN that carries I/O needs IGMP snooping with a querier, otherwise switches either flood each I/O packet to every port or age out group membership and drop it, and a controller that misses its RPI faults the connection. Industrial switches from manufacturers like Westermo support these features per VLAN, so segmentation does not break the control traffic it sits beneath. A sound VLAN design keeps I/O traffic and its controllers within a single VLAN per cell, routes only explicit messaging between VLANs through the firewall, and maps VLANs onto the same zones the security policy uses, so the network view and the policy view agree.
Conventional firewalls see CIP traffic as opaque data streams - industrial firewalls understand the commands within.
Effective segmentation requires firewalls that comprehend the industrial protocols they inspect. EtherNet/IP carries CIP: explicit messaging over TCP port 44818 (UDP 44818 for List Identity discovery) and implicit I/O over UDP port 2222. A port-based rule that allows 44818 therefore allows everything CIP can do, from reading a tag to stopping the processor or downloading a new program. Deep Packet Inspection for EtherNet/IP unwraps the encapsulation layer and reads the CIP request itself: the service code (Get_Attribute_Single, Set_Attribute_Single, Start, Stop, Reset, the Logix Read_Tag and Write_Tag services) and the object class, instance or tag name it targets. With that, a policy can permit an HMI's status reads and setpoint writes while denying run-state changes, resets and configuration services to anything but the engineering zone. This protocol-aware filtering is what makes segmentation hold up in production: coarse rules either block the control traffic or let the dangerous commands through with it.
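As an added example, not code from the original page or from any firewall vendor named on it, the following Python decodes an unconnected EtherNet/IP request down to its CIP service and target and applies a deny-by-default policy per source zone. The zone names, the policy table and the three packets are constructed for this example; the encapsulation and CIP field layouts follow the ODVA specifications. It handles only the SendRRData (unconnected) path; a production engine also has to reassemble TCP, unwrap SendUnitData connected messages and Unconnected_Send (service 0x52) requests routed through a backplane, and track the responses.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EtherNet/IP encapsulation and Common Packet Format constants (ODVA specifications).
ENIP_SEND_RR_DATA = 0x006F                 # encapsulation command carrying unconnected CIP requests
CPF_NULL_ADDRESS = 0x0000                  # address item used for unconnected messages
CPF_UNCONNECTED_DATA = 0x00B2              # data item holding the CIP Message Router request
ENIP_HEADER = struct.Struct("<HHII8sI")    # command, length, session, status, sender context, options

# CIP common services, plus the Logix vendor-specific tag services seen in most EtherNet/IP traffic.
SERVICE_NAMES = {
    0x01: "Get_Attributes_All", 0x05: "Reset", 0x06: "Start", 0x07: "Stop",
    0x0E: "Get_Attribute_Single", 0x10: "Set_Attribute_Single",
    0x4C: "Read_Tag", 0x4D: "Write_Tag",
}

@dataclass
class CipRequest:
    service: int
    class_id: Optional[int] = None
    instance: Optional[int] = None
    symbol: Optional[str] = None           # tag name when the path is symbolic

    @property
    def name(self) -> str:
        return SERVICE_NAMES.get(self.service, f"service_0x{self.service:02X}")

def parse_cip_request(data: bytes) -> CipRequest:
    """Decode the service code and request path of a CIP Message Router request."""
    req = CipRequest(service=data[0])
    path = data[2:2 + 2 * data[1]]         # request path size is given in 16-bit words
    i = 0
    while i < len(path):
        seg = path[i]
        if seg == 0x20:                    # 8-bit logical class segment
            req.class_id = path[i + 1]; i += 2
        elif seg == 0x21:                  # 16-bit logical class: pad byte, then little-endian value
            req.class_id = struct.unpack_from("<H", path, i + 2)[0]; i += 4
        elif seg == 0x24:                  # 8-bit instance segment
            req.instance = path[i + 1]; i += 2
        elif seg == 0x25:                  # 16-bit instance segment
            req.instance = struct.unpack_from("<H", path, i + 2)[0]; i += 4
        elif seg == 0x30:                  # 8-bit attribute segment; not needed for the policy
            i += 2
        elif seg == 0x91:                  # ANSI extended symbolic segment (tag name), padded to even length
            n = path[i + 1]
            req.symbol = path[i + 2:i + 2 + n].decode("ascii")
            i += 2 + n + (n & 1)
        else:
            raise ValueError(f"unsupported path segment 0x{seg:02X}")
    return req

def extract_cip_from_enip(pkt: bytes) -> CipRequest:
    """Unwrap SendRRData -> CPF -> Unconnected Data Item -> CIP request."""
    cmd, length, _session, _status, _ctx, _opts = ENIP_HEADER.unpack_from(pkt, 0)
    if cmd != ENIP_SEND_RR_DATA:
        raise ValueError(f"not SendRRData: command 0x{cmd:04X}")
    body = pkt[ENIP_HEADER.size:ENIP_HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated encapsulation payload")
    item_count = struct.unpack_from("<H", body, 6)[0]   # after interface handle (4) and timeout (2)
    off = 8
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        if item_type == CPF_UNCONNECTED_DATA:
            return parse_cip_request(body[off:off + item_len])
        off += item_len
    raise ValueError("no Unconnected Data Item in CPF")

# Conduit policy per source zone (zone names constructed for this example): a set of
# (service, class_id) pairs, where class_id None means any object, including symbolic tag paths.
# Anything not listed is denied.
POLICY = {
    "supervisory": {(0x0E, None), (0x4C, None), (0x4D, None)},                  # status reads, tag read/write
    "engineering": {(0x0E, None), (0x4C, None), (0x4D, None), (0x10, None),
                    (0x05, 0x01), (0x06, 0x01), (0x07, 0x01)},                  # plus configuration and run-state changes
}

def evaluate(source_zone: str, pkt: bytes) -> dict:
    """Return the decoded request and the allow/deny decision for a packet from the given zone."""
    req = extract_cip_from_enip(pkt)
    allowed = any(svc == req.service and (cls is None or cls == req.class_id)
                  for svc, cls in POLICY.get(source_zone, set()))
    return {"zone": source_zone, "service": req.name, "class": req.class_id,
            "instance": req.instance, "symbol": req.symbol,
            "action": "allow" if allowed else "deny"}

def build_send_rr_data(cip: bytes, session: int = 0x11223344) -> bytes:
    """Wrap a CIP request as an EtherNet/IP client would send it (used to build test traffic)."""
    cpf = struct.pack("<HHHHH", 2, CPF_NULL_ADDRESS, 0, CPF_UNCONNECTED_DATA, len(cip)) + cip
    body = struct.pack("<IH", 0, 0) + cpf   # interface handle 0, timeout 0
    return ENIP_HEADER.pack(ENIP_SEND_RR_DATA, len(body), session, 0, bytes(8), 0) + body

# Constructed requests: a product-name read on the Identity object (class 1, instance 1,
# attribute 7), a Stop service to the same object, and a Logix Write_Tag of DINT 250 to "Setpt".
PKT_READ_IDENTITY = build_send_rr_data(bytes([0x0E, 0x03, 0x20, 0x01, 0x24, 0x01, 0x30, 0x07]))
PKT_STOP = build_send_rr_data(bytes([0x07, 0x02, 0x20, 0x01, 0x24, 0x01]))
PKT_WRITE_TAG = build_send_rr_data(bytes([0x4D, 0x04, 0x91, 0x05]) + b"Setpt\x00"
                                   + struct.pack("<HHi", 0x00C4, 1, 250))

if __name__ == "__main__":
    for zone, pkt in [("supervisory", PKT_READ_IDENTITY), ("supervisory", PKT_WRITE_TAG),
                      ("supervisory", PKT_STOP), ("engineering", PKT_STOP)]:
        print(evaluate(zone, pkt))
```

Run it and the supervisory zone is allowed the identity read and the tag write but denied the Stop, while the engineering zone is allowed the Stop. The decision is keyed on service code and object, not on the port, which is the difference between a rule that says "44818 is open" and one that says what may be done over it.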
Third-party connections that bypass segmentation undermine your entire security architecture.
Segmentation strategies often fail at the remote access point, where vendor connections create hidden pathways between zones: a VPN that lands on the OT network as a whole, a cellular modem inside a packaged unit, or a laptop plugged straight into a cell switch. Remote-access solutions from suppliers like Secomea integrate with the segmentation architecture so that a support session is brokered through the IDMZ rather than tunnelled around it, terminates in the zone of the asset being supported, and is limited to that asset's addresses and protocols. A vendor supporting a single controller then cannot pivot to other systems, and the conduit policy stays intact during remote support, which is where many segmentation implementations quietly fail.
Segmentation isn't just about preventing attacks—it's about detecting them when they occur.
Segmentation boundaries are also the natural places to watch. Every packet that crosses a zone edge passes a firewall or a monitored span port, so cross-zone attempts the policy denies - a supervisory host probing a safety controller, a DMZ server opening sessions straight to PLCs, one source sweeping the addresses of a neighbouring zone - can be logged and alerted on as they happen. Fed into a SIEM alongside the allowlist of permitted conduits, these logs give early warning of reconnaissance and lateral movement, and the zone an attempt comes from tells you where the compromise already is. Segmentation then works as an active detection layer rather than only a passive barrier, yielding intelligence about an attack's progression and technique.
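To make that concrete, here is an added example (not code from the page or from any monitoring vendor) that runs flow records against a zone map and a conduit allowlist and raises the two kinds of alert just described: an individual flow that crosses a zone edge outside any permitted conduit, and one source reaching several hosts in a zone it has no conduit into, which is what a sweep looks like from the boundary. The addressing, zone names, conduit table and flow records are all constructed for the example; in practice the records come from firewall deny logs or a flow collector and the alerts go to the SIEM.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Zone map for a small plant; addressing constructed for this example.
ZONES = {
    "safety":      ip_network("10.10.1.0/24"),
    "process":     ip_network("10.10.2.0/24"),
    "supervisory": ip_network("10.10.3.0/24"),
    "historian":   ip_network("10.10.4.0/24"),
    "idmz":        ip_network("10.20.0.0/24"),
}

# Permitted conduits keyed by (source zone, destination zone), each a set of (proto, dst port).
# Anything crossing a zone edge that is not listed here is reported.
CONDUITS = {
    ("supervisory", "process"): {("tcp", 44818)},   # HMIs use CIP explicit messaging to PLCs
    ("historian", "process"):   {("tcp", 44818)},   # historian polls PLCs
    ("historian", "idmz"):      {("tcp", 443)},     # historian pushes to its DMZ replica
}

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def analyze(flows, scan_threshold: int = 3):
    """Return alerts for flows that cross a zone edge outside a permitted conduit, plus a
    reconnaissance alert when one source reaches several hosts in a zone it has no conduit into.
    flows: iterable of (timestamp, src_ip, dst_ip, proto, dst_port)."""
    alerts = []
    reached = defaultdict(set)   # (src_ip, dst_zone) -> distinct destination hosts hit without a conduit
    for ts, src, dst, proto, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue                                    # intra-zone traffic never reaches the boundary
        if (proto, dport) in CONDUITS.get((sz, dz), set()):
            continue                                    # permitted conduit
        alerts.append({
            "type": "unauthorized_conduit", "ts": ts, "src": src, "dst": dst,
            "src_zone": sz, "dst_zone": dz, "proto": proto, "dport": dport,
            "severity": "critical" if dz == "safety" else "high",
        })
        reached[(src, dz)].add(dst)
    for (src, dz), hosts in reached.items():
        if len(hosts) >= scan_threshold:
            alerts.append({"type": "cross_zone_scan", "src": src, "src_zone": zone_of(src),
                           "dst_zone": dz, "hosts": sorted(hosts),
                           "severity": "critical" if dz == "safety" else "high"})
    return alerts

# Constructed flow records (timestamp, src, dst, proto, dst port), in the shape a firewall
# log or flow collector would export.
FLOWS = [
    (0, "10.10.3.10", "10.10.2.20", "tcp", 44818),  # HMI -> PLC, permitted
    (1, "10.10.4.5",  "10.10.2.20", "tcp", 44818),  # historian -> PLC, permitted
    (2, "10.10.3.10", "10.10.2.21", "tcp", 22),     # HMI -> PLC on SSH: not a permitted conduit
    (3, "10.10.3.10", "10.10.1.5",  "tcp", 44818),  # HMI -> safety controller: no conduit at all
    (4, "10.10.3.10", "10.10.1.6",  "tcp", 44818),
    (5, "10.10.3.10", "10.10.1.7",  "tcp", 44818),  # third safety host from the same HMI: a sweep
    (6, "10.10.2.20", "10.10.2.21", "udp", 2222),   # implicit I/O inside the process zone: ignored
    (7, "10.20.0.9",  "10.10.2.20", "tcp", 44818),  # DMZ host talking straight to a PLC
]

if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(alert)
```

On the constructed records this yields five unauthorized-conduit alerts (the SSH attempt, the three touches on safety controllers, and the DMZ host reaching a PLC) and one scan alert for the HMI that swept the safety zone. The scan logic counts only denied flows on purpose: an HMI legitimately talks to every PLC in its own conduit, so counting permitted flows would alert on normal operation.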
Begin segmentation where the consequences of breach propagation are most severe.
Attempting to segment an entire operation simultaneously often leads to project failure. A phased approach that begins with isolating safety systems and critical process control delivers maximum risk reduction early in the project. This strategy allows operational teams to build confidence in the segmentation approach while addressing the most significant risks first. Subsequent phases can address less critical systems, refining the approach based on lessons learned during initial implementation. This risk-based prioritization ensures that security investments are aligned with operational criticality.
Properly implemented segmentation using industrial-grade equipment has minimal impact on performance, provided the design respects the traffic. Industrial firewalls from suppliers like Westermo are built with control-system timing in mind, but the safer pattern is to keep implicit I/O (UDP 2222, with RPIs of a few milliseconds) entirely within a zone and pass only explicit messaging and historian polling through the firewall, so the time-critical path never depends on a stateful device.
Yes, through careful planning and phased implementation. Segmentation can usually be introduced during normal operations: put the firewall in place in a monitor-only mode first, log the traffic that crosses the boundary, turn the observed legitimate flows into rules, and only then enforce. Changes that touch critical systems, such as re-addressing or cutting over a safety network, belong in planned maintenance windows.
Segmentation should follow functional boundaries rather than arbitrary counts. Typical zones include safety systems, basic process control, supervisory control, and data historians. The goal is to isolate based on criticality and function, not to create maximum segments.
Network segmentation divides networks into broad zones (like separating OT from IT), while microsegmentation creates granular boundaries within zones (like separating individual controllers within the OT network). Both are essential for comprehensive protection.
Legitimate cross-zone communications should be explicitly permitted through firewall rules that specify source, destination, protocol and port, and, where the firewall supports it, the specific CIP services allowed. The principle is "deny by default, permit by exception", with each exception documented with its business justification, owner and review date so that stale rules are removed rather than accumulated.
Absolutely. Standards like IEC 62443 explicitly recommend segmentation as a fundamental security control. Proper segmentation demonstrates due diligence in protecting critical systems and provides auditors with clear evidence of security boundary implementation.
Fibre enables clear physical separation between segments and is immune to EMI and ground potential differences, so two zones can share a conduit or panel without any electrical interaction. Separate fibre runs between zones create unambiguous physical boundaries that complement logical controls, and because fibre does not radiate there is no crosstalk between adjacent runs. It is not untappable, though - a bend coupler on an accessible run will recover signal - so fibre that crosses a zone boundary still needs physical protection.
The transition from flat, interconnected networks to properly segmented environments represents one of the most significant improvements in industrial cybersecurity posture. Segmentation transforms your operations from a single vulnerable entity into a collection of resilient, contained cells where incidents remain localized and manageable.
Proper segmentation isn't about building walls between systems - it's about creating controlled pathways that enable necessary communications while preventing unauthorized access and containing breaches before they become catastrophes.
Contact a Throughput network security specialist for a segmentation assessment and receive our Zone Segmentation Framework.
Subscribe to the Link & Layer | Smart Learning Hub for immediate access to our "OT Segmentation Implementation Guide" with zone templates and firewall rule libraries.
Don't wait for a breach to reveal your network's flat architecture. Build containment before you need it.