OT Network Segmentation: Zones, Conduits, and Industrial DMZ Design
Network segmentation is the single most effective control for limiting the spread of attacks in OT environments. Dragos reported that 96% of OT security incidents in 2024 originated from IT network connections, the attack path that proper segmentation is designed to constrain (Dragos, 2024). IEC 62443 provides the engineering framework for designing that segmentation through zones and conduits. This guide explains the IEC 62443 architecture, industrial DMZ design, micro-segmentation for OT, and the firewall decisions that make segmentation operationally sustainable.
Key Takeaways
- IEC 62443 zones-and-conduits architecture is the engineering standard for OT network segmentation.
- An industrial DMZ is mandatory between corporate IT and OT networks; direct connectivity is never acceptable.
- A conduit must be engineered to at least the security level of the higher-SL zone it connects; otherwise the conduit itself becomes the weakest point between the two zones.
- Micro-segmentation within OT using VLANs and zone-specific firewalls limits lateral movement after initial compromise.
- 96% of OT incidents trace to IT network paths; segmentation directly addresses the primary attack vector (Dragos, 2024).
OT network segmentation is architecturally different from IT network segmentation. IT segmentation primarily enforces data access policies. OT segmentation must enforce communication policies between devices that often use legacy protocols with no authentication, while maintaining the real-time communication reliability that production processes depend on. The design must be a security engineer's work AND a process engineer's work simultaneously.
The most common segmentation failure we see in OT audits is not missing firewall rules. It is missing conduit documentation. Organizations deploy firewalls between IT and OT but allow any-to-any traffic through them because no one has defined which specific communications are required for production. Without conduit design, a firewall is just an obstacle to troubleshooting. With conduit design, it is a security control.
What Are IEC 62443 Zones and Conduits?
IEC 62443 defines a zone as a grouping of logical or physical assets that share common security requirements. A conduit is a communication pathway between zones that is explicitly designed, controlled, and monitored. Every communication between zones must pass through a defined conduit. Communications that can't be assigned to a conduit shouldn't exist. This zone-and-conduit architecture forces explicit design of every inter-zone communication, replacing the implicit and undocumented connectivity that characterizes most OT networks before segmentation is applied ([IEC 62443-1-1, 2009](https://webstore.iec.ch/publication/7028)).
Security levels in IEC 62443 apply to both zones and conduits. A zone's target security level (SL-T) comes from the risk assessment: the consequence if an attacker gains control of every asset in the zone, weighed against the capability of the attacker the zone must resist. A conduit should be engineered to at least the security level of the higher-SL zone it connects, because a weaker conduit is exactly the path an attacker would use to cross from the lower zone into the higher one. A conduit between a low-security corporate IT zone (SL1) and a safety instrumented system zone (SL4) would therefore have to meet SL4 requirements regardless of the lower zone's classification. In practice such a conduit should not exist at all: corporate IT should reach the safety zone, if it needs to at all, only through the industrial DMZ and the intermediate control zones, never through a single conduit.
Defining Zones for Industrial Environments
Zone definition is the starting point for OT segmentation design. Zones should be defined based on three criteria: security level requirement (what threat level is the zone protecting against?), functional grouping (which assets work together and require direct communication?), and consequence of compromise (what's the worst-case impact if this zone is fully compromised?). A typical industrial facility might define four to eight OT zones: safety systems, process control, supervisory/HMI, historian/data collection, engineering workstations, field devices, and vendor access.
[Figure: IEC 62443 zones and conduits for an industrial facility, showing the safety zone, control zone, supervisory zone, and industrial DMZ with a firewall at each conduit boundary]
Conduit Design and Communication Requirements
Each conduit requires a communication requirements document that lists every permitted communication flow: source device, destination device, protocol, port, direction, and business justification. This document becomes the basis for firewall rule sets and network monitoring signatures. Communications not on the list are denied by default. Permitted communications are monitored for anomalous behavior, including unusual timing, unexpected source-destination pairs, or protocol violations that indicate command injection or replay attacks.
Conduit design must be developed with process engineers, not just security engineers. Operations staff know which communications are operationally essential and which are legacy connections that exist for historical reasons rather than current need. Legacy connections that can be eliminated should be documented and removed rather than secured, reducing attack surface without adding defensive cost.
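The conduit document described above is only useful if it can be checked mechanically and turned into firewall rules without hand transcription. The following is an added example, not code from the original article: it models zones with a target SL, conduits with their own SL and list of documented flows, validates that every conduit meets the SL of the higher zone it touches and that every observed flow belongs to a defined conduit, and then derives a per-conduit default-deny rule list. The zone names, security levels, hosts, ports and the generic permit/deny rule format are constructed for illustration and do not describe a real plant or any vendor's syntax.

```python
"""Conduit communication-requirements document to default-deny rule set.

Added example, not code from the original article. Zones, conduits, flows,
security levels and the rule format are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Zone:
    name: str
    sl: int                 # target security level, 1 (lowest) to 4


@dataclass(frozen=True)
class Flow:
    src: str                # source device or host group
    src_zone: str
    dst: str
    dst_zone: str
    proto: str
    port: int
    justification: str      # business reason recorded in the conduit document


@dataclass
class Conduit:
    name: str
    zone_a: str
    zone_b: str
    sl: int                 # security level the conduit is engineered to
    flows: List[Flow] = field(default_factory=list)

    def joins(self, z1: str, z2: str) -> bool:
        return {z1, z2} == {self.zone_a, self.zone_b}


ZONES = {z.name: z for z in (
    Zone("corporate_it", 1), Zone("idmz", 2), Zone("supervisory", 2),
    Zone("process_control", 3), Zone("safety", 4),
)}

CONDUITS = [
    Conduit("it-idmz", "corporate_it", "idmz", sl=2, flows=[
        Flow("erp-app", "corporate_it", "idmz-historian", "idmz", "tcp", 443,
             "ERP pulls production reports from the IDMZ historian over HTTPS"),
        Flow("it-jump-users", "corporate_it", "idmz-jump", "idmz", "tcp", 443,
             "operators reach the IDMZ jump server (MFA enforced on the jump host)"),
    ]),
    Conduit("idmz-supervisory", "idmz", "supervisory", sl=2, flows=[
        Flow("ot-historian", "supervisory", "idmz-historian", "idmz", "tcp", 5450,
             "OT historian replicates tags outward to the IDMZ historian"),
        Flow("idmz-jump", "idmz", "hmi-01", "supervisory", "tcp", 3389,
             "recorded RDP sessions from the jump server to the HMI"),
    ]),
    Conduit("supervisory-control", "supervisory", "process_control", sl=3, flows=[
        Flow("hmi-01", "supervisory", "plc-01", "process_control", "tcp", 502,
             "HMI polls PLC-01 tags over Modbus/TCP"),
    ]),
    # Deliberately under-engineered: an SL 2 conduit touching the SL 4 safety zone.
    Conduit("eng-safety", "supervisory", "safety", sl=2, flows=[
        Flow("eng-ws-01", "supervisory", "sis-01", "safety", "tcp", 44818,
             "engineering workstation downloads logic to the SIS"),
    ]),
]

# A flow found on the wire during passive capture but never assigned to a conduit.
UNASSIGNED = [
    Flow("backup-srv", "corporate_it", "plc-01", "process_control", "tcp", 502,
         "legacy: backup server still polls PLC-01 directly"),
]


def validate(zones, conduits, unassigned):
    """Return a list of findings; an empty list means the design is consistent."""
    findings = []
    for c in conduits:
        required = max(zones[c.zone_a].sl, zones[c.zone_b].sl)
        if c.sl < required:
            findings.append(f"{c.name}: conduit SL {c.sl} below required SL {required}")
        for f in c.flows:
            if not c.joins(f.src_zone, f.dst_zone):
                findings.append(f"{c.name}: flow {f.src}->{f.dst} does not join this conduit's zones")
    for f in unassigned:
        if not any(c.joins(f.src_zone, f.dst_zone) for c in conduits):
            findings.append(f"no conduit for {f.src_zone}->{f.dst_zone} "
                            f"({f.src}->{f.dst} {f.proto}/{f.port})")
    return findings


def build_ruleset(conduits):
    """One permit per documented flow, then an explicit deny, for every conduit."""
    rules = []
    for c in conduits:
        for f in c.flows:
            rules.append({"conduit": c.name, "action": "permit", "src": f.src, "dst": f.dst,
                          "proto": f.proto, "port": f.port, "why": f.justification})
        rules.append({"conduit": c.name, "action": "deny", "src": "any", "dst": "any",
                      "proto": "any", "port": "any", "why": "default deny: not in conduit document"})
    return rules


if __name__ == "__main__":
    for finding in validate(ZONES, CONDUITS, UNASSIGNED):
        print("FINDING:", finding)
    for r in build_ruleset(CONDUITS):
        print(f"{r['conduit']:20} {r['action']:6} {r['src']:>14} -> {r['dst']:<14} "
              f"{r['proto']}/{r['port']}  # {r['why']}")
```

Run as a script it reports two findings, the under-engineered eng-safety conduit and the undocumented backup-server-to-PLC path, and prints ten rules (six permits, four denies). The point of carrying the justification string into each rule is that a rule with no justification cannot be generated at all, which is the property the conduit document is meant to guarantee.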
How Should You Design an Industrial DMZ?
The industrial demilitarized zone (industrial DMZ or IDMZ) is the mandatory buffer zone between corporate IT networks and OT networks. An industrial DMZ serves the same conceptual function as a network DMZ in IT, isolating traffic flows and preventing direct connectivity, but it must be designed for OT-specific traffic patterns including historian replication, remote access, and vendor connectivity. The IDMZ typically hosts data historians, data diodes for unidirectional data transfer, remote access jump servers, and proxy services for OT-IT data exchange ([NIST SP 800-82r3, 2023](https://doi.org/10.6028/NIST.SP.800-82r3)).
Direct connections between corporate IT and OT networks are never acceptable regardless of firewall rules between them. The IDMZ must terminate all connections from both directions. Corporate IT systems connect to IDMZ services. OT systems connect to IDMZ services. No connection crosses the IDMZ directly. This dual-terminated connection model ensures that a compromised IT system cannot initiate direct communication with an OT device, even if the firewall rules would technically permit it.
Data Diodes for Unidirectional Data Transfer
Data diodes are hardware-enforced unidirectional gateways that allow data to flow in only one direction. They are the strongest available control for protecting OT data replication to historian and business intelligence systems. A data diode between OT historian and corporate IT data systems guarantees that no command, query, or malicious payload can reach the OT network through the historian path, regardless of software vulnerabilities or misconfiguration. Vendors including Waterfall Security, Owl Cyber Defense, and Fox-IT produce industrial data diode products designed for OT environments.
Remote Access Architecture in the IDMZ
Remote access to OT is a primary attack vector. In the Oldsmar, Florida water treatment incident (2021), a remote access tool already installed on the plant's HMI was used to change the sodium hydroxide dosing setpoint. In the Colonial Pipeline incident (2021), the attackers entered through a legacy VPN account that lacked MFA; the ransomware hit IT systems, and the operator shut down pipeline operations because it could not be confident the OT side was isolated, which is the cost of an IT/OT boundary you cannot trust. Every remote access connection to OT must be terminated in the IDMZ at a dedicated jump server or privileged access workstation (PAW), never directly on OT devices. Jump servers should require MFA, record all sessions, and time-limit connections automatically.
Vendor remote access is a specific risk category requiring dedicated architecture. Many OT vendors require periodic remote access for maintenance and updates. These connections should use a dedicated vendor access platform (such as Claroty SRA or Xage) that provides granular session control, recording, and automatic termination after the maintenance window closes. Shared vendor credentials and persistent VPN connections for vendor access are two of the most common OT network vulnerabilities found in assessments.
What Firewalls Are Appropriate for Industrial Networks?
Industrial firewalls for OT must meet requirements that standard IT firewalls don't address. They must support industrial protocol deep packet inspection (DPI) for Modbus, DNP3, EtherNet/IP, PROFINET, IEC 104, and other OT protocols. They must operate reliably in industrial temperature and humidity ranges. They must handle asymmetric traffic patterns, including the high-frequency, small-packet communications of process control systems, without introducing latency that disrupts real-time control. Vendors including Cisco (with ICS capabilities), Tofino/Hirschmann, Phoenix Contact, and Fortinet (FortiGate Rugged) produce firewalls designed for OT environments (IEC 62443-3-3, 2013).
Protocol-aware DPI is particularly important. Modbus has no authentication: any device that can reach a Modbus server can issue commands. A Modbus-aware firewall can enforce function code whitelisting, blocking write function codes from unauthorized sources while allowing the read function codes needed for monitoring. A DNP3-aware firewall can filter on DNP3 source and destination addresses and function codes, blocking unauthorized control commands such as operate and direct-operate. This application-layer enforcement requires a firewall that actually parses the industrial protocol; a standard IT firewall applying IP and port rules sees Modbus/TCP on port 502 as an opaque stream and cannot tell a read from a write. The caveat is that DPI only works on traffic the firewall can read: an OPC UA session protected by TLS, or a proprietary vendor protocol the firewall has no decoder for, is back to IP/port filtering at best.
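The function-code filtering just described is simple enough to show directly. The following is an added example, not code from the original article or any firewall vendor: it parses the public Modbus/TCP frame layout (7-byte MBAP header, then the PDU whose first byte is the function code), rejects malformed frames, and applies a constructed per-flow policy in which the HMI may only read and the engineering workstation may also write. The hosts, the policy and the sample frames are constructed for illustration.

```python
"""Modbus/TCP function-code filtering, as an industrial-protocol-aware firewall does it.

Added example, not code from the original article or any vendor. Hosts, policy
and sample frames are constructed; the frame layout is standard Modbus/TCP.
"""
import struct

READ_CODES = {1, 2, 3, 4, 7, 43}       # read coils/inputs/registers, exception status, device id
WRITE_CODES = {5, 6, 15, 16, 22, 23}   # write coil/register(s), mask write, read/write multiple

# Constructed conduit policy: (client, server) -> permitted function codes.
POLICY = {
    ("10.20.1.11", "10.30.1.5"): READ_CODES,                # HMI: monitoring only
    ("10.20.1.50", "10.30.1.5"): READ_CODES | WRITE_CODES,  # engineering workstation
}


def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code, pdu) or raise ValueError for a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (0)")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match payload size {len(frame) - 6}")
    return unit, frame[7], frame[7:]


def decide(src: str, dst: str, frame: bytes):
    """Firewall decision for one client-to-server frame: ('permit' | 'deny', reason)."""
    try:
        _unit, fc, _pdu = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    allowed = POLICY.get((src, dst))
    if allowed is None:
        return "deny", f"no documented conduit flow for {src} -> {dst}"
    if fc in allowed:
        return "permit", f"function code {fc} permitted for {src}"
    kind = "write" if fc in WRITE_CODES else "other"
    return "deny", f"function code {fc} ({kind}) not permitted for {src}"


def modbus_request(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request; the MBAP length counts unit id + function code + payload."""
    return struct.pack(">HHHB", tid, 0, len(payload) + 2, unit) + bytes([fc]) + payload


# Constructed sample traffic.
HMI, ENG, CORP, PLC = "10.20.1.11", "10.20.1.50", "10.10.5.9", "10.30.1.5"
READ_HOLDING = modbus_request(1, 1, 3, struct.pack(">HH", 0, 10))      # read 10 registers at 0
WRITE_SINGLE = modbus_request(2, 1, 6, struct.pack(">HH", 16, 1))      # write register 16 := 1
WRITE_MULTI = modbus_request(3, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00\x01\x00\x02")
BAD_PROTO = b"\x00\x04\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"         # protocol id 1, not Modbus
TRUNCATED = READ_HOLDING[:7]                                            # header only, no function code

if __name__ == "__main__":
    samples = [(HMI, READ_HOLDING), (HMI, WRITE_SINGLE), (ENG, WRITE_MULTI),
               (CORP, READ_HOLDING), (HMI, BAD_PROTO), (HMI, TRUNCATED)]
    for who, frame in samples:
        print(who, "->", PLC, decide(who, PLC, frame))
```

A real industrial firewall does the same thing with connection tracking so that it only applies the client policy to the client-to-server direction, and with per-register range restrictions on top of function codes; the decision logic above is the core of it. Note that the corporate host is denied even for a read, because no conduit flow documents it, which is the default-deny behaviour the conduit document is meant to produce.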
Firewall Rule Management for OT
Firewall rules for OT zones must be managed differently from IT firewall rules. OT rules should be derived directly from the conduit communication requirements documents, not built by trial and error. New rules should require change management approval with sign-off from both security and operations staff. Rules should be reviewed quarterly, and any rule not matched in the past 90 days should be flagged for review with operations before removal: some legitimate OT flows only occur during annual turnarounds, safety system proof tests, or vendor maintenance, and a rule that removes them silently will be rediscovered at the worst possible moment. Rule bloat is a major OT firewall management problem: organizations add rules for specific operational needs and never remove them, eventually producing a ruleset that allows far more than was intended.
How Does Micro-Segmentation Apply to OT?
Micro-segmentation divides OT zones into smaller segments to limit lateral movement after an initial compromise. Within a process control zone, individual PLCs or PLC groups can be placed on separate VLANs with inter-VLAN firewall rules that permit only documented communications. If an attacker compromises one PLC or the engineering workstation connected to it, micro-segmentation prevents them from using that foothold to reach adjacent PLCs or other control systems.
Micro-segmentation in OT requires a detailed communication matrix: which devices need to communicate with which other devices, using which protocols, for what operational purpose. This matrix is usually developed through a combination of passive traffic capture analysis and process engineering review. The passive capture reveals what communications are actually occurring. The process engineering review distinguishes required communications from legacy or redundant ones that can be eliminated.
VLANs and Managed Switches in OT Segmentation
VLAN-based micro-segmentation requires managed switches throughout the OT network. Many legacy OT environments use unmanaged switches that don't support VLANs. Replacing unmanaged switches with managed alternatives is a prerequisite for micro-segmentation and also enables port-level visibility used by passive OT monitoring tools. Managed switch deployment should be phased with OT monitoring deployment, as the two initiatives are complementary and share the same network access requirements.
How Do You Implement OT Segmentation Without Disrupting Production?
Production continuity is the non-negotiable constraint on OT segmentation implementation. Stuxnet is the classic illustration of why OT defenders are so cautious: the malware altered centrifuge control logic while feeding the operators normal-looking process values, so the physical damage was done before anyone had a reason to intervene. Most industrial operators face a less dramatic version of the same constraint every day: they cannot take systems offline for extended maintenance windows without significant production and revenue impact, and they cannot make network changes whose effect on the process they do not understand. OT segmentation must be implemented in a way that production systems remain available throughout.
The implementation methodology follows three phases. Phase 1: passive monitoring and communication mapping. Deploy passive monitoring (SPAN or TAP, never inline) to capture all OT network traffic and build a complete communication matrix without touching any production system or rule. This phase takes 4-8 weeks for a mid-sized environment, and the capture window should span at least one full production cycle, including batch changeovers and scheduled maintenance, because flows that occur only rarely are the ones most likely to be missed. Phase 2: firewall deployment in permissive mode. Install industrial firewalls at zone boundaries with logging enabled and rules set to permit-all. This creates visibility into cross-boundary traffic without blocking anything, and it confirms that the firewall hardware itself introduces no latency or reliability problem before any rule is enforced. Phase 3: rule enforcement. Using the communication matrix from Phase 1 and the traffic data from Phase 2, build the restrictive rule set, reconcile it against what the permissive firewalls actually logged, and enable enforcement during a planned maintenance window with a tested rollback to the permissive ruleset ready in case a required flow was missed.
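The reconciliation step between Phase 2 and Phase 3, and the quarterly stale-rule review described under firewall rule management, are the same comparison: what the permissive firewalls observed against what the conduit document says should exist. The following is an added example, not code from the original article: it parses a constructed permit-all log (the line format is assumed and is not any vendor's syntax), aggregates flows with a hit count and last-seen time, and reports flows observed but undocumented, flows documented but never observed, and documented flows idle for more than 90 days. The IP addresses, ports and review date are constructed.

```python
"""Reconcile permissive-mode firewall logs against the documented conduit flows.

Added example, not code from the original article. The log line format,
addresses, ports and review date are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO time> <firewall> permit src=<ip> dst=<ip> proto=<p> dport=<n>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) permit src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)

# Constructed permit-all log from a supervisory/control boundary firewall.
LOG = """\
2025-01-10T08:00:01Z fw-sup-ctrl permit src=10.20.1.11 dst=10.30.1.5 proto=tcp dport=502
2025-03-02T08:00:07Z fw-sup-ctrl permit src=10.20.1.11 dst=10.30.1.5 proto=tcp dport=502
2025-03-02T08:00:09Z fw-sup-ctrl permit src=10.20.1.11 dst=10.30.1.6 proto=tcp dport=502
2024-11-20T14:12:44Z fw-sup-ctrl permit src=10.20.1.50 dst=10.30.1.5 proto=tcp dport=44818
2025-03-02T09:30:00Z fw-sup-ctrl permit src=10.10.5.9 dst=10.30.1.5 proto=tcp dport=502
this line is not a permit record and is skipped
"""

# Constructed conduit document: (src, dst, proto, dport) -> justification.
DOCUMENTED = {
    ("10.20.1.11", "10.30.1.5", "tcp", 502): "hmi-01 polls plc-01 over Modbus/TCP",
    ("10.20.1.11", "10.30.1.6", "tcp", 502): "hmi-01 polls plc-02 over Modbus/TCP",
    ("10.20.1.11", "10.30.1.7", "tcp", 502): "hmi-01 polls plc-03 over Modbus/TCP",
    ("10.20.1.50", "10.30.1.5", "tcp", 44818): "eng-ws-01 programs plc-01 over EtherNet/IP",
}

REVIEW_TIME = datetime(2025, 3, 3, tzinfo=timezone.utc)   # constructed review date


def parse_log(text: str):
    """Aggregate permit records into {flow: (hit_count, last_seen)}; other lines are ignored."""
    seen = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        flow = (m["src"], m["dst"], m["proto"], int(m["dport"]))
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        count, last = seen.get(flow, (0, None))
        seen[flow] = (count + 1, ts if last is None or ts > last else last)
    return seen


def reconcile(observed, documented, review_time, stale_days=90):
    """Split flows into undocumented (observed only), unobserved (documented only) and stale."""
    cutoff = review_time - timedelta(days=stale_days)
    report = {"undocumented": [], "unobserved": [], "stale": []}
    for flow in observed:
        if flow not in documented:
            report["undocumented"].append(flow)      # review with operations, then deny or document
    for flow in documented:
        if flow not in observed:
            report["unobserved"].append(flow)        # candidate legacy rule; confirm before removing
        elif observed[flow][1] < cutoff:
            report["stale"].append(flow)             # seen, but not within the review window
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    observed = parse_log(LOG)
    for category, flows in reconcile(observed, DOCUMENTED, REVIEW_TIME).items():
        print(category)
        for flow in flows:
            hits, last = observed.get(flow, (0, None))
            print(f"  {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}  hits={hits} last={last}")
```

The engineering-workstation flow lands in the stale list rather than being dropped: it was seen once, in November, which is exactly the kind of rare but legitimate maintenance traffic that a mechanical 90-day purge would remove. The undocumented flow from the corporate host is the one that should block Phase 3 until it is either written into a conduit document or confirmed as something to deny.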
Frequently Asked Questions
What is the difference between an IT DMZ and an industrial DMZ?
An IT DMZ hosts externally accessible services (web servers, email relays) that accept connections from the internet. An industrial DMZ hosts services that mediate communication between corporate IT and OT networks (historians, remote access jump servers, proxy services). The industrial DMZ terminates connections from both IT and OT sides, preventing any direct IT-OT connectivity. Traffic protocols in an industrial DMZ include OT-specific protocols like OPC-DA/UA, historian replication, and management traffic, not internet-facing services (NIST SP 800-82r3, 2023).
How many OT zones should a facility have?
Most industrial facilities benefit from 4-8 security zones: enterprise/IT, industrial DMZ, supervisory/HMI, process control, field devices, engineering workstations, safety systems, and vendor access. The right number depends on consequence-of-compromise analysis for each functional grouping. Safety instrumented systems should always be in their own zone at the highest security level. Control and supervisory systems are typically separate zones because they have different change frequencies and access requirements (IEC 62443-3-3, 2013).
Can software-defined networking be used for OT segmentation?
Software-defined networking (SDN) can be applied to OT environments, particularly in greenfield deployments, but requires careful adaptation. OT concerns about availability and change management apply to the SDN controller as much as to any other shared dependency: a compromised or failed controller can alter or remove segmentation across the whole plant at once, so the controller belongs in its own tightly controlled zone with an out-of-band management path. Most OT environments today still use hardware-based VLAN segmentation with physical firewalls, which keeps enforcement distributed and independent of any central controller. Where SDN is adopted, it is usually as a centralized policy management layer on top of that design rather than as a replacement for it.
What industrial firewall should I choose?
Industrial firewall selection depends on OT protocol requirements, environmental conditions, and management architecture. Evaluate vendors on: native support for your specific OT protocols (Modbus, DNP3, EtherNet/IP, PROFINET), operating temperature range for plant floor deployment, DIN rail mounting for panel installation, centralized management console capability, and integration with your OT monitoring platform. Cisco Secure Firewall ISA3000, Fortinet FortiGate Rugged, and Phoenix Contact FL mGuard are commonly deployed in manufacturing and utilities environments.
Conclusion
OT network segmentation through the IEC 62443 zones-and-conduits architecture is the highest-impact structural security improvement available to most industrial operators. The architecture directly addresses the attack path responsible for 96% of OT incidents: the connection from IT networks into OT environments through poorly controlled boundaries.
The implementation requires discipline: zone definition based on consequence analysis, conduit design based on documented communication requirements, industrial DMZ architecture that terminates all cross-boundary connections, and firewall rule sets derived from those requirements rather than built ad hoc. The result is an OT network where every communication flow is intentional and every unusual flow generates an alert. That is the foundation on which effective OT security monitoring and incident response are built.
About the Author

Group COO & CISO at Opsio
Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments