OT Network Segmentation for Indian Industry: Design, Implementation, and Maintenance
Country Manager, Sweden
AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia

OT network segmentation is the highest-impact security control available to Indian industrial organisations, and it is also the most commonly underdone. Proper segmentation prevents an attacker who compromises an IT endpoint from reaching SCADA systems, and prevents a compromised field device from communicating with enterprise networks. It is the architectural foundation on which every other OT security control depends. Yet assessments of Indian industrial OT environments consistently find networks where IT and OT are either directly connected without controls or separated by firewall rules so permissive that they provide minimal real protection. Organisations with proper OT network segmentation reduce their OT breach risk by 70% compared to flat-network environments. (Claroty, 2024)
NCIIPC guidelines explicitly require network segmentation for Critical Information Infrastructure operators across all designated sectors. IEC 62443's zone-and-conduit model is the international technical standard for OT segmentation design. CERT-In's incident reporting requirements implicitly demand segmentation because without it, a single incident can compromise the entire OT environment simultaneously - making the six-hour reporting window meaningless if the incident is still evolving. (NCIIPC, 2025)
Key Takeaways
- Proper OT network segmentation reduces breach risk by 70% versus flat-network environments (Claroty, 2024).
- NCIIPC guidelines require segmentation for all designated CII operators; IEC 62443 provides the technical design standard.
- The DMZ between OT Level 3 and IT Level 4 is the most critical segmentation boundary for Indian industrial networks.
- Data diodes provide the strongest available segmentation for connections requiring one-way data flow.
- Firewall rule management and change control are as important as the initial segmentation design.
What Does Proper OT Network Segmentation Look Like?
Proper OT network segmentation creates distinct network zones separated by security controls that enforce explicit communication policies. The reference architecture is the Purdue Model, which defines five levels for industrial control systems. The critical security boundaries are between Level 3 (operations management, historians, MES) and Level 4 (enterprise IT), and between Level 2 (SCADA, DCS, HMI) and Level 3. The IT/OT boundary between Level 3 and Level 4 is where a DMZ should be placed to host shared services accessible to both sides under controlled conditions: historian servers, jump servers, patch repositories, and antivirus update servers.
Each zone boundary should be enforced by a firewall that implements a deny-by-default policy, permitting only the specific protocols and communication pairs needed for operational data exchange. The firewall ruleset should be documented, reviewed at least quarterly, and subject to formal change management processes. Every firewall rule should have a documented business justification, an owner, and an expiry review date. In practice, Indian OT firewalls commonly have rules accumulated over years without review, with no documentation of their purpose and no process for identifying and removing obsolete rules.
[CHART: OT network segmentation architecture - zones, DMZ, conduits, and security devices - Source: Opsio]
What Technologies Are Used for OT Network Segmentation?
Several technology categories provide OT network segmentation, each with specific use cases. Industrial firewalls are the most common segmentation mechanism, sitting at zone boundaries and enforcing communication policies. Industrial-specific firewalls (from vendors like Tofino/Belden, Fortinet, Palo Alto Networks) can inspect industrial protocols at the application layer, identifying and blocking specific Modbus function codes or DNP3 commands that should not cross zone boundaries. Generic enterprise firewalls provide network-level segmentation but cannot inspect industrial protocols.
Data diodes (hardware-enforced one-way communication devices) provide the strongest available segmentation for connections where data must flow from OT to IT but no return path should exist. A data diode connecting an OT historian to an enterprise data lake physically cannot transmit data in the reverse direction - there is no hardware path for a return signal. Data diodes are used by Indian power sector organisations for grid monitoring data feeds and by defence OT environments where one-way data extraction from classified networks is required. Vendors including Owl Cyber Defense, Waterfall Security, and Fox-IT manufacture data diodes used in Indian critical infrastructure.
VLANs vs Physical Segmentation in Indian OT
VLAN segmentation provides logical separation but not physical isolation. VLANs can be misconfigured, bypassed through trunking, or compromised if an attacker gains access to the switching infrastructure. For high-criticality OT systems in Indian critical infrastructure - national grid management, refinery control systems, pipeline SCADA - physical segmentation with separate switching infrastructure is more appropriate than VLAN-only separation. For lower-criticality systems - building automation, smart city IoT - VLAN segmentation on properly configured switching infrastructure may be an acceptable cost-performance trade-off.
Many Indian industrial networks use VLAN segmentation as their sole segmentation mechanism. This is better than no segmentation, but organisations should understand that VLAN misconfigurations are a common penetration testing finding in OT assessments - and that VLAN-only segmentation does not satisfy the stronger requirements in IEC 62443 or NCIIPC guidelines for high-security zones.
How Should Indian Organisations Design Their OT Segmentation Architecture?
OT segmentation design for Indian industrial organisations should follow a five-step process. First, document the current network topology through a combination of passive discovery (identifying all devices and communication flows) and network diagram review. This documentation provides the baseline from which the target architecture is designed. Second, identify and classify all OT assets by function, criticality, and security requirements. Assets with similar security requirements and trust levels belong in the same zone. Third, design the target zone architecture using Purdue Model levels as the reference framework, with explicit conduit definitions between zones. Fourth, identify the gap between current network topology and the target architecture - the remediation plan must close this gap in phases that minimise operational disruption. Fifth, implement the target architecture starting with the highest-risk boundaries, validating that operational communications are maintained throughout the implementation.
Phased implementation is essential for Indian industrial environments where continuous operation must be maintained. A common sequence is: first implement segmentation at the IT/OT boundary (Level 3-Level 4) because this boundary can typically be modified with minimal operational impact. Then implement segmentation within the OT environment at the Level 2-Level 3 boundary. Finally, implement segmentation at the field level (Level 1-Level 2) during planned maintenance windows.
What Are the Common Segmentation Mistakes in Indian OT Networks?
Four mistakes account for the majority of segmentation failures in Indian OT environments. First, overloaded firewalls: using the same firewall for both corporate internet access and OT/IT boundary enforcement creates policy complexity and management burden that leads to errors. Dedicated OT boundary firewalls, managed by OT security personnel, are more reliable. Second, undocumented exceptions: engineers create firewall exceptions to solve specific operational problems and do not document them, resulting in rulesets that nobody fully understands. Over time, these accumulated exceptions provide effective segmentation only on paper. Third, missing conduit monitoring: implementing the firewall but not the logging and monitoring means that segmentation breaches are not detected. Firewall logs must be collected, retained for 180 days (CERT-In requirement), and reviewed for anomalies. Fourth, ignoring wireless: wireless access points in or near OT environments, including engineer laptops with WiFi enabled and industrial IoT devices using WiFi or 4G, create segmentation bypasses that wired network controls cannot address.
[PERSONAL EXPERIENCE] In over 80% of Indian OT segmentation assessments, we find firewall rules that were created for specific access requirements but never removed when those requirements ended. Vendor remote access rules, rules for systems that have been decommissioned, and rules for testing purposes that were left active are the most common culprits. A formal change management process that requires firewall rule review when the associated system change is completed eliminates this accumulation over time.
How Do You Maintain OT Network Segmentation Over Time?
OT network segmentation is not a one-time implementation; it requires active maintenance to remain effective as the network evolves. Three ongoing processes are essential. First, change management: every network change that touches OT environments must go through a formal change management process that includes security review. Any change that affects zone boundaries or firewall rules should require OT security team approval. Second, periodic firewall rule review: firewall rulesets should be reviewed at least quarterly to identify and remove obsolete rules, validate that active rules still have documented business justifications, and ensure that accumulated exceptions have not undermined the intended segmentation architecture. Third, continuous monitoring: passive OT monitoring tools should alert on communication patterns that violate the intended segmentation policy - traffic attempting to traverse a zone boundary through an unauthorised path, or communication between devices that should not be talking to each other.
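The continuous-monitoring process above comes down to comparing every observed cross-zone flow with the intended zone-and-conduit design and alerting on anything that does not match. The following is an added example, not code from the article or from any monitoring product: the asset inventory, conduit table and flow records are constructed, and the DMZ replication port 5450 is an arbitrary placeholder.

```python
"""Passive segmentation monitor (added example, constructed data): flag observed flows that violate the zone-and-conduit policy."""
from collections import namedtuple
Flow = namedtuple("Flow", "ts src dst dport proto")

# Asset inventory, IP -> Purdue zone (constructed); unlisted devices are reported as unknown.
ZONE_OF = {
    "10.4.0.15": "L4-enterprise",   # analyst workstation
    "10.35.0.5": "L3.5-DMZ",        # historian replica in the IT/OT DMZ
    "10.3.0.10": "L3-ops",          # site historian
    "10.2.0.20": "L2-control",      # SCADA server
    "10.1.0.101": "L1-field",       # PLC
}
# Conduits, (src_zone, dst_zone) -> permitted (proto, dport); anything else is denied.
CONDUITS = {
    ("L4-enterprise", "L3.5-DMZ"): {("tcp", 443)},   # IT users read the DMZ historian replica
    ("L3-ops", "L3.5-DMZ"): {("tcp", 5450)},         # historian replication into the DMZ (placeholder port)
    ("L3-ops", "L2-control"): {("tcp", 4840)},       # OPC UA from site historian to SCADA
    ("L2-control", "L1-field"): {("tcp", 502)},      # Modbus/TCP polling of PLCs
}

def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())

def check_flow(flow):
    """Return a violation description, or None when the policy allows the flow."""
    sz, dz = ZONE_OF.get(flow.src), ZONE_OF.get(flow.dst)
    if sz is None or dz is None:
        return f"unknown device {flow.src if sz is None else flow.dst} not in asset inventory"
    if sz == dz:
        return None                          # intra-zone traffic is outside conduit policy
    permitted = CONDUITS.get((sz, dz))
    if permitted is None:
        return f"no conduit defined {sz} -> {dz}"
    if (flow.proto, flow.dport) not in permitted:
        return f"{flow.proto}/{flow.dport} not permitted on conduit {sz} -> {dz}"
    return None

def scan(lines):
    """Return [(flow, reason)] for every violating flow; '#' lines are comments."""
    flows = (parse_flow(ln) for ln in lines if ln.strip() and not ln.startswith("#"))
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]

SAMPLE_LOG = """\
# ts src dst dport proto  (constructed sample flow records, not a real capture)
09:00:01 10.4.0.15 10.35.0.5 443 tcp
09:00:02 10.3.0.10 10.2.0.20 4840 tcp
09:00:03 10.4.0.15 10.2.0.20 3389 tcp
09:00:05 10.4.0.15 10.1.0.101 502 tcp
09:00:06 10.3.0.10 10.2.0.20 445 tcp
09:00:07 192.168.77.9 10.1.0.101 502 tcp
""".splitlines()

def sample_violations():
    return scan(SAMPLE_LOG)
```

The two enterprise-to-OT flows are reported as "no conduit defined" because the design only allows Level 4 to reach the DMZ, which is exactly the DMZ bypass the segmentation is meant to stop.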
[CHART: OT segmentation maintenance cycle - change management, rule review, monitoring - Source: Opsio]
What Is the Business Case for OT Network Segmentation Investment?
The business case for OT network segmentation in Indian industrial organisations is compelling when expressed in incident cost terms. The most damaging OT incidents - ransomware campaigns, nation-state intrusions - rely on lateral movement from IT to OT. Proper network segmentation either prevents this movement entirely or significantly slows it, giving detection and response teams time to contain the incident before it reaches critical OT systems. The 2021 Colonial Pipeline ransomware attack in the US - which caused the company to proactively shut down its pipeline OT systems out of caution rather than because those systems were directly compromised - demonstrated how IT/OT connectivity creates operational risk even when OT systems are not directly attacked. (CISA, 2021)
For Indian critical infrastructure operators under NCIIPC oversight, segmentation is a compliance requirement as well as a security control. The consequence of non-compliance is not just regulatory action but the operational consequence of an incident that segmentation could have prevented or contained. The investment in proper segmentation - typically INR 50 lakh to 5 crore for a mid-sized Indian industrial site, depending on complexity - is low relative to the potential cost of the incidents it prevents.
Frequently Asked Questions
Does network segmentation impact operational performance of OT systems?
Properly designed segmentation does not impact OT operational performance. The conduit controls between zones should be sized and configured to handle the actual communication traffic without introducing latency. Industrial firewalls designed for OT environments process industrial protocol traffic at wire speed. The rare cases where segmentation has impacted OT performance involve either improperly sized firewall appliances or segmentation designs that introduced unnecessary routing hops for time-sensitive control communications. Segmentation design should always be validated in a test environment before production deployment. (IEC 62443, 2025)
Can we use cloud-based firewalls for OT network segmentation?
Cloud-based firewalls are not appropriate for OT/IT boundary enforcement because they introduce network latency and create a cloud dependency for on-premises OT security controls. If the cloud connection is unavailable, the firewall cannot function. On-premises industrial firewalls, with proper high-availability configurations, are the appropriate technology for OT boundary enforcement. Cloud firewall services are appropriate for protecting cloud-connected OT management interfaces - such as vendor support portals and remote monitoring dashboards - that sit outside the physical plant network. (NCIIPC, 2025)
How does data diode technology work in Indian power sector applications?
Data diodes in Indian power sector applications allow operational data - SCADA readings, historian data, energy management system telemetry - to flow from OT networks to enterprise IT for analytics and reporting, without creating any return communication path. The data diode hardware physically cannot transmit signals in the reverse direction. This is the strongest available protection for the OT-to-IT data boundary because it cannot be misconfigured or compromised - there is no return path for an attacker to exploit. Indian power sector operators including PowerGrid and NTPC use data diode technology for select high-criticality data flows. (Waterfall Security, 2025)
What protocols should be blocked at the OT/IT boundary?
At the OT/IT boundary, the default policy should be deny-all with explicit permit rules for required flows. Protocols that should typically be blocked from IT to OT include SMB (used by ransomware for lateral movement), RDP (unless explicitly required and controlled through jump servers), SNMP write access, Telnet and unencrypted SSH, and direct Modbus/DNP3 access. Protocols that may need controlled permits include OPC-DA/UA for historian access (through dedicated historian servers in the DMZ), SFTP for patch distribution (from a controlled patch repository), and syslog for log forwarding to the SIEM. CERT-In's log retention requirements make the log forwarding path essential. (CERT-In, 2022)
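The rule-hygiene requirements stated earlier (a documented justification, an owner and an expiry review date for every rule) together with the IT-to-OT block list in this answer can be checked mechanically during the quarterly review. The following is an added example, not code from the article or from Opsio: the ruleset, zone names and audit date are constructed, and the protocol-to-port mapping uses the standard port numbers.

```python
"""Firewall ruleset audit (added example, constructed data): flag boundary rules
lacking justification or owner, past their review date, or permitting the
IT-to-OT protocols the article says should be blocked by default."""
from dataclasses import dataclass
from datetime import date
# Protocols to block IT -> OT, keyed by standard port (from the article's list).
BLOCKED_IT_TO_OT = {445: "SMB", 3389: "RDP", 23: "Telnet", 502: "Modbus/TCP", 20000: "DNP3"}
AUDIT_DATE = date(2025, 6, 1)   # the "today" used for the sample run (constructed)

@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str        # e.g. "L4-enterprise", "L3.5-DMZ", "L3-ops", "L2-control"
    dst_zone: str
    dst_port: int
    justification: str   # documented business justification; empty = undocumented
    owner: str
    review_by: date      # expiry review date; the rule needs re-approval after this

def audit_rule(rule, today):
    """Return the list of findings for one permit rule (empty list = clean)."""
    findings = []
    if not rule.justification.strip():
        findings.append("no documented business justification")
    if not rule.owner.strip():
        findings.append("no owner")
    if rule.review_by < today:
        findings.append(f"review date {rule.review_by.isoformat()} has passed")
    # Lateral-movement protocols permitted straight from enterprise IT into OT zones,
    # skipping the DMZ jump/patch servers that should front such access.
    if (rule.src_zone.startswith("L4") and not rule.dst_zone.startswith("L3.5")
            and rule.dst_port in BLOCKED_IT_TO_OT):
        findings.append(f"{BLOCKED_IT_TO_OT[rule.dst_port]} permitted directly from IT to OT")
    return findings

def audit_ruleset(rules, today):
    """Map rule_id -> findings for every rule that has at least one finding."""
    result = {}
    for rule in rules:
        findings = audit_rule(rule, today)
        if findings:
            result[rule.rule_id] = findings
    return result

# Constructed ruleset reproducing the accumulation problems the article describes.
SAMPLE_RULES = [
    Rule("FW-001", "L3-ops", "L2-control", 4840, "OPC UA collector reads SCADA tags", "ot-sec", date(2026, 3, 31)),
    Rule("FW-017", "L4-enterprise", "L2-control", 3389, "", "", date(2023, 1, 15)),   # vendor RDP, never removed
    Rule("FW-023", "L4-enterprise", "L3-ops", 445, "Temporary share for acceptance testing", "eng-team", date(2022, 6, 30)),
    Rule("FW-031", "L3-ops", "L3.5-DMZ", 22, "SFTP pull of patches from DMZ repository", "ot-sec", date(2026, 1, 1)),
]

def audit_sample():
    return audit_ruleset(SAMPLE_RULES, AUDIT_DATE)
```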
How should remote vendor access interact with network segmentation?
Vendor remote access should not bypass network segmentation. Vendors should access OT systems through a jump server in the OT DMZ, not through direct connections that traverse zone boundaries. The jump server provides authentication, session recording, and access control that maintains segmentation integrity while enabling vendor support. Time-limited access credentials, pre-defined access scopes, and automatic session termination prevent vendor access from becoming a permanent segmentation bypass. All vendor access sessions should be logged for CERT-In compliance and forensic readiness. (IEC 62443, 2025)
Segmentation as the Foundation of Indian OT Security
OT network segmentation is not glamorous. It does not involve sophisticated threat intelligence or advanced analytics. It is infrastructure work - designing, implementing, and maintaining network controls that enforce the boundaries between systems that should not communicate freely. But it is the work that makes every other OT security control more effective, and it is the control that most reliably prevents the lateral movement that turns IT incidents into OT catastrophes.
Indian industrial organisations that invest in proper OT network segmentation - with the architecture, technology, and ongoing management that makes segmentation real rather than nominal - are building the most durable foundation available for their OT security programme. The organisations that have done this work are consistently better protected, more NCIIPC compliant, and more insurable than those that rely on paper segmentation policies over flat networks.
For OT network segmentation design and implementation, visit our Opsio OT security services.
For hands-on delivery in India, see Opsio's industrial IoT solutions practice.
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.