Network segmentation is the practice of dividing a computer network into smaller, isolated sections
(segments) with controlled communication between them.
Its primary objectives are to:
Improve cybersecurity
Limit the spread of cyber attacks
Reduce the attack surface
Improve network performance
Simplify network management
Protect critical Industrial Automation and Control Systems (IACS)
Each segment has its own security rules and access controls, allowing only authorised communication between networks.
Figure – Network segmentation divides a network into isolated segments with controlled communication between them.
Why Network Segmentation is Important
Without Segmentation
Malware can spread freely across the network.
An attacker gaining access to one device may gain access to the entire network.
IT incidents can impact operational technology (OT) systems.
Critical industrial processes become vulnerable to corporate network threats.
With Segmentation
Incidents are contained within a single segment.
Critical systems remain isolated.
Only authorised traffic is allowed.
Defence-in-depth is strengthened.
IT and OT Separation
Industrial control systems should not be directly connected to the corporate IT network. Instead, the OT network
should be isolated behind a dedicated industrial firewall.
Firewalls are designed to enforce security policies.
Capabilities include:
Packet inspection
Stateful inspection
Deep packet inspection (DPI)
Access control
Threat detection
Traffic filtering
Logging and monitoring
Firewalls are essential for controlling communication between network segments.
Routers
Routers are designed primarily for forwarding network traffic. Although many modern routers include basic firewall
features, routing is their primary function.
Typical router capabilities:
Route traffic between networks
Forward packets
Support VLANs
Perform Network Address Translation (NAT)
Limitations compared to dedicated firewalls:
Limited threat detection
Limited traffic inspection
Limited application awareness
Not intended as the primary security boundary for industrial networks
For OT security, routers should not replace dedicated industrial firewalls.
Demilitarized Zone (DMZ)
A Demilitarized Zone (DMZ) is a secure buffer network positioned between the corporate IT network
and the industrial control system (ICS/IACS) network. Its purpose is to allow controlled communication without
permitting direct connectivity between IT and OT.