


Team Shieldworkz
OT Network Segmentation & the Purdue Model
Every industrial network breach has a story. And in nearly every story, the same painful truth surfaces: the attacker didn't need to work hard. They found a flat, poorly segmented network: one where a compromised engineering workstation could talk directly to a PLC, where IT credentials opened doors into OT environments, and where there was no logical boundary between a historian server and a safety instrumented system.
This is the reality facing thousands of industrial organizations today. The convergence of IT and OT has accelerated business efficiency, but it has also opened the door to a new class of threats that legacy architectures were never designed to handle.
OT network segmentation, when done right, is one of the most effective defensive measures available to industrial organizations. It limits the blast radius of an attack, protects operational continuity, and creates the visibility needed to detect threats before they reach critical systems. But "done right" is doing a lot of work in that sentence.
This guide breaks down what effective OT network segmentation looks like in practice, from the foundational Purdue Model to zone-based architecture, IT/OT boundaries, and industrial DMZ design, so your organization can build defenses that actually hold under pressure.
Before we move forward, don't forget to check out our last blog post, “Shadow warfare threatens India's energy sovereignty”.
Why OT Network Security Is a Different Game Entirely
Before diving into architecture, it's important to understand what makes OT network security fundamentally different from conventional IT security. In traditional IT environments, security priorities follow the CIA triad: Confidentiality, Integrity, and Availability, in that order.
In operational technology environments, the priorities are inverted. Availability comes first. A PLC managing a chemical dosing process cannot be taken offline for a patch cycle. A SCADA system monitoring a pipeline cannot tolerate a ten-minute reboot. The moment downtime becomes acceptable, safety and production both suffer, and in critical infrastructure, the consequences can extend far beyond financial loss.
This dynamic creates a challenging environment for security teams. Many OT assets run on legacy protocols (Modbus, DNP3, PROFINET, EtherNet/IP) that were engineered for reliability in isolated networks, not resilience against external adversaries. They often lack authentication, encryption, or any native access control. Patching timelines stretch from months to years. And operational constraints mean that standard IT-style security controls simply cannot be bolted on without breaking things.
This is precisely why network segmentation is so critical in OT environments. It compensates for the inherent limitations of legacy assets by controlling the network pathways those assets can communicate over and by preventing threats from moving freely between systems.
The Purdue Model for OT Networks: Foundation, Not Formula
The Purdue Enterprise Reference Architecture, developed in the 1990s at Purdue University, remains the most widely recognized framework for structuring industrial network hierarchies. While often criticized as outdated in the era of cloud connectivity and IIoT, its core logic is more relevant than ever when it comes to defining clear network boundaries.
The Purdue Model organizes an industrial enterprise into five distinct levels:
• Level 0 (Field Devices): Sensors, actuators, and physical process components. These are the assets closest to physical operations: pumps, valves, motors, and instruments.
• Level 1 (Basic Control): PLCs, RTUs, and DCS components that directly read and control field devices. These assets execute real-time control logic.
• Level 2 (Supervisory Control): SCADA systems, HMIs, and operator workstations. This is where process monitoring and supervisory decisions happen.
• Level 3 (Site Operations): Manufacturing execution systems (MES), data historians, and engineering workstations that support operational management at the site level.
• Levels 4 & 5 (Enterprise & Corporate IT): Business systems including ERP, email infrastructure, and corporate networks. This is where traditional IT security operates.
The Purdue Model's core value is not its age but the principle it enforces: traffic should flow between adjacent levels, not freely across all of them. A control system at Level 1 should never communicate directly with a business application at Level 4. Any communication that crosses multiple levels represents a potential attack vector that needs to be explicitly controlled.
Adapting the Purdue Model for Modern Industrial Environments
Today's industrial environments don't look like the networks Purdue's architects envisioned in the 1990s. Cloud-connected SCADA systems, remote access for OEM vendor support, IIoT sensors feeding data analytics platforms, and hybrid IT/OT infrastructure have all blurred the lines between levels.
A practical, modernized approach to the Purdue Model doesn't discard its logic; it augments it. This means accounting for remote access paths, cloud data flows, and third-party connectivity while maintaining the core principle that lateral movement between operational levels should be actively controlled, monitored, and restricted to only what is operationally necessary.
OT Network Zones and Conduits: The Architecture of Control
While the Purdue Model defines horizontal layers within an industrial network, the concept of zones and conduits, formalized in the IEC 62443 standard for industrial cybersecurity, defines how those layers are subdivided and interconnected in practice.
Defining Security Zones
A security zone is a grouping of assets that share the same security requirements, risk profile, and protection needs. The boundary of a zone is where security controls are applied. Assets within a zone trust each other; assets in different zones do not.
Effective zone design considers:
• The criticality of the assets within the zone: safety systems require stricter isolation than operational monitoring systems
• The communication requirements of each asset: what does it need to receive data from, and what does it need to send data to?
• Access requirements: which users, systems, and vendors need to interact with assets in this zone?
• The consequences of compromise: what happens operationally and from a safety perspective if a zone is breached?
Securing Conduits Between Zones
A conduit is the communication pathway between two or more zones. It's where access control, protocol filtering, traffic inspection, and logging occur. Every conduit should be designed with the principle of least privilege in mind: allow only the specific communication flows that are operationally required, and deny everything else by default.
In practice, conduits are implemented through next-generation firewalls with OT protocol awareness, managed switches with VLAN segmentation, and dedicated security appliances capable of inspecting industrial protocols like Modbus TCP, DNP3, and PROFINET. Generic IT firewalls that cannot parse industrial protocols will fail to detect malicious commands disguised within legitimate protocol traffic.
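To make the zone-and-conduit logic concrete, here is an added example (written for this article; not Shieldworkz code and not text from any standard) of a deny-by-default conduit evaluator in Python. The zone names, the Purdue level assigned to each zone and the conduit rules are a constructed topology; the Modbus/TCP frame layout (MBAP header followed by the function code) is the real wire format, which is what lets the evaluator reject a write command on a conduit that is only supposed to carry reads, the "protocol-aware" distinction the paragraph above makes.

```python
import struct
from dataclasses import dataclass

# Constructed topology; the Purdue level assigned to each zone is an assumption
# of this example (the DMZ sits between site operations and the enterprise).
ZONE_LEVEL = {"field_io": 0, "plc_line1": 1, "scada_hmi": 2,
              "site_historian": 3, "idmz": 3.5, "enterprise": 4}
READ_FUNCS = frozenset({1, 2, 3, 4})          # Modbus read coils/inputs/registers
WRITE_FUNCS = frozenset({5, 6, 15, 16})       # Modbus single/multiple writes

@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    proto: str
    dport: int
    modbus_funcs: frozenset = frozenset()     # consulted only when proto == "modbus"

# Explicit allow list; any flow not matching a conduit is denied.
CONDUITS = (
    Conduit("scada_hmi", "plc_line1", "modbus", 502, READ_FUNCS | WRITE_FUNCS),
    Conduit("site_historian", "plc_line1", "modbus", 502, READ_FUNCS),
    Conduit("site_historian", "idmz", "https", 443),
    Conduit("idmz", "enterprise", "https", 443),
)

def parse_modbus_function(frame: bytes):
    """Function code of a Modbus/TCP frame, or None if malformed. The MBAP header
    is transaction id (2), protocol id (2, always 0), length (2), unit id (1);
    the PDU that follows begins with the 1-byte function code."""
    if len(frame) < 8:
        return None
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        return None
    return frame[7]

def evaluate(src_zone, dst_zone, proto, dport, payload=b""):
    """Deny-by-default conduit decision; returns (verdict, reason)."""
    for c in CONDUITS:
        if (c.src, c.dst, c.proto, c.dport) != (src_zone, dst_zone, proto, dport):
            continue
        if proto == "modbus":                 # protocol-aware check, not just port 502
            fc = parse_modbus_function(payload)
            if fc is None:
                return ("deny", "malformed Modbus/TCP frame")
            if fc not in c.modbus_funcs:
                return ("deny", f"Modbus function {fc} not permitted on this conduit")
        return ("allow", f"conduit {src_zone}->{dst_zone}/{proto}")
    span = abs(ZONE_LEVEL[src_zone] - ZONE_LEVEL[dst_zone])
    reason = f"flow spans {span:g} Purdue levels" if span > 1 else "no conduit defined"
    return ("deny", reason)

# Constructed frames: Read Holding Registers (fc 3) and Write Single Register (fc 6).
READ_FRAME = bytes.fromhex("000200000006010300000001")
WRITE_FRAME = bytes.fromhex("000100000006010600100001")
```

A port-only rule would pass both frames on the historian conduit; the function-code check is what separates a read-only historian poll from a register write.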
IT/OT Network Segmentation: Where Strategy Meets Risk Reduction
The junction between IT and OT networks is, statistically, where most industrial cyberattacks gain traction. Threat actors move laterally from compromised corporate email accounts to domain controllers, and from there to historian servers and engineering workstations, following legitimate trust relationships between IT and OT systems.
Effective IT/OT network segmentation requires more than a firewall between the two domains. It requires a deliberate architectural strategy that addresses data flows, authentication, remote access, and the operational realities of industrial environments.
Common IT/OT Segmentation Mistakes That Create Hidden Risk
• Assuming a firewall equals segmentation: a misconfigured firewall with overly permissive rules provides little actual separation between environments
• Allowing shared credentials between IT and OT domains: a single compromised Active Directory account can cascade into OT systems if domain trust is shared
• Using uncontrolled remote access pathways: VPN connections used by IT staff that extend directly into OT networks bypass critical inspection points
• Overlooking historian servers and data integration platforms: these assets span IT and OT and must be treated as high-risk conduit points
• Neglecting encrypted traffic inspection: encrypted channels are increasingly used by attackers to conceal lateral movement, even within OT environments
Industrial DMZ Design: The Critical Bridge Between IT and OT
The industrial demilitarized zone, or industrial DMZ, is the architectural centerpiece of a well-segmented OT network. It serves as a controlled buffer between the IT enterprise network and the operational technology environment, enabling necessary data exchange while preventing direct connectivity between the two domains.
Key components typically hosted within an industrial DMZ include:
• Data Historians and Replication Servers: Process data is aggregated here before being passed to enterprise analytics platforms, eliminating direct connections between Level 2 systems and corporate networks
• Remote Access Gateways: Controlled jump servers or privileged access workstations that allow authorized vendor and remote maintenance access without creating direct paths into the OT network
• Patch Management and Update Servers: Validated patch repositories that allow controlled software and firmware updates without exposing OT assets to direct internet connectivity
• Security Monitoring Infrastructure: Passive monitoring sensors and OT-aware SIEM aggregation points that collect security telemetry from OT environments without introducing active scanning that could disrupt legacy devices
• File Transfer and Anti-Malware Scanning Nodes: Controlled transfer points that scan and validate files before they cross from IT to OT, a critical defense against USB-borne and supply chain malware
The industrial DMZ is not optional in a mature OT security architecture; it's the foundational control point that enables the enterprise to function efficiently while maintaining the security boundaries that protect operational systems.
Segmentation for SCADA Networks: Protecting the Operational Nerve Center
SCADA networks present unique segmentation challenges. Unlike discrete manufacturing environments, SCADA systems often cover geographically distributed assets (remote pump stations, substations, pipeline monitoring points) connected over a mix of wired, wireless, and cellular communication pathways. This distributed topology creates numerous potential entry points that a centralized firewall policy alone cannot adequately protect.
Effective segmentation for SCADA networks should address:
• Network segmentation at remote field sites, not just at the control center: each remote terminal unit (RTU) or remote station should be treated as a potential entry point requiring its own access controls
• Protocol-aware inspection at all communication gateways: DNP3, IEC 60870-5, and other SCADA protocols carry operational commands that must be validated, not just passed
• Encryption and authentication for all communication between master and remote stations: where legacy protocol constraints prevent native encryption, compensating controls such as VPN tunnels should be applied at the network layer
• Behavioral anomaly detection that establishes communication baselines and alerts on deviations: since SCADA traffic patterns are highly predictable, anomalies are often early indicators of compromise or misconfiguration
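As an added illustration of the last point (example code written for this article, not a Shieldworkz product or tool), the Python sketch below learns a baseline of which master/outstation conversations exist, which DNP3 application-layer function codes each carries, and how often the master polls, then flags deviations from that baseline. The addresses, the port 20000 and the traffic records are constructed; the function code values used (1 READ, 13 COLD_RESTART) are the standard DNP3 ones.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    func: int      # DNP3 application-layer function code

class ScadaBaseline:
    def __init__(self, tolerance=0.5):
        self.funcs = defaultdict(set)   # (src, dst, dport) -> function codes seen
        self.interval = {}              # (src, dst, dport) -> median polling gap
        self.last_seen = {}
        self.tolerance = tolerance      # allowed relative deviation of the gap

    def learn(self, flows):
        """Build the baseline from a learning window of known-good traffic."""
        gaps = defaultdict(list)
        for f in sorted(flows, key=lambda f: f.ts):
            key = (f.src, f.dst, f.dport)
            self.funcs[key].add(f.func)
            if key in self.last_seen:
                gaps[key].append(f.ts - self.last_seen[key])
            self.last_seen[key] = f.ts
        for key, g in gaps.items():
            self.interval[key] = statistics.median(g)

    def check(self, f):
        """Return alert strings for one flow (empty list if it matches baseline)."""
        key = (f.src, f.dst, f.dport)
        alerts = []
        if key not in self.funcs:
            alerts.append(f"new conversation {f.src}->{f.dst}:{f.dport}")
        elif f.func not in self.funcs[key]:
            alerts.append(f"unseen function code {f.func} on {f.src}->{f.dst}")
        if key in self.interval:            # cadence check for known conversations
            gap = f.ts - self.last_seen[key]
            expected = self.interval[key]
            if abs(gap - expected) > self.tolerance * expected:
                alerts.append(f"polling gap {gap:g}s vs baseline {expected:g}s")
        self.last_seen[key] = f.ts
        return alerts

MASTER, RTU = "10.10.2.5", "10.20.1.7"      # constructed control-centre master and field RTU

def run_demo():
    """Train on five regular READ polls, then check four constructed follow-up flows."""
    base = ScadaBaseline()
    base.learn([Flow(30 * i, MASTER, RTU, 20000, 1) for i in range(5)])
    later = [
        Flow(150, MASTER, RTU, 20000, 1),       # on-schedule READ
        Flow(152, MASTER, RTU, 20000, 1),       # same READ but only 2 s later
        Flow(180, MASTER, RTU, 20000, 13),      # COLD_RESTART never seen in baseline
        Flow(181, "10.0.0.50", RTU, 20000, 1),  # unknown host talks to the RTU
    ]
    return [base.check(f) for f in later]
```

The cadence rule is the noisy one in practice: a legitimate outage or retry will trip it too, so treat gap alerts as lower-severity context than an unseen function code or an unknown talker.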
Practical Recommendations: Building Segmentation That Holds
Effective OT network segmentation is not a technology purchase; it's an architectural discipline built through structured methodology. Here are the principles that separate robust segmentation from checkbox compliance:
• Begin with asset discovery and inventory: You cannot segment what you have not mapped. A comprehensive OT asset inventory, built using passive discovery to avoid disrupting live systems, is the non-negotiable starting point of any segmentation project.
• Conduct a communication flow analysis: Document all existing traffic flows before designing zones. Many organizations are surprised to discover undocumented connections between OT and IT systems that have existed for years without formal approval.
• Apply risk-based zone prioritization: Not all assets carry equal risk. Safety instrumented systems and critical control assets deserve the highest isolation priority. Segment from the inside out: protect the most critical assets first.
• Design for monitoring, not just control: Segmentation without visibility is incomplete. Every zone boundary should generate security telemetry. Passively monitor OT traffic for anomalies using OT-native detection tools that understand industrial protocols.
• Enforce strict remote access controls: Remote access is among the highest-risk vectors in OT environments. Every remote session should be mediated through a jump server, require multi-factor authentication, be time-limited, and be fully logged with session recording where feasible.
• Validate segmentation under realistic conditions: Periodic segmentation validation exercises, including controlled attempts to test lateral movement paths, reveal gaps that configuration reviews miss. Real defenses are stress-tested.
• Treat segmentation as a continuous process: Network topology changes with every new installation, vendor connection, and operational modification. Segmentation must evolve accordingly; it is not a one-time project.
How Shieldworkz Supports Industrial Organizations
At Shieldworkz, we understand that OT network segmentation is not a product you install; it's a capability you build. Our team of OT security specialists works directly with industrial organizations to design, implement, and continuously improve segmentation architectures that reflect operational realities, not theoretical models.
Our OT network segmentation capabilities include:
OT Asset Discovery & Network Mapping: We conduct non-intrusive, passive asset discovery to build a complete, validated inventory of your OT/ICS environment, the essential foundation for any segmentation initiative.
Zone & Conduit Design Based on IEC 62443: Our architects design security zones and conduits aligned with IEC 62443 principles, calibrated to your specific operational environment, asset criticality, and compliance requirements.
IT/OT Boundary Architecture: We design and implement the architectural separation between IT and OT environments, including industrial DMZ design, firewall policy development, and access control architecture that balances security with operational continuity.
SCADA & ICS Protocol-Aware Security Controls: Our implementation specialists deploy and configure OT-native security tools capable of inspecting industrial protocols, ensuring that segmentation controls actually see and understand your operational traffic.
Remote Access Security for OT Environments: We design secure remote access architectures for vendor and maintenance access that enforce least-privilege access, multi-factor authentication, session monitoring, and automatic session termination.
OT Security Monitoring & Anomaly Detection: We integrate passive monitoring solutions that establish behavioral baselines for your OT network and alert on anomalies, giving your team the visibility to detect threats before they reach critical assets.
Segmentation Validation & Gap Assessment: Through structured assessments and controlled testing, we validate that your segmentation controls perform as designed under realistic conditions, identifying gaps before adversaries do.
Ongoing Security Advisory & Compliance Support: Our team provides continuous advisory support as your environment evolves, ensuring segmentation remains effective and aligned with frameworks including NIST CSF, IEC 62443, NERC CIP, and industry-specific regulations.
Segmentation Is Not a Project, It's a Commitment
The industrial networks of today are under real, sophisticated, and persistent threat. The adversaries targeting critical infrastructure are patient, well-resourced, and deeply familiar with the architectures they seek to exploit. What stands between them and operational disruption is not any single product or vendor; it's a principled, continuously maintained approach to securing the environment they operate in.
OT network segmentation, built on the structured foundation of the Purdue Model and the IEC 62443 zone-and-conduit framework, is that approach. It is not a theoretical construct; it is a practical, proven methodology for limiting the exposure of critical assets, controlling the movement of threats, and preserving the operational continuity that industrial organizations depend on.
At Shieldworkz, our commitment is simple: we believe industrial organizations deserve security architectures built for the realities of their environment, not adapted from IT blueprints that were never designed with operational technology in mind. Every engagement we undertake reflects that belief. We don't protect networks. We protect operations, safety, and the infrastructure that communities and economies depend on.
Is Your OT Network Segmentation Built to Withstand Real Threats?
Many industrial organizations believe they have adequate segmentation in place until a structured assessment reveals the gaps. Whether you're starting from scratch, validating an existing architecture, or navigating regulatory compliance requirements, Shieldworkz can help you build a defensible, operational, and continuously monitored OT network.