Why IT/OT segmentation is the foundation of energy security
IT/OT network segmentation is the most effective measure for limiting cyberattack risk on industrial systems in the energy sector. Without proper segmentation, compromising a single workstation in the corporate IT network can lead to taking over PLC controllers managing turbines, transformers, or transmission lines.
The DynoWiper attack on Polish energy infrastructure in December 2025 confirmed that absent or weak IT/OT segmentation is the primary vector enabling industrial system destruction. Attackers exploited insufficient network separation to move from IT to OT and systematically destroy controller configurations.
IEC 62443 and the NIS2 directive require segmentation as a fundamental element of critical infrastructure security.
Step 1: Audit existing network architecture
Before implementing segmentation, understanding the current topology and data flows is essential.
Physical mapping covers documenting all switches, routers, and firewalls in the IT and OT networks, identifying every IT↔OT contact point (where the two networks connect), and documenting cabling, VLANs, and port configurations.
Logical mapping requires analyzing network traffic for 2-4 weeks using passive probes, identifying all IT↔OT communications (which IT systems communicate with OT and why), and documenting protocols, ports, and communication frequency.
Dependency inventory identifies systems that genuinely require communication between IT and OT. Typical dependencies include process data transfer to historians and reporting systems, remote management and controller updates, ERP/MES integration, and vendor remote service access.
Step 2: Design zone model per IEC 62443
The Zones and Conduits model from IEC 62443 forms the foundation of segmentation architecture.
Zone 5 — Enterprise IT: corporate systems, internet, email, ERP. Standard IT security, separated from OT by DMZ.
Zone 4 — Industrial DMZ: the critical buffer zone between IT and OT. Contains proxy servers: jump servers, mirror historians, reporting servers. Rule: no connection passes directly from IT to OT — everything through DMZ.
Zone 3 — Operations/Supervisory: operator HMI stations, SCADA master servers, process historians, MES systems. Restricted access, monitoring of all connections.
Zone 2 — Control: PLC, RTU, DCS controllers. Communication limited to industrial protocols with designated stations. No internet access.
Zone 1 — Safety: SIS (Safety Instrumented Systems), process safeguards. Physical separation from other zones. All changes require physical presence and authorization.
Step 3: Design industrial DMZ
The industrial DMZ is the most critical segmentation element. Its proper design determines the effectiveness of the entire segmentation.
DMZ architecture uses two firewalls — one on the IT side, another on the OT side (preferably from different vendors so compromising one doesn’t grant access to the other). DMZ servers are the only systems with connections to both IT and OT.
Typical servers in an energy DMZ include mirror historian (process data replica for IT), jump server (controlled remote OT access), update server (distributes verified patches to OT systems), antivirus server (signatures for OT systems), and log server (OT log aggregation for SIEM).
DMZ traffic rules:
IT→DMZ: allowed, initiated by IT.
DMZ→OT: allowed, limited to specific services.
OT→DMZ: allowed, e.g., process data transfer.
IT→OT: prohibited directly; always through the DMZ.
OT→IT: prohibited directly.
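To make the DMZ traffic rules concrete, here is an added Python example (not code from the original article or from nFlo) that classifies observed flows into IEC 62443 zones by address range and evaluates each flow against the conduit policy. This is the check a firewall in monitoring mode performs before enforcement, and the packet totals it produces per zone pair and port are the raw material for the dependency inventory from Step 1. The zone address ranges, the service ports permitted on each conduit, and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import Counter, namedtuple

# Constructed zone address plan (assumption: one range per IEC 62443 zone).
ZONES = {
    "enterprise_it": ["10.0.0.0/16"],
    "dmz": ["10.10.0.0/24"],
    "supervisory": ["10.20.0.0/16"],   # HMI, SCADA master, historian
    "control": ["10.30.0.0/16"],       # PLC, RTU
}
OT_ZONES = {"supervisory", "control"}

# Conduit policy: (source zone, destination zone) -> permitted destination ports,
# or "any" where the conduit is allowed without a service restriction.
# Pairs that are absent have no conduit. Port numbers are assumptions for the example.
ALLOWED_CONDUITS = {
    ("enterprise_it", "dmz"): "any",            # IT -> DMZ: allowed, initiated by IT
    ("dmz", "supervisory"): {443, 8443},        # DMZ -> OT: limited to specific services
    ("supervisory", "dmz"): {5000},             # OT -> DMZ: process data to the mirror historian
    ("supervisory", "control"): {502, 20000},   # SCADA master polling PLC/RTU (Modbus/TCP, DNP3)
}

NETWORKS = [(ipaddress.ip_network(cidr), zone)
            for zone, cidrs in ZONES.items() for cidr in cidrs]

Verdict = namedtuple("Verdict", "src_zone dst_zone decision reason")


def zone_of(ip):
    """Map an address to its zone, or 'unknown' if it is outside the address plan."""
    addr = ipaddress.ip_address(ip)
    for net, zone in NETWORKS:
        if addr in net:
            return zone
    return "unknown"


def evaluate_flow(src, dst, dport):
    """Decide whether one flow is permitted by the zone/conduit model."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return Verdict(sz, dz, "would_block", "address outside every defined zone")
    if sz == dz:
        return Verdict(sz, dz, "allowed", "intra-zone traffic (microsegmentation rules apply separately)")
    services = ALLOWED_CONDUITS.get((sz, dz))
    if services is None:
        if "enterprise_it" in (sz, dz) and OT_ZONES & {sz, dz}:
            return Verdict(sz, dz, "would_block", "direct IT<->OT path prohibited, must pass through the DMZ")
        return Verdict(sz, dz, "would_block", "no conduit defined between these zones")
    if services == "any" or dport in services:
        return Verdict(sz, dz, "allowed", "conduit permits this service")
    return Verdict(sz, dz, "would_block", f"port {dport} is not on the conduit's service list")


def audit(flows):
    """Monitor-mode pass over (src, dst, dport, packets) records.

    Returns the per-flow verdicts and a dependency inventory keyed by
    (source zone, destination zone, port) with packet totals, which is the
    data needed to confirm the IT<->OT dependency list before enforcement.
    """
    verdicts = []
    inventory = Counter()
    for src, dst, dport, packets in flows:
        v = evaluate_flow(src, dst, dport)
        verdicts.append((src, dst, dport, v))
        inventory[(v.src_zone, v.dst_zone, dport)] += packets
    return verdicts, inventory


# Constructed flow records from a hypothetical monitoring window.
FLOWS = [
    ("10.0.5.12", "10.10.0.5", 443, 1200),     # IT workstation -> DMZ jump server
    ("10.0.5.12", "10.30.1.7", 502, 3),        # IT workstation straight to a PLC
    ("10.20.0.10", "10.10.0.9", 5000, 8000),   # process historian -> mirror historian in the DMZ
    ("10.10.0.5", "10.20.0.10", 443, 40),      # jump server -> HMI
    ("10.10.0.5", "10.20.0.10", 3389, 15),     # jump server -> HMI on a port the conduit does not list
    ("10.30.1.7", "10.0.5.12", 502, 2),        # PLC -> IT directly
    ("10.20.0.10", "10.30.1.7", 502, 50000),   # SCADA master polling the PLC
]

if __name__ == "__main__":
    verdicts, inventory = audit(FLOWS)
    for src, dst, dport, v in verdicts:
        print(f"{v.decision:11} {src:>11} -> {dst:<11}:{dport:<5} {v.src_zone}->{v.dst_zone}: {v.reason}")
    print("\nDependency inventory (zone pair, port, packets):")
    for key, packets in sorted(inventory.items()):
        print(f"  {key}: {packets}")
```

Run as a script, the three flows that the conduit model rejects (the two direct IT↔OT paths and the unlisted port on the DMZ→OT conduit) show up as would_block; in a real Phase 1 deployment each such line is either a missing entry in the dependency inventory or a connection that must be rerouted through the DMZ before enforcement begins.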
Step 4: Select segmentation technology
Industrial firewalls are the primary segmentation tool. Requirements: Deep Packet Inspection (DPI) for OT protocols (Modbus, DNP3, IEC 104, OPC UA); resilience to the industrial environment (temperature, vibration, fanless design); and the ability to configure rules at the OT command level (e.g., blocking Modbus write commands from unauthorized sources).
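As an added example of what command-level DPI for Modbus/TCP involves (this is illustrative code, not code from the original page or from any firewall vendor), the snippet below decodes the MBAP header and function code of a request, distinguishes read from write function codes, and applies a per-source allowlist so that only the engineering workstation may issue writes and only to the unit it is responsible for. The source addresses, roles and unit ids in the policy, and the frames it is run against, are constructed for the example.

```python
import struct
from collections import namedtuple

# Modbus function codes grouped by effect. Anything not listed is denied by default.
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}

# Constructed per-source policy (assumption): who may reach which unit id, and whether writes are allowed.
POLICY = {
    "10.20.0.10": {"role": "scada_master", "units": {1, 2}, "write": False},   # polling only
    "10.20.0.50": {"role": "engineering_ws", "units": {1}, "write": True},    # configuration changes
}

ModbusRequest = namedtuple("ModbusRequest", "transaction_id unit_id function_code data")


def parse_modbus_tcp(frame):
    """Decode the 7-byte MBAP header plus function code; raise ValueError on malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id and everything after it.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame) - 6}")
    return ModbusRequest(transaction_id, unit_id, frame[7], frame[8:])


def decide(src_ip, frame):
    """Return ("allow" | "drop", reason) for one Modbus/TCP request from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "drop", f"malformed frame: {err}"
    entry = POLICY.get(src_ip)
    if entry is None:
        return "drop", f"source {src_ip} is not on the allowlist"
    if req.unit_id not in entry["units"]:
        return "drop", f"{entry['role']} may not address unit {req.unit_id}"
    fc = req.function_code
    if fc in WRITE_FUNCTIONS:
        if entry["write"]:
            return "allow", f"{WRITE_FUNCTIONS[fc]} from {entry['role']}"
        return "drop", f"{WRITE_FUNCTIONS[fc]} is not permitted for {entry['role']}"
    if fc in READ_FUNCTIONS:
        return "allow", f"{READ_FUNCTIONS[fc]} from {entry['role']}"
    return "drop", f"function code {fc} is not on the conduit allowlist"


# Constructed sample frames: transaction id, protocol id 0, length, unit id, function code, payload.
READ_FRAME = struct.pack("!HHHBBHH", 1, 0, 6, 1, 3, 0, 10)            # read 10 holding registers from unit 1
WRITE_FRAME = struct.pack("!HHHBBHH", 2, 0, 6, 1, 6, 0x0010, 0x00FF)  # write register 0x10 on unit 1
BAD_LENGTH_FRAME = struct.pack("!HHHBBHH", 3, 0, 20, 1, 3, 0, 1)      # MBAP length does not match the frame

if __name__ == "__main__":
    for src, frame in [("10.20.0.10", READ_FRAME), ("10.20.0.10", WRITE_FRAME),
                       ("10.20.0.50", WRITE_FRAME), ("10.0.5.12", READ_FRAME),
                       ("10.20.0.50", BAD_LENGTH_FRAME)]:
        action, reason = decide(src, frame)
        print(f"{action:5} {src:>11} fc={frame[7]:<3} {reason}")
```

The design point is default deny at three levels: unknown sources, unit ids outside a source's responsibility, and function codes that are neither on the read nor the write list are all dropped, and a malformed frame is dropped rather than forwarded for the PLC to interpret.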
Data diodes provide physically one-way data flow — from OT to IT. They eliminate IT-to-OT attack risk at the physical level. Used for the most critical zones — e.g., between the Safety zone and the rest of the network. Limitation: not suitable for bidirectional communication (e.g., remote control).
OT microsegmentation divides the OT network into smaller segments — e.g., each energy substation as a separate segment. Limits lateral movement if one element is compromised. Requires firewalls or ACLs on managed switches.
Step 5: Phased deployment without downtime
Deploying segmentation in active energy infrastructure requires careful planning to avoid energy supply disruptions.
Phase 1 — Monitor (2-4 weeks). Deploy firewalls in monitoring/audit mode (no blocking). Analyze traffic and identify communications that will be blocked after full deployment. Verify that identified IT↔OT dependencies are complete.
Phase 2 — DMZ (1-2 weeks, maintenance window). Deploy DMZ servers and redirect IT↔OT communication through DMZ. The most critical moment — requires a maintenance window and readiness for quick rollback.
Phase 3 — Enforce (gradually). Enable blocking rules on firewalls, starting with least critical connections. Monitor impact on industrial processes. Escalate to full enforcement for all zones.
Phase 4 — Harden (ongoing). Tighten rules progressively, from protocol whitelisting to OT command whitelisting. Deploy anomaly monitoring. Review and update rules regularly.
Step 6: Testing and validation
After deployment, verifying segmentation effectiveness is essential.
IT/OT penetration testing simulates attempts to cross from IT to OT using techniques employed by APT groups, verifying that the DMZ effectively blocks unauthorized traffic.
Firewall rule testing checks whether each rule is necessary and not overly permissive, removing “any-any” rules and replacing them with precise rules.
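The rule review described above can be partly automated. The following Python is an added example (not the article's or nFlo's code) that lints a constructed firewall rulebase in its evaluation order: it flags any-any allow rules, rules shadowed by an earlier broader rule so that they can never match, and rules that no traffic matched during a monitoring window. Rule names, addresses and the observed flows are assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# Constructed rulebase in evaluation order (first match wins). Names and addresses are assumptions.
RULES = [
    {"name": "it-to-jump",       "src": "10.0.0.0/16",   "dst": "10.10.0.5/32", "dport": "443",  "action": "allow"},
    {"name": "jump-to-hmi",      "src": "10.10.0.5/32",  "dst": "10.20.0.0/16", "dport": "443",  "action": "allow"},
    {"name": "legacy-any",       "src": "any",           "dst": "any",          "dport": "any",  "action": "allow"},
    {"name": "hist-replication", "src": "10.20.0.10/32", "dst": "10.10.0.9/32", "dport": "5000", "action": "allow"},
    {"name": "default-deny",     "src": "any",           "dst": "any",          "dport": "any",  "action": "deny"},
]

# Constructed flows seen while the firewall ran in monitoring mode.
OBSERVED_FLOWS = [
    ("10.0.5.12", "10.10.0.5", 443),
    ("10.10.0.5", "10.20.0.10", 443),
    ("10.20.0.10", "10.10.0.9", 5000),
    ("10.0.5.12", "10.30.1.7", 502),   # IT workstation to a PLC: only the any-any rule lets this through
]


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def covers(outer, inner, is_port=False):
    """True if every value matching `inner` also matches `outer` (used to detect shadowing)."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    if is_port:
        return outer == inner
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def first_match(rules, src, dst, dport):
    """Name of the first rule that matches the flow, as the firewall would evaluate it."""
    for rule in rules:
        if addr_matches(rule["src"], src) and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport):
            return rule["name"]
    return None


def lint(rules, flows):
    """Return (rule name, finding) pairs for permissive, shadowed and unused rules."""
    hits = Counter(first_match(rules, *flow) for flow in flows)
    findings = []
    fields = ("src", "dst", "dport")
    for i, rule in enumerate(rules):
        if rule["action"] == "allow" and all(rule[f] == "any" for f in fields):
            findings.append((rule["name"], "any-any allow: replace with rules that name source, destination and service"))
        elif rule["action"] == "allow" and rule["dport"] == "any":
            findings.append((rule["name"], "service 'any': restrict to the ports the conduit needs"))
        for earlier in rules[:i]:
            if (covers(earlier["src"], rule["src"]) and covers(earlier["dst"], rule["dst"])
                    and covers(earlier["dport"], rule["dport"], is_port=True)):
                findings.append((rule["name"], f"shadowed by earlier rule '{earlier['name']}' and can never match"))
                break
        # The final rule is the catch-all and is not expected to see traffic.
        if i < len(rules) - 1 and hits[rule["name"]] == 0:
            findings.append((rule["name"], "no traffic matched during the monitoring window: confirm it is still needed"))
    return findings


if __name__ == "__main__":
    for name, finding in lint(RULES, OBSERVED_FLOWS):
        print(f"{name:16} {finding}")
```

On the constructed rulebase the linter reports four findings: the any-any allow itself, the historian replication rule that it shadows (which consequently saw no hits), and the default deny that is never reached. That last finding is the one worth noticing in review: a single broad allow placed above the catch-all silently turns a deny-by-default rulebase into an allow-by-default one.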
Incident response exercises verify whether the security team can quickly isolate a compromised OT segment without stopping critical processes.
How nFlo supports IT/OT segmentation
OT/ICS security audits — mapping existing topology, IT/OT flow analysis, IEC 62443 zone model design, and migration plan.
Red Team — penetration testing verifying segmentation effectiveness. IT→OT lateral movement simulation under controlled conditions.
SOC as a Service — traffic monitoring at zone boundaries with segmentation breach attempt detection.
Incident Response — OT segment isolation procedures during incidents without disrupting energy supply.
Schedule a free consultation — we’ll design IT/OT segmentation for your energy infrastructure.
