
Network Segmentation Best Practices for Critical Infrastructure

Team ZT | 23 March 2026 | 9 min read

When an attacker gains initial access to a network, the first thing they do is look around. In a flat, unsegmented network, they see everything: domain controllers, file servers, SCADA systems, production databases, executive workstations. Lateral movement becomes trivial. The initial foothold -- usually a phishing email or an exposed service -- becomes a complete compromise.

Network segmentation is the architectural defense against lateral movement. For critical infrastructure organizations -- power utilities, manufacturing plants, transportation systems, healthcare facilities -- it is not just a best practice. It is a survival requirement. The consequences of an attacker reaching operational technology (OT) systems from the corporate IT network can be physical, not just digital.

At Zindagi Technologies, we design and implement segmentation architectures for organizations operating critical infrastructure, and this guide captures the principles and practices that work in the real world.

Why Segmentation Fails

Before discussing how to segment properly, let us understand why existing segmentation often fails.

Flat Networks with VLANs Masquerading as Segmentation

VLANs provide broadcast-domain separation, not security isolation. Without firewall rules or ACLs enforced between VLANs, inter-VLAN traffic is simply routed. Many organizations create VLANs for different departments and call it "segmentation" without implementing any access controls between them.

Exception Creep

Even well-designed segmentation degrades over time. A temporary firewall rule added for a project is never removed. A vendor requires direct access to an OT system and gets a permanent exception. After a few years, the firewall has hundreds of rules, and the segmentation is Swiss cheese.

IT/OT Convergence Without Controls

As OT environments become more connected (remote monitoring, cloud analytics, vendor access), organizations create network paths between IT and OT without adequate security controls. The level boundaries of the Purdue Model, once enforced by physical isolation or outright air gaps, have been eroded by operational convenience.

Monitoring Gaps

Segmentation without monitoring is half the equation. If you do not inspect traffic crossing segment boundaries, you will not detect an attacker who finds a way through.

Segmentation Architecture for Critical Infrastructure

The Zone and Conduit Model

IEC 62443 (the ISA/IEC series of standards for industrial automation and control system security) defines the zone and conduit model, which is the reference model for critical infrastructure segmentation:

  • Zones: Groupings of assets with similar security requirements and trust levels. Each zone is assigned a target security level (SL-T) that the controls around it must achieve.
  • Conduits: Controlled communication paths between zones. All traffic between zones flows through conduits with explicit security controls; a flow with no conduit is a flow that should not exist.

This model applies to both IT and OT environments and provides a structured approach to segmentation that scales.

Defining Your Zones

For a typical critical infrastructure organization, zones should include (Purdue levels in parentheses):

  • Enterprise Zone (Level 4-5): Corporate IT -- email, ERP, web browsing, general business applications. Internet-facing.
  • Industrial DMZ (Level 3.5): The buffer between IT and OT. Replica historians, jump servers, patch staging, and remote access portals live here. No session passes straight through this zone: every IT-to-OT or OT-to-IT exchange terminates on a DMZ host that brokers it.
  • Operations Zone (Level 3): Site operations -- control center applications, engineering workstations, the OT-side historian, and OT directory services. Operators and engineers work with OT systems from here.
  • Control Zone (Level 1-2): Supervisory control at Level 2 (SCADA servers, HMIs) and basic control at Level 1 (PLCs, RTUs, DCS controllers). These are the systems that directly manage physical processes.
  • Field Zone (Level 0): Sensors, actuators, field instruments. The physical process itself.
  • Safety Zone: Safety Instrumented Systems (SIS). Isolated from all other zones, with unidirectional communication where possible.

Conduit Design Principles

Every conduit between zones must implement:

  • Explicit allow rules: Default deny, with only required protocols and ports permitted
  • Stateful inspection: Track connection state so that only replies to sessions the conduit permitted are accepted in the reverse direction
  • Application awareness: Where possible, inspect at the application layer (not just port/protocol)
  • Logging: Every allowed and denied connection logged for forensic and compliance purposes
  • Unidirectional enforcement: Where the operational requirement allows, use data diodes or unidirectional gateways to ensure data flows only in one direction (typically from OT to IT for monitoring data)

Implementation Technologies

Next-Generation Firewalls (NGFW)

NGFWs are the primary enforcement mechanism at zone boundaries. For critical infrastructure, deploy dedicated firewall pairs (high availability) at each major zone boundary:

  • IT/OT DMZ boundary: Palo Alto, Fortinet, or Check Point NGFWs with industrial protocol support
  • Between OT zones: Firewalls capable of deep packet inspection for industrial protocols (Modbus, OPC UA, DNP3, IEC 61850)

Key capabilities to look for in industrial firewalls:

  • Industrial protocol awareness (not just port-based filtering, but actual protocol parsing)
  • Virtual patching for known ICS vulnerabilities
  • Low latency (critical for real-time control systems)
  • Passive monitoring mode for initial deployment without disrupting operations

Micro-Segmentation

For finer-grained segmentation within zones, deploy micro-segmentation:

  • Software-defined micro-segmentation (Illumio, Guardicore/Akamai, VMware NSX) for IT environments
  • Host-based firewalls (iptables, Windows Firewall with Advanced Security) for individual server protection
  • Network access control (Cisco ISE, Aruba ClearPass) for dynamic segmentation based on device identity and posture

Network Access Control (NAC)

NAC is particularly important for environments where devices connect and disconnect (laptops, vendor equipment, IoT devices). NAC enforces:

  • Device authentication before network access
  • Posture assessment (is the device patched, does it have required security software?)
  • Dynamic VLAN assignment based on device identity and compliance status
  • Guest network isolation for visitors and contractors

Data Diodes and Unidirectional Gateways

For the most sensitive OT zones (safety systems, nuclear, defense), data diodes provide hardware-enforced unidirectional communication. Data can flow out (telemetry, logs) but nothing can flow in from untrusted zones.

Vendors like Waterfall Security, Owl Cyber Defense, and Advenica provide purpose-built unidirectional gateways for industrial environments.

The DMZ: Your Most Critical Boundary

The Industrial DMZ between IT and OT is the most important zone in your architecture. Design it carefully:

What Lives in the DMZ

  • Replica historian servers (mirrored from the OT-side historian, so IT users never query OT directly)
  • Patch management servers (staging patches before deployment to OT)
  • Jump servers / privileged access workstations for remote OT access
  • Anti-malware update servers
  • Remote access portals (VPN terminators, ZTNA brokers)
  • File transfer servers (for moving data between IT and OT)

What Does NOT Live in the DMZ

  • Domain controllers (IT and OT should have separate AD forests)
  • Email servers
  • Web browsing proxies
  • Any system with direct internet access

DMZ Rules

  • IT systems can initiate connections INTO the DMZ but NOT through it to OT
  • OT systems can initiate connections INTO the DMZ but NOT through it to IT
  • No direct IT-to-OT connectivity exists, ever, under any circumstances
  • All access to the DMZ requires multi-factor authentication
  • All DMZ activity is logged and monitored
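The rules above can be expressed as a conduit policy and checked mechanically. The following is an added example, not Zindagi Technologies' code: it assumes a hypothetical address plan (10.1.0.0/16 enterprise, 10.35.0.0/24 DMZ, 10.3.0.0/24 operations, 10.2.0.0/24 control), three DMZ broker hosts, and a small conduit list. The point it shows is that every permitted conduit starts or ends on a DMZ broker, so an IT address reaching an engineering workstation is denied even though IT-to-jump and jump-to-workstation are each allowed on their own.

```python
"""Zone and conduit policy check for the IT / Industrial DMZ / OT boundary.

Added example, not Zindagi Technologies' code. The zone address plan, the
DMZ host roles and the permitted conduits are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed zone address plan (hypothetical RFC 1918 ranges).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "idmz": ipaddress.ip_network("10.35.0.0/24"),
    "operations": ipaddress.ip_network("10.3.0.0/24"),
    "control": ipaddress.ip_network("10.2.0.0/24"),
}

# Assumed DMZ broker hosts, keyed by role.
DMZ_HOSTS = {
    "jump": ipaddress.ip_address("10.35.0.10"),
    "historian": ipaddress.ip_address("10.35.0.20"),
    "patch": ipaddress.ip_address("10.35.0.30"),
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    dst_host: Optional[str] = None  # only this DMZ host role may be the target
    src_host: Optional[str] = None  # only this DMZ host role may originate


# Every permitted cross-zone flow. Anything not listed is denied.
# No conduit joins "enterprise" to an OT zone in either direction: IT and OT
# each talk only to a DMZ broker, and only the jump host talks onward.
CONDUITS = [
    Conduit("enterprise", "idmz", "tcp", 443, dst_host="jump"),        # MFA access portal
    Conduit("enterprise", "idmz", "tcp", 443, dst_host="historian"),   # reporting queries
    Conduit("operations", "idmz", "tcp", 5432, dst_host="historian"),  # OT historian -> replica
    Conduit("operations", "idmz", "tcp", 8530, dst_host="patch"),      # OT hosts pull staged patches
    Conduit("idmz", "operations", "tcp", 3389, src_host="jump"),       # jump host -> engineering workstation
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def host_role(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for role, host in DMZ_HOSTS.items():
        if addr == host:
            return role
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Decide a single connection attempt: returns ("allow"|"deny", reason)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src_zone, dst_zone):
        return "deny", f"unclassified address ({src_zone} -> {dst_zone})"
    if src_zone == dst_zone:
        return "allow", "intra-zone; governed by micro-segmentation, not a conduit"
    ot_zones = {"operations", "control"}
    if "enterprise" in (src_zone, dst_zone) and ot_zones & {src_zone, dst_zone}:
        return "deny", "direct IT <-> OT path is never permitted"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) != (src_zone, dst_zone, proto, dport):
            continue
        if c.dst_host and host_role(dst_ip) != c.dst_host:
            continue
        if c.src_host and host_role(src_ip) != c.src_host:
            continue
        return "allow", f"conduit {c.src_zone} -> {c.dst_zone} {c.proto}/{c.dport}"
    return "deny", f"no conduit for {src_zone} -> {dst_zone} {proto}/{dport}"


if __name__ == "__main__":
    # Constructed attempts: an IT user reaching the portal, the same user going
    # straight to an engineering workstation, the jump host reaching that
    # workstation legitimately, and the historian replica trying to reach a PLC.
    for attempt in [
        ("10.1.5.5", "10.35.0.10", "tcp", 443),
        ("10.1.5.5", "10.3.0.50", "tcp", 3389),
        ("10.35.0.10", "10.3.0.50", "tcp", 3389),
        ("10.35.0.20", "10.2.0.7", "tcp", 502),
    ]:
        print(attempt, "->", evaluate(*attempt))
```

The last attempt in the usage block is the one to watch: the historian replica has a legitimate reason to exist in the DMZ, but it has no conduit to the Control Zone, so a compromised replica trying to reach a PLC is denied. Only the jump host has an onward conduit, and only to the Operations Zone.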

Handling Common Segmentation Challenges

Vendor Remote Access

Equipment vendors frequently need remote access to OT systems for maintenance and troubleshooting. This is a major segmentation challenge:

  • Never allow persistent VPN connections from vendor networks to OT zones
  • Use a jump server in the DMZ with session recording
  • Require just-in-time access -- vendor access is granted for a specific window and automatically revoked
  • Monitor all vendor sessions in real-time
  • Maintain a separate vendor VLAN in the DMZ with restricted access

Legacy Systems

Many OT environments include legacy systems that cannot support modern authentication, encryption, or patching. Compensating controls include:

  • Network isolation: Place legacy systems in their own micro-segment with strict access controls
  • Monitoring: Deploy passive network monitoring (IDS) to detect exploitation attempts
  • Virtual patching: Use NGFW virtual patching to block known exploits targeting legacy protocols
  • Application whitelisting: Restrict which applications can run on legacy systems

Cloud Connectivity

As OT environments adopt cloud for analytics, predictive maintenance, and remote monitoring:

  • Cloud connections should originate from the DMZ, not directly from OT zones
  • Use unidirectional gateways or data diodes for telemetry flowing to cloud
  • Encrypt all cloud-bound traffic
  • Implement cloud-specific access controls (private endpoints, VPN/Direct Connect)

Validation and Maintenance

Penetration Testing

Conduct regular penetration testing that specifically targets segmentation controls:

  • Can an attacker pivot from IT to OT?
  • Can a compromised DMZ system reach control systems?
  • Are firewall rules enforced as documented?
  • Can inter-VLAN traffic bypass access controls?

Rule Review

Conduct quarterly firewall rule reviews:

  • Remove expired temporary rules
  • Verify that each rule has a documented business justification
  • Identify overly permissive rules (any/any sources or destinations)
  • Check for shadowed rules (rules that never match because a broader rule above them catches the traffic first)
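The four checks in that list can be run as a script over a normalised rule export. The following is an added example, not Zindagi Technologies' code: the rule schema, the review date and the five-rule sample base are constructed for illustration, and a real export from a Palo Alto, Fortinet or Check Point device would first be mapped into this shape. Shadowing is decided with first-match semantics: a rule is shadowed when some earlier rule covers its source, destination, protocol and port range entirely.

```python
"""Static review of an ordered firewall rule base.

Added example, not Zindagi Technologies' code. The rule schema and the sample
rule base are constructed for illustration; a real export (Palo Alto, Fortinet,
Check Point) would be normalised into this shape first.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range; (0, 65535) = any
    action: str              # "allow" or "deny"
    ticket: str = ""         # change ticket recording the business justification
    expires: Optional[date] = None  # set only for temporary rules


def _net(s: str):
    return ANY_NET if s == "any" else ipaddress.ip_network(s)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` would match is already matched by `outer`."""
    return (
        _net(inner.src).subnet_of(_net(outer.src))
        and _net(inner.dst).subnet_of(_net(outer.dst))
        and outer.proto in ("any", inner.proto)
        and outer.ports[0] <= inner.ports[0]
        and outer.ports[1] >= inner.ports[1]
    )


def review(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs in rule-base order."""
    findings = []
    for i, r in enumerate(rules):
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "expired temporary rule"))
        if r.action == "allow" and r.src == "any" and r.dst == "any":
            findings.append((r.name, "any/any allow"))
        if r.action == "allow" and not r.ticket:
            findings.append((r.name, "no documented justification"))
        # First-match semantics: an earlier rule that covers this one means this
        # rule can never fire. When the actions differ, the policy the reviewer
        # believes is enforced is not the policy the firewall applies.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by {earlier.name} ({earlier.action})"))
                break
    return findings


# Constructed sample rule base for an IT / Industrial DMZ / OT firewall.
SAMPLE_RULES = [
    Rule("ent-to-portal", "10.1.0.0/16", "10.35.0.10/32", "tcp", (443, 443), "allow", ticket="CHG-1201"),
    Rule("vendor-temp", "10.1.9.0/24", "10.3.0.0/24", "tcp", (3389, 3389), "allow",
         ticket="CHG-1340", expires=date(2025, 6, 30)),
    Rule("legacy-any", "any", "any", "any", (0, 65535), "allow"),   # exception creep
    Rule("hist-repl", "10.3.0.0/24", "10.35.0.20/32", "tcp", (5432, 5432), "allow", ticket="CHG-0987"),
    Rule("cleanup-deny", "any", "any", "any", (0, 65535), "deny"),
]
REVIEW_DATE = date(2026, 3, 23)  # assumed date of the quarterly review


def review_sample() -> List[Tuple[str, str]]:
    return review(SAMPLE_RULES, REVIEW_DATE)


if __name__ == "__main__":
    for name, finding in review_sample():
        print(f"{name:14} {finding}")
```

On the sample base the script reports the expired vendor rule, the undocumented any/any allow, and two rules shadowed by it, including the final cleanup deny. That last finding is the important one: with "legacy-any" in place the deny at the bottom is decoration, and the boundary is effectively open.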

Continuous Monitoring

Deploy network monitoring at every zone boundary:

  • Network intrusion detection (Suricata, Zeek) for signature and behavioral detection
  • Network traffic analysis (Darktrace, ExtraHop) for anomaly detection
  • Flow analysis (NetFlow/IPFIX) for traffic pattern monitoring

Alert on any traffic that violates expected zone communication patterns.
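One way to turn that sentence into detection logic, as an added example that is not Zindagi Technologies' code: read Zeek conn.log records, map each endpoint to a zone by address, and alert on every cross-zone flow that is not in the expected conduit set. The zone address plan, the expected set and the six sample log lines are constructed for illustration. The expected set comes from the conduit design, not from a traffic baseline, so a long-standing but unapproved flow is still an alert. Zeek's conn_state is used to grade severity: SF means the connection completed, so the conduit let it through, while S0 or REJ means it was blocked and is a probe.

```python
"""Zone-boundary flow monitor over Zeek-style conn.log records.

Added example, not Zindagi Technologies' code. The zone address plan, the
expected conduit set and the sample log lines are constructed for illustration.
"""
import ipaddress
from collections import Counter
from typing import Dict, List

ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "idmz": ipaddress.ip_network("10.35.0.0/24"),
    "operations": ipaddress.ip_network("10.3.0.0/24"),
    "control": ipaddress.ip_network("10.2.0.0/24"),
}

# Expected cross-zone traffic, taken from the conduit design, not learned from
# whatever the network happens to be doing today.
EXPECTED = {
    ("enterprise", "idmz", "tcp/443"),
    ("operations", "idmz", "tcp/5432"),
    ("idmz", "operations", "tcp/3389"),
    ("operations", "control", "tcp/502"),  # SCADA/HMI polling PLCs over Modbus/TCP
}

# Constructed sample: the conn.log fields ts, id.orig_h, id.orig_p, id.resp_h,
# id.resp_p, proto, conn_state (tab-separated, as Zeek writes them).
SAMPLE_CONN_LOG = (
    "1774000000.1\t10.1.5.5\t50122\t10.35.0.10\t443\ttcp\tSF\n"
    "1774000001.2\t10.3.0.50\t41000\t10.35.0.20\t5432\ttcp\tSF\n"
    "1774000002.3\t10.3.0.50\t41001\t10.2.0.7\t502\ttcp\tSF\n"
    "1774000003.4\t10.1.5.5\t50123\t10.2.0.7\t502\ttcp\tS0\n"
    "1774000004.5\t10.35.0.20\t55000\t10.2.0.7\t502\ttcp\tSF\n"
    "1774000005.6\t10.1.5.5\t50124\t10.3.0.50\t3389\ttcp\tREJ\n"
)


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_conn_log(text: str) -> List[Dict]:
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto, state = line.split("\t")
        records.append({"ts": float(ts), "src": orig_h, "dst": resp_h,
                        "service": f"{proto}/{resp_p}", "state": state})
    return records


def find_violations(records: List[Dict]) -> List[Dict]:
    """Flag every cross-zone flow that is not an expected conduit flow."""
    alerts = []
    for r in records:
        src_zone, dst_zone = zone_of(r["src"]), zone_of(r["dst"])
        if src_zone == dst_zone:
            continue  # intra-zone traffic does not cross a boundary
        if (src_zone, dst_zone, r["service"]) in EXPECTED:
            continue
        # SF: handshake completed and data exchanged, so the conduit let it
        # through. S0/REJ: blocked or refused, still a probe worth knowing about.
        completed = r["state"] == "SF"
        alerts.append({
            "ts": r["ts"], "src": r["src"], "dst": r["dst"],
            "boundary": f"{src_zone}->{dst_zone}", "service": r["service"],
            "severity": "high" if completed else "medium",
        })
    return alerts


def boundary_summary(alerts: List[Dict]) -> Counter:
    """Count alerts per boundary, to spot which conduit is leaking."""
    return Counter(a["boundary"] for a in alerts)


def sample_alerts() -> List[Dict]:
    return find_violations(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    found = sample_alerts()
    for a in found:
        print(a["severity"].upper(), a["boundary"], a["service"], a["src"], "->", a["dst"])
    print(boundary_summary(found))
```

On the sample, two blocked probes from the enterprise network are medium severity, and one completed Modbus/TCP connection from the DMZ historian replica to a PLC is high severity: that flow had no conduit, yet it completed, which is exactly the "attacker who finds a way through" that monitoring at the boundary exists to catch.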

Getting Started

If your network segmentation is minimal or nonexistent, here is a practical starting path:

  • Asset inventory: You cannot segment what you do not know about. Identify all IT and OT assets, their communication patterns, and their criticality.
  • Zone definition: Map your assets into zones based on function and security requirements.
  • Priority enforcement: Implement the IT/OT DMZ first. This single control provides the highest risk reduction.
  • Incremental refinement: Add segmentation within IT and OT zones over time.
  • Monitoring: Deploy detection at zone boundaries before, during, and after segmentation changes.

Network segmentation is not a project with an end date. It is an ongoing architectural discipline that requires continuous attention as your environment evolves.

At Zindagi Technologies, our network security team designs and implements segmentation architectures for critical infrastructure organizations across India. We bring expertise in both IT and OT security to deliver segmentation that protects without disrupting operations.

Ready to build your cyber resilience?

Contact our team to discuss your cybersecurity requirements.