OT Cybersecurity
Network Segmentation
Zones, conduits, and DMZ design per IEC 62443.
Overview
Network segmentation is the structural defense of OT: zones group assets by criticality, conduits carry only documented flows, and a DMZ brokers all exchange with IT.
Engineering purpose
Contain compromise — a flat network turns one infected laptop into plant-wide reach; zones turn it into a contained event.
How it works
IEC 62443 zones-and-conduits modeling assigns assets to security zones; firewalls enforce conduit policy between them; the industrial DMZ terminates all IT-originated sessions so nothing reaches controllers directly.
- Group assets into zones by criticality; conduits between zones carry only documented, necessary flows.
- An OT DMZ brokers all IT/OT exchange — no direct path from enterprise (or internet) to controllers.
- Flat networks turn one compromised laptop into plant-wide reach; VLANs without ACLs are labels, not segmentation.
Common faults
VLANs without enforced ACLs mistaken for segmentation; any-any firewall rules accumulated over years; vendor remote links bypassing the DMZ; undocumented flows breaking when policy finally tightens.
Diagnostic checks
1. Review inter-zone firewall rules for any 'any-any' entries.
2. Trace one production data flow end-to-end and confirm every hop appears in the conduit documentation.
Safety notes
Segmentation changes can sever control traffic — stage and test conduit policy changes against an inventory of legitimate flows before enforcement.
Commissioning notes
Build the asset inventory first, model zones from it, implement deny-by-default conduits, and schedule periodic rule reviews as an operational duty.
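The diagnostic checks (any-any review, flow trace against conduit documentation) and the deny-by-default conduits called for in the commissioning notes can be expressed as a ruleset audit. The Python below is an added example, not code from the article or from any vendor; the zones, address ranges, conduits, rule names and the traced flow are all constructed. It maps firewall rules onto zones, flags any-any permits and wildcards, reports permits that have no documented conduit and enterprise-to-control paths that bypass the DMZ, checks for an explicit final deny, and traces one flow through first-match evaluation to show which rule admits it and whether that flow is documented.

```python
"""Audit an inter-zone firewall ruleset against an IEC 62443 zone/conduit model.

Constructed example: zones, conduits, rules and addresses are invented to
illustrate the checks; none of it describes a real plant.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Zones: name -> address space (constructed).
ZONES = {
    "enterprise":  ip_network("10.0.0.0/16"),
    "ot_dmz":      ip_network("10.10.0.0/24"),
    "supervisory": ip_network("10.20.0.0/24"),
    "control":     ip_network("10.30.0.0/24"),
}

# Documented conduits: (src_zone, dst_zone, proto, dst_port). Any permitted
# flow not listed here is undocumented (constructed).
CONDUITS = {
    ("enterprise",  "ot_dmz",      "tcp", 443),   # browsers -> DMZ web historian
    ("ot_dmz",      "supervisory", "tcp", 1433),  # DMZ historian pulls from SCADA DB
    ("supervisory", "control",     "tcp", 502),   # SCADA -> PLC Modbus/TCP
}

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    proto: str     # "tcp", "udp" or "any"
    port: object   # int or "any"
    action: str    # "permit" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone containing it; "any" or "unknown" otherwise."""
    if cidr == ANY:
        return ANY
    net = ip_network(cidr)
    for name, space in ZONES.items():
        if net.subnet_of(space):
            return name
    return "unknown"


def _matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    def in_net(cidr: str, ip: str) -> bool:
        return cidr == ANY or ip_address(ip) in ip_network(cidr)
    return (in_net(rule.src, src_ip) and in_net(rule.dst, dst_ip)
            and rule.proto in (ANY, proto) and rule.port in (ANY, port))


def trace_flow(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> dict:
    """First-match evaluation of one flow, plus whether it is a documented conduit."""
    hit = next((r for r in rules if _matches(r, src_ip, dst_ip, proto, port)), None)
    src_z, dst_z = zone_of(f"{src_ip}/32"), zone_of(f"{dst_ip}/32")
    return {
        "matched_rule": hit.name if hit else None,
        "action": hit.action if hit else "deny",   # no match: implicit deny
        "documented": (src_z, dst_z, proto, port) in CONDUITS,
    }


def audit(rules: List[Rule]) -> List[str]:
    """One finding per defect from the article's fault list."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src_z, dst_z = zone_of(r.src), zone_of(r.dst)
        if r.src == ANY and r.dst == ANY:
            findings.append(f"{r.name}: any-any permit")
        elif ANY in (r.src, r.dst, r.proto, r.port):
            findings.append(f"{r.name}: wildcard in source, destination, protocol or port")
        elif (src_z, dst_z, r.proto, r.port) not in CONDUITS:
            findings.append(f"{r.name}: undocumented flow {src_z}->{dst_z} {r.proto}/{r.port}")
        if src_z == "enterprise" and dst_z in ("supervisory", "control"):
            findings.append(f"{r.name}: DMZ bypass {src_z}->{dst_z}")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == ANY and last.dst == ANY):
        findings.append("ruleset: no explicit deny-any-any at the end (not deny-by-default)")
    return findings


# Constructed ruleset with the faults the article lists.
RULES = [
    Rule("ent-to-dmz-https",    "10.0.0.0/16",  "10.10.0.0/24", "tcp", 443, "permit"),
    Rule("scada-to-plc-modbus", "10.20.0.0/24", "10.30.0.0/24", "tcp", 502, "permit"),
    Rule("eng-laptops-to-plc",  "10.0.5.0/24",  "10.30.0.0/24", "tcp", 502, "permit"),  # skips DMZ
    Rule("temp-vendor-2019",    ANY, ANY, ANY, ANY, "permit"),                          # never removed
    Rule("default-deny",        ANY, ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for f in audit(RULES):
        print(f)
    print(trace_flow(RULES, "10.0.5.7", "10.30.0.9", "tcp", 502))
```

Run the audit before enforcing a tightened policy (the safety note above): every documented conduit in the inventory should trace to a permit, and every finding should be resolved or explicitly accepted before the deny-by-default rule goes live.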
Related concepts
IEC 62443 zones/conduits, industrial DMZ, deny-by-default policy, flow documentation, VLAN vs true segmentation.
segmentation · dmz · zone · conduit · vlan · 62443 · firewall
Related engineering cases
Related articles
Security Monitoring
Detection of anomalies and intrusions on OT networks.
Access Control
Identity, remote access, and least privilege in OT.
Audit & Logging
Audit trails, log collection, and compliance evidence in OT.
Industrial Protocols
Fieldbus and industrial Ethernet selection and diagnostics.
When Hermes Brain uses this article
Cited for OT network architecture, firewall policy between cells, DMZ design, and containment of network-borne threats.
…