Securing industrial networks: three architecture strategies

Colterlec Pty Ltd

By Theo Lai, Product Manager, Moxa
Thursday, 23 October, 2025


The goal of industrial cybersecurity is to enhance existing architectures with layered, pragmatic security measures.

Industrial networks are no longer isolated islands. The convergence of information technology (IT) and operational technology (OT) systems, driven by digital transformation, remote operations and data-driven decision-making, has fundamentally reshaped the cybersecurity landscape.

Historically, OT environments relied on physical isolation (air gapping) and perimeter defences to safeguard critical systems. However, the rise of ransomware, supply chain attacks and advanced persistent threats has exposed the limitations of this approach.

To address these challenges, cybersecurity strategies have evolved from perimeter-based defences to a layered, identity-aware approach. Principles such as defence in depth and zero trust, while originating in IT, are now essential considerations for securing OT environments. Rather than assuming implicit trust based on network location, modern industrial networks require continuous verification of devices, users and traffic behaviours, ensuring that every interaction is explicitly authorised and monitored.

The IEC 62443 standard provides a comprehensive framework for securing industrial automation and control systems. It defines concepts such as zones, conduits and defence-in-depth strategies that guide the design of secure network architectures.

In this context, network architecture design becomes the foundation for practical security implementation, translating these principles into deployable strategies that align with operational realities.

Three common IT/OT network architectures

Industrial network architectures have evolved in response to the breakdown of the traditional air gap model. Historically, OT environments relied on physical isolation from IT systems to maintain security. However, the need for digital transformation, operational efficiency and remote access has dissolved this separation. IT/OT convergence is no longer optional, driving the need for structured approaches to manage interconnectivity and security.

This evolution has led to three common architecture types: complete separation (Type 1); shared IT/OT platforms (Type 2); and full integration (Type 3). Each type reflects a different balance between isolation, operational integration and security strategy.

Network architecture evolution: from isolation to convergence

The evolution of architectures from Type 1 to Type 3 reflects a broader transformation in industrial network design. Initially, strict physical separation ensured security through isolation, but this limited scalability and operational flexibility. The emergence of shared IT/OT platforms (Type 2) addressed these limitations by enabling controlled service interactions through DMZs and segmented conduits.

As the digital transformation trend accelerates, full integration (Type 3) architectures have become prevalent, driven by the need for unified infrastructure and resource optimisation. This shift requires replacing physical boundaries with logical segmentation, dynamic access control and continuous monitoring to manage the expanded attack surface.

Architectural segmentation strategies

Type 1: complete separation

In traditional OT environments, IT and OT networks are designed to be independent and isolated systems. This separation is not a newly introduced security measure, but an inherent characteristic of how industrial control systems have been deployed historically — prioritising reliability, availability and operational stability over connectivity.

However, with the acceleration of digital transformation, even isolated OT environments face new cybersecurity challenges. Threats now enter through alternative vectors such as portable media (USB drives), third-party maintenance connections and supply chain vulnerabilities. This has made it essential to reinforce the existing separation with additional security controls to ensure that isolation remains effective in a more connected world.

Type 1 architectures maintain the principle of physical or logical separation between IT and OT, with independent infrastructures for each domain. When cross-domain data exchange is required — such as sending telemetry data from OT to IT — controlled conduits are established using DPI firewalls and data diodes to enforce one-way, policy-governed communication.

Within the OT domain itself, internal segmentation is implemented using access control lists (ACLs) in Layer 2 and Layer 3 switches, limiting east–west traffic between devices or functional zones and reducing the risk of lateral movement in the event of an internal compromise. While Type 1 environments rarely adopt dynamic, identity-based access controls, basic measures such as disabling unused ports and hardening critical devices remain essential. These controls uphold the principle of minimising the attack surface to ensure that the OT network remains resilient despite evolving threat landscapes.

Type 2: shared IT/OT platforms

As industrial operations become increasingly reliant on centralised management and streamlined maintenance, IT-hosted services — such as Active Directory, patch servers and asset management systems — are gradually being introduced into OT environments. This shared service model improves operational efficiency but also introduces new security challenges, particularly at the intersection of IT and OT domains.

To mitigate these risks, Type 2 architectures implement a layered segmentation strategy:

  • A demilitarised zone (DMZ) is established to serve as a buffer, hosting intermediary services that mediate IT/OT interactions and preventing direct access from IT systems to OT assets.
  • At the IT/OT boundary, DPI firewalls enforce cross-domain traffic policies, performing protocol-aware inspection and filtering unauthorised access attempts.
  • Within the OT domain, internal segmentation is refined through ACLs and identity-based access controls.

Technologies such as network access control (NAC) are commonly used to dynamically verify device identities, manage access scopes, and adapt policies based on compliance and operational context. This ensures that shared services remain functionally integrated while minimising lateral movement risks and maintaining segmentation integrity.

Rather than relying on a single perimeter, Type 2 architectures employ multiple layers of defence, ensuring that operational gains from IT/OT integration do not compromise the integrity of critical OT systems.

Table 1: Architecture comparison.

Type 3: full integration

With growing demands for centralised management, real-time data analysis and infrastructure efficiency, many organisations are adopting fully converged networks where IT and OT systems coexist on shared Layer 2/3 infrastructures.

In this architecture, physical segregation is replaced by logical segmentation, relying on VLANs, ACLs and dynamic policy enforcement to maintain operational integrity.

While convergence simplifies deployment and reduces infrastructure complexity, it significantly increases security challenges. The absence of clear network boundaries amplifies the risk of lateral movement, identity misuse and visibility gaps.

To address these challenges, Type 3 architectures deploy a combination of multilayered logical segmentation and adaptive access control mechanisms. DPI firewalls continue to secure aggregation points, managing inter-domain traffic flows, but the primary defence shifts towards micro-segmentation, which enables fine-grained isolation of devices, workloads and user sessions within a converged environment. Within this framework, NAC systems authenticate devices, assess compliance, and dynamically enforce access policies based on identity and contextual behaviour.

These dynamic controls are critical to maintaining segmentation in the absence of physical boundaries. To complement these segmentation strategies, continuous visibility and anomaly detection mechanisms are deployed to establish behavioural baselines and detect deviations that may indicate a security breach.

This comprehensive approach allows Type 3 architectures to maintain a robust security posture, aligning operational flexibility with cybersecurity best practices.

Cross-layer security measures

Network visibility and anomaly detection

Comprehensive visibility is essential for maintaining network security. Passive asset discovery, flow analysis and behaviour monitoring establish operational baselines. Anomaly detection identifies deviations indicative of compromise or policy violations, enabling swift response and containment.
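The zone/conduit model of the Type 2 design above (IT, DMZ and OT zones, with only approved conduits between them) and the baseline-and-deviation approach described in this section can be exercised together on flow records. The following is an added example, not code from the article or from Moxa; the zone address ranges, conduit list and flow records are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed zone map for a Type 2 layout (address ranges are illustrative)
ZONES = {"IT": "10.10.0.0/16", "DMZ": "10.20.0.0/24", "OT": "10.30.0.0/16"}
# Approved conduits as (from_zone, to_zone, dport); no direct IT->OT entry exists
CONDUITS = {
    ("IT", "DMZ", 443),   # IT reaches the DMZ-hosted patch/AD intermediary
    ("DMZ", "OT", 502),   # DMZ historian polls PLCs over Modbus/TCP
    ("OT", "DMZ", 8883),  # OT telemetry published to a DMZ broker
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, cidr in ZONES.items() if addr in ipaddress.ip_network(cidr)), "UNKNOWN")

def check_conduit(flow):
    """Return None if the flow is intra-zone or uses an approved conduit, else a reason."""
    src_z, dst_z = zone_of(flow.src), zone_of(flow.dst)
    if src_z == dst_z or (src_z, dst_z, flow.dport) in CONDUITS:
        return None
    return f"{src_z}->{dst_z} dport {flow.dport} is not an approved conduit"

def build_baseline(flows):
    """Learn the intra-OT flow tuples seen during a known-clean period."""
    return {tuple(f) for f in flows if zone_of(f.src) == zone_of(f.dst) == "OT"}

def find_anomalies(baseline, flows):
    """Flag conduit violations and new east-west OT flows absent from the baseline."""
    findings = []
    for f in flows:
        reason = check_conduit(f)
        if reason is None and zone_of(f.src) == zone_of(f.dst) == "OT" and tuple(f) not in baseline:
            reason = "new east-west OT flow not in baseline"
        if reason:
            findings.append((f, reason))
    return findings

# Constructed flow records: a clean learning period, then observation with two deviations
BASELINE_FLOWS = [
    Flow("10.30.1.10", "10.30.1.20", "tcp", 502),  # HMI -> PLC, Modbus/TCP
    Flow("10.20.0.5", "10.30.1.20", "tcp", 502),   # DMZ historian -> PLC
    Flow("10.10.5.7", "10.20.0.5", "tcp", 443),    # IT workstation -> DMZ service
]
OBSERVED_FLOWS = BASELINE_FLOWS + [
    Flow("10.10.5.7", "10.30.1.20", "tcp", 502),   # IT host bypassing the DMZ to reach a PLC
    Flow("10.30.1.20", "10.30.2.40", "tcp", 445),  # PLC opening SMB to an engineering station
]
```

Calling `find_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)` returns the two deviating flows with their reasons; in practice the flow records would come from a passive collector at the aggregation switches rather than be constructed inline.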

Beyond the network: people, process and procedures

Technical controls are only part of the security equation. Effective cybersecurity also requires well-defined processes and trained personnel. This includes incident response planning, change management with security validations, and continuous training for operators and engineers.

Defence in depth: a holistic security perspective

True resilience comes from a multilayered defence-in-depth strategy. This includes asset hardening, identity and access management, anomaly detection, and robust incident response processes.

Defence in depth ensures that even if one layer fails, others can mitigate the impact. Aligned with IEC 62443 principles, this approach is crucial for managing risks in increasingly interconnected IT/OT environments.

Conclusion: strengthening existing architectures with practical security

The goal of industrial cybersecurity is to enhance existing architectures with layered, pragmatic security measures. Type 1 focuses on enforced separation, Type 2 balances shared services with segmented control, and Type 3 demands pervasive micro-segmentation and dynamic policy enforcement.

System integrators must align security strategies with the state of their current networks, and apply IEC 62443 principles in a risk-informed manner to build resilient and secure industrial networks.
