The practice of separating industrial systems into controlled zones so traffic and access can be restricted by operational need. In effective programmes, segmentation depends on trustworthy asset identity, accurate communication mapping, and enforced rules that reflect how the environment really behaves.
Expanded Definition
OT segmentation is the deliberate division of industrial environments into security zones and conduits so that traffic, remote access, and lateral movement are constrained by operational necessity. In operational technology, the goal is not only to separate networks, but to preserve safe and predictable process behaviour while limiting exposure to ransomware, unauthorized engineering changes, and cross-zone propagation. The concept is closely related to network zoning, but it is broader than simple VLAN design because it must account for process dependencies, safety systems, engineering workstations, and vendor maintenance paths. NIST Cybersecurity Framework 2.0 treats segmentation as part of a wider governance and protective strategy, especially where asset visibility and access control need to reflect actual operating conditions, not just network topology. For OT environments, segmentation also depends on trustworthy asset identity and accurate communication mapping so that exceptions are deliberate rather than accidental. Definitions vary across vendors on whether “segmentation” includes only Layer 3/4 controls or also application-aware enforcement and physical isolation, so the term should be read in context. The most common misapplication is treating flat IT network segmentation as sufficient, which occurs when organisations mirror office network design into plants without mapping process-critical communications.
Examples and Use Cases
Implementing OT segmentation rigorously often introduces operational friction, requiring organisations to weigh resilience and containment against engineering convenience and maintenance overhead.
- Separating safety instrumented systems from standard control networks so a fault or compromise in one zone does not cascade into the other.
- Creating a vendor access zone with tightly scoped jump hosts and time-bound access, aligned to the guidance in NIST Cybersecurity Framework 2.0.
- Isolating historian servers, engineering workstations, and supervisory control components into distinct trust zones with rules based on observed protocol flows.
- Using compensating controls where legacy PLCs cannot support modern agents or authentication, while still limiting reachable paths between zones.
- Applying one-way transfer or tightly brokered interfaces where production data must move to enterprise analytics without exposing the control environment to inbound sessions.
Industry practice is still evolving on whether segmentation should be implemented primarily at the network, host, or application layer, and mature programmes usually combine all three where feasible. OT teams often validate design assumptions against recognised guidance such as NIST SP 800-82 and map communication paths before enforcing rules. The result is a segmented architecture that reflects real process dependencies rather than idealised diagrams.
Why It Matters for Security Teams
OT segmentation matters because industrial compromise rarely stays local once an attacker gains a foothold. Without strong zone boundaries, attackers can move from a low-value workstation to engineering assets, manipulate controllers, or disrupt availability at the exact point where business and safety risks converge. From a governance perspective, segmentation gives defenders a way to prove that access is intentionally limited, monitored, and justified. It also supports incident containment when a supplier account, remote support channel, or engineering laptop is compromised. This is where identity becomes relevant: zone design only works when access is tied to trustworthy identities, approved use cases, and well-defined maintenance windows. Where remote access is involved, teams often combine segmentation with stronger identity assurance and privileged access controls rather than relying on network location alone. NIST guidance on access control and industrial system protection reinforces that the architecture must match operational reality, not generic enterprise assumptions. Organisations often discover the cost of weak segmentation only after malware spreads from a business network into production, at which point containment becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022, NIS2 and DORA define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-5 | Segmentation is a core protective control for limiting access pathways between zones. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement directly maps to OT segmentation decisions. |
| ISO/IEC 27001:2022 | A.8.22 | Network segregation is an established ISMS control for reducing attack spread. |
| NIS2 | NIS2 drives risk management and resilience expectations for critical OT environments. | |
| DORA | DORA emphasises ICT resilience, relevant where OT and enterprise systems intersect. |
Design zones and conduits so only necessary communications are allowed across trust boundaries.
Related resources from NHI Mgmt Group
- What is the difference between OT network segmentation and identity-based access control?
- What breaks when OT segmentation depends on static network rules?
- How do teams know if OT segmentation is still working?
- Why do OT and CPS environments need segmentation even when they already have detection tools?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org