Network segmentation is the foundation of critical infrastructure security. But too many organisations stop at VLANs—creating the appearance of segmentation without the reality of effective isolation.
True segmentation for critical infrastructure requires a different approach.
The VLAN Illusion
VLANs provide broadcast domain separation. They don't provide security isolation. A VLAN configuration that looks comprehensive on a network diagram may offer minimal actual protection:
- Traffic between VLANs often routes through a single firewall—or worse, a router without stateful inspection
- Firewall rules accumulate over time, creating implicit "allow all" conditions
- Lateral movement within a VLAN is unrestricted
- VLAN configurations are often inconsistent across sites
The gap between intended segmentation and actual network behaviour is where breaches happen.
Zone-Based Architecture
Effective critical infrastructure segmentation starts with zone architecture—logical groupings based on trust and function, not just network topology:
Corporate zone: Standard enterprise IT—email, file servers, business applications. Internet-connected and treated as potentially compromised.
Industrial DMZ: The buffer between corporate and operational networks. Jump servers, historians, data diodes, and controlled integration points.
Control zone: SCADA systems, HMIs, engineering workstations. Limited connectivity, high change control requirements.
Field zone: PLCs, RTUs, intelligent field devices. Often physically dispersed, potentially air-gapped from central systems.
Safety zone: Safety instrumented systems. Strictly isolated from control and corporate systems.
Each zone has defined trust levels, connectivity rules, and security controls appropriate to its function.
The Purdue Model Evolution
The Purdue Model provided the original framework for industrial network segmentation—levels 0 through 5, from physical process to enterprise network. It remains useful but needs adaptation:
Level 3.5 (Industrial DMZ): The original model assumed limited IT/OT integration. Modern environments need a robust demilitarised zone handling data flow between worlds.
Cloud connectivity: Many organisations need cloud integration for analytics, remote monitoring, or vendor support. This requires careful architecture, not bolted-on VPN access.
Remote access: Post-COVID, remote access to OT environments is often mandatory. This needs proper controls, not just "temporary" solutions that became permanent.
Micro-segmentation within levels: The original model assumed flat networks within each level. Modern threats require finer-grained isolation.
Micro-Segmentation Strategies
Beyond zone-level segmentation, critical infrastructure increasingly needs micro-segmentation—isolation at the workload or device level:
Software-defined approaches: Platforms like VMware NSX or Cisco ACI can enforce segmentation policies at the workload level, independent of physical network topology.
Host-based firewalls: When properly managed, host firewalls provide last-line segmentation. The challenge is consistent policy deployment and visibility.
Network Access Control: 802.1X and profiling can enforce segmentation based on device identity, not just port assignment.
East-west inspection: Traffic within zones—not just between zones—needs visibility and control. This is where many organisations have blind spots.
The challenge with micro-segmentation is operational overhead. Every additional security boundary is another rule set to maintain, another potential failure point, another item for change control.
Monitoring Segmentation Effectiveness
Segmentation policies are only as good as their enforcement. Ongoing monitoring should verify:
Actual traffic flows: Does traffic actually follow the intended segmentation? NetFlow analysis often reveals unexpected communication paths.
Rule utilisation: Are firewall rules being hit? Unused rules suggest either unnecessary complexity or unmonitored bypass routes.
Segmentation violations: Automated detection of traffic that shouldn't exist—cross-zone flows without matching policy, for example.
Configuration drift: Do current configurations match documented architecture? Automated compliance checking catches drift before it creates exposure.
Migration from Flat Networks
Many critical infrastructure environments have legacy flat networks that predate segmentation requirements. Migration is complex:
Discovery first: You can't segment what you don't understand. Comprehensive asset discovery and traffic baselining must precede segmentation projects.
Incremental implementation: Big-bang segmentation changes are high-risk. Phased approaches—starting with monitoring, then alerting, then enforcement—reduce operational impact.
Application dependency mapping: Many legacy systems have undocumented dependencies. Breaking these causes outages. Discovery tools and extended monitoring periods help identify dependencies before cutover.
Rollback capability: Segmentation changes must be reversible. Production impact should trigger rapid rollback, not extended troubleshooting.
Operational readiness: Operations teams need procedures for working within segmented environments. Change control, troubleshooting processes, and emergency access procedures must be updated.
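A small checker for the monitoring questions above (actual flows, rule utilisation, segmentation violations) that also serves the monitor-then-alert phase of a flat-network migration: run the documented zone policy over baselined flow records and see which observed paths would be cut before anything is enforced. This is an added example, not code from the original article or from the infraPatterns platform; the zone CIDRs, rule names and flow records are constructed placeholders that reuse the zone names from the zone-based architecture section.

```python
import ipaddress

# Constructed zone map (placeholder CIDRs, not from any real site).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in [
    ("corporate", "10.10.0.0/16"), ("idmz", "10.20.0.0/24"),
    ("control", "10.30.0.0/24"), ("field", "10.40.0.0/24"),
    ("safety", "10.50.0.0/24")]}

# Constructed policy of documented cross-zone flows (rule, src_zone, dst_zone, dport);
# any cross-zone flow with no matching rule is a segmentation violation.
POLICY = [
    ("corp-to-historian", "corporate", "idmz", 443),
    ("jump-to-control", "idmz", "control", 3389),
    ("control-to-plc", "control", "field", 502),
    ("legacy-ftp", "idmz", "control", 21),  # expected to show up as unused
]

def zone_of(ip):
    """Return the zone containing ip, or None for an address missing from inventory."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), None)

def evaluate_flows(flows, policy=POLICY):
    """Check (src, dst, dport) flows against the zone policy; returns cross-zone
    flows with no matching rule (or an unmapped endpoint), per-rule hit counts,
    and rules that were never hit. Same-zone flows are not judged here."""
    hits = {rule: 0 for rule, *_ in policy}
    violations = []
    for src, dst, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            violations.append((src, dst, dport, "unmapped address"))
        elif sz != dz:
            rule = next((r for r, s, d, p in policy if (s, d, p) == (sz, dz, dport)), None)
            if rule is None:
                violations.append((src, dst, dport, f"{sz}->{dz}:{dport} has no policy"))
            else:
                hits[rule] += 1
    return {"violations": violations, "hits": hits,
            "unused": [r for r, c in hits.items() if c == 0]}

# Constructed NetFlow-style sample: (src, dst, dport).
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.0.10", 443),    # corporate -> historian: allowed
    ("10.20.0.5", "10.30.0.7", 3389),     # jump server -> HMI: allowed
    ("10.30.0.7", "10.40.0.31", 502),     # HMI -> PLC Modbus: allowed
    ("10.10.5.20", "10.40.0.31", 502),    # corporate straight to PLC: violation
    ("10.30.0.7", "10.50.0.2", 502),      # control -> safety: violation
    ("10.30.0.7", "10.30.0.9", 445),      # intra-control: not judged here
    ("192.168.1.4", "10.30.0.7", 22),     # unknown source: inventory gap
]
```

An unmapped endpoint is reported as a violation on purpose: in a migration it is a discovery gap to close before enforcement, and in steady state it is an asset the inventory does not know about.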
The infraPatterns Approach
Our infraPatterns platform addresses segmentation challenges through declarative, composable patterns:
- Express segmentation intent without low-level device configuration
- Consistent policies across multi-vendor environments
- Automated compliance verification against defined architecture
- Version-controlled patterns that provide audit trail and rollback capability
Network segmentation shouldn't require heroic engineering for each environment. Patterns encode best practices and deploy consistently, whether to modern SDN environments or legacy infrastructure.
