OT Network Architecture:
A Security-First Blueprint for Real-World ICS and SCADA

OT network architecture is the set of design decisions that determine how industrial systems communicate, how trust is established, and how risk is contained across controllers, HMIs, historians, engineering workstations, safety systems, remote access, and enterprise dependencies. In critical infrastructure, architecture is security. It is also safety, uptime, and maintainability.

This guide is written for practitioners who need more than diagrams. You will find a practical approach to segmenting ICS networks, placing an industrial DMZ, controlling remote access, and building monitoring that works with legacy protocols and operational constraints. It also focuses on validation: how to prove that an architecture actually blocks the attack paths you think it blocks.

If you want deeper implementation guidance on segmentation patterns, see OT Network Segmentation: Best Practices for ICS and SCADA Security. For a view of how visibility and attack-path reasoning come together in SCADA environments, read SCADA Cyber Security: Visibility, Attack Paths, and Safe Testing with Digital Twins. You can also reference ICS and SCADA Security: Architecture, Risks, and Safe Validation for Critical Infrastructure for broader context.

Throughout, the differentiator is verification without disrupting production. Frenos enables full-scope security testing of industrial environments without touching production systems by using digital twins and safe attack-path validation. That removes the usual trade-off between realistic testing and operational safety.

Definition: What “OT network architecture” means in practice

In IT, network architecture is often about performance, routing, and standardized controls. In OT, architecture must account for physical process consequences, deterministic communications, long asset lifecycles, and strict change management. Practically, OT network architecture includes:

  • The network zones you define and the trust boundaries between them.
  • The conduits that carry communications between zones, including firewall policy, proxying, and protocol mediation.
  • Where shared services live (identity, time, patch repositories, historians, backup, remote access).
  • How you monitor, log, and respond without breaking fragile endpoints.
  • How you validate that segmentation and controls actually prevent high-impact attack paths.

A good OT architecture is not “flat but monitored” or “segmented on paper.” It is a design that supports safe operations while making compromise difficult to spread, easy to detect, and bounded in impact.

Core constraints that shape OT architecture (and why IT patterns fail)

OT environments are shaped by constraints that make many IT-first patterns incomplete or unsafe.

Availability and safety dominate. Many ICS assets cannot tolerate aggressive scanning, frequent reboots, or intrusive agents. A change that is acceptable in an enterprise VLAN may be unacceptable when it sits between an HMI and a PLC controlling a batch process.

Legacy protocols and implicit trust persist. OT protocols often lack authentication, integrity, and encryption. Even when secure variants exist, they may not be supported by endpoints or may introduce latency. As a result, you must build compensating controls at network boundaries and monitoring points.

Long lifecycles and vendor dependencies matter. You may be operating equipment with decade-plus lifespans. Vendor remote support, proprietary engineering tools, and maintenance workflows create unique attack surfaces that must be addressed in the architecture, not as exceptions.

Physical consequences drive threat modeling. A threat path that “only” grants write access to a PLC is not comparable to a threat path that “only” steals credentials from a file server. The process impact, safety instrumented functions, and recovery time must shape segmentation, access control, and monitoring.

Finally, the architecture must be verifiable. Many teams accept a diagram and firewall ruleset as “done.” In OT, untested assumptions around allowed flows, fail-open behaviors, and shared credentials routinely undermine designs. Validation should be built into the lifecycle, not postponed until an incident.

Reference models that help: Purdue, ISA/IEC 62443, and “zones and conduits”

Most OT network architecture discussions reference the Purdue Model (levels 0 to 5). Used well, Purdue is a communication tool for separating process control from enterprise IT. Used poorly, it becomes a rigid diagram that does not reflect modern dependencies like cloud analytics, remote access brokers, or centrally managed identity.

ISA/IEC 62443 provides a more operationally useful structure: zones (grouping assets with similar security requirements) and conduits (the controlled communication paths between zones). The key advantage is that it forces you to define trust boundaries based on risk, not physical topology.

A practical approach is to use Purdue as a starting point for “where” systems tend to live, then use 62443 zones and conduits to define “how” communication is controlled and verified. For example, two systems both at “Level 3” may belong in different zones if one is an engineering workstation with elevated privileges and the other is an application server with a constrained role.

The takeaway: pick a model that helps you decide where to place boundaries, how to constrain communications, and how to assess residual risk. The model is not the goal; verifiable outcomes are.

A security-first OT network architecture methodology (design and assessment)

Whether you are designing a new site or assessing an existing one, the same sequence works: understand the process and trust boundaries, map communications, enforce minimal conduits, then validate.

This methodology is intended to be usable with limited downtime and incomplete documentation. It favors iterative improvement: you can get to a safer architecture without waiting for perfect asset inventories or a full refresh of legacy gear.

The steps below also map cleanly to assessment deliverables. If you need a structured risk assessment workflow that ties architecture to risk decisions, see SCADA Cyber Security: How to Conduct a SCADA Security Risk Assessment.

  1. Define the process impact boundaries: Identify what failure looks like (safety, environmental, quality, uptime) and which assets can directly cause it (controllers, SIS interfaces, safety PLCs, batch servers, DCS nodes).
  2. Create a zone model: Group assets by function and risk. Separate engineering functions, operator functions, control functions, safety functions, and shared services. Document which roles need access and when.
  3. Map required communications: For each zone, document the minimum flows needed to operate and maintain the process. Include protocol, direction, frequency, and criticality. Treat “temporary” vendor access as a first-class flow.
  4. Design conduits and boundary controls: Place firewalls, data diodes, jump hosts, protocol gateways, and identity boundaries to enforce those flows. Prefer explicit allow rules and deny-by-default at boundaries.
  5. Engineer secure remote access: Centralize remote access, enforce strong authentication, time-bound access, session recording, and least privilege. Remove ad hoc VPN paths that bypass the industrial DMZ.
  6. Implement monitoring at choke points: Capture network telemetry where it matters (industrial DMZ, zone conduits, controller access segments) and tune for OT protocols and behaviors.
  7. Validate attack paths safely: Prove that a compromise in one zone cannot reach high-consequence assets through unintended paths. Validate both network reachability and identity/credential paths, ideally using non-production testing.
  8. Operationalize: Tie changes to management-of-change, maintain rule hygiene, review conduit exceptions, and retest after major upgrades or process changes.

Designing zones: practical patterns for ICS network segmentation

Segmentation in OT should reduce blast radius and limit who can talk to controllers, engineering interfaces, and safety-related systems. The most common failure mode is building many VLANs but leaving permissive routing, shared admin credentials, and broad firewall rules that recreate a flat network.

Start with a small set of zones that map to real operational functions. Over-segmentation increases operational friction and leads to rule sprawl. Under-segmentation increases attack surface. The right balance depends on process criticality and how much change the site can sustain.

Common zone patterns that hold up in real environments include: a control zone for PLC/DCS communication, an HMI/operator zone, an engineering zone with tightly controlled access, a site operations zone for patching and backups, a safety zone where applicable, and an industrial DMZ separating OT from IT.

Treat the engineering workstation footprint as high-risk. Engineering tools often have broad privileges, are used intermittently, and may require internet access for vendor updates. Keep them in a dedicated zone and force access to controllers through controlled conduits.

Also separate shared services that create transitive trust. Historian replication, time synchronization, domain services, and file shares can become bridges between zones. If these services must exist, place them intentionally and constrain who can query or authenticate to them.

For implementation-specific best practices and examples of segmentation approaches, refer to OT Network Segmentation: Best Practices for ICS and SCADA Security.

  • Keep controller access segments small: group by line, cell, unit, or safety boundary to limit lateral movement.
  • Separate engineering from operations: do not allow direct workstation-to-controller access from general-purpose user networks.
  • Assume any Windows host will eventually be compromised: design boundaries so a compromised HMI or application server cannot pivot to controllers or safety assets.
  • Avoid “any-any” within a zone: use micro-segmentation where feasible: limit east-west traffic on server segments and between critical endpoints.
  • Design for maintenance realities: include paths for backups, patch staging, and vendor access, but enforce them through dedicated conduits.

Conduits and boundary controls: what to allow, what to block, and where to enforce

Zones define what you are protecting; conduits define how communication is allowed. In OT, conduits must be explicit, stable, and testable.

At each conduit, define: source and destination zones, approved services, directionality, authentication expectations, and monitoring requirements. Then implement enforcement with the least complex mechanism that achieves the goal, because overly complex boundaries are harder to keep correct.

A common and effective control is to centralize privileged pathways. For example, operator HMIs might query a historian or SCADA server, but should not need direct write access to controllers across multiple lines. Similarly, engineering access to controllers should go through a jump host or dedicated engineering server rather than from arbitrary laptops.

Protocol mediation is often more realistic than endpoint hardening. If PLCs cannot support strong authentication, a firewall with deep visibility into industrial protocols, a broker, or a gateway can reduce exposure. However, do not assume DPI alone is sufficient. You still need deny-by-default, strict rules, and validation.

Be careful with exceptions that turn into permanent holes: temporary bridges during commissioning, vendor VPNs created “for a week,” or permissive rules added to fix a production issue quickly. Architecture is as much about how you control exceptions as how you design the baseline.

If you are evaluating conduit designs, test for both network reachability and identity reachability. A blocked port does not help if an attacker can obtain credentials that grant access through an allowed management channel.

  • Default deny between zones, then add explicit allow rules for required flows.
  • Prefer one-to-one or one-to-few flows over broad subnet-to-subnet rules.
  • Constrain management protocols (RDP, SMB, WinRM, SSH) to dedicated administration paths, not general conduits.
  • Enforce unidirectional flows where appropriate (for example, historian replication from OT to IT via DMZ patterns).
  • Log conduit decisions and review rules periodically to remove obsolete access.

Industrial DMZ: the control point that either works or becomes a bypass

The industrial DMZ is the boundary environment that mediates interactions between enterprise systems and the OT environment. It is not just a subnet with a couple of servers. It is a set of services and controls designed to prevent direct enterprise-to-control communications while still enabling necessary business functions.

A useful mental model is: nothing in IT should directly initiate sessions into the control zones, and OT should not depend on arbitrary IT services that can change without OT change control. The DMZ exists to absorb that volatility.

Common DMZ roles include: patch and update staging, AV definition staging, remote access termination, historian or data broker tiers, file transfer gateways, and identity bridging (carefully designed). Place systems in the DMZ that must interact with both sides and harden them as high-value assets.

Common DMZ failure modes are predictable: a dual-homed server that becomes a bridge, a firewall rule that allows broad RPC/SMB “temporarily,” shared domain membership that allows credential reuse, or routing that makes the DMZ effectively another transit network.

Design the DMZ as a choke point with minimal services, strong monitoring, and clear ownership. Changes to DMZ systems should follow stricter review because they can change the effective exposure of the whole OT environment.

For broader architectural context and how safe validation fits into real critical infrastructure operations, see ICS and SCADA Security: Architecture, Risks, and Safe Validation for Critical Infrastructure.

  • Avoid direct IT-to-OT connectivity: use DMZ proxies, brokers, and staged services instead.
  • Treat the DMZ as hostile-adjacent: harden, minimize services, and monitor aggressively.
  • Prevent credential transit: avoid designs where enterprise credentials automatically grant OT access.
  • Design file transfers explicitly: use malware scanning and controlled workflows rather than ad hoc shares.
  • Test for bypasses: validate that no alternate route exists around the DMZ via wireless, cellular, vendor links, or shadow IT.

FAQs

Will assessing or validating our OT network architecture disrupt production?

It does not have to. Traditional approaches often rely on scanning, intrusive testing, or ad hoc validation on live networks, which can create operational risk. A safer approach is to validate segmentation, conduits, and attack paths using a digital twin that mirrors relevant OT behaviors, so testing does not touch production systems. You can still combine that with carefully scoped passive monitoring in production at choke points such as the industrial DMZ and key conduits.

Is OT network architecture validation better than a traditional pentest?

They answer different questions. A pentest can demonstrate specific exploitable weaknesses on in-scope systems at a point in time. Architecture validation focuses on whether your segmentation, remote access design, identity boundaries, and monitoring actually prevent or contain the attack paths that lead to process impact. Many organizations use both: architecture validation to verify trust boundaries and reduce systemic risk, and targeted pentesting to validate specific assets or applications.

How long does an OT network architecture assessment take?

It depends on scope, documentation quality, and how many sites and zones are involved. A focused assessment that prioritizes high-consequence zones and the industrial DMZ can often progress quickly because it targets the choke points that define risk. The fastest path is usually: confirm the zone model, collect firewall and routing data, map required flows, then validate the highest-risk attack paths in a safe testing environment.

What do we get at the end of an OT network architecture assessment?

You should expect evidence-based outputs: a zone and conduit model aligned to operations, a map of required versus observed communications, a prioritized set of validated attack paths to high-risk assets, and a remediation plan that ties each recommendation to a specific broken path or architectural weakness. The most useful deliverables include retestable scenarios so you can confirm fixes and prevent regression.

Do we need perfect data to build a digital twin for OT security validation?

No. The objective is to replicate the parts of the environment that determine attack paths: key zones, conduits, identity relationships, remote access workflows, and representative configurations for critical roles. You can start with a minimum viable dataset (network diagrams, firewall rules, routing, and system roles) and expand fidelity over time. Maturity is not a prerequisite; it is often a result of adopting a repeatable validation process.


Next Steps

A well-designed OT network architecture is only as strong as the attack paths it actually blocks in practice. If you want a security-first review of your zones, conduits, industrial DMZ, remote access, and monitoring, plus safe validation using digital twins and attack-path testing without touching production systems, request an OT Security Assessment with Frenos.

Request an OT Security Assessment