OT/IT Network Segmentation and Micro-Segmentation Secure Architecture Design for Energy Companies

February 26 2026
  • Critical Infrastructure Cybersecurity and Industrial Systems Security

OT/IT Network Segmentation and Micro-Segmentation

Secure SCADA Architecture for HPPs: Purdue Model, IEC 62443 and Zero Trust
Renewasoft | 2026

Level: Advanced   Audience: SCADA Engineer, HPP Operator, CTO, Infrastructure Investor

Introduction: The Security Prerequisite for Digital Transformation

In hydropower operations, efficiency targets are rapidly driving the adoption of real-time monitoring, remote access, centralized reporting, and AI-supported analytics.

Yet this transformation introduces a fundamental architectural challenge: how to enable data-driven operations without compromising the integrity of control systems.

According to NIST SP 800-82r3, security in OT environments must be carefully engineered to align with strict performance, reliability, and safety requirements [1].

TL;DR — Executive Summary

  1. OT/IT separation is an architectural reality where IT security practices cannot be directly copied to OT due to latency, determinism and safety requirements[1].
  2. Flat networks facilitate lateral movement from IT to OT; dual-homed systems, weak authentication and open remote access channels become pivot points[5][6].
  3. The Purdue model + DMZ approach establishes a mandatory enforcement boundary between OT and the corporate network, making data flows auditable[1].
  4. Micro-segmentation in Zero Trust architecture implements the "never trust, always verify" principle in practice through Policy Enforcement Points (PEP)[2].
  5. Secure integration requires isolating OT data collection layers via DMZ, jump servers, and micro-segmentation, allowing only strictly controlled data flows.

Paradigm Shift: IT/OT Separation Through the Purdue Model

OT systems (SCADA, DCS, PLC-based topologies) monitor and control physical processes; therefore, security design must address safety and continuity objectives alongside the CIA triad. NIST SP 800-82r3 defines adapting security measures to OT’s unique performance, reliability and safety requirements as its foundational framework[1].

| Criterion | IT Network | OT Network |
|---|---|---|
| Traffic Pattern | Variable, user-driven | Deterministic, repeatable, predictable |
| Latency Tolerance | Seconds to minutes acceptable | ms-level jitter affects process stability |
| Lifecycle | 3-5 years, regular updates | 15-25 years, legacy devices prevalent |
| Priority Order | Confidentiality → Integrity → Availability | Availability → Safety → Integrity |
| Anomaly Detection | Difficult: high variance | Opportunity: deterministic baselining |

                       Table 1: IT vs OT Network Characteristics Comparison [1]

A key challenge of this transformation is that operational data in HPPs no longer remains confined to the control room. Increasingly, data must be transmitted from OT environments to IT and cloud-based systems to support monitoring, analytics, and decision-making processes [13].

The modern threat landscape has demonstrated that the OT/IT boundary cannot be secured with a single firewall. In the 2015 Ukraine attack, adversaries exploited VPN pathways from the corporate network into OT environments; the absence of strong authentication mechanisms significantly amplified risk, and breaker operations were executed through compromised HMIs [5].

Infographic: Purdue Model + IEC 62443 Security Zones and Communication Conduits [1][9]

IEC 62443: Security Zones and Communication Conduits

The most valuable practical contribution of the IEC 62443 approach is thinking of the network not as subnets but as security zones and the communication conduits connecting them. ENISA addresses the zoning/conduit approach within the framework of deriving security levels based on threat actor profiles[9]. Designing a conduit means pre-defining which ports/protocols/commands will pass between two zones.

| Zone | Scope | Critical Assets | Conduit Constraint |
|---|---|---|---|
| Zone A: Safety | Protection relays, interlocks | SIS, emergency stop, trip | Read-only telemetry output only |
| Zone B: Control | PLC/RTU, field switches | Governor PLC, gate PLC | Only authorized HMI→PLC commands |
| Zone C: Supervisory | SCADA, historian, HMI | SCADA server, collector | DPI + ML baseline monitoring |
| Zone D: OT DMZ | Jump server, log broker | Bastion, data diode, syslog | MFA + time-based + session recording |
| Zone E: Enterprise | ERP, SOC/SIEM, Cloud | Corporate AD, UI | No direct OT access |

Table 2: IEC 62443 Security Zones — HPP Reference Architecture [1][9]
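The conduit constraints in Table 2 only become enforceable when a device between two zones inspects the protocol and decides per command, not per port. The following is an added illustration (not Renewasoft's code and not any vendor's firewall logic) of a deny-by-default conduit check for Modbus/TCP: it parses the MBAP header and function code, maps source and destination addresses to zones, and permits only the function codes the conduit allows. The zone names follow Table 2; the IP addresses, the two conduits (HMI→PLC reads and writes, DMZ collector→PLC reads only) and the sample frames are constructed assumptions.

```python
"""Deny-by-default conduit check for Modbus/TCP between IEC 62443 zones.
Added example; zone membership, conduits and frames are constructed."""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Assumed zone membership (constructed addresses, not from the article).
ZONE_OF = {
    "10.30.0.10": "Zone C",   # SCADA/HMI server
    "10.40.0.5":  "Zone D",   # OT DMZ data collector
    "10.20.0.21": "Zone B",   # governor PLC
    "10.50.0.99": "Zone E",   # enterprise workstation
}

READ_FCS = {1, 2, 3, 4}        # coils, discrete inputs, holding/input registers
WRITE_FCS = {5, 6, 15, 16}     # single/multiple coil and register writes

# Conduits: (src_zone, dst_zone) -> allowed function codes. Anything not
# listed is denied ("deny-all / permit-by-exception").
CONDUITS = {
    ("Zone C", "Zone B"): READ_FCS | WRITE_FCS,  # authorized HMI -> PLC commands
    ("Zone D", "Zone B"): READ_FCS,              # DMZ collector: telemetry only
}

@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function_code: int

def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the function code of a Modbus/TCP ADU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"not Modbus (protocol id {proto_id})")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, unit_id, frame[7])

def conduit_decision(req: ModbusRequest) -> tuple[str, str]:
    """Return ("permit" | "deny", reason) for a parsed request."""
    src_zone, dst_zone = ZONE_OF.get(req.src), ZONE_OF.get(req.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown host, no zone assignment"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return "deny", f"no conduit {src_zone} -> {dst_zone}"
    if req.function_code not in allowed:
        kind = "write" if req.function_code in WRITE_FCS else "other"
        return "deny", f"FC {req.function_code} ({kind}) not permitted on {src_zone} -> {dst_zone}"
    return "permit", f"FC {req.function_code} allowed on {src_zone} -> {dst_zone}"

def build_frame(function_code: int, pdu_body: bytes, unit_id: int = 1) -> bytes:
    """Constructed Modbus/TCP frame builder used only for the samples below."""
    pdu = bytes([function_code]) + pdu_body
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit_id) + pdu

# Constructed samples: read holding registers (FC 3) and write single register (FC 6).
READ_HR = build_frame(3, struct.pack(">HH", 0, 10))
WRITE_REG = build_frame(6, struct.pack(">HH", 100, 1500))

def evaluate(src: str, dst: str, frame: bytes) -> str:
    """Malformed frames are denied too: the parser failing is itself a decision."""
    try:
        req = parse_modbus_tcp(src, dst, frame)
    except ValueError as exc:
        return f"deny: malformed ({exc})"
    verdict, reason = conduit_decision(req)
    return f"{verdict}: {reason}"

if __name__ == "__main__":
    for s, d, f in [("10.30.0.10", "10.20.0.21", WRITE_REG),
                    ("10.40.0.5", "10.20.0.21", READ_HR),
                    ("10.40.0.5", "10.20.0.21", WRITE_REG),
                    ("10.50.0.99", "10.20.0.21", READ_HR)]:
        print(s, "->", d, evaluate(s, d, f))
```

The point of the structure is that the policy is expressed as conduits between zones rather than as host pairs, so adding a second PLC to Zone B changes ZONE_OF but not CONDUITS, and a collector in the DMZ can never be escalated to a write path by a configuration slip on one rule.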

Attack Surface Mapping: HPP Vulnerabilities

To properly design network segmentation, one must first translate the question ‘where can attacks originate?’ into an HPP-specific attack surface map. NIST defines OT topologies and components within this framework and lists typical vulnerability classes[1].

⚠ Technical Note: Vulnerable Areas in HPPs

Remote Access (VPN/RDP): The Ukraine attack report highlights that adversaries discovered and exploited VPN connections and that the absence of 2FA created risk; it recommends a remote-access DMZ, jump hosts and disabling split tunneling as countermeasures[5].

Dual-homed Systems: The ICS tactics framework explains that adversaries use default passwords and dual-homed devices for lateral movement. In flat networks, there is no segment barrier[6].

Engineering Workstations: PLC/RTU programs and governor setpoints are typically managed from the EWS. They are a high-priority attack surface because they sit close to the control layer and routinely require USB media and vendor software[1].

Legacy Protocols: Some OT protocols were not designed with security in mind. NIST notes that OT firewalls can perform DPI with DNP3/CIP/Modbus parsers[10].

Bowman Dam Breach (2013): Unauthorized access to the Bowman Dam SCADA in the US; water level, temperature and sluice gate status data was compromised. Remediation cost: $30,000+[12].

Defense Layers and Zero Trust

Layered Defense: VLAN / Firewall / DMZ / Jump Server / Data Diode

| Layer | Technical Function | HPP Implementation |
|---|---|---|
| DMZ | Blocks direct access from corporate network to OT; centralizes services at a single point [1] | OT gateway, log broker, time sync proxy located in DMZ |
| Jump Server | Routes OT access through a single controlled hop point [5] | MFA + time-based + session recording; split tunneling disabled |
| Firewall (DPI) | deny-all / permit-by-exception; stateful + DPI [10] | OT NGFW: Modbus FC, DNP3, OPC UA parser for command-level filtering |
| Data Diode | OT→DMZ unidirectional data flow; physically eliminates C2 channel [1] | All reverse flow physically blocked except critical telemetry |
| VLAN | Valuable for initial segmentation; trunk/routing/ACL bypass risk [10] | Should be supported with physical separation + enforcement devices where possible |

Table 3: Layered Defense Components [1][5][10]

Zero Trust and Micro-Segmentation

Zero Trust makes access decisions with least privilege on every request under the assumption that the network may already be compromised. NIST SP 800-207 explains that in micro-segmentation, resources are placed in separate segments and each segment is protected by a gateway/PEP[2]. In OT, this means cell/area-based segments, engineering workstation→PLC program download flows open only during defined maintenance windows, and HMI→PLC commands arriving only through operator role + MFA + designated jump host.
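A PEP in this setting evaluates each request against several independent conditions at once: the role is allowed to perform the action, MFA was verified, the session arrives via a designated jump host, and time-gated actions such as a PLC program download fall inside an approved maintenance window. The decision function below is an added example (not the article's or Renewasoft's code, and not an implementation of any NIST SP 800-207 component) showing that logic; the roles, host names, the window and the requests are constructed assumptions.

```python
"""Zero Trust PEP decision for OT access requests. Added example; policy
values, hosts and requests are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class AccessRequest:
    subject: str          # authenticated identity
    role: str             # "operator", "engineer", "analyst"
    mfa_verified: bool
    source_host: str      # host the session originates from
    action: str           # "hmi_write", "plc_program_download", "telemetry_read"
    target: str           # PLC / HMI / historian name
    at: datetime

@dataclass
class MaintenanceWindow:
    target: str
    start: datetime
    end: datetime
    def covers(self, t: datetime) -> bool:
        return self.start <= t < self.end

@dataclass
class Policy:
    jump_hosts: set[str]
    action_roles: dict[str, set[str]]
    windows: list[MaintenanceWindow] = field(default_factory=list)
    window_gated_actions: set[str] = field(default_factory=set)

def pep_decide(p: Policy, r: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every check must pass; all failures are
    reported so the SOC log shows exactly which controls fired."""
    reasons: list[str] = []
    if r.role not in p.action_roles.get(r.action, set()):
        reasons.append(f"role '{r.role}' may not perform '{r.action}'")
    if not r.mfa_verified:
        reasons.append("MFA not verified")
    # Any action that touches control systems must come through a jump host.
    if r.action != "telemetry_read" and r.source_host not in p.jump_hosts:
        reasons.append(f"'{r.source_host}' is not a designated jump host")
    if r.action in p.window_gated_actions and not any(
            w.target == r.target and w.covers(r.at) for w in p.windows):
        reasons.append(f"no maintenance window open for {r.target} at {r.at:%Y-%m-%d %H:%M}")
    return (not reasons), reasons

# Constructed policy: HMI writes need the operator role; program downloads need
# the engineer role plus an approved window; analysts may only read telemetry.
POLICY = Policy(
    jump_hosts={"jump01.otdmz"},
    action_roles={
        "hmi_write": {"operator"},
        "plc_program_download": {"engineer"},
        "telemetry_read": {"operator", "engineer", "analyst"},
    },
    windows=[MaintenanceWindow("governor-plc-1",
                               datetime(2026, 3, 2, 1, 0), datetime(2026, 3, 2, 5, 0))],
    window_gated_actions={"plc_program_download"},
)

def decide(subject: str, role: str, mfa: bool, host: str,
           action: str, target: str, when: datetime) -> tuple[bool, list[str]]:
    return pep_decide(POLICY, AccessRequest(subject, role, mfa, host, action, target, when))

if __name__ == "__main__":
    cases = [
        ("eng1", "engineer", True, "jump01.otdmz", "plc_program_download", "governor-plc-1", datetime(2026, 3, 2, 2, 30)),
        ("eng1", "engineer", True, "jump01.otdmz", "plc_program_download", "governor-plc-1", datetime(2026, 3, 2, 9, 0)),
        ("eng1", "engineer", True, "ews-lab.corp", "plc_program_download", "governor-plc-1", datetime(2026, 3, 2, 2, 30)),
        ("op7", "operator", False, "jump01.otdmz", "hmi_write", "hmi-unit2", datetime(2026, 3, 2, 2, 30)),
        ("an3", "analyst", True, "bi.corp", "telemetry_read", "historian-mirror.otdmz", datetime(2026, 3, 2, 2, 30)),
    ]
    for c in cases:
        ok, why = decide(*c)
        print(c[0], c[4], "ALLOW" if ok else "DENY", why)
```

Returning every failed condition rather than the first one matters operationally: a denied download outside the window that also came from a non-jump host is a different investigation than one that merely missed the window.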

Deterministic Traffic Baselining

Traffic patterns in OT networks are far more deterministic than IT. NIST emphasizes that this determinism is critical for anomaly detection with IDS/IPS/BAD/SIEM and recommends tuning sensors in learning mode according to OT traffic[1][10].
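To make the learning-mode idea concrete, here is an added example (not the article's code and not any IDS product's logic) of a minimal deterministic baseline: during learning it records every (src, dst, protocol, function) flow tuple and the highest packet rate seen per tuple; in monitoring mode it alerts on tuples never seen before and on rates that exceed the learned maximum by a tolerance factor. The flow records, addresses and the 1.5× tolerance are constructed assumptions.

```python
"""Deterministic-traffic baselining for an OT segment. Added example; the
sample flow records are constructed."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    proto: str      # "modbus", "dnp3", "opcua", "rdp", "smb", ...
    function: str   # e.g. Modbus "FC3"; "-" if not applicable

class TrafficBaseline:
    def __init__(self, rate_tolerance: float = 1.5):
        self.learning = True
        self.rate_tolerance = rate_tolerance
        self.max_rate: dict[FlowKey, float] = {}   # peak packets/interval per tuple

    def observe(self, key: FlowKey, pkts_per_interval: float) -> list[str]:
        """In learning mode record the tuple; in monitoring mode return alerts."""
        if self.learning:
            self.max_rate[key] = max(self.max_rate.get(key, 0.0), pkts_per_interval)
            return []
        alerts: list[str] = []
        if key not in self.max_rate:
            alerts.append(f"NEW FLOW {key.src}->{key.dst} {key.proto}/{key.function}")
        elif pkts_per_interval > self.max_rate[key] * self.rate_tolerance:
            alerts.append(f"RATE {key.src}->{key.dst} {key.proto}/{key.function}: "
                          f"{pkts_per_interval:.0f} > {self.max_rate[key]:.0f} x {self.rate_tolerance}")
        return alerts

    def finish_learning(self) -> int:
        """Switch to monitoring; returns the number of learned tuples."""
        self.learning = False
        return len(self.max_rate)

# Constructed learning-phase records: (src, dst, proto, function, pkts/interval).
# HMI polls the governor PLC (FC3), writes a setpoint occasionally (FC6),
# and the DMZ collector reads the historian over OPC UA.
LEARNING = [
    ("10.30.0.10", "10.20.0.21", "modbus", "FC3", 60),
    ("10.30.0.10", "10.20.0.21", "modbus", "FC3", 62),
    ("10.30.0.10", "10.20.0.21", "modbus", "FC6", 2),
    ("10.40.0.5", "10.30.0.11", "opcua", "-", 30),
] * 3

# Constructed monitoring-phase records: normal polling, a burst of writes,
# an RDP session to the PLC subnet that was never seen, normal OPC UA.
MONITORING = [
    ("10.30.0.10", "10.20.0.21", "modbus", "FC3", 61),
    ("10.30.0.10", "10.20.0.21", "modbus", "FC6", 40),
    ("10.30.0.12", "10.20.0.21", "rdp", "-", 15),
    ("10.40.0.5", "10.30.0.11", "opcua", "-", 31),
]

def run(learning=LEARNING, monitoring=MONITORING) -> list[str]:
    """Learn from one set of records, then monitor another; returns alerts."""
    b = TrafficBaseline()
    for s, d, p, f, rate in learning:
        b.observe(FlowKey(s, d, p, f), rate)
    b.finish_learning()
    alerts: list[str] = []
    for s, d, p, f, rate in monitoring:
        alerts.extend(b.observe(FlowKey(s, d, p, f), rate))
    return alerts

if __name__ == "__main__":
    for a in run():
        print(a)
```

The same approach fails in an IT segment because the learned tuple set never converges; in an OT cell it typically does within a few polling cycles, which is exactly the "opportunity" row of Table 1.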

Protocol Security: OPC UA and IEC 62351

The OPC UA security model includes client/server authentication, X.509 certificates, communication integrity/confidentiality and audit trail support[13]. IEC 62351 focuses on communication security for energy control protocols such as IEC 60870-5 and IEC 61850[14].

Technical Risk Scoring Model

NIST defines risk as a function of impact and likelihood[3]. NREL’s VaR framework formulates how risk can be reduced through control implementation level (CI)[7]:

VaR = L × (1 − CI_seg) × I
L = Event likelihood (0-1)  |  CI_seg = Segmentation maturity (0-1)  |  I = Impact (0-1)
| Status | L | CI_seg | I | VaR |
|---|---|---|---|---|
| Baseline (VLAN exists, limited DMZ) | 0.40 | 0.20 | 0.70 | 0.224 |
| Target (DMZ+jump+micro-seg+DPI) | 0.40 | 0.70 | 0.70 | 0.084 |

Table 4: NREL VaR — Impact of Segmentation Maturity on Risk Indicator [7]

Segmentation/micro-segmentation maturity reduces the risk indicator by ~62% (0.224 → 0.084). This is not a definitive result; it is a decision-support metric for prioritizing investment[7][3].
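The computation behind Table 4, carried through as an added example (not NREL's or Renewasoft's code): the VaR indicator for both rows, the relative reduction, and one way to derive CI_seg from the implementation level of individual controls, as Q7 describes. The per-control weights are a hypothetical assumption chosen so that the two control sets reproduce the 0.20 and 0.70 maturity values of the table; the NREL framework does not prescribe them.

```python
"""VaR = L x (1 - CI_seg) x I, as in Table 4. Added example; the control
weights are an assumption, not part of the NREL framework."""
from __future__ import annotations

# Assumed maturity weights per segmentation control (sum to 1.0). Hypothetical.
CONTROL_WEIGHTS = {
    "vlan": 0.10, "dmz": 0.20, "jump_host": 0.15, "data_diode": 0.15,
    "dpi_firewall": 0.15, "micro_segmentation": 0.10, "baselining": 0.15,
}

def ci_seg(controls: dict[str, float]) -> float:
    """Segmentation maturity in [0,1]: weighted sum of per-control
    implementation levels (each clamped to 0..1). Unknown names are rejected."""
    unknown = set(controls) - set(CONTROL_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown controls: {sorted(unknown)}")
    return round(sum(CONTROL_WEIGHTS[c] * min(max(v, 0.0), 1.0)
                     for c, v in controls.items()), 3)

def var(likelihood: float, ci: float, impact: float) -> float:
    """Risk indicator; every factor must lie in [0,1]."""
    for name, x in (("L", likelihood), ("CI_seg", ci), ("I", impact)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{name} must be in [0,1], got {x}")
    return round(likelihood * (1.0 - ci) * impact, 3)

def reduction(before: float, after: float) -> float:
    """Relative reduction of the indicator, e.g. 0.224 -> 0.084 gives 0.625."""
    return round(1.0 - after / before, 3)

# Table 4 rows, using the article's CI_seg values directly.
BASELINE = var(0.40, 0.20, 0.70)   # 0.224
TARGET = var(0.40, 0.70, 0.70)     # 0.084

# The same two states expressed through deployed controls (assumed levels):
# baseline = VLANs in place, DMZ half built; target = Table 4's DMZ+jump+micro-seg+DPI.
BASELINE_CONTROLS = {"vlan": 1.0, "dmz": 0.5}
TARGET_CONTROLS = {"vlan": 1.0, "dmz": 1.0, "jump_host": 1.0,
                   "dpi_firewall": 1.0, "micro_segmentation": 1.0}

if __name__ == "__main__":
    print("baseline VaR", BASELINE, "CI_seg from controls", ci_seg(BASELINE_CONTROLS))
    print("target   VaR", TARGET, "CI_seg from controls", ci_seg(TARGET_CONTROLS))
    print("reduction", reduction(BASELINE, TARGET))
```

Note that L and I are unchanged between the rows: segmentation in this model lowers exposure, not the likelihood of an attempt or the consequence of a successful one, which is why the article calls the result a prioritization metric rather than a residual-risk figure.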

Infographic: Segmentation Maturity Levels and NREL VaR Risk Reduction Model [7]

Case Study: HPP Attack Simulation

💥 Evidence-Based Background

Ukraine 2015: Adversaries executed operations not only through malware but by directly using control systems; BlackEnergy/KillDisk facilitated access and delayed recovery[5].

ICS-CERT: KillDisk corrupted MBR rendering systems unusable; Windows-based HMIs and serial-to-Ethernet firmware were affected[6].

Bowman Dam 2013: Unauthorized SCADA access; $30K+ remediation cost[12].

| # | Phase | Technical Step | Segmentation Impact |
|---|---|---|---|
| 1 | Initial Access | Spearphishing to enter corporate network [5] | IT segmentation forms the first barrier |
| 2 | Credential Access | Domain credentials + VPN path discovery [5] | MFA + PAM blocks credential harvesting |
| 3 | Pivot (IT→OT) | Lateral movement to OT via dual-homed EWS [6] | DMZ + jump server + data diode prevents pivot |
| 4 | Lateral Movement | Spreading within OT via RDP/SMB [6] | Micro-segmentation provides cell-based isolation |
| 5 | Impact | Breaker/gate control, wiper, DoV/DoC [5][6] | Segmentation hardens steps 3-4, limiting impact |

Table 5: Attack Simulation Flow and Segmentation Impact [5][6]

DOE’s document emphasizes that an HPP cyber incident can affect public safety, critical infrastructure and grid energy distribution[8]. In a 100 MW HPP, a 4-hour forced outage = 400 MWh loss + market/imbalance and restart costs.

Enterprise Integration Approach: Secure OT Data Flow

Secure integration in HPP environments requires enabling data visibility without compromising control integrity.

This architecture is based on:

• Read-only data extraction from OT systems
• Controlled data transfer via DMZ
• Jump server-based controlled access
• Micro-segmentation for cell-level isolation
• Secure protocols such as OPC UA with certificate-based authentication

This approach ensures that data is accessible while maintaining strict control over operational systems.

DMZ Reference Architecture

| Zone | Components | Security Controls |
|---|---|---|
| Zone 0-2 (Field/Control) | PLC/RTU, I/O networks, turbine-gate control cells | Micro-seg: each cell isolated; DPI for Modbus FC control |
| Zone 3 (Supervisory) | SCADA servers, historian, HMI | HMI→PLC only from authorized hosts/protocols; ML baseline |
| Zone 3.5 (OT DMZ) | OT gateway, jump server, log broker | MFA + time-based + session recording; optional data diode |
| Zone 4-5 (Enterprise/Cloud) | SOC/SIEM, corporate IAM, UI | No direct OT access; controlled flow through DMZ |

Table 6: Integrated HPP OT/IT DMZ Reference Architecture [1][2][9]

Critical design principle: The OT collector only collects read-only telemetry; it does not generate control commands. Identity verification is X.509 certificate-based via the OPC UA security model[13].

🔍 HPP-Specific AI Capabilities

Water Flow Prediction: ML model trained on meteorological data (rainfall, snowmelt, temperature), watershed parameters and historical flow records. 72-hour forecast window.

Production Forecasting: Integrated forecast combining reservoir level + water flow + turbine efficiency curves + market price signals. Output aligned with EPİAŞ DAM/IDM periods.

Predictive Maintenance: Multi-variable anomaly scoring from turbine vibration, bearing temperature, oil quality, winding insulation resistance.

EPİAŞ Integration: Optimization integrated with DAM/IDM price signals. Automated bidding, imbalance risk analysis and revenue maximization.

Frequently Asked Questions (FAQ)

Q1: Can VLAN alone provide OT/IT separation?
VLANs are valuable for cost efficiency; however, NIST recommends physical separation and enforcement devices (firewall/unidirectional gateway) where possible. VLANs can be bypassed through trunk/routing/ACL gaps[1][10].

Q2: Does micro-segmentation degrade OT latency?
If poorly designed, yes. When selecting PEPs (NGFW/OT firewall), throughput/latency tests must be conducted; sensors should be tuned in learning mode; allowlists for critical control flows must be clearly defined[1][2].

Q3: What belongs in the DMZ?
Data collectors, jump host, log broker, time sync proxy. A direct OT dependency on the corporate domain controller makes OT availability dependent on IT reliability[1].

Q4: Is DPI necessary for OT firewalls?
Port-based filtering is the baseline; command/function differentiation in OT protocols is critical. NIST recommends DPI-capable firewalls as compensating controls for legacy devices[10].

Q5: Should Zero Trust be implemented gradually in OT?
Yes. First isolate critical assets with micro-segments and control access through jump hosts; then mature the policy engines[2].

Q6: How is remote access secured?
Remote access should be routed through a jump server within the DMZ, protected by MFA, time-based access controls, and session recording.

Q7: How is segmentation’s contribution measured?
NREL VaR framework: VaR = L×(1-CI)×I. Segmentation maturity is scored within CI_seg; as DMZ, jump host, DPI, baselining controls increase, the risk metric decreases[3][7].

Conclusion and Next Steps

OT/IT segmentation and micro-segmentation are not only cybersecurity measures in HPPs, but essential components of operational continuity and safety.

A properly designed segmentation architecture reduces attack surfaces, limits lateral movement, and protects critical control systems.

In modern energy infrastructures, security must be treated as a continuously monitored and improved system rather than a static control.

If you would like to learn more about securing critical energy infrastructure and improving OT cybersecurity practices, feel free to contact us:

[email protected]

© Copyright 2025, Renewasoft Energy and Software Inc.

  • Home Page
  • About Us
  • Our Product
  • Contact