OT/IT Network Segmentation and Zero Trust for Energy Control Networks
The ransomware that hit Colonial Pipeline in May 2021 was only ever found on the corporate IT network. The intrusion began with a single compromised password for a legacy VPN account that had no multi-factor authentication, yet Colonial shut down 5,500 miles of pipeline because it could not be confident the ransomware had not crossed into OT. That decision, driven by the absence of trustworthy segmentation and of visibility across the boundary, caused fuel shortages along the US east coast. For energy operators, robust OT/IT segmentation is what keeps a corporate IT incident a contained event rather than a national one.
The Purdue Model and ISA-95 as a Segmentation Reference
Effective segmentation in energy control networks is built around the Purdue Model, the level hierarchy that ISA-95 adopted as its functional hierarchy and that ISA/IEC 62443 zone-and-conduit design builds on. It organises industrial systems into hierarchical levels, each separated by an enforced boundary, with traffic permitted only between adjacent levels and only where there is a defined operational need. This hierarchy gives operators a shared language for describing where an asset sits and what it should be allowed to communicate with.
- Level 0: field instrumentation, sensors and actuators
- Level 1: basic control such as PLCs, RTUs and protective relays
- Level 2: supervisory control including SCADA servers and HMIs
- Level 3: site operations including historians and engineering workstations
- Industrial DMZ (often numbered Level 3.5, a convention rather than part of ISA-95): the brokered exchange layer between OT and IT
- Levels 4 and 5: enterprise IT, ERP and external connectivity
Why a DMZ Sits Between OT and IT
In a well-designed energy network, no enterprise system ever talks directly to a control-layer device. An industrial DMZ brokers every cross-boundary flow: historian replicas, patch repositories and remote-access jump hosts live in the DMZ rather than spanning the boundary, and where data only needs to leave OT, a unidirectional gateway (data diode) at the boundary enforces that nothing can flow back. The principle is that a compromise of the corporate network should give an attacker the DMZ at most, never the control systems themselves, so the DMZ is itself hardened and monitored on the assumption that it will be reached. This is precisely the assurance Colonial Pipeline lacked.
Applying Zero-Trust Principles to Control Networks
Zero trust does not mean ripping out the perimeter; it means never granting trust on the basis of network location alone. In an energy context this translates to identity-verified, time-bound access for engineers and vendors, multi-factor authentication on every jump host, micro-segmentation between substations or generation units so lateral movement is contained, and continuous verification of device posture. The goal is that compromising one HMI does not hand an attacker the entire control estate.
- Default-deny firewall rules between every Purdue zone
- MFA-authenticated, session-recorded jump hosts for all remote access
- Micro-segmentation between sites so one breach cannot spread laterally
- Unidirectional data diodes where only outbound monitoring data is needed
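The identity-verified, time-bound, MFA-gated access described above can be reduced to a small policy decision: a broker mints a grant only after MFA, the grant carries its own expiry and asset scope, and the jump host rejects anything that fails any check. The following is an added example, not Kyanite Blue's or Sophos's implementation; the shared broker key, the vendor identities and the asset names are constructed, and a production deployment would typically use short-lived SSH certificates or a privileged-access product in place of the HMAC token, with the same checks.

```python
"""Time-bound, identity-verified access grants for an OT jump host.

Added example, not Kyanite Blue's or Sophos's implementation. The broker key,
identities and asset names are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical secret shared by the access broker and the jump host (constructed).
BROKER_KEY = b"example-broker-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_grant(identity, mfa_verified, asset, zone, ttl_seconds, now=None, key=BROKER_KEY):
    """Broker side: a grant is minted only after MFA, and carries its own expiry and scope."""
    if not mfa_verified:
        raise PermissionError("MFA must succeed before a grant is issued")
    now = int(time.time()) if now is None else now
    claims = {"sub": identity, "asset": asset, "zone": zone, "nbf": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def check_grant(token, requested_asset, device_posture_ok, now=None, key=BROKER_KEY):
    """Jump host side: default deny. Returns (allowed, reason); every check must pass."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return (False, "malformed token")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return (False, "bad signature")
    claims = json.loads(body)
    # Time-bound: the grant is valid only inside [nbf, exp).
    if not claims["nbf"] <= now < claims["exp"]:
        return (False, "outside the granted time window")
    # Scoped: a grant for one PLC does not open the rest of the zone.
    if claims["asset"] != requested_asset:
        return (False, f"grant is scoped to {claims['asset']}, not {requested_asset}")
    # Posture: the connecting device must pass its check at session time, not just at login.
    if not device_posture_ok:
        return (False, "device posture check failed")
    return (True, f"{claims['sub']} may reach {claims['asset']} (level {claims['zone']}) until {claims['exp']}")


if __name__ == "__main__":
    grant = issue_grant("vendor-alice", True, "plc-sub7-01", "1", ttl_seconds=3600)
    print(check_grant(grant, "plc-sub7-01", device_posture_ok=True))
    print(check_grant(grant, "plc-sub7-02", device_posture_ok=True))
```

The jump host never consults a "trusted network" list: location plays no part in the decision, and the session is still subject to recording and the zone firewall's default-deny rules once the grant is accepted.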
Segmenting Without Disrupting Generation or Supply
Energy operators cannot take a grid control room offline to install firewalls. Practical segmentation therefore begins with passive discovery, observing mirrored traffic from a SPAN port or network tap so that nothing is injected into the control network, to map every existing flow between OT and IT. A target architecture then preserves the legitimate flows, such as historian replication and vendor maintenance, and removes the rest. Changes are introduced incrementally during planned maintenance windows, each validated against the discovered flows before the next is attempted. This phased approach delivers the security benefit without risking continuity of supply.
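Putting the Purdue adjacency rule, the DMZ-brokering rule, the default-deny principle and the discovery-first approach together, here is an added example (not Kyanite Blue's tooling or a Sophos configuration) of how a passively discovered flow inventory can be triaged before any firewall rule is written. The address plan, the table of operationally needed flows and the sample flow records are all constructed for the example, and numbering the DMZ as Level 3.5 is the common convention rather than an ISA-95 definition.

```python
"""Triage a passively discovered OT/IT flow inventory against Purdue zone rules.

Added example, not Kyanite Blue's tooling. The address plan, the table of
operationally needed flows and the sample flow records are all constructed.
"""
import ipaddress
from dataclasses import dataclass

# Ordered Purdue levels. "3.5" is the industrial DMZ, a common convention that
# ISA-95 itself does not define; the ordering is what makes adjacency checkable.
LEVEL_ORDER = ["0", "1", "2", "3", "3.5", "4", "5"]

# Hypothetical address plan (constructed). Anything outside it is treated as
# Level 5 (external), including the internet.
ZONE_CIDRS = {
    "0":   ipaddress.ip_network("10.10.0.0/24"),   # field I/O
    "1":   ipaddress.ip_network("10.10.1.0/24"),   # PLCs, RTUs, protective relays
    "2":   ipaddress.ip_network("10.10.2.0/24"),   # SCADA servers, HMIs
    "3":   ipaddress.ip_network("10.10.3.0/24"),   # historians, engineering workstations
    "3.5": ipaddress.ip_network("10.10.35.0/24"),  # industrial DMZ
    "4":   ipaddress.ip_network("10.20.0.0/16"),   # enterprise IT
}

OT_LEVELS = {"0", "1", "2", "3"}
IT_LEVELS = {"4", "5"}


@dataclass(frozen=True)
class Need:
    """A cross-zone flow with a defined operational need (hypothetical entries)."""
    src: str
    dst: str
    proto: str
    port: int
    name: str
    one_way: bool = False  # True: only data leaving OT is needed, so a data diode can carry it


NEEDS = [
    Need("2", "1", "tcp", 502, "HMI to PLC, Modbus/TCP"),
    Need("2", "1", "tcp", 20000, "SCADA to RTU, DNP3"),
    Need("3", "2", "tcp", 4840, "historian reads SCADA over OPC UA"),
    Need("3", "3.5", "tcp", 443, "historian pushes to DMZ replica", one_way=True),
    Need("3", "3.5", "udp", 514, "OT syslog to DMZ collector", one_way=True),
    Need("3.5", "3", "tcp", 22, "jump host SSH to engineering workstation"),
    Need("4", "3.5", "tcp", 3389, "engineer RDP to DMZ jump host"),
    Need("4", "3.5", "tcp", 443, "enterprise reads DMZ historian replica"),
    Need("3.5", "4", "tcp", 443, "DMZ patch repository pulls from enterprise mirror"),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for level, net in ZONE_CIDRS.items():
        if addr in net:
            return level
    return "5"


def adjacent(a: str, b: str) -> bool:
    return abs(LEVEL_ORDER.index(a) - LEVEL_ORDER.index(b)) == 1


def triage(src_ip: str, dst_ip: str, proto: str, port: int) -> tuple:
    """Return (verdict, reason). Default is deny; the strictest checks run first."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s == d:
        return ("intrazone", f"level {s}, handled by micro-segmentation rather than zone boundaries")
    if (s in OT_LEVELS and d in IT_LEVELS) or (s in IT_LEVELS and d in OT_LEVELS):
        return ("deny", f"direct OT/IT crossing {s}->{d}; must be brokered through the DMZ")
    if not adjacent(s, d):
        return ("deny", f"non-adjacent levels {s}->{d}")
    for n in NEEDS:
        if (n.src, n.dst, n.proto, n.port) == (s, d, proto, port):
            return ("permit-diode" if n.one_way else "permit", n.name)
    return ("deny", f"no defined operational need for {proto}/{port} {s}->{d}")


def build_ruleset(flows) -> list:
    """Turn triaged flows into an ordered allow list that ends in an explicit default deny."""
    rules = []
    for src, dst, proto, port in flows:
        verdict, why = triage(src, dst, proto, port)
        if verdict == "permit":
            rules.append(f"allow {proto}/{port} {src} -> {dst}  # {why}")
        elif verdict == "permit-diode":
            rules.append(f"diode {proto}/{port} {src} -> {dst}  # {why}; enforce one-way in hardware")
        elif verdict == "deny":
            rules.append(f"# removed: {proto}/{port} {src} -> {dst}  ({why})")
    rules.append("deny any -> any  # default deny between Purdue zones")
    return rules


# Constructed records as passive discovery might report them: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.10.2.10", "10.10.1.20", "tcp", 502),     # HMI polling a PLC
    ("10.20.5.7", "10.10.1.20", "tcp", 502),      # corporate host talking Modbus straight to a PLC
    ("10.10.3.5", "10.10.35.10", "tcp", 443),     # historian replication into the DMZ
    ("10.20.5.7", "10.10.35.10", "tcp", 3389),    # engineer reaching the DMZ jump host
    ("10.10.3.5", "10.10.1.20", "tcp", 502),      # engineering workstation skipping Level 2
    ("10.10.2.10", "10.10.1.20", "tcp", 44818),   # EtherNet/IP that the needs table never listed
    ("203.0.113.9", "10.10.35.10", "tcp", 3389),  # internet straight to the jump host
]

if __name__ == "__main__":
    for rule in build_ruleset(SAMPLE_FLOWS):
        print(rule)
```

Every flow the discovery phase reports is either matched to a written-down need or listed as removed with the reason, so the maintenance-window change can be validated against the same inventory it was derived from; the "removed" lines are the conversation to have with operations before the deny rules go live.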
How Kyanite Blue and Sophos Deliver This
Kyanite Blue designs and implements OT/IT segmentation for energy operators using Sophos firewalls at every zone boundary, combined with Sophos deep-learning threat detection and managed monitoring that can watch OT traffic for anomalous commands. Our engineers map your current network, design a Purdue-aligned target architecture, and roll out default-deny segmentation in phases that respect your maintenance schedule. The result is a control network where a corporate IT compromise stays in IT, and zero-trust access governs every engineer and vendor who touches your control systems.
Frequently Asked Questions
What is the Purdue Model in energy cybersecurity?
The Purdue Model is a reference architecture, adopted by the ISA-95 standard as its functional hierarchy, that divides industrial networks into levels from field devices up to enterprise IT. It gives energy operators a structured way to define which systems may communicate and to enforce segmentation between control systems and business networks.
Why is a DMZ needed between OT and IT networks?
An industrial DMZ brokers all traffic crossing the OT/IT boundary so that no enterprise system ever connects directly to a control device. If the corporate network is compromised, the attacker should reach the DMZ at most, not the SCADA or PLC layer, which is exactly the containment Colonial Pipeline could not rely on in 2021.
Can you apply zero trust to legacy SCADA systems?
Yes, though it is applied at the network and access layers rather than on the legacy device itself. Micro-segmentation, MFA-protected jump hosts, identity-verified vendor access and continuous monitoring deliver zero-trust assurance around systems that cannot themselves enforce modern authentication.
Will network segmentation disrupt our generation or supply?
Not when it is done properly. We begin with passive discovery, which observes a mirrored copy of live traffic without injecting anything into the control network, design a target architecture that preserves essential flows, and introduce controls incrementally during planned maintenance windows, validating each change before proceeding.
Map your OT/IT segmentation gaps with Kyanite Blue