Part 4: OT Security Architecture – What Works?

In the first three parts of this series, we explored the business case for OT security, identified industry-specific use cases, and examined the evolving threat landscape. It has come to our attention that OT systems are increasingly exposed to cyber risk and that traditional IT security models are not applicable in this context.

The next logical question is: What does a functional, effective OT security architecture look like?

What are the core components of such an architecture, and how can organizations build something secure and sustainable in complex, aging, and often fragile OT environments?

Let’s examine the details.

The Core Principles of OT Security Architecture

Designing security for OT environments entails more than deploying the latest tools or mimicking IT practices. The objective is to align security measures with the operational realities of physical systems, many of which were never designed to be connected, let alone protected against cyber threats.

The following are the foundational principles that underpin any effective OT security architecture:

1. Visibility before control
2. Segmentation over perimeter
3. Availability and safety above all
4. Passive monitoring, not intrusive scanning
5. Simplicity and operational fit

These principles serve as the foundation for all architecture decisions. These principles underscore the concept that what cannot be seen cannot be secured, and what must not stop cannot be broken.

Zones and Conduits: The Backbone of OT Segmentation

Most modern OT security architectures are based on the ISA/IEC 62443 zone and conduit model, either explicitly or implicitly. The concept is straightforward: categorize assets based on their risk profiles and communication requirements into “zones,” and regulate traffic flow between them through “conduits.”

Essential OT Security Components

A mature OT security architecture generally comprises the following components:

1. Asset Discovery and Inventory

The cornerstone of visibility. Many OT organizations lack a comprehensive real-time inventory of their connected assets. Passive scanning tools can safely identify devices, protocols, and firmware versions without disrupting operations.

2. Network Segmentation

Flat networks are a common feature of legacy OT. Introducing VLANs, firewalls, or segmentation appliances is an effective strategy to limit the impact of any compromise. Segmentation is also instrumental in ensuring compliance with regulatory requirements, such as NIS2 and IEC 62443.

3. Anomaly and Threat Detection

Specialized network detection and response (NDR) tools for OT observe traffic patterns and detect suspicious behavior, such as unusual commands to PLCs, rogue devices, or lateral movement attempts.

4. Access Control and Authentication

Control who can access what, and how. This includes:

• Role-based access (e.g., operator vs. engineer)
• Jump servers for remote access
• MFA for sensitive operations
• Logging and session recording

5. Patch and Vulnerability Management

While patching is rare in OT, it is critical to know what is vulnerable. An effective architecture should support out-of-band patch testing, safe maintenance windows, and compensating controls where patching isn’t feasible.

6. Incident Response Integration

OT security must integrate with the organization’s overall SOC and IR processes. This includes alarm correlation, playbooks, and clearly defined escalation paths for OT incidents.

Challenges Unique to OT Architecture

OT design entails more than simply determining what to include; it involves the safe and pragmatic implementation of these elements. Some of the most common challenges include:

• Legacy Devices: Many OT assets can’t run modern security agents or even support encryption.
• Vendor Constraints: OEMs may prohibit specific configurations or changes without voiding warranties.
• Downtime Restrictions: Some systems can’t be restarted or taken offline without a significant operational impact.
• Skill Gaps: Many operators are not trained in cybersecurity, and many security staff are unfamiliar with OT protocols like Profibus, Modbus, DNP3, or PROFINET.

For this reason, collaboration between OT and IT teams is essential. Architecture decisions must reflect operational realities, not just security best practices.

Maturity Matters: Crawl, Walk, Run

Not every organization requires an advanced architecture immediately. A phased, risk-based approach is often more successful.

Example Maturity Journey:

• Phase 1: Visibility – Asset inventory, passive monitoring, basic segmentation
• Phase 2: Control – Role-based access, incident response alignment, anomaly detection
• Phase 3: Optimization – Risk scoring, secure remote access, integration with SOC/SIEM
• Phase 4: Compliance & Governance – Formalized policies, auditability, lifecycle management

The objective is not perfection but progress without disruption. Achieving minor, significant victories (e.g., segmenting legacy devices from the enterprise LAN) can mitigate risk while substantially fostering stakeholder support.

What’s Next: Who Owns What in OT Security?

A robust architecture is only as strong as the people and processes behind it. In the fifth installment of this series, we will delve into the organizational facets of OT security, encompassing the roles, responsibilities, and governance models that ensure the effective implementation of technology.

It is essential to understand that firewalls and sensors do not secure systems; people do.