Industrial Segmentation Playbook

    Define zones and conduits, apply least privilege, and stage enforcement without downtime.

    Tags: OT | Microsegmentation | IEC 62443 | Reading time: 10 min | Last updated: 2026-01-01

    Overview

    QuantLayer segmentation uses identity + posture signals to enforce policy at the right point in the environment—edge gateways, jump hosts, industrial DMZ, and zone firewalls—so you can reduce lateral movement while maintaining operational continuity.

    Goal
    Contain threats to the smallest possible blast radius by separating critical functions (HMI/SCADA, safety, engineering, historians, remote access) and allowing only known-good flows.

    Zone & Conduit Design

    Industrial DMZ

    Typical assets: jump hosts, patch repo, broker services. Allowed conduits (examples): IT → DMZ (admin), DMZ → OT (controlled), OT → DMZ (telemetry).

    Control Zone

    Typical assets: SCADA, HMI, PLC engineering stations. Allowed conduits (examples): DMZ → Control (approved ports), Control → Control (limited).

    Safety Zone

    Typical assets: SIS controllers, safety workstations. Allowed conduits (examples): strictly isolated; exceptions require explicit approval.

    IIoT / Edge Zone

    Typical assets: gateways, sensors, edge compute. Allowed conduits (examples): Edge → DMZ/Cloud (egress only), local OT conduits as needed.

    OT best practice
    Keep safety systems isolated by default. Any conduit touching the safety zone should require explicit approval and continuous monitoring.

    Staged Enforcement (No Downtime)

    1) Observe: Deploy agents/gateways and collect baseline communications (who talks to whom, when, and on what ports).
    2) Model: Group assets by function into zones. Convert observed communications into candidate allow-rules.
    3) Simulate: Run policies in audit mode to detect what would be blocked before enforcing.
    4) Enforce gradually: Start with high-confidence rules (known services). Roll out enforcement per site/line/cell.
    5) Respond: Auto-quarantine anomalous paths, restrict remote access, and trigger runbooks for SOC/OT teams.
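    The Model and Simulate stages above, with the safety-zone isolation rule from the zone design section, as an added illustration (example code written for this page, not QuantLayer's product code; asset names, the baseline flows and the rule shape are constructed assumptions):

```python
from collections import Counter

# Constructed asset-to-zone inventory using this playbook's zones (hypothetical names).
ZONES = {
    "jump01": "DMZ", "broker01": "DMZ",
    "scada01": "Control", "hmi01": "Control", "eng01": "Control",
    "sis01": "Safety",
    "gw01": "Edge",
}

# Constructed baseline from the Observe stage: (src, dst, proto, dst_port).
BASELINE = [
    ("jump01", "eng01", "tcp", 3389),   # vendor RDP via jump host, seen twice
    ("jump01", "eng01", "tcp", 3389),
    ("gw01", "broker01", "tcp", 8883),  # edge telemetry to DMZ broker, seen twice
    ("gw01", "broker01", "tcp", 8883),
    ("hmi01", "scada01", "tcp", 102),   # seen only once: low confidence
    ("eng01", "sis01", "tcp", 102),     # touches the Safety zone
    ("eng01", "sis01", "tcp", 102),
]


def zone_of(asset):
    """Map an asset to its zone; anything not inventoried is 'Unknown'."""
    return ZONES.get(asset, "Unknown")


def model_rules(flows, min_observations=2, approved_exceptions=frozenset()):
    """Model stage: turn observed flows into zone-level candidate allow-rules.

    A rule is (src_zone, dst_zone, proto, port). Only flows seen at least
    min_observations times qualify (high-confidence rules first), flows with an
    un-inventoried endpoint are skipped, and any conduit touching the Safety
    zone is dropped unless it is in the explicitly approved exception set.
    """
    counts = Counter((zone_of(s), zone_of(d), p, port) for s, d, p, port in flows)
    rules = set()
    for rule, n in counts.items():
        src_zone, dst_zone = rule[0], rule[1]
        if "Unknown" in (src_zone, dst_zone) or n < min_observations:
            continue
        if "Safety" in (src_zone, dst_zone) and rule not in approved_exceptions:
            continue
        rules.add(rule)
    return rules


def audit(flows, rules):
    """Simulate stage: report what enforcement would do to each flow, without blocking."""
    return [(f, "allow" if (zone_of(f[0]), zone_of(f[1]), f[2], f[3]) in rules
             else "would-block") for f in flows]
```

    Run `audit(BASELINE, model_rules(BASELINE))` to see which baseline flows the high-confidence rule set would have blocked; the safety conduit only becomes an allow-rule when passed in `approved_exceptions`.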

    Recommended Controls

    • Least privilege flows: allow only required ports/protocols between zones.
    • Privileged remote access: force identity + posture check for jump hosts and vendor sessions.
    • Immutable logging: record policy decisions, exceptions, and drift events for audits.
    • Containment: quarantine a device or isolate a conduit when its risk score crosses the configured threshold.
