Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
Why OSS

OT Network Segmentation,
Patterns and Failure Modes

Zone and conduit design in line with IEC 62443, the industrial DMZ at Level 3.5, unidirectional gateways for one-way flows, and a physical air gap for the copy that must survive when the rest is touched.

R6.2
The four patterns that hold up

Zones, Conduits, Diodes and a Physical Air Gap

The segmentation patterns that survive contact with a real ransomware operator, ordered by strength.

01
IEC 62443 baseline

Zone and conduit segmentation

Group assets that share security requirements into zones, then define every allowed connection between zones as an explicit conduit with a security level target. Zones map cleanly on to Purdue levels; conduits are enforced by firewalls, ACLs and, for the highest boundaries, protocol breaks.

Zones map to Purdue levelsConduits are explicit, not implicitSecurity level per conduit
02
The enforced OT/IT boundary

Industrial DMZ at Level 3.5

Level 3.5 is not a firewall rule between VLANs, it is a dedicated zone with its own hosts, its own identity domain and its own change process. Jump servers, patch mirrors, published historians and the Firevault gold copy live here. Nothing at Level 3 or below talks directly to Level 4 or above.

Dedicated hosts, dedicated identityJump servers and patch mirrorsFirevault gold copy at 3.5
03
Data diodes for one-way flows

Unidirectional gateways

Where OT must publish data to IT (historian data to a cloud analytics platform, for example) a unidirectional gateway enforces one-way flow at the hardware level. The IT side receives, the OT side has no return path. This is standard practice for regulated utilities and increasingly required by NIS2.

Hardware-enforced one-wayHistorian publish patternsRequired by NIS2 for some sectors
04
Layer 1 isolation, not VLAN

Physical air gap for the gold copy

For the offline gold copy, Layer 1 isolation is the only pattern that survives when segmentation is misconfigured, when identity is compromised or when the backup platform itself is targeted. Firevault provides this at Level 3.5 or in a dedicated bunker, with connection windows switched out of band.

No live network interfaceOut-of-band connection windowsTamper evident event log
Where segmentation actually breaks

Three Failure Modes We See Every Assessment

Segmentation on the diagram is not segmentation in practice. These are the patterns that turn a segmented estate back into a flat one.

01
The dominant legacy pattern

Flat OT VLANs behind a single firewall

Many industrial estates still run a single flat VLAN for the plant behind one perimeter firewall. Once an attacker gets past that firewall, every controller and historian is reachable. Segmentation between Purdue levels breaks this pattern; a physical air gap for the gold copy guarantees a survivable copy regardless.

Single perimeter, flat insideOne compromise, full plant reachNo lateral controls
02
Domain admin owns both

Shared identity across L4 and L3.5

Placing the industrial DMZ inside the same Active Directory domain as corporate IT means a phished domain admin has authority on both sides. The segmentation firewall is not the boundary any more; the identity domain is. Real Level 3.5 isolation requires its own identity plane.

Same AD forest as corporateDomain admin bypasses firewallIdentity is the real boundary
03
Immutable, but still on the wire

Backup platform reachable from IT

Running the OT backup platform as VMs on the corporate hypervisor, or as an appliance dual-homed into the corporate LAN, undoes segmentation regardless of Object Lock or immutability. The management plane is reachable, and a management-plane compromise weakens retention before ransomware runs.

Dual-homed appliancesCorporate hypervisor guestsManagement plane exposure

Build checklist

Ten Checks for an OT Segmentation Design

Use this list to review a proposed OT segmentation design before it goes into production.

  • Zones defined against Purdue levels, with a written security level target per zone
  • Every conduit between zones documented, with source, destination, protocol and enforcement
  • Industrial DMZ (Level 3.5) hosts sit in a dedicated identity domain, not the corporate forest
  • No system at Level 3 or below has a route to Level 4 or above except through Level 3.5
  • Backup and recovery platforms live in the OT identity plane, not the corporate one
  • Unidirectional gateways used for any required OT to IT data flow that carries value
  • Physical air gap for the gold copy, at Level 3.5 or in a dedicated bunker
  • Connection windows to the offline copy switched out of band and logged separately
  • Annual restore test across the Level 3.5 boundary, results captured for audit
  • Segmentation reviewed after every change to the corporate identity domain

Continue with the Purdue pillar, the diagram reference and the physical air-gap guide.

OT Segmentation, Common Questions

Mark Fermor
David Bailey
Kenny Phipps
Online Now
Concierge

Add a Layer 1 air gap to your segmentation design

Talk to the Firevault team about placing a physical air-gapped gold copy at Level 3.5 or in a dedicated bunker, so the copy survives when segmentation does not.

Takes about 2 minutes. No account needed.

Free2 minsNo sign-up
    Get started

    Your privacy matters

    We use cookies to keep the site running smoothly and to understand how you use it. You are in control. Privacy Charter · Cookie Policy