Network segmentation

Network segmentation is the practice of dividing a computer or operational technology (OT) network into multiple smaller, isolated zones or segments, with controlled communication paths between them. It is used to separate critical systems, limit the spread of incidents, and enforce different security or performance requirements for different parts of the environment.

In industrial and manufacturing settings, network segmentation commonly separates business IT systems from plant-floor OT systems, and further divides OT networks into zones such as safety systems, controllers, HMIs, MES interfaces, historians, and remote access points. Traffic between segments is typically managed using firewalls, VLANs, routers, access control lists, or industrial security appliances.

How network segmentation is used in industrial operations

Within regulated and safety-critical manufacturing environments, network segmentation commonly includes:

• Separating IT and OT networks to reduce the chance that office systems or internet-facing services affect production systems like PLCs, DCSs, and SCADA.
• Creating security zones and conduits (often aligned with standards such as ISA/IEC 62443) so that critical control, safety, and quality systems are isolated and only necessary communication is allowed.
• Protecting MES, ERP, and quality systems by placing them in intermediate or demilitarized (DMZ) segments that broker data between plant-floor equipment and enterprise applications.
• Restricting remote access to specific segments through jump servers, VPNs, or dedicated gateways, instead of allowing broad access to the entire plant network.
• Limiting blast radius of incidents so that a malware infection, misconfiguration, or network fault in one segment is less likely to impact other zones, especially those supporting batch records, electronic signatures, or safety interlocks.

What network segmentation includes and excludes

Network segmentation includes both:

• Logical segmentation such as VLANs, subnets, firewall rules, VPNs, and access control lists.
• Physical segmentation such as dedicated switches, separate cabling, and isolated wireless networks for specific production areas or systems.

It does not, by itself, define user permissions, application security, or data encryption policies, although it often works alongside those controls as part of a broader cybersecurity and reliability strategy.

Common confusion

• Network segmentation vs. air gapping: Air gapping refers to complete physical isolation with no active network connection. Segmentation allows controlled, monitored connectivity between segments.
• Network segmentation vs. VLANs only: VLANs are one way to implement segmentation, but effective segmentation usually combines VLANs with routing, firewalling, and policy controls.
• Network segmentation vs. microsegmentation: Microsegmentation typically refers to very fine-grained controls at the workload or device level, often in data centers or cloud environments. Network segmentation usually operates at subnet, site, or zone level.

Context in regulated manufacturing environments

In regulated industries, network segmentation is commonly referenced in cybersecurity programs, data integrity protection measures, and business continuity planning. It is often documented in site network diagrams, OT architecture descriptions, and risk assessments that cover MES interfaces, batch control, electronic records, and remote support arrangements.