virtualization

Virtualization is the abstraction of physical computing resources into logical instances so that multiple isolated workloads can run on the same underlying hardware. It is commonly implemented through a hypervisor that creates and manages virtual machines (VMs), each with its own operating system and applications, sharing CPU, memory, storage, and network interfaces.

Key characteristics

In industrial and manufacturing environments, virtualization commonly refers to:

• Server virtualization: Running multiple virtual servers (for MES, historians, batch systems, engineering workstations, or domain controllers) on a single physical host or host cluster.
• Desktop or application virtualization: Providing operator stations, engineering clients, or specialized tools as virtual desktops or remote applications instead of dedicated PCs.
• Network and security virtualization: Using virtual firewalls, routers, and network segments to separate OT and IT traffic or isolate zones and conduits defined by security standards.
• Storage virtualization: Presenting pooled or abstracted storage resources to hosts as logical disks or volumes.

Virtualization does not change the logical functions of applications or operating systems; it changes how and where they are hosted and how resources are allocated and isolated.

Operational meaning in regulated and industrial environments

In regulated or security-sensitive manufacturing environments, virtualization is used to:

• Host OT and IT workloads with defined separation and controlled resource sharing.
• Segment systems into different security zones by running separate virtual machines, each mapped to specific network segments and security policies.
• Support lifecycle management tasks such as snapshots, backups, test environments, and disaster recovery scenarios.
• Maintain legacy operating systems or applications on modern hardware by encapsulating them inside VMs.

From an operational perspective, virtualization introduces additional layers to document and manage: the physical host infrastructure, the hypervisor, and each virtual machine or virtual network component. In regulated environments, changes, configurations, and access controls at each layer typically need clear governance and traceability.

Relation to security zoning (e.g., IEC 62443)

When applying security zoning concepts, such as those in IEC 62443, virtualization allows a single physical device to host multiple logical entities (for example, several virtual machines or virtual network interfaces) that belong to different zones. Each virtual instance can be assigned:

• Its own security policies and firewall rules.
• Separate network interfaces or VLANs mapped to defined conduits.
• Distinct user and role configurations aligned with zone-specific requirements.

This approach requires careful architectural design, clear documentation of which virtual components belong to which zones, and strong enforcement of isolation at the hypervisor and network levels to avoid ambiguous trust boundaries.

Common confusion

• Virtualization vs. containerization: Virtualization typically provides full virtual machines with their own operating systems. Containerization shares a single OS kernel and isolates applications at the process level. Both can appear similar from an application perspective, but they have different isolation and management models.
• Virtualization vs. cloud computing: Cloud services are often built on virtualization, but virtualization itself is the underlying technology for abstracting hardware. It can be used on-premises without any public cloud components.
• Virtual machines vs. physical segmentation: Virtual separation on a single host is not the same as physically distinct hardware. Security or availability requirements may still call for physical separation even when virtualization is used.