Network segmentation is frequently cited as a fundamental security control, and with good reason - limiting network connectivity reduces attack surface and constrains lateral movement when breaches occur. However, there remains significant confusion about what effective segmentation actually means in practice. Many organisations believe they have implemented segmentation because they have multiple VLANs, yet traffic flows freely between those VLANs without inspection or restriction. This VLAN-only approach provides network organisation but not security segmentation. For critical infrastructure environments, where the consequences of compromise can extend beyond data breaches to physical impacts, effective segmentation requires a more rigorous approach: zone-based architecture with enforced boundaries, micro-segmentation within zones, and inspection of east-west traffic.
Why VLANs Are Not Enough
VLANs provide Layer 2 separation - devices in different VLANs cannot communicate directly at the data link layer. However, as soon as routing is enabled between VLANs (which is almost always necessary for operational purposes), traffic can flow between them. Without firewall rules or access control lists restricting this routed traffic, VLANs provide no more security than a flat network. In our experience auditing critical infrastructure networks, this is one of the most common gaps. Organisations have implemented VLANs that logically separate corporate systems from operational technology, but the Layer 3 routing between them is unrestricted. The VLAN structure creates an illusion of segmentation that does not exist in reality. An attacker who compromises a corporate workstation can reach OT systems just as easily as they could on a flat network. Effective segmentation requires enforcement at Layer 3 and above - firewall rules that define what traffic is permitted between zones, inspection capabilities that can detect malicious traffic, and logging that provides visibility into cross-zone communications. VLANs are a useful building block for segmentation architecture, but they are not segmentation in themselves.
Zone-Based Architecture Design
Zone-based architecture establishes discrete network zones based on trust levels and operational functions, with controlled boundaries between them. For critical infrastructure, zones typically align with the Purdue Model levels: separate zones for process control (Level 1), supervisory systems (Level 2), site operations (Level 3), and enterprise systems (Levels 4-5), with a DMZ mediating between OT and IT environments. Each zone should have explicit security policies defining what systems belong in the zone, what communications are permitted within the zone, and what traffic can cross zone boundaries. Zone boundaries must be enforced by security controls - firewalls, at minimum, with additional capabilities like intrusion detection and content inspection for higher-risk boundaries. The number and granularity of zones involves trade-offs. More zones provide finer-grained control but increase complexity and administrative overhead. Fewer zones are simpler to manage but provide less protection against lateral movement. For critical infrastructure, the operational and safety implications of compromise should drive zone design - higher-consequence systems warrant more protective architecture.
Implementing Micro-Segmentation
Traditional zone-based architecture controls traffic crossing zone boundaries but typically allows free communication within zones. Micro-segmentation extends this model to control traffic within zones as well, limiting lateral movement even if an attacker establishes presence on a system within a zone. Software-defined networking platforms like Cisco ACI and VMware NSX enable micro-segmentation at scale by defining security policies based on application identity rather than network topology. Instead of firewall rules based on IP addresses - which become unmanageable at scale - policies describe permitted communications between application components. The platform automatically applies these policies regardless of where systems are located. For OT environments, micro-segmentation presents both opportunities and challenges. The opportunity is significant risk reduction - compromising one HMI should not grant access to every device in the control network. The challenge is complexity: OT protocols may not be fully supported by micro-segmentation platforms, and the detailed traffic flow mapping required for policy definition can be difficult in environments with legacy systems and undocumented integrations. A pragmatic approach implements micro-segmentation progressively, starting with the most critical or most exposed systems and expanding coverage as operational understanding develops.
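As an added example (not code from this article or from any vendor platform), the Python policy engine below models the three layers covered in the VLAN, zone and micro-segmentation sections: a "VLAN-only" mode in which routed traffic passes unchecked, a default-deny zone-boundary policy aligned to Purdue levels with the DMZ as the only hop toward OT, and an identity-based micro-segmentation layer that binds each HMI to the PLCs it supervises. The inventory, zone names, service names and bindings are constructed for illustration; every decision carries a reason string suitable for cross-zone logging.

```python
from typing import NamedTuple

class Workload(NamedTuple):
    name: str
    zone: str   # Purdue-aligned zone the host sits in
    role: str   # application identity used for micro-segmentation

# Constructed inventory keyed by address; the rules below never mention IPs.
INVENTORY = {
    "10.1.0.25": Workload("corp-ws-01", "L4_enterprise", "workstation"),
    "10.2.0.10": Workload("hist-dmz-01", "DMZ", "historian_replica"),
    "10.3.0.5": Workload("hist-site-01", "L3_site", "historian"),
    "10.4.0.11": Workload("hmi-01", "L2_supervisory", "hmi"),
    "10.4.0.12": Workload("hmi-02", "L2_supervisory", "hmi"),
    "10.5.0.21": Workload("plc-01", "L1_control", "plc"),
    "10.5.0.22": Workload("plc-02", "L1_control", "plc"),
}

# Zone-boundary policy (src_zone, dst_zone, service): default deny, so the
# only path from enterprise toward OT is the DMZ hop; L4 -> L1 has no rule.
ZONE_RULES = {
    ("L4_enterprise", "DMZ", "https"),
    ("L3_site", "DMZ", "historian"),
    ("L2_supervisory", "L3_site", "historian"),
    ("L2_supervisory", "L1_control", "modbus"),
}
# Micro-segmentation policy by application identity (role pairs) plus an
# explicit binding of each HMI to the PLCs it supervises (constructed).
ROLE_RULES = {
    ("workstation", "historian_replica", "https"),
    ("historian", "historian_replica", "historian"),
    ("hmi", "historian", "historian"),
    ("hmi", "plc", "modbus"),
}
HMI_BINDINGS = {"hmi-01": {"plc-01"}, "hmi-02": {"plc-02"}}

def evaluate(src_ip, dst_ip, service, vlan_only=False):
    """Return (decision, reason); vlan_only models routed VLANs with no ACLs."""
    src, dst = INVENTORY[src_ip], INVENTORY[dst_ip]
    if vlan_only:
        return "ALLOW", "inter-VLAN routing with no enforcement"
    if src.zone != dst.zone and (src.zone, dst.zone, service) not in ZONE_RULES:
        return "DENY", f"no zone rule {src.zone}->{dst.zone}/{service}"
    if (src.role, dst.role, service) not in ROLE_RULES:
        return "DENY", f"no role rule {src.role}->{dst.role}/{service}"
    if dst.role == "plc" and dst.name not in HMI_BINDINGS.get(src.name, set()):
        return "DENY", f"{src.name} is not bound to {dst.name}"
    return "ALLOW", f"{src.name}->{dst.name}/{service} permitted"
```

With `vlan_only=True` the corporate workstation reaches plc-01 directly, exactly the unrestricted Layer 3 path the VLAN section warns about; with enforcement on, the same flow is denied at the zone boundary, and even hmi-01 is confined to its own PLC.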
East-West Traffic Inspection
Traditional security architectures focus on north-south traffic - communications entering or leaving the network. This made sense when threats primarily came from external attackers, but modern threats move laterally within networks after initial compromise. Detecting and preventing this lateral movement requires inspection of east-west traffic between systems within the network. East-west inspection can be implemented at zone boundaries, within micro-segmentation infrastructure, or through dedicated network detection capabilities. The key is gaining visibility into traffic patterns that traditional perimeter-focused tools miss. Anomaly detection can identify communications that deviate from established baselines - a workstation suddenly connecting to multiple servers it has never accessed before, or a control system attempting outbound connections. For critical infrastructure, east-west visibility is particularly valuable because OT environments often have predictable communication patterns. Control systems communicate with specific counterparts using specific protocols at regular intervals. Deviations from these patterns - even if they use permitted protocols - can indicate compromise. This baseline-based detection complements signature-based approaches that may not recognise OT-specific threats.
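An added example, not part of the original article, of the baseline-based east-west detection described above: learn the set of (source, destination, service) triples from a known-good window of flow records, then flag a host fanning out to peers it never spoke to and a Level 1 device attempting an outbound connection, even where the protocol in use would itself be permitted. The flow lines, host names and fan-out threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records, "timestamp,src,dst,service", from a known-good window.
BASELINE_LOG = """\
2024-05-01T08:00:00,hmi-01,plc-01,modbus
2024-05-01T08:00:05,hmi-02,plc-02,modbus
2024-05-01T08:01:00,hmi-01,hist-site-01,historian
2024-05-01T08:01:00,hmi-02,hist-site-01,historian
"""
# Constructed window under review: hmi-01 fans out to hosts it never spoke to
# (over a permitted protocol), and plc-02 attempts an outbound connection.
REVIEW_LOG = """\
2024-05-02T08:00:00,hmi-01,plc-01,modbus
2024-05-02T08:00:03,hmi-01,plc-02,modbus
2024-05-02T08:00:04,hmi-01,plc-03,modbus
2024-05-02T08:00:05,hmi-01,eng-ws-07,smb
2024-05-02T08:00:09,plc-02,203.0.113.9,https
2024-05-02T08:00:10,hmi-02,plc-02,modbus
"""
CONTROL_HOSTS = {"plc-01", "plc-02", "plc-03"}   # Level 1 devices (constructed)

def parse(log):
    """Yield (ts, src, dst, service) tuples; blank lines are skipped."""
    for line in log.splitlines():
        if line.strip():
            yield tuple(line.split(","))

def learn_baseline(log):
    """Known-good communication triples and the set of hosts seen in them."""
    triples = {(s, d, svc) for _, s, d, svc in parse(log)}
    hosts = {h for _, s, d, _ in parse(log) for h in (s, d)}
    return triples, hosts

def detect(log, baseline, fanout_threshold=2):
    """Alert on flows absent from the baseline: control-host egress and new fan-out."""
    triples, known_hosts = baseline
    alerts, new_peers = [], defaultdict(set)
    for ts, src, dst, svc in parse(log):
        if (src, dst, svc) in triples:
            continue   # matches the learned pattern; protocol alone is not the signal
        if src in CONTROL_HOSTS and dst not in known_hosts:
            alerts.append({"kind": "outbound_from_control", "ts": ts, "src": src, "dst": dst, "service": svc})
        new_peers[src].add(dst)
    for src, peers in new_peers.items():
        if len(peers) >= fanout_threshold:
            alerts.append({"kind": "new_fanout", "src": src, "new_peers": sorted(peers)})
    return alerts
```

Running `detect(REVIEW_LOG, learn_baseline(BASELINE_LOG))` raises one egress alert for plc-02 and one fan-out alert for hmi-01; the review window's legitimate hmi-02 polling, already in the baseline, produces nothing.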
Conclusion
Effective network segmentation for critical infrastructure requires moving beyond VLANs to implement zone-based architecture with enforced boundaries, micro-segmentation that limits lateral movement within zones, and east-west traffic inspection that provides visibility into internal communications. This layered approach significantly reduces the ability of attackers to move from initial compromise to high-value targets. The complexity is real, but the consequences of inadequate segmentation in critical infrastructure environments justify the investment.