OT/IT Network Segmentation for Utilities: A Practical Starting Architecture
Full IT/OT convergence takes years and a change-management program most utilities don't have budget for yet. This is the segmentation architecture that gets measurably safer in one cycle.
By Uniqcli Team · · 7 min read

Critical Infrastructure
OT/IT network segmentation for utilities doesn't have to be a five-year program
Utilities running SCADA, distribution automation, or substation control systems face a recurring question from auditors, insurers, and increasingly regulators: is the operational technology network actually separated from the business network, or does one flat topology connect the meter-data-management server to the relay that trips a breaker? Full IT/OT convergence — unified identity, centralized monitoring, one security view across both domains — is the eventual goal, but it's a multi-year program most utilities can't compress. An OT/IT network segmentation utility architecture doesn't require that scope. A minimum-viable segmentation — one enforced boundary, one asset inventory, one set of allow-listed paths — closes the largest exposure inside a single budget cycle. This piece lays out that starting architecture.
What is OT/IT segmentation and why do utilities need it?
Information technology handles email, billing, customer systems, and enterprise applications. Operational technology handles the physical process: SCADA masters, remote terminal units, protection relays, distribution management systems, and the field devices that open and close switches. Utilities historically ran these as separate networks, but over the last fifteen years the two have converged — remote vendor support, centralized historian data, and the savings of shared infrastructure. The result at many utilities is a flat network where a compromised laptop in billing has a viable path to a control-system historian, and from there to the OT LAN.
That path is exactly what ransomware operators look for. Incidents across the energy and water sectors have followed the same pattern: initial access through a phished IT account, lateral movement across an unsegmented network, and either data theft or a forced OT shutdown once the intrusion is found — even when the ransomware never touches a control system. The operational impact often comes from the utility's own scramble to isolate OT manually once it realizes the boundary doesn't exist.
Regulatory pressure reinforces this but doesn't fully cover it. Bulk electric utilities under NERC CIP carry mandated segmentation and monitoring requirements for high- and medium-impact assets. Municipal utilities, water and wastewater systems, and smaller electric cooperatives often fall outside that mandate entirely — which is precisely why deliberate, voluntary segmentation matters most for them. Nobody will require it on a deadline; the exposure exists either way.
Where should the first zone boundary go?
The Purdue Enterprise Reference Architecture is the standard mental model here, even for utilities that don't formally adopt it. It stacks levels from the field-device layer (Level 0/1: sensors, RTUs, relays) up through the control network (Level 2), the site operations layer (Level 3), and the enterprise IT network (Level 4/5). The single highest-leverage boundary in that stack sits at Level 3.5 — a demilitarized zone between site operations and the enterprise network, not down at the field-device layer.
Utilities often start segmentation at the bottom, trying to isolate individual RTUs or relays from each other. That's expensive, disruptive to engineering workflows, and addresses a smaller slice of the actual risk — the path an intruder uses runs from the enterprise network down, not laterally within the control network. Put the first firewall pair and monitoring point at the enterprise/OT boundary — the Level 3.5 DMZ — before touching anything below it. Segmenting substations from each other and hardening field communications is real work, but it's phase two and three, not the starting point.
How do you segment without breaking SCADA availability?
Control-system availability requirements are stricter than almost anything on the IT side — a firewall rule that blocks a legitimate DNP3 poll can trip an alarm or leave an operator blind to a breaker state. Segmentation work in OT can't follow the IT playbook of deploying an enforcement device and iterating on the rule set in production. The sequence has to be passive first, enforced second.
Start with a network tap or span port feeding a passive monitoring tool that builds an asset inventory and a protocol baseline — what's talking to what, over which protocol, on what schedule. Most utilities are surprised by what shows up: legacy engineering workstations running unsupported operating systems, vendor remote-access tools nobody remembers installing, historian jobs polling far more RTUs than documented. You cannot write an accurate allow-list for traffic you haven't observed.
Then move enforcement in during a planned outage window, allow-listing only the protocols and endpoints the baseline confirmed — DNP3, Modbus TCP, IEC 61850 GOOSE/MMS, or vendor historian traffic, each scoped to specific source and destination pairs rather than broad subnet rules. Keep redundant paths for protection functions intact throughout; segmentation must never introduce a single point of failure into a function that trips a breaker for safety.
What's the minimum viable segmentation for one budget cycle?
The scope that fits inside a single capital or operating budget cycle is narrower than a full convergence program, but it's not trivial. A defensible minimum has six elements: a validated OT asset inventory built from passive monitoring, not a spreadsheet; one enforced DMZ at the Level 3.5 boundary with a firewall pair, not a single point of failure; and one-way or broker-mediated historian replication so analytics never opens a live path back into the control network.
The other three lock down access: remote vendor and engineer access through an MFA-protected jump host, never a direct VPN into the OT LAN; east-west traffic between corporate and control LANs disabled outside the DMZ; and egress monitoring so unexpected outbound connections from OT get flagged. None of it requires touching field-device segmentation, replacing SCADA software, or re-architecting the control network — which is what makes it achievable in one cycle rather than five. It also produces the artifact auditors and insurers ask for: a documented, enforced boundary with monitoring, not a diagram that shows one on paper.
How do you sequence toward full convergence after year one?
The minimum-viable architecture is a foundation, not an endpoint. Once the Level 3.5 boundary is live and monitored, later cycles typically expand segmentation to individual substations or generation sites, each with its own enforced zone rather than one flat OT network behind the first DMZ. Centralized log aggregation across IT and OT tooling — without merging the identity systems — usually comes next, giving a security team one place to correlate an IT phishing alert with an OT anomaly instead of two disconnected consoles.
Identity convergence — a single directory governing access to both domains with role-based, least-privilege scoping — is realistically a year two or three initiative; rushing it is how utilities end up granting an IT service account standing access to a control network to hit a deadline. Sequencing matters more than speed: each phase should leave the utility measurably safer than the one before it, not just further along a roadmap.
Minimum-viable segmentation checklist
What a defensible first-cycle OT/IT segmentation project should include, regardless of utility size:
- Passive network monitoring deployed before any enforcement rule is written
- Documented OT asset inventory built from observed traffic, not a maintenance spreadsheet
- Redundant firewall pair at the Level 3.5 enterprise/OT boundary
- Protocol- and endpoint-scoped allow-list, not broad subnet rules
- One-way or broker-mediated historian replication out of the control network
- Jump-host-only remote access with MFA and full session logging
- East-west traffic between corporate and control LANs blocked outside the DMZ
- Egress monitoring on the DMZ for unexpected outbound OT connections
- Enforcement changes staged and applied during planned outage windows
- Redundant paths preserved for protection-relay communications throughout
Frequently asked
How much does OT/IT network segmentation cost for a utility?
It varies widely with site count, how legacy the control-system network is, and whether passive monitoring is already in place. The core hardware — a redundant firewall pair and a monitoring appliance for the Level 3.5 boundary — is a modest capital line; the larger cost driver is usually engineering labor for asset inventory and outage-window implementation, not equipment.
Do municipal and water utilities need OT/IT segmentation if they're not NERC CIP regulated?
Yes. NERC CIP applies to bulk electric assets above certain impact thresholds, which excludes most municipal electric, water, and wastewater systems. The absence of a regulatory mandate doesn't reduce the exposure — an unsegmented network is equally reachable by ransomware regardless of which regulator, if any, oversees the utility.
Can OT/IT segmentation be done without a control system outage?
The monitoring and inventory phase can run entirely passively with zero outage risk. Actual enforcement — deploying firewall rules that block previously-flat traffic — should still be staged into a planned outage window, because an incorrect rule against live SCADA polling can cause exactly the operational disruption segmentation is meant to prevent.
What network protocols need to be allow-listed through an OT/IT boundary?
It depends on the site, which is why the passive baseline matters more than a generic list. Common candidates include DNP3 and Modbus TCP for SCADA polling, IEC 61850 GOOSE/MMS for substation automation, and vendor-specific historian or engineering-workstation protocols — each scoped to specific source/destination pairs rather than allowed broadly.
Related resources
Go deeper
Utilities
How Uniqcli sources and stages networking, security, and control-system-adjacent IT for electric, water, and gas utilities.
Learn moreCritical infrastructure
The broader sector view: procurement and integration support across the infrastructure categories that share this risk profile.
Learn moreCyber capability
Sourcing and integration support for the network security tooling — firewalls, monitoring, access control — behind a segmentation build.
Learn moreScoping an OT/IT segmentation project
Uniqcli sources and stages the firewall pairs, monitoring appliances, and access-control hardware behind a Level 3.5 boundary build — configured for your environment and ready to install during your outage window.