When new regulations require significant changes to an existing network security architecture, determining where to begin can be challenging. Redesigning a network is rarely as simple as unplugging a cable and reconnecting it elsewhere — especially when the new configuration must continue to interoperate with existing infrastructure.
This post summarizes a real-world OT network segmentation project: a complete architectural redesign separating critical control systems from both the public internet and the internal business network. The full technical whitepaper is linked below.
The Requirements
The environment contained critical control systems subject to new regulatory requirements. The segmentation mandate was specific and non-negotiable:
- Three layers of firewalls between the public internet and the OT network
- No outbound connections originating from OT assets
- No direct access to the OT network from the public internet
- No direct access to the OT network from the business network
Why This Matters
Prior to segmentation, the environment used a flat network design — meaning a compromise on the business side could move laterally into critical control systems with little friction. Outbound internet access from OT assets added further exposure to command-and-control channels and data exfiltration.
A successful compromise of OT systems doesn't just mean data loss. It can mean physical safety hazards, service outages, and significant regulatory fines. The risk profile for flat IT/OT architectures is fundamentally different from a standard business network breach.
The Approach
The solution centered on a three-firewall architecture with a Leap network — a controlled intermediary zone modeled on jump-host security principles. Rather than allowing any direct path into OT systems, all remote connections terminate in the Leap network first, where stricter authentication, monitoring, and ACL-governed access controls are enforced before any limited OT access is permitted.
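The four mandates above and the Leap-zone path described here can be checked mechanically before a ruleset goes into production. The following is an added example, not the project's own code or configuration: it models each zone and the session directions each firewall allows, then tests the policy against the four requirements. Zone names, firewall names and both policies are constructed assumptions.

```python
"""Added example: zone/firewall flow model and a checker for the four segmentation mandates."""
from collections import deque

# Constructed policy for the segmented design. Each tuple is one allowed
# session direction (initiating zone, destination zone, enforcing firewall);
# any flow not listed is denied. Zone and firewall names are assumptions.
SEGMENTED = [
    ("internet", "business", "fw1"),  # edge firewall
    ("business", "leap", "fw2"),      # business users may only reach the Leap zone
    ("leap", "ot", "fw3"),            # Leap is the sole path into OT
]

# Constructed "before" policy: flat IT/OT behind one firewall, with OT outbound.
FLAT = [
    ("internet", "business", "fw1"),
    ("business", "ot", "fw1"),        # lateral movement into OT is one hop
    ("ot", "internet", "fw1"),        # OT-initiated outbound: C2 and exfil exposure
]

def allowed_paths(policy, src, dst):
    """Return every loop-free chain of firewalls that lets src initiate to dst."""
    hops = {}
    for s, d, fw in policy:
        hops.setdefault(s, []).append((d, fw))
    paths, queue = [], deque([(src, [src], [])])
    while queue:
        zone, seen, fws = queue.popleft()
        if zone == dst:
            paths.append(fws)
            continue
        for nxt, fw in hops.get(zone, []):
            if nxt not in seen:  # never revisit a zone
                queue.append((nxt, seen + [nxt], fws + [fw]))
    return paths

def check_mandates(policy):
    """Map each mandate to True if the policy satisfies it, else False."""
    direct = {(s, d) for s, d, _ in policy}
    inet_to_ot = allowed_paths(policy, "internet", "ot")
    return {
        # distinct firewalls on every internet->OT path (vacuously true if none)
        "three_firewalls_internet_to_ot": all(len(set(p)) >= 3 for p in inet_to_ot),
        "no_outbound_from_ot": not any(s == "ot" for s, _, _ in policy),
        "no_direct_internet_to_ot": ("internet", "ot") not in direct,
        "no_direct_business_to_ot": ("business", "ot") not in direct,
    }

if __name__ == "__main__":
    print(check_mandates(SEGMENTED), check_mandates(FLAT))
```

The flat policy fails three of the four checks, which is the gap the redesign closes; the model deliberately ignores NAT and VLAN details, so it validates zone reachability, not the full configuration.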
The full whitepaper covers the complete implementation: mock network design, double-NAT configuration, VLAN architecture for high-availability failover, identity and access policies, and the real-world challenges that emerged between the lab environment and production deployment.
Read the Full Whitepaper
Complete architecture diagrams, firewall config approach, VLAN design, lessons learned, and NIST SP 800-82 compliance notes.