OT Network Segmentation Best Practices for Smart Buildings

Slug: ot-network-segmentation-smart-buildings
Published: 2026-03-22
Category: Cybersecurity & OT/IT Convergence
Tags: Cybersecurity, OT/IT Convergence, Network Segmentation, Building Automation, Zero Trust, Ransomware, Infrastructure Protection
Excerpt: Building networks are converging—IT and OT are no longer separate kingdoms. This convergence delivers efficiency gains but creates novel attack paths. Real ransomware incidents (Johnson Controls, MGM Resorts, Omni Hotels) show that building systems can be weaponized or disabled at scale. Network segmentation strategies—from VLANs to data diodes—form the critical boundary between corporate IT breaches and operational disasters.

The Convergence Paradox

Today's smart buildings are deeply integrated. Building management systems sync with corporate energy dashboards. Facilities managers monitor HVAC remotely from their laptops. Access control integrates with HR systems for badge provisioning. Cloud platforms aggregate data across dozens of buildings for predictive maintenance and optimization.

This integration delivers real value: 20% energy efficiency gains, faster incident response, predictive equipment failure detection. But convergence creates a paradox: the same network connections that enable remote management also enable remote attack.

When a corporate IT network is breached (ransomware, credential compromise, APT foothold), the attacker gains a bridge to building systems. And when building systems are attacked directly—through exposed cloud APIs, weak BACnet credentials, or unpatched firmware—the attacker has a foothold inside the corporate perimeter.

The Ransomware Reality: Building Systems as Targets

Ransomware operators have learned that disrupting building systems creates immediate business pressure and negotiation leverage. Physical security, HVAC, access control—these are not optional IT conveniences; they are essential to facility operations. Disabling them generates urgency.

2023-2025 Incident Timeline

Johnson Controls (September 2023): A manufacturer of building automation controllers and systems was breached by the Dark Angels ransomware gang. Attackers claimed 27 terabytes of stolen data, including product designs and customer configurations. The company recorded a $27 million charge; the threat actors demanded a $51 million ransom. Source: Industrial Cyber
MGM Resorts (2023): A cyberattack on the casino and hotel operator disrupted operations at more than 30 properties. Guest check-in and room access systems went offline; booking systems became unavailable. Source: Industrial Cyber
Omni Hotels (2024): A targeted attack disabled check-in systems, room access, and Wi-Fi across properties. Manual processes were required to continue operations; guest confidence was damaged.
Hospital HVAC Disablement (2024): "Disabling Hospital HVAC Is Now a Bargaining Chip in Ransomware" became a known tactic. Shutting down climate control in surgical suites and patient areas creates immediate health and safety justification for ransom payment.

2025 Risk Assessment: Widespread Vulnerability

A 2025 Claroty analysis of nearly 500,000 building management systems found alarming exposure:

  • 75% of organizations have BMS devices affected by known exploited vulnerabilities (KEVs)
  • 69% have devices with confirmed vulnerabilities previously exploited in ransomware attacks
  • 51% are exposed to ransomware-linked vulnerabilities and are insecurely connected to the internet

For a typical large commercial building with 50+ BMS devices, the probability of at least one ransomware-linked vulnerability is near certainty. Without segmentation, a single compromised device is a beachhead for lateral movement to other systems.

Network Segmentation Architecture: Three Models

Network segmentation is the foundational defense strategy for OT/IT convergence. The goal: prevent lateral movement. If an attacker compromises one zone, they cannot automatically propagate to others.

Model 1: VLAN + Firewall (Traditional, Most Common)

VLANs partition a physical network into logical subnets. Access Control Lists (ACLs) and firewalls enforce policies between VLANs.

VLAN Segmentation Architecture
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Physical Network
(Single Ethernet cable plant throughout building)
        ↓
VLAN Logical Segmentation
  VLAN 10: HVAC Systems (10.10.0.0/24)
    ├─ RTU controllers
    └─ Thermal sensors
  VLAN 20: Access Control (10.20.0.0/24)
    ├─ Door readers
    └─ Lock controllers
  VLAN 30: Lighting & Occupancy (10.30.0.0/24)
    └─ Lighting controllers
  VLAN 100: Corporate IT (10.100.0.0/24)
    ├─ Workstations
    └─ File servers
  VLAN 200: Management & Monitoring (10.200.0.0/24)
    ├─ BAS web interface (DMZ)
    └─ Cloud gateway
        ↓
Firewall / L3 Switch
(Enforces ACL rules between VLANs)
        ↓
Traffic between VLANs ONLY via firewall rules
Example: VLAN 10 → VLAN 200 allowed; VLAN 10 → VLAN 100 BLOCKED

Strengths: Cost-effective, industry-standard, integrates with existing switches, granular control via ACLs.

Weaknesses: Firewall rules can become complex and difficult to audit; VLAN-hopping attacks can bypass logical boundaries; within-VLAN traffic is unencrypted and unauthenticated.

Recommended for: Medium-complexity buildings with 20-100 BAS devices; organizations with mature IT operations teams.

Model 2: DMZ + Unidirectional Gateway (Hybrid)

A DMZ (demilitarized zone) is a network segment that sits between OT and IT. Systems in the DMZ can communicate with both sides but are hardened against compromise. Unidirectional gateways (data diodes) enforce one-way data flow.

DMZ + Unidirectional Gateway Architecture
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
OT Network (Building Automation)
  ├─ HVAC Systems
  ├─ Access Control
  └─ Lighting & Sensors
  [Historical data, real-time setpoints]
        │
        ▼
Data Diode Gateway (Unidirectional)
  OT ──→ DMZ ──→ IT   (one-way valve)
        │
        ▼
DMZ Network (Monitored, Hardened)
  ├─ BAS Data Aggregation Server
  ├─ Cloud Gateway / API Gateway
  ├─ Security Monitoring / Logging
  └─ Historian Database
        │
        ▼
Firewall / WAF (Bidirectional, Rules)
        │
        ▼
IT Network (Corporate)
  ├─ Email & Collaboration
  ├─ File Servers
  ├─ User Workstations
  └─ Analytics & Reporting Portals

Data Diode Principle: A unidirectional gateway allows data to flow from OT to IT (sensors and status reports flowing out) but blocks any return traffic (no commands flowing back directly). If IT is compromised, attackers cannot use that connection to reach OT systems.

Strengths: Strong isolation; even if IT is breached, OT remains protected; data exfiltration is unidirectional (cannot pull sensitive building data into attacker-controlled IT systems).

Weaknesses: More complex to implement; requires a DMZ to manage; control commands from IT to OT must go through a separate bidirectional channel (which needs additional security); higher capital cost.

Recommended for: critical facilities (hospitals, data centers, financial centers); organizations with high-value OT assets; risk-averse environments. As one industry headline puts it, "Data Diodes Have Become Essential to Modern OT Cybersecurity".

Model 3: Zero Trust + Microsegmentation (Advanced)

Zero Trust architecture applied to building networks assumes that no device is inherently trustworthy: being on the "internal" network confers no trust, and access is granted only after continuous authentication and authorization.

Zero Trust Architecture for Building Networks
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Traditional (Perimeter-Based):
  Outside Network (Untrusted) ──[Firewall]── Inside Network (Trusted)
  Problem: Once inside, attackers move freely

Zero Trust (Continuous Verification):
  Every Device ─→ Identity Verification ─→ Device Health Check ─→ Policy Decision
  Every Access ─→ Real-time MFA ─→ Behavior Analysis ─→ Allow/Deny

Building Network Zero Trust Implementation:
  1. Device Identity: RTU registers with trust server with X.509 certificate
  2. Authentication: Trust server verifies certificate; checks device health (firmware version, patch level)
  3. Policy Enforcement: Access control engine decides which traffic is allowed
     ┌─ HVAC RTU wants to send data to cloud gateway?
     │  ├─ Verify RTU identity (certificate)
     │  ├─ Check RTU firmware is current (no known vulns)
     │  ├─ Check cloud gateway is legitimate (IP whitelist, certificate pinning)
     │  ├─ Rate-limit traffic (anomaly detection: is this traffic pattern normal?)
     │  └─ Allow or deny based on combined signals
     │
     └─ Workstation wants to access BAS?
        ├─ Verify user identity (multi-factor auth)
        ├─ Check workstation security (antivirus status, patch level, EDR telemetry)
        ├─ Check time/location (is this access pattern abnormal?)
        ├─ Apply least-privilege access (user can read thermal data, not write setpoints)
        └─ Allow or deny based on combined signals
  4. Monitoring: Every access attempt generates a log; anomalies trigger alerts

Zero Trust in Building Automation: By 2026, 60% of large enterprises will have implemented measurable zero trust programs, up from less than 10% in 2023. The market for zero trust solutions reached $31.6 billion in 2025, projected to grow to $67.3 billion by 2028.

Strengths: Assumes all actors (internal and external) are untrustworthy until proven otherwise; adapts to emerging threats; provides granular audit trails.

Weaknesses: Highest implementation complexity; requires significant IT/OT integration; ongoing policy management is labor-intensive; can introduce latency into real-time control systems (microsecond-critical applications).

Recommended for: High-risk environments; organizations with mature security operations; compliance-sensitive industries (healthcare, finance); buildings with sensitive research or government contracts.

Segmentation Technologies: VLANs, DMZ, Data Diodes

VLANs: Implementation Basics

"The easiest and lowest cost method of logically segmenting application traffic on IP networks is to combine the use of virtual LANs (VLANs) with access control lists (ACLs)", which breaks a network into separate broadcast domains and IP subnets.

VLAN Configuration Example (Cisco Switch)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
! Create VLANs
vlan 10
 name HVAC_Systems
vlan 20
 name Access_Control
vlan 100
 name Corporate_IT
vlan 200
 name Management_DMZ
!
! Assign access ports to VLANs
! This port belongs to the HVAC VLAN
interface Gi0/1
 switchport mode access
 switchport access vlan 10
! This port belongs to the Access Control VLAN
interface Gi0/2
 switchport mode access
 switchport access vlan 20
!
! Inter-VLAN routing is performed by a layer-3 switch or firewall;
! replace the bracketed placeholder with its address
! Route to HVAC
ip route 10.10.0.0 255.255.255.0 [Layer-3-Switch-IP]
! Route to Access Control
ip route 10.20.0.0 255.255.255.0 [Layer-3-Switch-IP]

Firewall ACLs Between VLANs:

Access Control List Example
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Firewall Rule 1: HVAC (10.10.0.0/24) → Management DMZ (10.200.0.0/24)
  ALLOW: UDP port 47808 (BACnet/IP)
  ALLOW: TCP port 443 (HTTPS to gateway)
  DENY:  All other traffic

Firewall Rule 2: HVAC (10.10.0.0/24) → Corporate IT (10.100.0.0/24)
  DENY:  All traffic (default deny)

Firewall Rule 3: Access Control (10.20.0.0/24) → Corporate IT (10.100.0.0/24)
  ALLOW: TCP port 80/443 (HR badge provisioning API only)
  DENY:  All other traffic

Firewall Rule 4: Corporate IT (10.100.0.0/24) → HVAC (10.10.0.0/24)
  DENY:  All traffic (no IT-to-OT communication)

DMZ Design Pattern

The DMZ hosts systems that must interact with both OT and IT networks. These systems are high-value targets (they bridge the security boundary) and must be hardened.

DMZ Systems Typically Include:

  • BAS Gateway / Aggregator: Collects data from all OT zones, exposes APIs to corporate IT
  • Cloud Integration Server: Connects building systems to cloud platforms (energy management, predictive maintenance)
  • Historian Database: Stores time-series data from BAS; queried by analytics platforms
  • Web Portal / Dashboard: User interface for facilities management
  • Logging and Monitoring Server: Receives syslog and SNMP from OT; correlates with IT security logs

DMZ Hardening Checklist:

  • ☐ Minimal OS installation: only required services running; remove unnecessary software
  • ☐ Network access controls: DMZ systems can reach IT and OT, but IT and OT cannot reach each other directly
  • ☐ Host-based firewall: restrict outbound connections from DMZ servers (e.g., the cloud gateway can reach only the cloud platform's endpoints, not arbitrary external IPs)
  • ☐ Application whitelisting: only approved software can execute (prevents backdoors)
  • ☐ Disk encryption: sensitive data (credentials, API keys) is encrypted at rest
  • ☐ Multi-factor authentication: administrative access requires MFA
  • ☐ Centralized logging: all logs forwarded to syslog server; SIEM ingests for correlation
  • ☐ Regular patching: security updates applied within 48 hours of release
  • ☐ Intrusion detection: IDS/IPS on DMZ boundary detects exploit attempts

Data Diodes: One-Way Data Transfer

"A unidirectional gateway, or data diode, allows traffic to flow in only one direction and acts as an additional protection against system compromises at higher levels or tiers. Data diodes enforce a physical separation between network segments using one-way data transfer protocols, designed to eliminate back door attacks or breaches."

The data diode market is growing rapidly: projected to nearly double from $467 million in 2024 to nearly a billion dollars by 2034, reflecting increasing demand.

How Data Diodes Work:

Data Diode: Unidirectional Architecture
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
OT Network              Data Diode                IT Network
(Building Systems)      (One-way valve)           (Corporate)

HVAC RTU ─────┐                                   ┌──── Analytics
Sensors ──────┤────→ Sensor Data & Status ───────→├──── Email
Controllers ──┤      (Unidirectional Only!)       ├──── File Servers
Actuators ────┘                                   └──── Workstations
              ←──────────── BLOCKED ───────────────┘
                        (No return traffic)

OT Network              Firewall                  IT Network
(Building Systems)      (Bidirectional)           (Corporate)

RTU Controllers ──────────→ SETPOINT UPDATES ←────────── Facilities Portal
(Separate channel for control - protected by policy)

Data Diode Use Case in Smart Buildings: A hospital building system sends temperature and occupancy data to a corporate energy management analytics platform. The diode allows data to flow outbound only. If the analytics platform is compromised (or a hacker gains access to the corporate network), they cannot use that connection to reach back into the building systems. Control commands (if needed) must flow through a separate secured channel with bidirectional firewalls and authentication.

BACnet/IP Security in Segmented Networks

BACnet is the most common building automation protocol, but "millions of BACnet devices are lacking common security mechanisms such as user authorization, device authentication, and data encryption" because the protocol was designed in air-gapped environments.

BACnet Vulnerabilities in Convergence

When BACnet/IP is used across VLAN boundaries or over the internet (via cloud gateways), these vulnerabilities become exploitable:

  • Lack of Authentication: Any device that can send BACnet packets is treated as valid; spoofing is trivial
  • No Encryption: Setpoints, sensor readings, and control commands are transmitted in cleartext
  • Broadcast Vulnerabilities: BACnet broadcasts can be hijacked or spoofed
  • Weak Object Access Control: No fine-grained authorization; if you're on the network, you can read/write most objects

Defense Strategy: BACnet Secure Connect (BACnet/SC)

BACnet Secure Connect (BACnet/SC) adds encryption and authentication to BACnet over IP. Key features:

  • TLS 1.2+ encryption for all BACnet/IP traffic
  • Device certificate authentication (X.509)
  • Integrity checking (no tampering with messages)
  • Backward compatible with legacy BACnet systems (via gateways)

Implementation Path for Segmented Networks:

BACnet/SC Deployment Strategy
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Phase 1: Legacy BACnet (Isolated VLAN)
  ├─ All BACnet devices on VLAN 10 (no encryption)
  ├─ Firewall blocks all outbound access
  └─ Gateway (DMZ) translates to BACnet/SC when exporting data to IT

Phase 2: Hybrid (New devices + gateway translation)
  ├─ New RTU controllers support BACnet/SC
  ├─ Legacy devices remain on isolated VLAN
  ├─ BACnet/SC Gateway translates between encrypted and cleartext
  └─ Firewall enforces inter-zone rules

Phase 3: Full BACnet/SC (Convergence-ready)
  ├─ All devices upgraded to BACnet/SC-capable firmware
  ├─ All BACnet/IP traffic encrypted end-to-end
  ├─ Cross-VLAN communication protected by TLS
  └─ Device certificates managed by PKI infrastructure

Monitoring and Anomaly Detection for Building Networks

Segmentation creates barriers, but barriers alone don't detect breaches. Anomaly detection is the sensory system: it identifies when normal network behavior changes in ways that suggest compromise.

Building Network Baselines

A baseline is the pattern of normal traffic. Once established, deviations become alerts. Key metrics to baseline:

HVAC-to-DMZ Traffic
  Normal baseline: UDP port 47808 (BACnet), 10 packets/min, 5 KB/min
  Anomaly indicator: Sudden spike (50 packets/min, 50 KB/min); new destination IPs
  Action: Alert; check for command injection or data exfiltration

Access Control Commands
  Normal baseline: Periodic reader polls, typical unlocks during business hours
  Anomaly indicator: Unlock commands at 3 AM; unlock all doors simultaneously
  Action: Alert; verify legitimacy; check for physical security breach

Sensor Value Ranges
  Normal baseline: Building temp 68-74°F, occupancy 0-300 people
  Anomaly indicator: Temp spikes to 110°F; occupancy shows 5000 (impossible)
  Action: Alert; check for sensor failure or spoofed data

Cross-VLAN Traffic
  Normal baseline: Corporate IT → DMZ gateway only (specific IPs, ports)
  Anomaly indicator: Corporate IT → HVAC VLAN (should be blocked); new source IPs
  Action: Alert; investigate firewall rule violations; potential breach

Configuration Changes
  Normal baseline: Scheduled firmware updates, quarterly setpoint adjustments
  Anomaly indicator: Unscheduled changes; configuration via unexpected source IP
  Action: Alert; require approval before changes take effect
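As an added example (not code from the article or from any vendor), the following Python script parses BACnet/IP datagrams seen on a SPAN/TAP and scores them against a zone policy built from the page's Firewall Rules 1 and 4 and the Cross-VLAN Traffic baseline above. The subnets are the page's VLAN plan; the read/write split in the policy table and the three sample datagrams are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Zone subnets exactly as in the article's VLAN plan.
ZONES = {
    "HVAC": ipaddress.ip_network("10.10.0.0/24"),
    "ACCESS_CONTROL": ipaddress.ip_network("10.20.0.0/24"),
    "CORP_IT": ipaddress.ip_network("10.100.0.0/24"),
    "MGMT_DMZ": ipaddress.ip_network("10.200.0.0/24"),
}

# BACnet actions each (source zone, destination zone) pair may carry. Default deny:
# any pair missing here is a zone-policy violation. The read/write split is an
# assumed refinement of Firewall Rule 1 (HVAC <-> DMZ on UDP 47808) and Rule 4.
BACNET_POLICY = {
    ("HVAC", "HVAC"): {"read", "write"},       # intra-VLAN, unauthenticated by design
    ("HVAC", "MGMT_DMZ"): {"read"},            # I-Am replies, COV reports, property ACKs
    ("MGMT_DMZ", "HVAC"): {"read", "write"},   # BAS gateway polls and sets setpoints
}

BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU",
                  0x0B: "Original-Broadcast-NPDU"}
UNCONFIRMED = {0x00: "I-Am", 0x02: "UnconfirmedCOVNotification", 0x07: "Who-Has", 0x08: "Who-Is"}
CONFIRMED = {0x0C: "ReadProperty", 0x0E: "ReadPropertyMultiple", 0x0F: "WriteProperty",
             0x10: "WritePropertyMultiple", 0x11: "DeviceCommunicationControl",
             0x14: "ReinitializeDevice"}
WRITE_SERVICES = {"WriteProperty", "WritePropertyMultiple",
                  "DeviceCommunicationControl", "ReinitializeDevice"}


@dataclass
class BacnetSummary:
    bvlc_function: str
    apdu_type: str
    service: str


def parse_bacnet_ip(payload: bytes) -> BacnetSummary:
    """Decode the BVLC header, step over the NPDU, and name the APDU service."""
    if len(payload) < 6 or payload[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    func, length = payload[1], int.from_bytes(payload[2:4], "big")
    if length != len(payload):
        raise ValueError("BVLC length field does not match datagram size")
    name = BVLC_FUNCTIONS.get(func, hex(func))
    pos = 4 + (6 if func == 0x04 else 0)       # Forwarded-NPDU carries a 6-byte B/IP address
    if payload[pos] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = payload[pos + 1]
    pos += 2
    if control & 0x20:                          # DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + payload[pos + 2]
    if control & 0x08:                          # SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + payload[pos + 2]
    if control & 0x20:
        pos += 1                                # hop count follows a destination specifier
    if control & 0x80:
        return BacnetSummary(name, "network-layer", "-")
    apdu_type = payload[pos] >> 4
    if apdu_type == 0:                          # Confirmed-Request; SEG flag adds 2 bytes
        choice = payload[pos + (5 if payload[pos] & 0x08 else 3)]
        return BacnetSummary(name, "confirmed", CONFIRMED.get(choice, hex(choice)))
    if apdu_type == 1:                          # Unconfirmed-Request
        choice = payload[pos + 1]
        return BacnetSummary(name, "unconfirmed", UNCONFIRMED.get(choice, hex(choice)))
    return BacnetSummary(name, "ack-or-error", "-")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "UNKNOWN")


def evaluate(src_ip: str, dst_ip: str, payload: bytes) -> tuple:
    """Return (severity, reason) for one UDP/47808 datagram observed on the mirror port."""
    s = parse_bacnet_ip(payload)
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    action = "write" if s.service in WRITE_SERVICES else "read"
    if action in BACNET_POLICY.get((src, dst), set()):
        return "info", f"{s.service} {src}->{dst} permitted"
    # A write from outside the permitted pairs is a command-injection indicator;
    # discovery or reads are a zone crossing the firewall should already have blocked.
    severity = "high" if action == "write" else "medium"
    return severity, f"{s.service} ({s.bvlc_function}) {src} {src_ip} -> {dst} {dst_ip} violates zone policy"


# Constructed datagrams (not captures): a Who-Is broadcast, a ReadProperty of
# analog-value 1 present-value, and a WriteProperty setting it to 42.0 at priority 8.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
READ_PV = bytes.fromhex("810a001101040005020c0c008000011955")
WRITE_PV = bytes.fromhex("810a001a01040005010f0c0080000119553e44422800003f4908")


def scan(flows):
    """Evaluate (src, dst, payload) tuples and return only the alerts worth routing."""
    return [(sev, why) for src, dst, pl in flows
            for sev, why in [evaluate(src, dst, pl)] if sev != "info"]


if __name__ == "__main__":
    for sev, why in scan([("10.200.0.10", "10.10.0.5", READ_PV),
                          ("10.100.0.23", "10.10.0.255", WHO_IS),
                          ("10.100.0.23", "10.10.0.5", WRITE_PV),
                          ("10.10.0.5", "10.10.0.7", WRITE_PV)]):
        print(sev.upper(), why)
```

Feed it the UDP payloads from a pcap of the mirror port; the two alerts it raises on the sample flows are exactly the "Corporate IT → HVAC VLAN" case the baseline above says should never appear.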

Integration with SOC Operations

Building networks are traditionally managed by facilities; security is managed by IT/Security. Modern operations require integration.

SOC Integration Pattern:

Building Network → SOC Integration Pipeline
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
BAS Network Events
  ├─ Firewall ACL violations (e.g., unauthorized zone crossing)
  ├─ Anomalous sensor readings or control commands
  ├─ Failed authentication attempts on gateways
  ├─ Firmware update notifications
  └─ Device status changes (new devices, devices offline)
        ↓
Syslog / SNMP / API
        ↓
SIEM Platform (Splunk, ELK, Microsoft Sentinel)
        ↓
Correlation Rules:
  • Firewall violation + High-value device in HVAC zone = High severity
  • Unscheduled firmware update attempt = Medium severity
  • Occupancy sensor reading > 5000 = Low severity (likely sensor error)
        ↓
Alert Routing:
  ├─ High severity → Immediate escalation to on-call security engineer
  ├─ Medium severity → SOC analyst triage during business hours
  └─ Low severity → Daily summary report
        ↓
Incident Response:
  ├─ Isolate affected zone (firewall rule: disable zone connectivity)
  ├─ Capture network traffic (preserve evidence)
  ├─ Notify facilities team (manual operations backup)
  └─ Post-incident review (lessons learned, process improvements)

Zero Trust Architecture for Building Networks

Zero Trust is not a network device; it's a security philosophy applied across the entire building infrastructure. KMC Dome, designed specifically for building automation networks, brings Zero Trust principles to life by continuously authenticating every connection—user, system, or device—before access is granted, creating internal checkpoints that dynamically verify trust.

Zero Trust Implementation for Building Systems

1. Device Identity and Device Health

Every device (RTU, sensor, lock controller) has a cryptographic identity (X.509 certificate). During registration, the device proves its identity to a trust server, which verifies:

  • Serial number matches device record (prevents spoofing)
  • Firmware version is current (no known vulnerabilities)
  • Hardware integrity (no tampering)
  • Certificates are not revoked

Once registered, the device must continuously prove its health. If firmware becomes outdated (security patch released), the device is automatically de-trusted until updated.

2. Per-Connection Authentication

Every communication flow requires explicit authentication. An HVAC RTU wanting to send data to the cloud gateway must:

  • Present its certificate (device identity)
  • Prove it's authorized to communicate with this specific gateway (policy decision)
  • Submit to real-time health check (firmware version, patch status, no malware)
  • Rate-limit connection (is this traffic pattern normal?)

If the RTU is compromised (malware installed), the health check fails, and the connection is denied—even if the device is physically on the network.

3. Least Privilege Access

Users and devices are granted the minimum access necessary. Examples:

  • Facilities manager can READ all BAS data, WRITE setpoints only during business hours
  • RTU 1 can send temperature data to gateway, cannot READ Access Control zone
  • Cloud analytics service can READ historical data, cannot issue real-time control commands

4. Continuous Monitoring

Every access attempt is logged and analyzed. Anomalies trigger alerts:

  • RTU sending 100x normal data volume (possible exfiltration attempt)
  • User accessing BAS from geographic location 5000 miles away (account compromise)
  • Cloud gateway attempting to access devices not in its allowed scope (policy violation)

Practitioner Implementation Roadmap

Phase 1: Current State Assessment (Weeks 1-2)

  • ☐ Network diagram: physically map all BAS devices, IT systems, cloud connections
  • ☐ Traffic baseline: capture 1-2 weeks of normal network traffic; understand flows
  • ☐ Risk assessment: which systems/zones are critical; what's the impact of compromise?
  • ☐ Compliance review: PCI-DSS, HIPAA, or industry standards that apply to building systems?
  • ☐ Stakeholder interviews: facilities, IT, security, compliance; identify pain points and constraints

Phase 2: Segmentation Planning (Weeks 3-4)

  • ☐ Define zones: group devices by criticality and function (HVAC, Access, Lighting, etc.)
  • ☐ Choose segmentation model: VLAN+Firewall, DMZ, or Zero Trust?
  • ☐ Design VLANs/subnets: IP ranges for each zone; VLAN IDs and naming conventions
  • ☐ Firewall rules: explicitly list allowed flows between zones; default DENY all others
  • ☐ High-availability plan: how to operate manually if segmentation breaks network connectivity?

Phase 3: Infrastructure Deployment (Weeks 5-12)

  • ☐ Upgrade network hardware: switches must support VLAN trunking, firewalls must support OT protocols
  • ☐ Implement VLANs: configure switches; assign ports to VLANs without disrupting service
  • ☐ Deploy firewalls: inter-zone gateways; configure initial ACLs and test rules
  • ☐ Install monitoring: network TAP or SPAN; collect baseline data; tune alerts
  • ☐ Test failover: simulate failure of segmentation device; verify manual bypass works

Phase 4: Device Hardening (Weeks 13-20)

  • ☐ Inventory firmware: document current version for each device type
  • ☐ Security advisory review: cross-reference CVE databases; identify devices with known vulns
  • ☐ Plan firmware updates: prioritize critical security patches; schedule with minimal downtime
  • ☐ Remove defaults: disable unused services, change default passwords, configure timeouts
  • ☐ Encryption support: identify which devices support BACnet/SC or TLS; plan upgrades

Phase 5: Monitoring & Alerting (Weeks 21-28)

  • ☐ Baseline validation: confirm 4+ weeks of baseline data is representative
  • ☐ Anomaly detection tuning: define thresholds; reduce false positives
  • ☐ SIEM integration: forward logs to central security platform; create correlation rules
  • ☐ Alert routing: define escalation procedures; on-call rotation for building security
  • ☐ Documentation: runbooks for common alerts; how to investigate and respond

Phase 6: Incident Response & Hardening (Weeks 29+)

  • ☐ Incident response plan: written procedures for breach scenarios
  • ☐ Manual operations procedures: how to operate HVAC and access control if systems fail
  • ☐ Backup/recovery testing: restore from backups; verify RTO (recovery time objective)
  • ☐ Tabletop exercise: simulate incident; test communication and response
  • ☐ Continuous improvement: quarterly review of alerts, vulnerabilities, and architecture

Key Takeaways

  • Convergence is inevitable, and so are threats. Smart buildings must be integrated, but integration creates attack paths. Segmentation is the primary defense.
  • Ransomware targets building systems explicitly. 2023-2025 incidents show attackers understand the leverage: disrupting HVAC, access control, or lighting creates immediate business pressure.
  • Choose the segmentation model that fits your risk profile. VLAN+Firewall for cost-conscious organizations; DMZ+Diode for risk-averse; Zero Trust for high-security environments.
  • Monitoring transforms segmentation from a firewall rule into a security system. Baselines and anomaly detection identify when attackers are trying to cross zone boundaries or manipulate building systems.
  • Integration with SOC is non-negotiable. Building network alerts must flow into central security operations; facilities and security teams must collaborate.
  • Implementation is a journey. Start with network segmentation (highest ROI, fastest deployment); add encryption, anomaly detection, and Zero Trust incrementally over 9-12 months.

Cover Image Description

Recommended Cover Image: Network diagram showing the segmentation models side by side: a traditional VLAN+firewall topology (left) with VLANs color-coded and firewall symbol at the boundary; a DMZ+diode topology (center) with the data diode shown as a one-way valve; and a Zero Trust topology (right) with identity and access control checkpoints at multiple layers. Use blue for OT, gray for IT, green for DMZ. Include security metrics or heatmaps showing traffic flows and blocked attempts. Professional technical aesthetic; 1200x800px.