
Network segmentation (IT/OT separation) in SCADA systems - Step-by-Step Execution

Process Flow - Network segmentation (IT/OT separation)
Start: Network Traffic
  -> Traffic arrives at Firewall
  -> Check: Source = IT or OT?
  -> Route to IT Zone (or to the OT Zone when the source is OT)
  -> Apply IT Policies (or OT Policies)
  -> Allow or Block Traffic
  -> End
A firewall checks each flow of network traffic to see whether it comes from IT or OT. The traffic is then routed into its own zone and controlled by that zone's policies, so the two sets of systems stay separated.
Execution Sample
# Rule: block traffic from the IT zone into the OT zone.
firewall_rule = {
    'source_zone': 'IT',
    'destination_zone': 'OT',
    'action': 'block',
}

def apply_firewall_rule(rule):
    # Stand-in for the platform call that installs the rule on the firewall.
    print(f"{rule['action']}: {rule['source_zone']} -> {rule['destination_zone']}")

apply_firewall_rule(firewall_rule)
This code blocks traffic from the IT zone to the OT zone by installing a single firewall rule.
Process Table
| Step | Traffic Source | Traffic Destination | Firewall Check        | Action Taken | Result                                   |
|------|----------------|---------------------|-----------------------|--------------|------------------------------------------|
| 1    | IT             | OT                  | Source=IT, Dest=OT    | Block        | Traffic blocked between IT and OT        |
| 2    | IT             | IT                  | Source=IT, Dest=IT    | Allow        | Traffic allowed within IT zone           |
| 3    | OT             | OT                  | Source=OT, Dest=OT    | Allow        | Traffic allowed within OT zone           |
| 4    | OT             | IT                  | Source=OT, Dest=IT    | Block        | Traffic blocked between OT and IT        |
| 5    | Unknown        | IT                  | Source unknown        | Block        | Traffic blocked due to unknown source    |
💡 Traffic is either allowed or blocked based on source and destination zones to keep IT and OT separated.
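The five table rows as a runnable zone-based decision function, added here as an example and not code from the original page. The subnets, addresses and function names are constructed for the example; the policy itself is exactly the one the table states (same zone allow, cross-zone block, unknown source block).

```python
from ipaddress import ip_address, ip_network

# Constructed zone map: which subnets belong to IT and which to OT.
ZONES = {
    "IT": [ip_network("10.1.0.0/16")],
    "OT": [ip_network("10.2.0.0/16")],
}

def zone_of(ip: str) -> str:
    """Classify an address as IT, OT or Unknown (outside every mapped subnet)."""
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "Unknown"

def firewall_decision(src_ip: str, dst_ip: str) -> dict:
    """Apply the page's policy: same zone -> Allow, cross-zone or unknown -> Block."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "Unknown" or dst == "Unknown":
        action = "Block"   # default-deny: anything not mapped to a zone is refused
    elif src == dst:
        action = "Allow"   # traffic stays inside IT or inside OT
    else:
        action = "Block"   # IT<->OT crossings are refused in both directions
    return {"source_zone": src, "destination_zone": dst, "action": action}

def evaluate(flows):
    """Run the decision over a list of (src_ip, dst_ip) pairs."""
    return [firewall_decision(s, d) for s, d in flows]

# Constructed flows mirroring Process Table rows 1-5.
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.2.7.30"),   # row 1: IT -> OT
    ("10.1.5.20", "10.1.9.40"),   # row 2: IT -> IT
    ("10.2.7.30", "10.2.8.31"),   # row 3: OT -> OT
    ("10.2.7.30", "10.1.5.20"),   # row 4: OT -> IT
    ("192.0.2.9", "10.1.5.20"),   # row 5: Unknown -> IT
]

if __name__ == "__main__":
    for (s, d), r in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{s} -> {d}: {r['source_zone']}->{r['destination_zone']} {r['action']}")
```

Because classification happens before the policy check, an address that belongs to neither subnet list is blocked even when it is routable, which is what makes row 5 a default-deny rather than a special case.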
Status Tracker
| Variable            | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | After Step 5 |
|---------------------|-------|--------------|--------------|--------------|--------------|--------------|
| traffic_source      | None  | IT           | IT           | OT           | OT           | Unknown      |
| traffic_destination | None  | OT           | IT           | OT           | IT           | IT           |
| firewall_action     | None  | Block        | Allow        | Allow        | Block        | Block        |
Key Moments - 2 Insights
Why is traffic from IT to OT blocked but traffic within IT allowed?
Because the firewall rules separate the IT and OT zones to protect OT systems. Process Table rows 1 and 2 show blocking between zones and allowing inside the same zone.
What happens if the source of traffic is unknown?
Traffic is blocked by default to keep the network safe, as shown in Process Table row 5.
Visual Quiz - 3 Questions
Test your understanding
Looking at the Process Table, what action is taken when the traffic source is OT and the destination is IT?
A. Allow
B. Log only
C. Block
D. Redirect
💡 Hint
Check row 4 in the Process Table, where source=OT and destination=IT.
At which step does the firewall allow traffic within the OT zone?
A. Step 1
B. Step 3
C. Step 2
D. Step 5
💡 Hint
Look at the Process Table row where source and destination are both OT.
If the firewall action for unknown sources changed to 'Allow', how would the result in step 5 change?
A. Traffic would be allowed
B. Traffic would be blocked
C. Traffic would be redirected
D. No change
💡 Hint
Refer to the Status Tracker and Process Table row 5 for the current action and result.
Concept Snapshot
Network segmentation separates IT and OT zones.
Firewall checks source and destination zones.
Traffic between IT and OT is blocked.
Traffic inside the same zone is allowed.
Unknown sources are blocked by default.
This protects critical OT systems from IT threats.
Full Transcript
Network segmentation means dividing a network into parts to keep IT systems separate from OT systems. When network traffic arrives, a firewall checks if it comes from IT or OT. If traffic tries to go from IT to OT or OT to IT, the firewall blocks it. Traffic inside IT or inside OT is allowed. If the source is unknown, the firewall blocks the traffic to keep the network safe. This way, the OT systems that control important machines stay protected from IT network risks.