Securing the Unsecurable: Segmentation for Legacy OT Devices with IEC 62443

ARPITA (BISWAS) MAJUMDER | DATE: JANUARY 15, 2025



Operational Technology (OT) networks are the backbone of industrial operations, managing everything from manufacturing processes to critical infrastructure. Many of these networks still rely on legacy devices such as programmable logic controllers (PLCs), remote terminal units (RTUs), and older SCADA systems that were designed for isolated, trusted networks and have no built-in authentication, encryption, or hardening. That lack of inherent security makes them attractive targets, and because they control physical processes, a successful attack threatens operational continuity and safety, not just data.

 

The Legacy OT Security Problem

 

Legacy OT devices often lack basic security features and are no longer supported with manufacturer security patches. Known vulnerabilities therefore stay open indefinitely, and an attacker who can reach such a device on the network can exploit them to disrupt operations, steal data, or cause physical damage. The growing convergence of IT and OT networks makes this worse by giving attackers more pathways from the enterprise network to these vulnerable systems.

 

Why Traditional Firewall Segmentation Falls Short

 

Traditional network segmentation, such as a demilitarized zone (DMZ) between the IT and OT networks, provides a useful perimeter but is not granular enough to protect legacy OT devices on its own. Once an attacker breaches the OT network, nothing inside it restricts lateral movement, so a single foothold can be used to reach many vulnerable devices. Given that a significant percentage of attacks on OT networks enter from the IT side, protecting unpatchable devices from whatever gets past the perimeter is a high priority for OT security administrators.

 

Micro-segmentation: A Granular Approach

 


Micro-segmentation improves network security by isolating individual devices or small groups of devices and limiting communication between them to only what the process requires. This "zero trust" approach assumes no device is trustworthy just because it sits on the OT network: every permitted flow (source, destination, protocol, and port) must be explicitly allowed, and everything else is denied by default. Implementing micro-segmentation in OT networks has traditionally been difficult because the flows a process actually needs are rarely documented and a wrong rule can stop production. Modern solutions that learn the traffic baseline first and can run in a monitor-only mode before enforcement make it more feasible to deploy without significant operational disruption.

 

Benefits of Micro-segmentation for Legacy OT Devices

 

Containment: If a legacy device is compromised, micro-segmentation limits the attacker to the few flows that device was already allowed, preventing lateral movement to other critical systems and minimizing the impact of the breach.

 

Reduced Attack Surface: By limiting communication pathways, micro-segmentation shrinks the set of hosts and protocols that can reach a legacy device at all, so an attacker must first compromise one of the few hosts allowed to talk to it before any vulnerability in the device is even reachable.

 

Simplified Compliance: Micro-segmentation gives organizations direct evidence for requirements such as the zone and conduit partitioning in IEC 62443-3-2 and the network segmentation system requirement (SR 5.1) in IEC 62443-3-3, because the enforced policy itself documents which zones may communicate and over which conduits.

 

Virtual Patching: Where devices cannot be patched, micro-segmentation can act as a virtual patch: the enforcement point in front of the device (a segmentation gateway or an inline IPS) blocks the traffic a known exploit depends on, for example by refusing connections to a vulnerable service from every host except the one that legitimately needs it, or by restricting which commands a permitted host may send. The vulnerability itself remains, so the device is still exposed to any host that is allowed through; virtual patching narrows who can reach the flaw rather than removing it.

 

Implementing Micro-segmentation in Line with IEC 62443



ISA/IEC 62443 is a series of standards for the security of industrial automation and control systems (IACS), the standard's term for OT. The series provides detailed requirements and methods that address the constraints of industrial environments, including devices that cannot be patched or hardened. Implementing micro-segmentation in accordance with IEC 62443 means partitioning the system into zones (groups of assets that share security requirements) and conduits (the permitted communication paths between zones) as described in IEC 62443-3-2, assigning each zone a target security level (SL 1 to 4) and selecting the corresponding system requirements from IEC 62443-3-3, and enforcing access control on every conduit. Placing a legacy device in its own small zone, with a single tightly controlled conduit, is how this structured approach protects an unpatchable device within the overall network architecture.
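As an added example (not code from the original post or from any product it mentions) of the zone-and-conduit model in the paragraph above and of the virtual-patching rule described under Benefits, the Python below evaluates network flows against a default-deny conduit allow-list and, on the Modbus/TCP conduit, inspects the function code so that write commands are accepted only from the engineering zone. The zones, target security levels, addresses, conduits and sample Modbus requests are all made-up assumptions chosen for illustration.

```python
"""Zone-and-conduit policy check for a small OT network (constructed example).
Hosts belong to zones with a target security level (SL-T); inter-zone traffic is
allowed only over a declared conduit and denied by default. On Modbus/TCP conduits
the function code is checked too: the "virtual patch" behaviour in the text."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# zone name -> (SL-T, subnets). Constructed values, not a real plant.
ZONES = {
    "enterprise":  (1, ["10.0.0.0/16"]),
    "supervisory": (2, ["10.1.20.0/24"]),
    "engineering": (3, ["10.1.10.0/24"]),
    "cell1_plcs":  (3, ["10.1.30.0/24"]),
}
MODBUS_READ = frozenset({1, 2, 3, 4})            # read coils/inputs/registers
MODBUS_WRITE = frozenset({5, 6, 15, 16, 22, 23})  # write coils/registers

@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    proto: str
    port: int
    modbus_funcs: Optional[frozenset] = None  # None: no application-layer check

# The allow-list. Anything not matched here is denied.
CONDUITS = [
    Conduit("supervisory", "cell1_plcs", "tcp", 502, MODBUS_READ),
    Conduit("engineering", "cell1_plcs", "tcp", 502, MODBUS_READ | MODBUS_WRITE),
    Conduit("engineering", "cell1_plcs", "tcp", 44818),  # EtherNet/IP, L4 check only
]

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes = b""

def zone_of(ip: str) -> Optional[str]:
    """Map a host address to its zone, or None if unassigned."""
    addr = ip_address(ip)
    for name, (_sl, nets) in ZONES.items():
        if any(addr in ip_network(n) for n in nets):
            return name
    return None

def modbus_function(payload: bytes) -> Optional[int]:
    """Function code of a Modbus/TCP request, or None if malformed. MBAP header:
    transaction id (2), protocol id (2, must be 0), length (2), unit id (1)."""
    if len(payload) < 8 or payload[2:4] != b"\x00\x00":
        return None
    return payload[7]

def evaluate(flow: Flow) -> tuple:
    """Return ("allow" | "deny", reason) for one flow."""
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "host not assigned to any zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic in {src_zone}"
    for c in CONDUITS:
        if (c.src, c.dst, c.proto, c.port) != (src_zone, dst_zone, flow.proto, flow.dst_port):
            continue
        if c.modbus_funcs is None:
            return "allow", f"conduit {c.src}->{c.dst} {c.proto}/{c.port}"
        fc = modbus_function(flow.payload)
        if fc is None:
            return "deny", "malformed or non-Modbus payload on a Modbus conduit"
        if fc in c.modbus_funcs:
            return "allow", f"conduit {c.src}->{c.dst} modbus fc={fc}"
        return "deny", f"modbus fc={fc} not permitted from {src_zone} (virtual patch)"
    return "deny", f"no conduit {src_zone}->{dst_zone} {flow.proto}/{flow.dst_port}"

def conduits_needing_review() -> list:
    """Example's own convention: a conduit from a lower SL-T zone into a higher one."""
    return [c for c in CONDUITS if ZONES[c.src][0] < ZONES[c.dst][0]]

# Constructed Modbus/TCP requests: read holding registers (fc 3) and write
# multiple registers (fc 16), both addressed to unit id 1.
SAMPLE_READ = bytes.fromhex("00010000000601030000000a")
SAMPLE_WRITE = bytes.fromhex("00020000000b0110000000020400010002")

def run_demo() -> list:
    """Evaluate constructed flows; returns [(flow, decision, reason), ...]."""
    flows = [
        Flow("10.1.20.5", "10.1.30.7", "tcp", 502, SAMPLE_READ),   # HMI reads PLC
        Flow("10.1.20.5", "10.1.30.7", "tcp", 502, SAMPLE_WRITE),  # HMI tries to write
        Flow("10.1.10.2", "10.1.30.7", "tcp", 502, SAMPLE_WRITE),  # engineering writes
        Flow("10.0.5.9", "10.1.30.7", "tcp", 502, SAMPLE_READ),    # enterprise host -> PLC
        Flow("10.1.30.7", "10.1.30.8", "tcp", 502, SAMPLE_READ),   # PLC -> PLC, same cell
    ]
    return [(f, *evaluate(f)) for f in flows]

if __name__ == "__main__":
    for f, decision, reason in run_demo():
        print(f"{f.src_ip:>10} -> {f.dst_ip}:{f.dst_port}  {decision:5} {reason}")
```

Run as is, the supervisory read is allowed, the supervisory write and the enterprise host's connection are denied, and the engineering write is allowed. Shrinking the zones, down to one zone per legacy device with a single conduit each, is what turns this from ordinary segmentation into micro-segmentation; the policy engine itself does not change. Note the intra-zone allow: anything sharing a zone with a compromised device is reachable from it, which is the argument for keeping zones small. The `conduits_needing_review` check flags the supervisory-to-PLC conduit because it carries traffic from an SL-T 2 zone into an SL-T 3 zone; that is the conduit on which the Modbus function-code filter matters most.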

 

Challenges and Considerations

 

While micro-segmentation offers significant security benefits, implementing it in OT environments presents challenges:

 


Complexity: OT environments are intricate, consisting of numerous interconnected systems and devices with dependencies that are often undocumented. Writing a correct segmentation policy requires a comprehensive inventory of the network and of the flows each process actually needs, which is frequently unknown until traffic has been observed for a full production cycle.

 

Legacy Systems: Many OT environments consist of legacy devices and equipment that cannot run host agents, do not support 802.1X or modern authentication, and cannot be readdressed without re-engineering. Segmentation for these devices therefore has to be enforced by the network or by a gateway placed in front of the device, and that compatibility constraint determines which approaches are workable.

 

Operational Disruption: Implementing micro-segmentation requires changes to network configurations, and a rule that blocks a flow the process depends on can stop production. Policies should be validated in a monitor-only mode against live traffic first and switched to enforcement during a planned maintenance window, so that any downtime is managed rather than accidental.

 

Conclusion

 

Securing legacy OT devices is a pressing challenge for organizations running critical infrastructure and industrial operations. Micro-segmentation addresses it by creating granular security boundaries that limit the impact of a breach and reduce the overall attack surface. By implementing micro-segmentation in line with the IEC 62443 zone and conduit model, organizations can significantly improve their OT security posture and protect their critical assets.

 


About the Author


Arpita (Biswas) Majumder is a key member of the CEO's Office at QBA USA, the parent company of AmeriSOURCE, where she also contributes to the digital marketing team. With a master’s degree in environmental science, she brings valuable insights into a wide range of cutting-edge technological areas and enjoys writing blog posts and whitepapers. Recognized for her tireless commitment, Arpita consistently delivers exceptional support to the CEO and to team members.


 

 

 

 

 

 
 
 
