Back to Engineering
Engineering Case Study

OT/ICS Security Architecture for a Smart Factory

How a smart-factory floor is segmented into IEC 62443 zones and conduits, given protocol-aware monitoring and brokered remote access, without pretending the plant can be patched like IT.

IEC 62443 zones & conduitsPurdue reference modelData diode / unidirectional gatewayProtocol-aware IDS (Modbus/OPC UA/PROFINET)Jump host / brokered remote accessNetwork TAP & passive monitoringPLC baselining & asset inventory
PyramidLedger Engineering10 min read

The problem and the constraints

A modern factory floor is a computer network that happens to move physical mass — motors, valves, robotic arms, ovens — and the first honest thing to say is that almost none of the IT security playbook transfers cleanly. The programmable logic controllers (PLCs), human-machine interfaces (HMIs), historians and safety systems that run a plant were engineered for determinism and multi-decade service life, not monthly patch cycles. Many run operating systems years past vendor support, speak protocols with no authentication, and cannot be rebooted on demand because a reboot is a production stoppage measured in real money and, sometimes, in scrap and safety risk.

The constraint that dominates every decision is availability and safety over confidentiality. On a plant floor, a control action arriving late — or a monitoring tool injecting a malformed packet into a fragile PLC stack — can trip a line, damage equipment, or defeat a safety function. So the architecture is not allowed to be intrusive the way a corporate endpoint agent is; it earns its place by being overwhelmingly passive.

The second constraint is convergence. The whole point of a 'smart' factory is that OT data flows up to IT and cloud analytics, MES and ERP push schedules down, and vendors want remote access to the machines they sold. Every one of those flows is also a path an attacker can travel. The job is not to wall the plant off from the business — that ship sailed — but to make each flow explicit, brokered, monitored and reversible, so a compromise of the enterprise network does not become a compromise of the physical process. The frame the industry has converged on for this is IEC 62443, layered on the older Purdue model.

Zones and conduits: segmentation that respects Purdue

The core structural move is to stop treating the plant as one flat OT network and instead carve it into zones — groups of assets sharing a security level and trust boundary — connected only by explicitly defined conduits, the sole sanctioned paths between them. Mapped onto the Purdue model this produces a recognizable layering: a Level 0/1 zone of field devices and PLCs; a Level 2 zone of supervisory HMIs and SCADA; a Level 3 zone of site operations, historians and MES; and an industrial DMZ between Level 3 and the enterprise network.

That DMZ is the single most important piece. The rule enforced there is non-negotiable: no protocol originating on the enterprise network terminates directly on a control device, and vice versa. If IT analytics needs historian data, it reads a replica or broker living in the DMZ, and that broker — never the enterprise client — talks to the real historian. That double termination turns a single hop from the internet into a series of deliberate, inspectable relays.

Zones are drawn horizontally too. Two production cells that never legitimately exchange traffic go in separate zones, so a worm loose in one cannot traverse to the next — the historical pattern of plant-wide malware outbreaks was precisely flat OT networks with no internal segmentation. Conduits are default-deny and specified down to 'this HMI may speak this protocol to these three PLCs on these ports,' because the legitimate communication matrix is remarkably static and knowable — unlike a chaotic corporate LAN, you can enumerate what normal looks like and forbid the rest. The honest trade-off: this is retrofitted onto brownfield plants whose addressing grew organically over decades, so the first real deliverable is almost always an asset inventory and traffic-mapping exercise — you cannot draw a boundary around devices you have not discovered.

Secure remote access: brokered, not tunneled

Remote access is where OT security most often quietly fails, because the operational pressure for it is enormous. Machine vendors contractually require it, integrators need it during commissioning, and engineers want to check a line from home rather than drive in. The dangerous-but-common answer is a VPN that drops the remote party straight onto the control network, or a machine with a cellular modem the vendor uses as a back door the plant's own security team does not even know exists. Either way, an outside party on a device of unknown hygiene sits directly adjacent to a PLC.

The architecture we advocate replaces the tunnel with a broker. Remote users authenticate — with MFA, against the plant's own identity system, never the vendor's — to an access broker in the DMZ. From there they get a mediated session to a jump host inside the operations zone: a screen-and-keyboard relay, not a routed network path. The remote laptop never obtains an IP route to the control network; it obtains a pixel stream to a hardened host that is the only thing allowed to speak to the equipment. Sessions are time-boxed, tied to a specific work order, fully recorded, and torn down afterward, so 'the vendor has access' becomes 'the vendor had a recorded, supervised session to exactly these two machines.'

The deliberate cost is friction. This is slower than a persistent VPN, and vendors push back because their support model assumes always-on reach. That friction is the point: standing, unattended remote access into a control network is one of the highest-impact risks a plant carries, and trading convenience for brokered, recorded, revocable sessions is the right exchange. What we will not do is pretend a split-tunnel VPN with a shared password is 'secure remote access' because it has the word VPN in it.

Protocol-aware monitoring, detection and the patching reality

You cannot defend what you cannot see, and on a plant floor you mostly have to see without touching. The primary sensing method is passive: a network TAP or SPAN port mirrors control traffic to a monitoring appliance that never transmits back onto the wire. This is a firm rule — an active scanner sweeping an OT segment the way a vulnerability scanner sweeps a corporate LAN can, and historically has, knocked over fragile PLC stacks and tripped production. What makes passive monitoring valuable is that it is protocol-aware: a generic firewall sees a TCP session on port 502, while a Modbus-aware sensor sees a write command to a specific register on a specific PLC and can distinguish a routine setpoint from an unknown host suddenly issuing engineering-mode commands. The same applies to OPC UA, PROFINET, EtherNet/IP and DNP3. Because the legitimate command set is narrow and stable, deep inspection lets you baseline normal and alert on the anomalies that matter: a firmware download outside a maintenance window, a new device on a segment, a controller mode change. For the highest-consequence boundary protecting safety and core control, the strongest control is a hardware data diode that physically permits data out to monitoring while making inbound flow electrically impossible — a strong guarantee precisely because it is enforced in hardware, though its honest limit is that it only fits genuinely one-directional flows.

Because you often cannot patch quickly, detection and compensating controls carry more of the defensive load in OT than in IT, and the response plan must be written around physical consequences. 'Isolate the affected host' can mean stopping a line or orphaning a controller mid-process, so containment actions are pre-planned jointly with the operations and safety engineers who own the process, and the safest response is frequently to increase monitoring and prepare a controlled, scheduled intervention rather than yank a cable and hope. Patching itself is a scheduled, tested activity aligned to planned outages; between windows the plant relies on segmentation to limit blast radius, application allow-listing on the soft Windows-based HMIs and engineering workstations, removable-media controls, firmware baselining, and tested offline backups of PLC programs and HMI projects — because the fastest recovery from a destructive incident is restoring a known-good configuration to replacement hardware. OT security is a discipline of managed exposure, not elimination: make the plant hard to reach, easy to observe, and quick to recover. Anyone promising to make a legacy plant floor as clean as a greenfield cloud deployment is either going to break production or is not being straight with you.

Trade-offs, and what we would not do

The segmentation and brokering that make a plant defensible also make it less frictionless to operate, and that tension is permanent rather than a transitional cost. Every conduit is a firewall rule someone maintains, every brokered session is slower than a standing tunnel, and every passive sensor is another appliance to keep healthy. This investment is justified where the process carries real safety or economic consequence and is genuinely converged with IT and vendors. For a small, physically isolated operation with no remote access and no enterprise connectivity, a lighter posture is right-sized, and layering a full IEC 62443 program onto it would be ceremony rather than security.

We would not run intrusive active scanning across live control segments, and we would not deploy an IT endpoint agent onto a PLC or safety controller because a compliance checklist has a box for it — the availability and safety risk outweighs the benefit, and the device often cannot run the agent anyway. We would not accept a vendor's always-on modem or split-tunnel VPN as 'remote access' just because it already exists; that gets replaced by the broker or documented as an accepted risk with a name attached, not left as an invisible back door. And we would not oversell the data diode as a plant-wide firewall — it is a powerful control for one-directional flows and a poor fit for anything that needs a reply. The through-line is the same as the rest of our work: strong, honestly-scoped guarantees that an operator and an auditor can both actually reason about, in preference to impressive-sounding controls that quietly do not hold on a real plant floor.

Building something like this?

We engineer secure, regulated, and AI-driven systems at this depth. Tell us what you are building and we will help you architect it.

Start Your Project