Operational Technology
Secure separation of industrial systems
The operational logic, structure, and risk profile of corporate systems that serve and directly support industrial production are fundamentally different from classic IT environments. While the primary goal of traditional IT systems is to ensure business processes, administration, communication, and data management, Operational Technology (OT) specifically controls and supports physical manufacturing, production, and control processes.
The OT environment consists of operating servers, network devices, industrial control systems, PLCs (Programmable Logic Controllers), and HMIs (Human-Machine Interfaces) that have a direct impact on the operation of production machines, conveyor belts, boilers, turbines, or other industrial equipment, and thus directly influence the company’s revenue, production efficiency, operational safety, and regulatory compliance. A single failure, faulty configuration, improper update, or poorly set security rule can in itself have severe consequences: immediate production shutdown, significant loss of revenue, order delays, and the risk of official proceedings and financial penalties. Moreover, the failure of OT systems not only affects production capacity but can also have an impact on supply chain partners, customers, and the company’s market reputation.
The secure operation of OT systems and their strict, layered separation from the classic IT infrastructure is now a fundamental requirement, not only from a cybersecurity perspective but also for overall business continuity and regulatory compliance. This separation means much more than just preventing industrial control from being directly accessible from the internet: it also covers the company’s entire internal IT environment, including web, email, file, and other internal business process control systems (e.g., SAP, CRM), any of which could serve as an entry point for an attacker. Effective IT–OT separation is achieved through the right architecture, continuous supervision, and the application of standards.
The Purdue model – A standard for the secure structure of OT
Unicorn designs the logical, secure separation between OT and IT according to the recommendations of the internationally accepted Purdue model. This layered, strictly regulated architecture allows industrial control systems and classic IT environments to be separated, while still being able to communicate with each other at necessary points in a controlled manner.
OT has different security requirements, different focal points, and different emphases. By applying the model, the entire IT environment, from cloud-based services to production line sensors, becomes transparent, regulated, and auditable, meeting the strictest principles of IT security, data protection, and on-site data traffic security.
The layers of the Purdue model extend from the highest level down to the field devices at the bottom; each level has its own role and security responsibility.
Level 6: Cloud resources, internet
This top layer provides the company’s external connections: cloud services, public web applications, and the internet connection. External email systems, web customer portals, and all services accessible from outside the company’s IT environment are located here. Level 6 is the most exposed to external threats, so security controls such as firewalls, intrusion detection systems, and encryption are critically important.
Level 5.5: Internet, DMZ, remote access
The demilitarized zone (DMZ) is the “buffer zone” between the company and the outside world. This layer hosts remote access solutions, public servers (web, SFTP), and VPN endpoints. The primary task of the DMZ is to prevent direct access to the internal network while allowing external users to access certain, predefined services. Logging, traffic filtering, and network segmentation are particularly important here.
Level 5: Corporate network
This layer is the domain of internal, business IT systems: it includes business applications, internal file servers, email systems, ERP, CRM, and MDM platforms, as well as central printers and workstations. Systems running on Level 5 cannot connect directly to the OT layers, only through appropriate gateways.
Level 4: Site IT network
This is the level of the local office and corporate network infrastructure, access points, internal servers, and site management systems. This layer ensures site-level IT operations and connects to the company’s central IT system. Security here is not just about authorization management, but also about internal network segmentation and traffic control.
Level 3.5: Industrial DMZ (iDMZ)
The iDMZ is the single, strictly supervised point of passage between IT and OT. Its task is to enable controlled data exchange between the two worlds while excluding direct access. Inbound and outbound traffic is protected by firewalls, intrusion prevention systems (IPS), logging, and rule-based filtering. The servers and services in the iDMZ operate in a dual protection zone, ensuring that neither side can be directly accessed from the other.
Levels 3-0: OT layers
These levels cover the industrial control environment from central control down to the field sensors.
- Level 3 operates SCADA systems, database servers, engineering workstations, and monitoring systems that supervise and control the entire plant’s operation.
- Level 2 is for on-site production control systems and HMIs, where the daily control of processes takes place.
- Level 1 contains PLCs and other logic controllers that communicate directly with the manufacturing equipment.
- Finally, Level 0 consists of field I/O devices—sensors, actuators, safety switches—that are in direct contact with the physical manufacturing process.
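The layer descriptions above amount to a set of conduit rules: traffic moves between neighbouring layers, the iDMZ is the only passage between IT (Level 4 and up) and OT (Level 3 and down), and nothing on Level 6 reaches the industrial side. The following script is an added example, not Unicorn's tooling or part of the Purdue specification; it encodes those three rules as stated on this page (the adjacency rule and the exact numeric cut-offs are this example's assumptions), audits a constructed zone-based firewall policy against them, and computes the hop chain a rejected direct flow would have to be split into.

```python
from __future__ import annotations
from dataclasses import dataclass

# Purdue layers as named on this page, ordered top (most exposed) to bottom
# (field devices). Only the ordering matters; the numeric values are labels.
LEVELS = [6.0, 5.5, 5.0, 4.0, 3.5, 3.0, 2.0, 1.0, 0.0]
INTERNET = 6.0   # Level 6: cloud resources, internet
IDMZ = 3.5       # Level 3.5: industrial DMZ, the only IT/OT passage


def is_it(level: float) -> bool:
    """Levels 4 and above are the IT side (site IT, corporate, DMZ, internet)."""
    return level >= 4.0


def is_ot(level: float) -> bool:
    """Levels 3 and below are the OT side (SCADA, HMI, PLC, field I/O)."""
    return level <= 3.0


@dataclass(frozen=True)
class Rule:
    """One allow rule of a zone-based firewall policy (constructed format)."""
    name: str
    src: float
    dst: float
    service: str


def audit_rule(rule: Rule) -> list[str]:
    """Return the separation findings for a single rule; an empty list means clean.

    Assumed policy (this example's reading of the page, not a standard text):
      1. Level 6 must never reach the iDMZ or any OT layer.
      2. An IT/OT session must terminate in the iDMZ rather than run end to end.
      3. A conduit may only join two adjacent layers.
    """
    for level in (rule.src, rule.dst):
        if level not in LEVELS:
            raise ValueError(f"{rule.name}: unknown Purdue level {level}")
    findings: list[str] = []
    if rule.src == rule.dst:
        return findings  # intra-layer traffic is a segmentation question within that layer
    low, high = sorted((rule.src, rule.dst))
    if high == INTERNET and low <= IDMZ:
        findings.append("internet/cloud (Level 6) must never reach the iDMZ or OT layers")
    if is_it(high) and is_ot(low):
        findings.append("IT/OT session must terminate in the iDMZ (3.5), not run end to end")
    if abs(LEVELS.index(rule.src) - LEVELS.index(rule.dst)) > 1:
        findings.append(f"layers {rule.src} and {rule.dst} are not adjacent")
    return findings


def audit_policy(rules: list[Rule]) -> dict[str, list[str]]:
    """Audit every rule and map rule name to its findings."""
    return {rule.name: audit_rule(rule) for rule in rules}


def required_hops(src: float, dst: float) -> list[float]:
    """Adjacent-layer chain a direct flow has to be broken into.

    required_hops(5.0, 3.0) -> [5.0, 4.0, 3.5, 3.0]: the ERP talks to a
    relay in the iDMZ, and only the relay talks to Level 3.
    """
    i, j = LEVELS.index(src), LEVELS.index(dst)
    if i <= j:
        return LEVELS[i:j + 1]
    return LEVELS[j:i + 1][::-1]


# Constructed sample policy: three rules an auditor would reject, three clean conduits.
SAMPLE_POLICY = [
    Rule("erp-to-historian", 5.0, 3.0, "tcp/1433"),  # corporate ERP straight into a Level 3 database
    Rule("vpn-to-plc", 5.5, 1.0, "tcp/502"),          # remote-access DMZ straight to a PLC
    Rule("cloud-to-idmz", 6.0, 3.5, "tcp/443"),       # cloud service pulling from the iDMZ
    Rule("site-it-to-idmz", 4.0, 3.5, "tcp/443"),     # clean: site IT to iDMZ relay
    Rule("idmz-to-scada", 3.5, 3.0, "tcp/443"),       # clean: iDMZ relay to SCADA
    Rule("hmi-to-plc", 2.0, 1.0, "tcp/502"),          # clean: adjacent OT layers
]


if __name__ == "__main__":
    for name, findings in audit_policy(SAMPLE_POLICY).items():
        status = "OK  " if not findings else "FAIL"
        print(f"[{status}] {name}: {'; '.join(findings) or 'conforms to layered separation'}")
    print("erp-to-historian must be split into hops:", required_hops(5.0, 3.0))
```

Running the script flags the three direct IT-to-OT and internet-to-iDMZ rules and passes the three adjacent conduits; the hop chain for the rejected ERP rule shows that the business need is met by a relay (for example a historian mirror or API gateway) in the iDMZ, so neither side ever holds a session into the other.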
By applying the Purdue model, Unicorn is able to create an architecture that both meets the strictest security requirements and ensures business continuity. The precise design of the layers is always tailored to the specific company’s operations and security needs, in close cooperation with the system integration process, ensuring that critical OT systems remain protected and continuously operational.
NIS2 compliance – A legal requirement that must be met
The European Union’s NIS2 Directive is the second-generation regulation on network and information security, which specifically affects critical infrastructures, including OT (Operational Technology) environments. The directive’s goal is to ensure a uniform, high level of cybersecurity protection throughout the European Union, with particular regard to systems whose failure could have a direct impact on the functioning of the economy, the safety of the population, or even the stability of the national economy.
NIS2 compliance is verified through official audits, during which the security structure of OT and IT systems, the regulation of processes, risk management, and incident response protocols are examined in detail. If deficiencies are discovered during the audit, the following steps can be expected:
- A notice to remedy the faults – along with a deadline by which the company must prove that the corrections have been made.
- In case of serious or repeated deficiencies – the imposition of a significant financial penalty, the amount of which can reach millions of euros depending on the size of the company and the severity of the incident.
Compliance is not just an administrative task but a requirement that is organically integrated into daily operations and requires continuous attention. This includes continuous security monitoring, access management, rapid detection and reporting of incidents, and the existence of documented recovery plans.
Unicorn provides support in this process as a full-service partner: from security architecture design, technology implementation, and policy development to daily operation and continuous supervision. Our services cover all relevant requirements of the NIS2 directive, so our clients can be sure that their systems not only meet legal expectations but are also more resilient to modern threats. All this is done in a cost-effective manner, so that the company’s production can continue uninterrupted, and operational security is guaranteed throughout the entire infrastructure.
Main elements of our service:
- Logical and physical separation of OT and IT networks
- Creation of an Industrial DMZ according to the Purdue model
- Strict regulation and logging of network access
- Endpoint and perimeter protection with technologies optimized for industrial environments
- Design of parallel and high-availability architectures
- NIS2 audit preparation, documentation, and long-term support
Our technology partners in OT solutions
The secure operation of OT systems and their strict, layered separation from the IT environment require not only a well-thought-out architecture and expert operation but also a technological background that guarantees long-term stability, regulatory compliance, and business continuity.
Unicorn builds its OT services exclusively on the solutions of industry-leading manufacturers whose innovation, reliability, and continuous support ensure the protection and efficiency of our clients’ systems.
Aruba's network devices and management solutions enable the secure segmentation of site and industrial networks, traffic regulation, and the reliable operation of wireless connections in an OT environment.
checkmk's comprehensive monitoring platform provides real-time insight into the status of OT and IT systems, enabling early fault detection, performance optimization, and the creation of NIS2-compliant supervision.
Cisco's network and security solutions play a key role in separating industrial and corporate networks, building the iDMZ, and encrypting data connections, thus minimizing cyber risks.
DIGI's reliable data connection and connectivity services ensure stable communication between sites and data centers, which is a prerequisite for the continuous availability of OT systems.
HPE's server and storage solutions provide high performance, high availability, and scalability for industrial control systems and related management platforms.
Infoblox's DNS, DHCP, and IP address management solutions help in the secure construction of the addressing structure for OT and IT networks, while offering advanced threat detection functions.
Microsoft's corporate platforms, such as Active Directory and Azure services, enable secure identity and access management, integrated with the authentication and authorization processes related to OT systems.
With SCCM, the workstations and servers connected to the OT environment can be centrally managed and updated, keeping the software environment current and enabling the rapid remediation of vulnerabilities.
Netscout's network traffic analysis and supervision tools provide real-time insight into the performance of the OT network, enabling the rapid identification of faults and security incidents.
Palo Alto's firewalls and intrusion prevention systems provide effective protection against threats directed at the OT layers, support the enforcement of iDMZ security rules, and the strict control of traffic.
Teltonika's industrial routers and gateway devices enable secure, encrypted access to remote sites and OT equipment, also supporting redundant communication paths.
Veeam's data backup and recovery solutions ensure the rapid restoration of critical configurations and data for OT systems, minimizing downtime.
VMware's virtualization technologies enable the flexible, high-availability operation of servers and applications used in the OT environment, reducing the exposure of the physical infrastructure.
Contact us and let's bring your IT vision to life.