implementing-network-segmentation-for-ot


This skill covers implementing network segmentation in Operational Technology environments using VLANs, industrial firewalls, data diodes, and software-defined networking. It addresses the Purdue Model-based segmentation strategy, migration from flat networks to segmented architectures without disrupting operations, configuring OT-aware firewalls with industrial protocol deep packet inspection, and validating segmentation effectiveness through traffic analysis.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Component | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Implementing Network Segmentation for OT

## When to Use

- When an OT security assessment reveals a flat network with no segmentation between Purdue levels
- When implementing IEC 62443 zone/conduit architecture after completing risk assessment (IEC 62443-3-2)
- When separating IT and OT networks as part of an IT/OT convergence security initiative
- When deploying a DMZ between corporate IT and OT to protect industrial systems from IT-originating threats
- When segmenting safety instrumented systems (SIS) from basic process control systems (BPCS)

**Do not use** for IT-only microsegmentation without OT components (see implementing-zero-trust-in-cloud), or for initial zone design without prior traffic analysis (see performing-ot-network-security-assessment first).

## Prerequisites

- Complete traffic baseline from passive monitoring (minimum 2-4 weeks of capture data)
- Asset inventory with Purdue level classifications for all OT devices
- Industrial-grade network switches with VLAN support and port security
- OT-aware firewalls (Cisco ISA-3000, Fortinet FortiGate Rugged, Palo Alto with OT Security)
- Maintenance window schedule for network changes
- Rollback plan approved by operations management

## Workflow

### Step 1: Design Segmentation Architecture Based on Traffic Baseline

Use the traffic baseline to design VLAN and firewall architecture that preserves all legitimate communication paths while isolating zones.

```python
#!/usr/bin/env python3
"""OT Network Segment...
```
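The design step above, as an added example that is not part of the skill or its repository: it derives candidate zone-to-zone conduit allow-rules from a baseline of observed flows and flags the flows that skip Purdue levels or involve a host missing from the inventory, so they get redesigned (routed via an intermediate zone, or the inventory corrected) instead of being silently dropped at cut-over. The host addresses, zone names and flows are all constructed.

```python
"""Derive candidate zone-to-zone conduit rules from an OT traffic baseline.
Added example, not the skill's own code; the inventory and flows are constructed."""
from collections import defaultdict
# Ordered Purdue levels. Adjacent entries may talk directly; anything else
# must traverse an intermediate level (e.g. the Level 3.5 DMZ between IT and OT).
LEVELS = [0, 1, 2, 3, 3.5, 4, 5]
# Constructed inventory (hypothetical hosts): host -> (zone, Purdue level)
ASSETS = {
    "10.10.1.5": ("plc-line1", 1),
    "10.10.2.20": ("hmi-line1", 2),
    "10.10.3.10": ("historian", 3),
    "10.10.35.2": ("dmz-relay", 3.5),
    "10.0.50.7": ("erp", 4),
}
# Constructed baseline flows from passive capture: (src, dst, proto, dport)
BASELINE = [
    ("10.10.2.20", "10.10.1.5", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    ("10.10.3.10", "10.10.2.20", "tcp", 4840),  # historian -> HMI, OPC UA
    ("10.10.35.2", "10.10.3.10", "tcp", 1433),  # DMZ relay -> historian, SQL
    ("10.0.50.7", "10.10.35.2", "tcp", 443),    # ERP -> DMZ relay, HTTPS
    ("10.0.50.7", "10.10.1.5", "tcp", 502),     # ERP -> PLC: skips levels 3.5, 3, 2
    ("10.10.2.20", "10.10.9.9", "udp", 161),    # HMI -> host missing from inventory
]
def level_distance(a, b):
    return abs(LEVELS.index(a) - LEVELS.index(b))

def derive_conduits(assets, baseline):
    """Return ({(src_zone, dst_zone): {(proto, port)}}, [(flow, reason)]).
    Conforming flows become conduit allow-rules; the rest need redesign
    (re-route via an intermediate zone, or fix the inventory) before cut-over."""
    conduits, review = defaultdict(set), []
    for flow in baseline:
        src, dst, proto, port = flow
        if src not in assets or dst not in assets:
            review.append((flow, "endpoint not in asset inventory"))
            continue
        (src_zone, src_lvl), (dst_zone, dst_lvl) = assets[src], assets[dst]
        if level_distance(src_lvl, dst_lvl) <= 1:
            conduits[(src_zone, dst_zone)].add((proto, port))
        else:
            review.append((flow, f"spans level {src_lvl} to {dst_lvl}"))
    return dict(conduits), review

if __name__ == "__main__":
    rules, flagged = derive_conduits(ASSETS, BASELINE)
    for (s, d), services in sorted(rules.items()):
        print(f"allow {s} -> {d}: {sorted(services)}")
    for flow, why in flagged:
        print(f"REVIEW {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {why}")
```

The allow-rules map directly onto OT-firewall conduit policies per zone pair and service; the review list is the input to the redesign discussion with operations before any maintenance window.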

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

- **implementing-purdue-model-network-segmentation** (AI & Automation, Featured; mukul975; 12,642 stars; updated today): Implement network segmentation based on the Purdue Enterprise Reference Architecture (PERA) model to separate industrial control system networks into hierarchical security zones from Level 0 physical process through Level 5 enterprise, enforcing strict traffic control between OT and IT domains.
- **implementing-iec-62443-security-zones** (AI & Automation, Featured; mukul975; 12,642 stars; updated today): This skill covers designing and implementing security zones and conduits for industrial automation and control systems (IACS) per IEC 62443-3-2. It addresses zone partitioning based on risk assessment, assigning Security Level targets (SL-T), designing conduit security controls, implementing microsegmentation with industrial firewalls, and validating zone architecture through traffic analysis and penetration testing against the Purdue Reference Model.
- **performing-ot-network-security-assessment** (AI & Automation, Featured; mukul975; 12,642 stars; updated today): This skill covers conducting comprehensive security assessments of Operational Technology (OT) networks including SCADA systems, DCS architectures, and industrial control system communication paths. It addresses the Purdue Reference Model layers, identifies IT/OT convergence risks, evaluates firewall rules between zones, and maps industrial protocol traffic (Modbus, DNP3, OPC UA, EtherNet/IP) to detect misconfigurations, unauthorized connections, and attack surfaces in critical infrastructure.
- **implementing-network-segmentation-with-firewall-zones** (AI & Automation, Featured; mukul975; 12,642 stars; updated today): Design and implement network segmentation using firewall security zones, VLANs, ACLs, and microsegmentation policies to restrict lateral movement and enforce least-privilege network access.
- **implementing-conduit-security-for-ot-remote-access** (AI & Automation, Featured; mukul975; 12,642 stars; updated today): Implement secure conduit architecture for OT remote access following the IEC 62443 zones and conduits model, deploying jump servers, MFA-enabled gateways, session recording, and approval-based workflows to control vendor and engineer access to industrial control systems without exposing OT networks directly.