Most industrial networks start flat. One switch, one subnet, every device on the same broadcast domain. It works until it does not: a compromised workstation reaches every PLC on the floor, broadcast storms take down control loops, and auditors flag the entire network as non-compliant.
This post compares flat and segmented architectures, the real costs of each, and how to move from one to the other without production downtime.
Flat Networks
A flat network puts all devices in a single Layer 2 broadcast domain. Every device can reach every other device directly.
Where Flat Networks Work
- Small installations with fewer than 20 devices where complexity is not justified
- Lab or test environments where security is not a production concern
- Temporary setups during commissioning or migration
Where They Fail
Lateral movement. Once an attacker compromises any device on a flat network, they can reach every other device. A phishing email that compromises an office workstation gives the attacker direct access to PLCs, HMIs, and safety controllers on the same subnet.
Technical detail: On a flat Layer 2 network, ARP broadcasts reach every device. An attacker can ARP-spoof the default gateway, intercept all traffic, and pivot to any device without crossing a routing boundary. There is no enforcement point to block this.
Broadcast storms. All devices share the same broadcast domain. A misconfigured device or a network loop can generate broadcast traffic that saturates the network. In IT, this causes slow email. In OT, this causes missed PLC scan cycles and control instability.
No compliance path. CMMC, NIS2, and NIST 800-171 all require network segmentation. A flat network cannot satisfy these requirements regardless of what other controls are in place.
Segmented Networks
A segmented network divides devices into separate subnets or VLANs, each with its own broadcast domain. Traffic between segments passes through a router, firewall, or access gate that enforces policy.
Security Benefits
Breach containment. A compromised device in one segment cannot reach devices in another segment without crossing an enforcement point. If the enforcement point blocks the traffic, the breach stays contained.
Per-zone access control. Each segment boundary is an opportunity to enforce who can access what. An operator on the production VLAN can reach the PLCs they manage. They cannot reach the safety system VLAN or the enterprise servers.
Audit trail. Every cross-segment connection passes through a logging point. You know who crossed which boundary, when, and using what protocol.
The Cost
Complexity. Segmented networks require more planning: subnet design, VLAN configuration, routing rules, firewall policies. Misconfiguration can block legitimate traffic and cause production issues.
Hardware. Segmentation needs routers or Layer 3 switches at segment boundaries. Depending on the architecture, this may require additional firewalls or access control appliances.
Operational overhead. Adding a new device means assigning it to the right segment. Moving a device means updating VLAN membership and firewall rules. This requires documentation and change management.
Technical detail: The most common segmentation mistake is creating VLANs without enforcing routing policy between them. If inter-VLAN routing is enabled on a Layer 3 switch without ACLs, the VLANs provide broadcast isolation but zero security benefit. Traffic still flows freely between segments. Segmentation without enforcement is cosmetic.
Trade-offs for Industrial Environments
Compliance Requirements
CMMC Level 2 and NIS2 both mandate network segmentation for environments handling controlled information or critical services. Defense contractors, energy operators, and manufacturers in regulated sectors do not have a choice: segmentation is required.
| Framework | Segmentation Requirement |
|---|---|
| CMMC Level 2 | AC.L2-3.1.3: Control information flow between security domains |
| NIS2 | Article 21: Risk-based measures including network segmentation |
| NIST 800-171 | SC-7: Boundary protection with controlled interfaces |
| IEC 62443 | Zone and conduit model with defined security levels |
Operational Impact
Segmentation adds latency at each boundary (typically under 1ms for a firewall or access gate). For most OT applications, this is negligible. For hard real-time control loops with sub-millisecond requirements, place all devices in the same segment and enforce security at the segment boundary rather than between individual devices.
Migration Path
Moving from flat to segmented does not require a forklift replacement:
- Map your network. Document every device, its IP, its function, and what it communicates with.
- Define zones. Group devices by function and security requirement. Production PLCs in one zone, HMIs in another, enterprise IT in a third.
- Deploy enforcement. Place a firewall, access gate, or Layer 3 switch with ACLs at each zone boundary.
- Start permissive, then tighten. Begin with logging-only mode to capture actual traffic patterns. Use the logs to build allowlists. Then switch to enforcement mode.
- Monitor continuously. Baseline normal cross-zone traffic and alert on deviations.
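The "start permissive, then tighten" and "monitor continuously" steps above, together with the earlier point that VLANs without an enforced policy are cosmetic, as an added example that is not part of the original post: a small Python model that learns an allowlist of cross-zone flows from logging-only-mode records, then evaluates new flows in enforcement mode, where anything not in the baseline is a deviation. The zone map, subnets, log line format and sample flows are all constructed for illustration.

```python
import ipaddress

# Zone map (constructed for this example): subnet -> zone name.
ZONES = {
    "10.10.1.0/24": "plc",
    "10.10.2.0/24": "hmi",
    "10.10.9.0/24": "safety",
    "10.20.0.0/16": "enterprise",
}

def zone_of(ip):
    """Return the zone for an IP, or 'unknown' if it matches no mapped subnet."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown"

def parse_flow(line):
    """Parse one constructed 'src dst proto dport' line from logging-only mode."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)

def build_allowlist(log_lines):
    """Learn (src_zone, dst_zone, proto, dport) tuples from observed cross-zone flows.
    Intra-zone traffic is skipped: it never crosses an enforcement point."""
    allow = set()
    for line in log_lines:
        src, dst, proto, dport = parse_flow(line)
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz:
            allow.add((sz, dz, proto, dport))
    return allow

def enforce(allowlist, line):
    """Decide a flow in enforcement mode; a 'deny' is the deviation to alert on."""
    src, dst, proto, dport = parse_flow(line)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "intra-zone"
    return "allow" if (sz, dz, proto, dport) in allowlist else "deny"

# Constructed logging-only baseline: what actually crossed zone boundaries.
BASELINE = [
    "10.10.2.15 10.10.1.7 tcp 502",   # HMI polling a PLC
    "10.10.2.15 10.10.1.8 tcp 502",   # second PLC, collapses into the same rule
    "10.20.5.40 10.10.2.15 tcp 443",  # enterprise host reading from the HMI
    "10.10.1.7 10.10.1.8 udp 2222",   # PLC-to-PLC, stays inside the zone
]
```

Calling `enforce(build_allowlist(BASELINE), flow)` on an enterprise-to-PLC flow on port 502, or on anything destined for the safety zone, returns "deny" because the baseline never showed it; without the allowlist check every such flow would pass, which is exactly the "VLANs without ACLs" failure.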
Conclusion
Flat networks trade security for simplicity. That trade-off is acceptable in a lab. It is not acceptable in a production OT environment where a compromised device can reach safety controllers, where compliance mandates segmentation, and where broadcast storms can halt production.
Segment your network. Enforce policy at every boundary. Start with the highest-risk zones and expand from there.