The Role of L3 Routing in OT Segmentation

Network Architecture and Design


Discover how Layer 3 routing enhances OT network segmentation, boosting security and resilience in industrial environments through effective traffic control and isolation.


Introduction

Operational Technology (OT) environments have evolved substantially, with increased digitization and the convergence of IT and OT systems. Effective network segmentation is recognized as a foundational pillar for achieving security and resilience in industrial contexts such as manufacturing plants, utilities, and transportation infrastructures. Layer 3 (L3) routing, an established technology in traditional IT settings, is now seeing renewed focus as a mechanism for robust segmentation of OT networks.

This post delves into the history, technical foundations, and deployment considerations of L3 routing for OT segmentation, offering practical insights for CISOs, IT Directors, Network Engineers, and critical infrastructure operators.

Historical Context: The Journey of Network Segmentation

The Flat Network Era and Its Risks

Early industrial networks were typically flat Layer 2 (L2) broadcast domains, favoring simplicity and ease of deployment. Switches and unmanaged devices proliferated on factory floors, often with little thought given to segmentation or access controls. This architecture, while operationally convenient, exposed the entire OT environment to lateral movement and broadcast storms — vulnerabilities that could be catastrophic in the context of malware or unintended misconfiguration.

Evolution to Layer 3 Routing

Layer 3 routing, foundational to the architecture of the modern internet, was introduced to industrial networks primarily to improve scalability and fault containment. Routers provided the ability to partition networks into isolated subnets, enforcing basic traffic filtering at the IP layer and breaking up broadcast domains. This advance, initially driven by performance and manageability concerns, is now being leveraged for its security and resilience benefits.

Technical Underpinnings: Layer 3 Segmentation in OT

Layer 3: Basic Principles

At its core, Layer 3 routing leverages IP addressing and subnets, using routers or Layer 3 switches to forward traffic between network segments based on destination IP addresses. Unlike Layer 2 segmentation, typically realized through VLANs, an L3 architecture subjects inter-segment traffic to access control policies and allows it to be inspected or rate-limited.

Key advantages:

  • Fault isolation: Routing boundaries contain broadcast storms, limiting the scope of accidental or malicious disruptions.

  • Access control: Inter-VLAN routing rules restrict which systems can communicate, supporting the principle of least privilege.

  • Integration with IT security tools: L3 boundaries are natural points to implement firewalls, intrusion detection, and monitoring solutions.

Protocols and Technologies

The routing mechanisms most widely used in OT, OSPF, EIGRP, and static routes, have matured for industrial use, with deterministic behavior and minimal overhead. Modern industrial switches often support L3 routing natively, permitting flexible topologies.

Note:
While routing protocol selection is critical in wide area, dynamic IT environments, most OT deployments favor static routing or tightly controlled OSPF areas to ensure predictability and auditability.

Design Approaches: From VLANs to Routed Segments

VLAN-Based Segmentation: Strengths and Weaknesses

VLANs have long served as the first step in OT segmentation. However, VLANs alone do not prevent devices in different subnets from communicating if routed inter-VLAN access is allowed, and their security guarantees degrade rapidly if VLAN hopping attacks or misconfigurations occur. More critically, L2 broadcast domains can permit attack propagation at scale.

L3 Routing as a Security Boundary

Routing at L3 not only enables separation of network traffic but also allows tight definition of permissible flows via Access Control Lists (ACLs) or firewalls. This approach aligns closely with best practices recommended in frameworks such as ISA/IEC 62443.

Example topology:

  • Zone 1: Process Control Network (e.g., DCS/PLC networks)

  • Zone 2: Corporate IT interface zone

  • Zone 3: Demilitarized Zone (DMZ)/Jump hosts

Each zone is assigned its own IP subnet. Transitions between these zones are enforced via routed interfaces—each can have different security postures, monitoring, and access policies.
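The following is an added example, not code from the article: it models the three-zone topology above in Python, assigning each zone one constructed subnet and applying a zone-level allow-list with an implicit deny to traffic that crosses a routed interface. The addresses, the rules and the flows are constructed for illustration; the `Rule` shape and the `evaluate` helper are assumptions of this example, not a vendor ACL syntax.

```python
"""Zone model and routed-boundary ACL evaluation (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addressing plan: one subnet per zone, each its own broadcast
# domain behind a routed interface.
ZONES: Dict[str, IPv4Network] = {
    "process_control": ip_network("10.10.1.0/24"),  # DCS/PLC network
    "it_interface": ip_network("10.10.2.0/24"),     # corporate IT side
    "dmz": ip_network("10.10.3.0/24"),              # historian, jump hosts
}


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port


# Constructed allow-list: only flows the asset inventory justified. Anything
# not listed falls through to the implicit deny at the end. The evaluator is
# stateless; in practice a stateful firewall also admits return traffic of
# permitted sessions.
ACL: List[Rule] = [
    Rule("permit", "dmz", "process_control", "tcp", 502),   # historian polls PLCs (Modbus/TCP)
    Rule("permit", "it_interface", "dmz", "tcp", 3389),     # IT users reach the jump host
    Rule("deny", "it_interface", "process_control", "any", None),  # explicit, logged deny
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def overlapping_zones(zones: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Return zone pairs whose subnets overlap; a sound addressing plan returns []."""
    names = list(zones)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if zones[a].overlaps(zones[b])
    ]


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Decide what the routed boundary does with one packet.

    Returns (verdict, index of the matching rule). Verdicts:
      "bypass" - same zone: switched at L2, never reaches the router ACL
      "permit" - first matching permit rule
      "deny"   - first matching deny rule, or the implicit deny (index None)
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is not None and src_zone == dst_zone:
        return "bypass", None
    for i, rule in enumerate(acl):
        if (rule.src in ("any", src_zone) and rule.dst in ("any", dst_zone)
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action, i
    return "deny", None  # implicit deny: not on the allow-list


if __name__ == "__main__":
    assert overlapping_zones(ZONES) == []
    for pkt in [("10.10.3.10", "10.10.1.20", "tcp", 502),
                ("10.10.2.5", "10.10.1.20", "tcp", 502),
                ("10.10.1.20", "10.10.1.21", "tcp", 502)]:
        print(pkt, "->", evaluate(ACL, *pkt))
```

The "bypass" verdict is the point worth noticing: two hosts in the same zone never touch the router, so the ACL gives no protection inside a zone, which is why the Layer 2 surface on each side of the boundary still needs attention.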

IT/OT Collaboration: Bridging Knowledge and Responsibility

Alignment of Standards and Language

Historically, IT teams have taken the lead on network routing, while OT engineers have focused on operational continuity. Today, successful L3 segmentation requires both teams to agree on network addressing plans, interoperable protocols, change management, and monitoring strategies.

Recommendations:

  • Use asset inventory and protocol allow-lists to map out necessary cross-segment traffic prior to deployment.

  • Establish joint review processes for changes to routing policies or ACLs, minimizing unplanned downtime caused by misconfiguration.

  • Prioritize deterministic and documented routing topologies, minimizing asymmetric routing or NAT usage unless absolutely necessary.
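As an added example of the first recommendation (it is not from the article), the script below takes observed flow records, buckets every cross-zone flow by zone pair, protocol and destination port into a candidate allow-list for the joint IT/OT review, and lists the flows a draft policy would drop once the boundary is enforced. The zone plan, the flow-log format and the approved set are constructed assumptions.

```python
"""Derive a candidate cross-segment allow-list from observed flows (constructed example)."""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed addressing plan.
ZONES = {
    "process_control": ip_network("10.10.1.0/24"),
    "it_interface": ip_network("10.10.2.0/24"),
    "dmz": ip_network("10.10.3.0/24"),
}

# Constructed flow records in a simple exported format:
# "timestamp src_ip dst_ip proto dst_port".
FLOW_LOG = """\
2024-05-01T10:00:01 10.10.3.10 10.10.1.20 tcp 502
2024-05-01T10:00:03 10.10.3.10 10.10.1.21 tcp 502
2024-05-01T10:00:05 10.10.1.20 10.10.1.21 tcp 502
2024-05-01T10:00:09 10.10.2.5 10.10.3.40 tcp 3389
2024-05-01T10:00:12 10.10.2.7 10.10.1.20 tcp 502
2024-05-01T10:00:15 10.10.3.40 10.10.1.22 tcp 22
2024-05-01T10:00:20 10.10.3.10 10.10.1.20 tcp 502
"""

Candidate = Tuple[str, str, str, int]  # src_zone, dst_zone, proto, dst_port

# Constructed result of the asset-inventory review: the only cross-zone
# services with a documented need.
APPROVED: Set[Candidate] = {
    ("dmz", "process_control", "tcp", 502),
    ("it_interface", "dmz", "tcp", 3389),
}


def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def parse_flows(text: str) -> List[Tuple[str, str, str, str, int]]:
    """Parse log lines into (raw_line, src_ip, dst_ip, proto, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, port = line.split()
        flows.append((line, src, dst, proto, int(port)))
    return flows


def to_candidate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Optional[Candidate]:
    """Zone-level view of one flow; None for intra-zone or unplanned addresses."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None or src_zone == dst_zone:
        return None
    return (src_zone, dst_zone, proto, dport)


def candidate_allow_list(text: str) -> Counter:
    """Count observed cross-zone flows per (src_zone, dst_zone, proto, port)."""
    counts: Counter = Counter()
    for _line, src, dst, proto, dport in parse_flows(text):
        cand = to_candidate(src, dst, proto, dport)
        if cand is not None:
            counts[cand] += 1
    return counts


def flows_outside_policy(text: str, approved: Set[Candidate]) -> List[str]:
    """Raw log lines the approved allow-list would deny at the routed boundary."""
    outside = []
    for line, src, dst, proto, dport in parse_flows(text):
        cand = to_candidate(src, dst, proto, dport)
        if cand is not None and cand not in approved:
            outside.append(line)
    return outside


if __name__ == "__main__":
    for cand, n in candidate_allow_list(FLOW_LOG).most_common():
        print(n, cand)
    print("would be denied:", flows_outside_policy(FLOW_LOG, APPROVED))
```

Intra-zone flows (the third record) are dropped from both views because they are switched, not routed; the two lines reported as outside policy are exactly the kind of surprise the joint review should settle before the ACL goes live.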

Best Practices and Pitfalls in Secure Connectivity Deployment

Incremental Segmentation

Few organizations can rearchitect their industrial network overnight. Progressive approaches—isolating critical subnets first, enabling inter-segment routing only for essential protocols, and gradually increasing segmentation—strike the right balance between risk reduction and operational impact.

Visibility and Monitoring

Every L3 boundary is a chokepoint for visibility; leverage this by deploying monitoring, intrusion detection, and logging at routed interfaces. Consider the tradeoffs between inline and out-of-band monitoring for both security efficacy and OT system stability.

Common Pitfalls

  • Maintaining "any-any" rules in ACLs for convenience—undermining the value of segmentation.

  • Relying on legacy, unmanaged routers without patch management or access control, introducing new vulnerabilities.

  • Neglecting Layer 2 attack surfaces on either side of routed boundaries, resulting in incomplete risk mitigation.
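The first pitfall can be checked mechanically. The script below is an added example, not from the article: it lints a zone-level rule list for permits that cover every zone pair, whether written literally as "any", as 0.0.0.0/0, or as a prefix wide enough to contain all zone subnets, and it also reports the rules such a permit makes unreachable, since an "any-any" placed early shadows every specific deny after it. The rule shape, the zones and the three sample ACLs are constructed assumptions.

```python
"""Lint a zone-level ACL for "any-any" permits and the rules they shadow (constructed example)."""
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

# Constructed addressing plan.
ZONES = {
    "process_control": ip_network("10.10.1.0/24"),
    "it_interface": ip_network("10.10.2.0/24"),
    "dmz": ip_network("10.10.3.0/24"),
}

# (action, src, dst, proto, dport); src/dst are a zone name, a CIDR prefix or "any".
Rule = Tuple[str, str, str, str, Optional[int]]
Finding = Tuple[int, str, str]  # rule index, kind, detail

# Constructed sample ACLs.
ACL_BAD: List[Rule] = [
    ("permit", "any", "any", "any", None),                         # convenience rule
    ("deny", "it_interface", "process_control", "any", None),     # never reached
    ("permit", "dmz", "process_control", "tcp", 502),             # never reached
]
ACL_GOOD: List[Rule] = [
    ("permit", "dmz", "process_control", "tcp", 502),
    ("permit", "it_interface", "dmz", "tcp", 3389),
    ("deny", "any", "any", "any", None),                           # explicit final deny
]
ACL_WIDE: List[Rule] = [
    ("permit", "10.10.0.0/16", "0.0.0.0/0", "any", None),          # any-any in disguise
]


def as_network(selector: str) -> Optional[IPv4Network]:
    """Zone name or CIDR -> network; "any" -> None (matches everything)."""
    if selector == "any":
        return None
    if selector in ZONES:
        return ZONES[selector]
    return ip_network(selector, strict=False)


def covers_all_zones(selector: str) -> bool:
    """True if the selector matches every address in every zone."""
    net = as_network(selector)
    return net is None or all(zone.subnet_of(net) for zone in ZONES.values())


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` also matches `broad`."""
    for b_sel, n_sel in ((broad[1], narrow[1]), (broad[2], narrow[2])):
        b_net, n_net = as_network(b_sel), as_network(n_sel)
        if b_net is None:
            continue  # "any" on the broad side covers anything
        if n_net is None or not n_net.subnet_of(b_net):
            return False
    return broad[3] in ("any", narrow[3]) and broad[4] in (None, narrow[4])


def lint_acl(acl: List[Rule]) -> List[Finding]:
    """Report any-any permits and rules shadowed by an earlier, broader rule."""
    findings: List[Finding] = []
    for i, rule in enumerate(acl):
        if rule[0] == "permit" and covers_all_zones(rule[1]) and covers_all_zones(rule[2]):
            findings.append((i, "any-any", "permit covering every zone pair defeats segmentation"))
        for j in range(i):
            if covers(acl[j], rule):
                findings.append((i, "shadowed", f"never matched: rule {j} already covers it"))
                break
    return findings


if __name__ == "__main__":
    for name, acl in (("bad", ACL_BAD), ("good", ACL_GOOD), ("wide", ACL_WIDE)):
        print(name, lint_acl(acl))
```

The explicit final "deny any any" in the good list is not flagged: the lint targets permits, and an explicit deny at the end is what gives the boundary a logged drop rather than a silent implicit one.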

Conclusion

Layer 3 routing is more than just a carry-over from enterprise IT; in industrial environments, it is a crucial enabler for segmentation, risk reduction, and operational assurance. By embracing L3 routing with precision, industrial organizations can build defensible, resilient networks that maximize uptime and minimize exposure to lateral movement and disruption.

As with all architectural interventions in OT, success hinges on thorough planning, close IT/OT collaboration, and rigorous governance. In doing so, organizations can transform their networks from flat vulnerabilities to layered, adaptive structures well-suited for a rapidly evolving risk landscape.

References

  • ISA/IEC 62443-3-2: Security Risk Assessment and System Design

  • NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security

  • RFC 1812: Requirements for IP Version 4 Routers
