Cyber SecurityUK NCSC

Building more resilient CNI: what industry pen testers told us

One of the clearest examples of ‘secure by design’ is the adoption of network segmentation, particularly where it has been considered as part of the system design rather than added later. Network segmentation involves splitting a network into smaller segments, either through high-level network design, the use of VLANs or firewalls, or through the management of users or groups with separate accounts for different network areas.

OT systems should always be designed with clear separation between the OT control systems and the rest of your business infrastructure: the IT. From a security standpoint, segmentation helps to prevent hackers from moving laterally through your network, hampering pen testers who may have gained a foothold from making further progress. In the context of OT, this can mean avoiding impacts on your process and a potential loss of availability.

Segmentation is not just about separating IT from OT; it is about controlling what crosses that boundary. Cross-domain thinking helps define zones of trust and tightly manage data flows between them. Secure OT connectivity should minimise exposed connections, standardise access routes, and harden boundaries, while privileged access workstations (PAWs) provide trusted devices for privileged administration, reducing shortcuts and making lateral movement harder.

Source: UK NCSC (Cyber) (1 July 2026)

Related Articles

Back to top button