IT networks in OT and critical infrastructure

IT network architectures for critical environments.
Segmented, controlled, and resilient.

Networking critical infrastructure and operational technology

Critical infrastructure and operational technology (OT) environments are among the most sensitive structures in our society. Disruptions or even outages in essential healthcare, utility, education, or production facilities often have dangerous or even life-threatening consequences. For this reason, the critical infrastructure and OT sector requires an IT architecture model that continuously ensures availability, operational reliability, and traceability. Protection and operations must be considered together: with clearly defined zones, structured communication paths, controlled interfaces, and an operating model that remains sustainable even under disruptive conditions.

Due to these special protection requirements, the NIS-2 (EU 2022/2555) and CER directives (Critical Entities Resilience, EU 2022/2557) aim to increase the resilience of European critical infrastructures through standardized minimum requirements. These include, among other things, new registration obligations, stricter risk analyses and protective measures, as well as mandatory reporting of security incidents for operators of critical infrastructure facilities.

From a technical perspective, these requirements can be implemented with a suitable IT reference architecture for critical infrastructure and OT networks, which we will introduce below.

Critical infrastructure and OT networks require a reliable IT architecture model

Critical infrastructure and OT environments are built on the same security foundation as traditional IT: systems, applications, connections, and access points must be protected.

For OT security, however, this alone is not enough. The focus here is not on flexible IT services, but on the secure and stable operation of facilities, processes, and technical infrastructures. That is precisely why OT security requires a reliable IT architecture model.

General IT security plus additional OT security

Traditional IT security primarily focuses on secure systems, regular updates, highly available remote access, resilient connections, centralized management, and cloud connectivity. In OT environments, however, additional requirements apply.

These include: planned operations within maintenance windows, remote access only when required and for a limited time, strict segmentation and control of connections, as well as local and autonomous functionality even without internet connectivity.

In critical infrastructure-related environments, this results in a clear target model: minimal and technically justified communication, controlled interfaces, and operations that remain manageable even under disruptive conditions.

What characterizes resilient critical infrastructure and OT networks?

Anyone planning or modernizing networks for critical infrastructure and OT must consider the following aspects:

Zone and conduit concept (segmentation according to IEC 62443 / BSI)

Critical infrastructure and OT networks must be consistently structured into security zones and conduits. A strict separation between IT and OT must be implemented. Communication between zones may only take place through defined and hardened communication paths (e.g., gateways, firewalls) and must be secured according to the principle of least privilege and role-based access control. Undocumented or historically evolved direct connections are not permitted.

Minimized, protected, and auditable communication

Communication relationships must be limited to the operationally necessary scope and explicitly approved (“default deny”). Data transmissions must be protected with regard to confidentiality, integrity, and authenticity (e.g., through encryption and secure protocols). All access activities, data flows, and security-relevant events must be logged in an audit-proof manner in accordance with BSI requirements, centrally analyzed, and continuously monitored.
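The following Python script is an added example (not LANCOM code and not a configuration of any LANCOM product) of how the zone and conduit model and the default-deny rule from the two sections above can be checked automatically: a flow is allowed only if it matches an explicitly approved and documented conduit, and any link that joins an IT-side zone directly to a productive OT zone is refused even if it appears in the allow-list, because it bypasses the OT DMZ. Zone names follow the levels used on this page; the conduits, hosts and port numbers are constructed for the illustration.

```python
"""Zone/conduit policy check for a segmented IT/OT network.

Added illustration in Python, not LANCOM code. Zone names follow the levels used
on this page; conduit purposes and ports are constructed. Rules implemented:
  * default deny: a flow is allowed only if an explicitly approved conduit matches;
  * no direct IT/OT crossing: flows between IT-side zones and productive OT zones
    are denied even if someone adds them to the list, since they bypass the OT DMZ;
  * every approved conduit must carry a documented purpose.
"""
from dataclasses import dataclass

# Level numbers as on the page; only zone membership is used for decisions.
ZONES = {"WAN": 5.0, "IT_DMZ": 4.5, "IT": 4.0, "OT_DMZ": 3.5, "CONTROL_ROOM": 3.0, "CELL": 2.0}
IT_SIDE = {"WAN", "IT_DMZ", "IT"}
OT_PRODUCTIVE = {"CONTROL_ROOM", "CELL"}


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    proto: str
    port: int
    purpose: str  # documented justification; "historically evolved" links have none


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


# Constructed allow-list of approved, documented conduits (ports are examples).
APPROVED_CONDUITS = [
    Conduit("WAN", "IT_DMZ", "udp", 500, "IPsec IKE from remote maintainers to the VPN gateway"),
    Conduit("IT_DMZ", "OT_DMZ", "tcp", 22, "VPN remote segment to jump host (session break)"),
    Conduit("OT_DMZ", "CONTROL_ROOM", "tcp", 3389, "Jump host to engineering workstation"),
    Conduit("CONTROL_ROOM", "OT_DMZ", "tcp", 5432, "SCADA writes to historian replica"),
    Conduit("IT", "OT_DMZ", "tcp", 5432, "BI team reads historian replica (read-only)"),
    Conduit("IT_DMZ", "OT_DMZ", "tcp", 443, "Proxy pushes verified updates to patch server"),
    Conduit("CELL", "CONTROL_ROOM", "tcp", 502, "PLCs to SCADA (Modbus/TCP)"),
]


def crosses_it_ot_directly(src: str, dst: str) -> bool:
    """True when a flow links an IT-side zone and a productive OT zone in one hop."""
    return bool({src, dst} & IT_SIDE) and bool({src, dst} & OT_PRODUCTIVE)


def evaluate(flow: Flow, conduits=APPROVED_CONDUITS) -> tuple:
    """Return ("ALLOW" | "DENY", reason) for a single flow."""
    for zone in (flow.src, flow.dst):
        if zone not in ZONES:
            return "DENY", f"unknown zone {zone!r}"
    if crosses_it_ot_directly(flow.src, flow.dst):
        # Checked before the allow-list so a rogue list entry cannot override it.
        return "DENY", "direct IT/OT crossing; path must terminate in OT_DMZ"
    for c in conduits:
        if (c.src, c.dst, c.proto, c.port) == (flow.src, flow.dst, flow.proto, flow.port):
            return "ALLOW", c.purpose
    return "DENY", "no approved conduit (default deny)"


def lint_conduits(conduits) -> list:
    """Report allow-list entries that violate the zone model or lack documentation."""
    findings = []
    for c in conduits:
        label = f"{c.src}->{c.dst} {c.proto}/{c.port}"
        if crosses_it_ot_directly(c.src, c.dst):
            findings.append(f"{label}: bypasses OT_DMZ")
        if not c.purpose.strip():
            findings.append(f"{label}: undocumented conduit")
    return findings


if __name__ == "__main__":
    # Constructed sample flows, including several the model must reject.
    samples = [
        Flow("IT", "OT_DMZ", "tcp", 5432),         # BI reads replica: allowed
        Flow("IT", "CONTROL_ROOM", "tcp", 5432),   # BI straight to SCADA DB: denied
        Flow("CONTROL_ROOM", "WAN", "tcp", 443),   # SCADA fetching from the internet: denied
        Flow("IT_DMZ", "OT_DMZ", "tcp", 23),       # telnet to jump host: not approved
        Flow("CELL", "CONTROL_ROOM", "tcp", 502),  # PLC to SCADA: allowed
    ]
    for f in samples:
        print(f"{f.src:>12} -> {f.dst:<12} {f.proto}/{f.port:<5} {evaluate(f)}")
    legacy = APPROVED_CONDUITS + [Conduit("IT", "CONTROL_ROOM", "tcp", 445, "")]
    print("lint findings:", lint_conduits(legacy))
```

Running the lint over the approved list during change approval is what catches the "historically evolved" direct connections the text rules out: a legacy file share from IT into the control room shows up twice, once as a DMZ bypass and once as undocumented.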

Secure and robust operations, even during changes, maintenance, and data requests

Operational processes such as remote maintenance, configuration changes, and data provisioning must be secured through appropriate security measures (e.g., access controls, approval workflows, and session monitoring) and must not interfere with continuous plant operations. Critical OT functions must be designed to remain operational even in the event of disruptions to external networks (IT / WAN), ensuring resilience and partial autonomy.

The goal is to ensure operations remain as uninterrupted as possible while meeting the legally required protection standards.

LANCOM IT reference architecture as a blueprint for critical infrastructure and OT networks

The LANCOM IT reference architecture for critical infrastructure and OT networks visually illustrates how a critical infrastructure network should be divided into zones, how transfer points and communication paths should be designed, and what should be considered when building the IT and OT network.

Secure critical operational pathways in critical infrastructure and OT networks appropriately

In practice, OT security repeatedly comes down to three recurring operational pathways: access, data flows, and changes. These three pathways should therefore be considered from the outset as recurring operational realities and integrated into the overall design.

Which operational pathways require special protection in critical infrastructure and OT networks?

Infographic: Illustration of a remote maintenance chain with session break across multiple IT and OT security zones. The levels “LEVEL 5: WAN”, “LEVEL 4.5: IT DMZ”, “LEVEL 4: IT”, “LEVEL 3.5: OT DMZ”, and “LEVEL 3: Control room” are shown on the left. The graphic includes a WAN VPN gateway on Level 5, a WAN/LAN perimeter firewall on Level 4.5, an IT/OT perimeter firewall on Level 3.5, switches (across various levels), and a jump host on Level 3.5. An external service provider connects via “VPN remote access, time-limited, strongly authenticated”. Access is routed through both firewalls, a “session break”, and a “user switch (authentication against OT AD)” on Level 3.5. The OT area contains SCADA, Engineering, and “Local OT services (AD, DNS, NTP)”. Arrows visualize the controlled data and access flow between the IT and OT networks.
Secure remote maintenance chain with session break between IT and OT networks in critical infrastructures through VPN access, firewalls, jump host, authentication, and controlled connections to SCADA and engineering systems.

Remote maintenance without loss of control

A VPN alone is not a sufficient protection concept in critical infrastructure environments. Remote maintenance must be designed as a controlled process, including the following measures:

  • strong identity verification,
  • termination in a dedicated remote / DMZ segment (demilitarized zone, transition zone),
  • session break via a jump host,
  • time restrictions within defined maintenance windows, and
  • comprehensive logging.

External or privileged access should never lead directly into productive OT zones.
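As an added example that is not part of the original page and not LANCOM product code, the following Python sketch turns the measures listed above into a single access decision that a remote-access broker or jump-host policy could apply: the identity must be strongly verified (MFA), the VPN must terminate in a dedicated remote/DMZ segment, the session must land on a jump host in the OT DMZ rather than in a productive OT zone, the request must fall inside an approved maintenance window that also sets the session expiry, and every decision is written to an audit log. Segment and host names, tickets, vendors and times are constructed.

```python
"""Remote-maintenance access decision for a critical infrastructure OT network.

Added illustration in Python, not LANCOM code. Segment and host names, tickets,
vendors and times are constructed. A real deployment would enforce these checks
in the VPN gateway, the firewall policy and the jump host; here they are one
function so the decision logic can be read and tested in one place.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import Optional

REMOTE_SEGMENT = "REMOTE_DMZ"   # segment where the VPN gateway terminates external users
JUMP_HOST_ZONE = "OT_DMZ"       # external access may only land here, never in productive OT
JUMP_HOSTS = {"jump-ot-01"}     # constructed host name


@dataclass(frozen=True)
class MaintenanceWindow:
    ticket: str
    vendor: str
    start: datetime
    end: datetime

    def covers(self, t: datetime) -> bool:
        return self.start <= t < self.end


@dataclass(frozen=True)
class AccessRequest:
    user: str
    vendor: str
    ticket: str
    mfa_verified: bool
    ingress_segment: str    # segment the VPN tunnel terminates in
    destination: str        # host the session lands on
    destination_zone: str
    requested_at: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    expires_at: Optional[datetime] = None   # session is cut when the window closes


AUDIT_LOG: list = []   # every decision, allowed or not, is recorded


def decide(req: AccessRequest, windows: list) -> Decision:
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not strongly verified (MFA missing)")
    if req.ingress_segment != REMOTE_SEGMENT:
        reasons.append(f"VPN must terminate in {REMOTE_SEGMENT}, not {req.ingress_segment}")
    if req.destination_zone != JUMP_HOST_ZONE or req.destination not in JUMP_HOSTS:
        reasons.append("external access must land on a jump host in the OT DMZ")
    window = next((w for w in windows if w.ticket == req.ticket and w.vendor == req.vendor), None)
    if window is None:
        reasons.append(f"no approved maintenance window for ticket {req.ticket}")
    elif not window.covers(req.requested_at):
        reasons.append(f"request outside window {window.start:%H:%M}-{window.end:%H:%M} UTC")
    decision = Decision(allowed=not reasons, reasons=reasons,
                        expires_at=window.end if (window and not reasons) else None)
    AUDIT_LOG.append({
        "time": req.requested_at.isoformat(), "user": req.user, "vendor": req.vendor,
        "ticket": req.ticket, "destination": req.destination,
        "allowed": decision.allowed, "reasons": list(reasons),
        "expires_at": decision.expires_at.isoformat() if decision.expires_at else None,
    })
    return decision


def sample_scenarios() -> dict:
    """Constructed window and requests covering each check above."""
    utc = timezone.utc
    window = MaintenanceWindow("CHG-0001", "ACME-Service",
                               datetime(2024, 6, 1, 8, tzinfo=utc), datetime(2024, 6, 1, 12, tzinfo=utc))
    good = AccessRequest(user="j.doe", vendor="ACME-Service", ticket="CHG-0001", mfa_verified=True,
                         ingress_segment=REMOTE_SEGMENT, destination="jump-ot-01",
                         destination_zone=JUMP_HOST_ZONE, requested_at=datetime(2024, 6, 1, 9, tzinfo=utc))
    requests = {
        "good": good,
        "no_mfa": replace(good, mfa_verified=False),
        "direct_to_scada": replace(good, destination="scada-01", destination_zone="CONTROL_ROOM"),
        "outside_window": replace(good, requested_at=datetime(2024, 6, 1, 13, tzinfo=utc)),
        "no_ticket": replace(good, ticket="CHG-9999"),
    }
    return {"windows": [window], "requests": requests}


def run_scenarios() -> dict:
    s = sample_scenarios()
    return {name: decide(req, s["windows"]) for name, req in s["requests"].items()}


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:<16} allowed={d.allowed!s:<5} expires={d.expires_at} {d.reasons}")
```

Note that the decision collects every failed check rather than stopping at the first one, so the audit record shows the full picture of why a request was refused.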

Providing data without exposing productive OT environments

Reporting, analytics, and compliance requirements demand data from critical infrastructure OT environments – but not every IT application requires direct access to productive OT systems for this purpose.

The recommended approach is secure data decoupling:

The OT environment writes the required data in a controlled manner to a historian/replica instance within or close to the OT DMZ, while IT systems access this data with read-only permissions.

This keeps productive OT databases and SCADA systems isolated from IT queries.
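The following Python model is an added example, not LANCOM code or a description of a particular product: it shows the decoupling pattern with a productive SCADA store that only the OT side may query, a historian/replica in the OT DMZ that accepts writes only from the OT side and only for an approved list of tags, and read-only queries from IT that never reach the SCADA store. Tag names and values are constructed; in a real deployment the same roles would be enforced by database replication accounts and the firewall conduits between the zones.

```python
"""Data decoupling via a historian/replica in the OT DMZ.

Added illustration in Python, not LANCOM code. The OT side pushes an approved
subset of process tags into a replica; IT systems get read-only access to the
replica and never touch the productive SCADA store. Tag names and values are
constructed; zone labels stand in for the accounts and conduits a real system
would use.
"""
from datetime import datetime, timezone

OT_WRITER_ZONES = {"CONTROL_ROOM"}   # only the OT collector may read SCADA and write the replica
IT_READER_ZONES = {"IT"}             # BI / controlling read the replica, nothing else


class ScadaStore:
    """Productive OT data store; counts every query so isolation can be shown."""

    def __init__(self, tags: dict):
        self.tags = dict(tags)
        self.queries = 0

    def read_all(self, zone: str) -> dict:
        if zone not in OT_WRITER_ZONES:
            raise PermissionError(f"{zone} may not query the productive SCADA store")
        self.queries += 1
        return dict(self.tags)


class HistorianReplica:
    """Replica in the OT DMZ: OT writes (approved tags only), IT reads."""

    def __init__(self, replicated_tags):
        self.allowed = frozenset(replicated_tags)
        self.store = {}          # tag -> (value, timestamp)
        self.access_log = []     # (timestamp, zone, operation, outcome)

    def replicate(self, zone: str, samples: dict, ts: datetime) -> list:
        """Accept a batch from the OT side; return the tags filtered out."""
        if zone not in OT_WRITER_ZONES:
            self.access_log.append((ts, zone, "WRITE", "denied"))
            raise PermissionError(f"{zone} is not allowed to write to the replica")
        accepted = {t: v for t, v in samples.items() if t in self.allowed}
        for t, v in accepted.items():
            self.store[t] = (v, ts)
        self.access_log.append((ts, zone, "WRITE", f"{len(accepted)} tags"))
        return sorted(set(samples) - set(accepted))

    def query(self, zone: str, tags, ts: datetime) -> dict:
        """Read-only access for IT; unknown or unreplicated tags are simply absent."""
        if zone not in IT_READER_ZONES:
            self.access_log.append((ts, zone, "READ", "denied"))
            raise PermissionError(f"{zone} is not allowed to read the replica")
        result = {t: self.store[t] for t in tags if t in self.store}
        self.access_log.append((ts, zone, "READ", f"{len(result)} tags"))
        return result


def replicate_from_scada(scada: ScadaStore, replica: HistorianReplica, ts: datetime) -> list:
    """Run by a collector on the OT side: pull from SCADA, push into the replica."""
    return replica.replicate("CONTROL_ROOM", scada.read_all("CONTROL_ROOM"), ts)


def demo() -> dict:
    # Constructed process data; setpoints and safety state are deliberately not replicated.
    scada = ScadaStore({"pump1.flow": 12.5, "pump1.setpoint": 13.0,
                        "tank1.level": 0.71, "safety.interlock": 1})
    replica = HistorianReplica(["pump1.flow", "tank1.level"])
    ts = datetime(2024, 6, 1, 9, tzinfo=timezone.utc)
    filtered = replicate_from_scada(scada, replica, ts)

    queries_before = scada.queries
    report = replica.query("IT", ["pump1.flow", "tank1.level", "pump1.setpoint"], ts)
    it_write_rejected = it_direct_read_rejected = False
    try:
        replica.replicate("IT", {"pump1.flow": 0.0}, ts)
    except PermissionError:
        it_write_rejected = True
    try:
        scada.read_all("IT")
    except PermissionError:
        it_direct_read_rejected = True
    return {"filtered": filtered, "report": report,
            "scada_queries_during_it_read": scada.queries - queries_before,
            "it_write_rejected": it_write_rejected,
            "it_direct_read_rejected": it_direct_read_rejected, "replica": replica}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v if k != 'replica' else v.access_log}")
```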

Infographic titled “Data decoupling via historian / replica” showing a segmented IT/OT architecture with the layers “LEVEL 4 IT,” “LEVEL 3.5 OT DMZ,” “LEVEL 3 control room,” and “LEVEL 2 controllers / cells.” In the upper IT section on the left, a “LANCOM WAN/LAN perimeter firewall” is connected to “LANCOM switches.” On the right, a “BI / controlling team” is shown alongside the note “requests data.” In the “LEVEL 3.5 OT DMZ” layer, a “LANCOM IT/OT perimeter firewall” with connected “LANCOM switches” is displayed. To the right is a database symbol labeled “Historian / Replica.” Arrows indicate the data direction: “OT writes”; “IT reads.” Additional notes state: “Read-only permission for IT”; “Strictly controlled replication of data.” In the OT section “LEVEL 3 control room,” a “SCADA” system is shown connected via “LANCOM switches.” In the lower section “LEVEL 2 controllers / cells,” the following are displayed: “PLC networks” and “Safety controllers.” The graphic visualizes controlled data replication from OT toward IT using a historian/replica approach, where OT writes data and IT receives read-only access only. Communication is segmented via firewalls and switches between IT and OT zones.

Secure data decoupling between IT and OT networks through historian / replica systems with controlled data replication, read-only access for IT systems, and a segmented network architecture.

Infographic titled “Controlled update path in critical and OT systems” showing a segmented IT/OT architecture with the levels “LEVEL 5 Internet, external,” “LEVEL 4.5 IT DMZ,” “LEVEL 4 IT,” “LEVEL 3.5 OT DMZ,” and “LEVEL 3 control room.” In the upper “LEVEL 5” section, a “LANCOM WAN VPN gateway” and an “OEM / manufacturer” are shown. Above them is the note: “Security-relevant update for OT system.” In the “LEVEL 4.5 IT DMZ” layer, the following components are displayed: “LANCOM WAN/LAN perimeter firewall,” “LANCOM switches,” and “Proxy.” Next to them is the note: “Update synchronization.” In the “LEVEL 3.5 OT DMZ” section, the following are shown: “LANCOM IT/OT perimeter firewall,” “LANCOM switches,” and “Update and patch server.” To the right is the note: “Verify update integrity (signatures / checksums).” In the lower “LEVEL 3 control room” section, “SCADA” and “Engineering” are displayed. Next to them is the note: “Authenticated and documented updates / patches.” Arrows illustrate the controlled transfer of updates from the internet or manufacturer through the VPN gateway, proxy, firewalls, and update/patch server into the OT systems. The graphic visualizes a secured update process with integrity verification, documentation, and segmented communication between IT and OT zones.

Controlled update path for OT systems with VPN gateway, proxy, firewalls, update / patch server, and integrity verification within segmented IT / OT networks.

Organizing changes and updates in a controlled manner

Especially in OT-related environments, changes are not handled as spontaneous standard IT processes.

Updates and patches are delivered through defined DMZ pathways using a repository / patch server, their integrity and authenticity are verified, approvals are documented, and rollouts are tied to scheduled maintenance windows.

The OT environment does not obtain updates directly from the internet. This is precisely what makes changes auditable and reduces supply chain risks during operations.
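The following Python sketch is an added example, not LANCOM code or the behaviour of any particular patch server product. It models the update and patch server in the OT DMZ: an update arrives from the manufacturer via the IT DMZ proxy together with a manifest; the server first verifies the manifest's authenticity, then every file's SHA-256 checksum against the manifest, and releases the update to the control room only with a documented approval and inside the scheduled maintenance window, producing an auditable record either way. As an assumption to keep the example standard-library only, an HMAC with a pre-shared key stands in for the manufacturer's signature; real vendors sign manifests with asymmetric keys, and the verification step would use the vendor's public key instead. File names, versions, tickets and times are constructed.

```python
"""Controlled update path: verify, approve, release inside a maintenance window.

Added illustration in Python, not LANCOM code. Models the patch server in the
OT DMZ. Constructed assumptions: an HMAC with a pre-shared key stands in for the
manufacturer's signature (real vendors use asymmetric signatures); file names,
versions, tickets and times are made up.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

MANUFACTURER_KEY = b"constructed-demo-verification-key"   # stand-in for the vendor signing key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes = MANUFACTURER_KEY) -> str:
    """Manufacturer side (constructed): authenticate the canonical manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, files: dict, key: bytes = MANUFACTURER_KEY) -> tuple:
    """Patch-server checks before anything is staged for OT: (ok, problems)."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature invalid"]   # checksums are then untrusted too
    problems = []
    for name, expected in manifest["files"].items():
        if name not in files:
            problems.append(f"{name}: file missing")
        elif sha256_hex(files[name]) != expected:
            problems.append(f"{name}: checksum mismatch")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"{name}: not listed in manifest")
    return not problems, problems


@dataclass(frozen=True)
class Approval:
    ticket: str
    approved_by: str
    window_start: datetime
    window_end: datetime


def release(manifest: dict, signature: str, files: dict, approval: Approval, now: datetime) -> dict:
    """Produce an auditable release record, or a refusal carrying the reason."""
    ok, problems = verify_update(manifest, signature, files)
    record = {"product": manifest["product"], "version": manifest["version"],
              "ticket": approval.ticket, "approved_by": approval.approved_by,
              "time": now.isoformat(), "released": False}
    if not ok:
        record["reason"] = problems
        return record
    if not (approval.window_start <= now < approval.window_end):
        record["reason"] = ["outside maintenance window"]
        return record
    record["released"] = True
    record["files"] = dict(manifest["files"])
    return record


def demo() -> dict:
    """Constructed update and four release attempts, only one of which may succeed."""
    utc = timezone.utc
    firmware = b"constructed SCADA update payload v1.2.3"
    manifest = {"product": "scada-server", "version": "1.2.3",
                "files": {"scada-1.2.3.bin": sha256_hex(firmware)}}
    sig = sign_manifest(manifest)   # done by the manufacturer, verified by the patch server
    approval = Approval("CHG-0002", "ot.admin",
                        datetime(2024, 6, 1, 8, tzinfo=utc), datetime(2024, 6, 1, 12, tzinfo=utc))
    in_window = datetime(2024, 6, 1, 9, tzinfo=utc)
    good_files = {"scada-1.2.3.bin": firmware}
    return {
        "good": release(manifest, sig, good_files, approval, in_window),
        "tampered": release(manifest, sig, {"scada-1.2.3.bin": firmware + b"\x00"}, approval, in_window),
        "forged_manifest": release({**manifest, "version": "9.9.9"}, sig, good_files, approval, in_window),
        "off_hours": release(manifest, sig, good_files, approval, datetime(2024, 6, 1, 14, tzinfo=utc)),
    }


if __name__ == "__main__":
    for name, rec in demo().items():
        print(f"{name:<16} released={rec['released']!s:<5} {rec.get('reason', '')}")
```

The signature check runs before the checksum comparison on purpose: if the manifest itself cannot be trusted, its checksums prove nothing, so the server stops there rather than reporting a misleading "checksums match".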

From reference architecture to project reality: How LANCOM supports critical infrastructure and OT environments

LANCOM Systems stands for digital sovereignty, supply chain transparency, and compliance (e.g., NIS-2 and CER directives), supported by a high level of manufacturing depth in Europe.

With our IT reference architecture, we support the compliant implementation of resilient and secure IT infrastructures for critical infrastructure and OT environments. In addition, our products and networking solutions provide the required level of cybersecurity, operational continuity, and data sovereignty for critical infrastructures:

IT security

For example, LANCOM R&S®Unified Firewalls secure segment boundaries as WAN / LAN perimeter firewalls and IT / OT perimeter firewalls, enforce default deny policies and explicit approvals, and make transitions between IT, the IT demilitarized zone (IT DMZ), the OT demilitarized zone (OT DMZ), and productive OT environments controllable.

WAN & VPN

LANCOM VPN gateways terminate remote access connections securely outside the productive OT environment and provide the foundation for strong authentication, regulated maintenance windows, and traceable remote processes.

LAN & Switching

LANCOM switches ensure secure segmentation, port discipline, and resilient communication relationships across all zones – extending from the control room to cell and field levels.

Wi-Fi

Where wireless connectivity is appropriate and architecturally justifiable, LANCOM access points complement the target architecture as a clearly segmented part of the infrastructure.

In the OT DMZ, these network components are complemented by a jump host, update / patch server, and historian / replica systems to create a practical overall model that enables controlled remote maintenance, data provisioning, and change management without unnecessarily exposing the productive OT environment.

LANCOM Systems provides a robust, auditable, and sovereign networking foundation that enables organizations to implement critical infrastructure and OT requirements in a structured, compliant, and sustainably operable manner.


Typical use cases in critical infrastructure and OT networks

Security technology

Building an autonomous IT network for implementing security technology enables the secure and independent operation of critical security functions – isolated from productive corporate or public networks.

For example, cameras, monitoring and alarm systems, as well as electronic locking and access control systems, are consolidated within a dedicated, isolated network and centrally managed.

Building automation

Modern buildings are evolving into highly interconnected digital systems.

An autonomous building management system (BMS) centralizes the control of energy, climate, lighting, access, and security while ensuring that operational building technology (OT) can be operated in a resilient, secure, and economically sustainable manner over the long term.

Secure automation is therefore a key efficiency factor.

Traffic control systems

Where integrity, non-interference, and resilient operations are as critical as they are in traffic control and signaling systems, both IT and OT must meet particularly demanding requirements.

In these environments, the target IT/OT network architecture requires clearly separated communication relationships, dedicated secured management zones, controlled transition points, and integrated security measures — without impermissibly affecting safety or operational behavior.


IT networks for critical infrastructure and OT with LANCOM

LANCOM Systems provides a networking infrastructure that supports the requirements of critical infrastructure and OT security in accordance with regulatory guidelines, such as the German BSI IT Baseline Protection framework and IEC 62443.

The solutions enable the consistent implementation of segmentation and zone concepts, including secure transition points and centrally managed communication relationships based on the principles of least privilege and default deny.

By using standards-based technologies, integrated VPN mechanisms, and centralized management, protected, traceable, and audit-proof communication is ensured. Functions for logging, monitoring, and integration with higher-level security systems (e.g., NAC, SIEM) can be connected through the LANCOM IT Security Ecosystem. With a LANCOM critical infrastructure / OT network solution, you benefit from long-term availability, stable software maintenance, and reliable operations even in distributed infrastructures.

Feel free to contact us directly via the contact form – we will be happy to advise you individually and without obligation regarding your project.

We look forward to working together with you to strengthen digital sovereignty and resilience in Europe.

