A PRAGMATIC DECISION-TREE BASED APPROACH FOR OT NETWORK SEGMENTATION FOR SMALL AND MEDIUM BUSINESSES
Keywords:
cybersecurity, data diode, decision making, network segmentation, operational technology

Abstract
Industrial operators face pressure to connect operational technology (OT) to business systems, partners, and cloud analytics—often without the staff or budget to implement expansive standard frameworks. We present a concise decision framework that maps business dataflow needs to four pragmatic outcomes for network segmentation: air-gapping, next-generation firewalls (NGFW) with deep packet inspection (DPI), constrained serial links, or data diodes. The guiding principle is pragmatic risk reduction: fit controls to real dataflows, operational maturity, and lifecycle cost. Testing the framework on two hypothetical Small and Medium Business (SMB) scenarios demonstrated its effectiveness: 1) For a small manufacturer with low security maturity and no automatic data transfer needs, the framework determined that Air-Gap was the optimal choice, yielding zero CAPEX and maximum risk reduction. 2) For a medium enterprise requiring only one-way cloud analytics export from a low-maturity OT environment, the framework correctly selected a Data Diode, providing physical security guarantees and superior long-term OPEX efficiency compared to implementing an NGFW.
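As an added illustration that is not part of the paper, the decision tree below encodes the two outcomes the abstract reports (no automatic dataflow selects air-gapping; one-way export selects a data diode) and fills the remaining two branches with assumed rules: a bidirectional flow goes to NGFW with DPI only when the operator has the maturity to run DPI policy, otherwise to a constrained serial link. The `Dataflow` fields, the `select_control` name and the two scenario constants are hypothetical constructions, not the paper's own model.

```python
from dataclasses import dataclass
from enum import Enum


class Control(Enum):
    """The four segmentation outcomes named in the abstract."""
    AIR_GAP = "air-gap"
    DATA_DIODE = "data diode"
    SERIAL_LINK = "constrained serial link"
    NGFW_DPI = "NGFW with DPI"


@dataclass(frozen=True)
class Dataflow:
    """Hypothetical inputs to the decision tree (field names are assumptions)."""
    automatic_transfer: bool   # must OT and IT exchange data without a human in the loop?
    bidirectional: bool        # must data flow back into OT (e.g. recipes, remote access)?
    security_maturity: str     # "low" or "high": can staff tune and maintain DPI rules?


def select_control(flow: Dataflow) -> tuple[Control, str]:
    """Walk the tree from the cheapest/strongest control to the most demanding one."""
    if flow.security_maturity not in ("low", "high"):
        raise ValueError(f"unknown maturity level: {flow.security_maturity!r}")
    if not flow.automatic_transfer:
        # Abstract, scenario 1: no automatic dataflow -> disconnect entirely.
        return Control.AIR_GAP, "no machine-to-machine dataflow: zero CAPEX, maximum risk reduction"
    if not flow.bidirectional:
        # Abstract, scenario 2: one-way export -> direction enforced physically.
        return Control.DATA_DIODE, "one-way export: direction enforced in hardware, low long-term OPEX"
    if flow.security_maturity == "high":
        # Assumption: only a team able to maintain DPI rules gets the NGFW outcome.
        return Control.NGFW_DPI, "bidirectional flow with staff to operate DPI policy"
    # Assumption: a bidirectional need without that staff narrows the channel instead.
    return Control.SERIAL_LINK, "bidirectional flow, low maturity: constrain the link to a fixed protocol"


# Constructed scenarios mirroring the two SMB cases in the abstract.
SMALL_MANUFACTURER = Dataflow(automatic_transfer=False, bidirectional=False, security_maturity="low")
MEDIUM_ENTERPRISE = Dataflow(automatic_transfer=True, bidirectional=False, security_maturity="low")

if __name__ == "__main__":
    for name, flow in (("small manufacturer", SMALL_MANUFACTURER), ("medium enterprise", MEDIUM_ENTERPRISE)):
        control, why = select_control(flow)
        print(f"{name}: {control.value} ({why})")
```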
