
Securing brownfield OT networks using a three-pronged approach


Lance Flowerree , Technical Account Manager , Nomios Nederland

3 min. read

Operational Technology (OT) environments, particularly those classified as brownfield networks, often contain legacy systems that were deployed years—or even decades—ago. These systems typically run outdated software, rely on proprietary or insecure protocols, and were not originally designed with cybersecurity in mind. Modernising these networks poses a significant challenge:

How to enhance security without interrupting critical industrial processes or risking downtime?

To effectively secure brownfield OT networks, organisations can implement a three-pronged security strategy. This approach focuses on gaining visibility into the OT environment, protecting non-patchable legacy systems, and enforcing granular control over communications. By combining these elements, organisations can build a resilient, layered defence tailored to the unique constraints of industrial environments.

How to secure a brownfield OT network in practice

Each OT environment is unique, but brownfield networks tend to share common security pain points. Addressing these effectively requires a practical, layered strategy. Below, we explore three critical areas that form the foundation for securing brownfield OT networks without disrupting operations.

1. Asset visibility and monitoring

Goal:

To discover, monitor, and understand every device and communication flow within the OT environment.

Key practices:

  • Use passive monitoring tools that can identify all connected devices without interfering with operations.
  • Build an inventory of assets including device types, firmware versions, and network behaviour.
  • Establish baseline behaviour profiles to detect deviations and potential threats.
  • Continuously monitor traffic to identify rogue devices or unauthorised communications.

Why it matters:

Brownfield OT environments often contain undocumented devices and unsegmented networks. Without visibility, security teams cannot accurately assess risk or respond to incidents. Asset visibility lays the foundation for all subsequent security measures, enabling informed decision-making and targeted remediation.
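The practices above, as an added example that is not code from the original article or from any monitoring product: a passive inventory that only consumes flow records (as a SPAN-port or TAP sensor would emit them), learns a baseline of normal communication, and afterwards alerts on unknown devices and unbaselined flows. The record format, the addresses and the sample flows are all constructed for illustration.

```python
"""Passive asset discovery and behavioural baselining for an OT network.

Added example, not code from the original article. It models what a passive
monitoring tool does with flow records taken from a SPAN port or network TAP:
it builds an asset inventory, learns a baseline of normal communication, and
afterwards alerts on unknown devices and unbaselined flows. The record format
and every address below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # application protocol as identified by the sensor, e.g. "modbus"
    dport: int


@dataclass
class Asset:
    ip: str
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)


class PassiveInventory:
    """Learns from observed flows only; it never sends a packet to the network."""

    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}
        self.baseline: set[Flow] = set()
        self.learning = True

    def observe(self, flow: Flow) -> list[str]:
        """Record one flow. During learning the flow extends the baseline;
        after freeze() anything not seen during learning produces an alert."""
        alerts: list[str] = []
        for ip in (flow.src, flow.dst):
            if ip not in self.assets:
                if not self.learning:
                    alerts.append(f"new device {ip} first seen in "
                                  f"{flow.src}->{flow.dst} {flow.proto}/{flow.dport}")
                self.assets[ip] = Asset(ip)
        for ip, peer in ((flow.src, flow.dst), (flow.dst, flow.src)):
            self.assets[ip].protocols.add(flow.proto)
            self.assets[ip].peers.add(peer)
        if self.learning:
            self.baseline.add(flow)
        elif flow not in self.baseline:
            alerts.append(f"unbaselined flow {flow.src}->{flow.dst} "
                          f"{flow.proto}/{flow.dport}")
        return alerts

    def freeze(self) -> None:
        """End the learning phase; from now on deviations are reported."""
        self.learning = False


# Constructed flow records. Learning phase: the HMI and historian poll two PLCs.
LEARNING_FLOWS = [
    Flow("10.10.1.10", "10.10.2.21", "modbus", 502),   # HMI -> PLC line 1
    Flow("10.10.1.10", "10.10.2.22", "modbus", 502),   # HMI -> PLC line 2
    Flow("10.10.1.20", "10.10.2.21", "modbus", 502),   # historian -> PLC line 1
]
# Live phase: the same polling plus two deviations worth investigating.
LIVE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.21", "modbus", 502),
    Flow("10.10.1.20", "10.10.2.21", "modbus", 502),
    Flow("10.10.1.99", "10.10.2.21", "modbus", 502),   # unknown host polling a PLC
    Flow("10.10.1.10", "10.10.2.21", "ssh", 22),       # HMI opening SSH to a PLC
]


def run_demo() -> tuple[PassiveInventory, list[str]]:
    inv = PassiveInventory()
    for flow in LEARNING_FLOWS:
        inv.observe(flow)
    inv.freeze()
    alerts: list[str] = []
    for flow in LIVE_FLOWS:
        alerts.extend(inv.observe(flow))
    return inv, alerts


if __name__ == "__main__":
    inventory, found = run_demo()
    for asset in inventory.assets.values():
        print(asset.ip, sorted(asset.protocols), sorted(asset.peers))
    for line in found:
        print("ALERT:", line)
```

Two design points carry over to real deployments: the learning window must be long enough to cover infrequent but legitimate traffic (batch changeovers, periodic backups), or those flows will surface as false positives; and an unknown device is still added to the inventory when it appears, because the point of visibility is to record what is actually on the network, not only what was planned.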

2. Protection for legacy systems

Goal:

To safeguard legacy OT devices that cannot be updated, patched, or replaced due to operational or compliance constraints.

Key practices:

  • Deploy protocol-aware firewalls or security appliances that can inspect and filter OT-specific protocols (e.g., Modbus, DNP3).
  • Utilise host-based protections where possible, such as intrusion prevention or application whitelisting, designed for industrial endpoints.
  • Implement network segmentation or isolation devices (e.g., one-way gateways) to control data flow into or out of sensitive areas.

Why it matters:

Legacy systems are often the most vulnerable points in an OT network. Since direct remediation (e.g., patching) is typically not feasible, using compensating controls to isolate and protect these assets is essential to reducing exposure and preventing compromise.
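What a protocol-aware filter in front of a non-patchable PLC actually does, as an added example that is not code from the original article or from any vendor appliance: parse the Modbus/TCP MBAP header and function code, drop malformed frames, and permit only the function classes each source is entitled to use. The frame layout follows the public Modbus/TCP specification; the addresses, the policy and the sample frames are constructed for illustration.

```python
"""Protocol-aware filtering of Modbus/TCP requests in front of a legacy PLC.

Added example, not code from the original article or from any vendor product.
It shows the core of what a protocol-aware firewall does for a device that
cannot be patched: parse the MBAP header and function code, drop malformed
frames, and permit only the function classes each source is entitled to use.
Addresses and the policy are constructed; the frame layout follows the public
Modbus/TCP specification (7-byte MBAP header followed by the PDU).
"""
import struct
from dataclasses import dataclass

READ_FUNCTIONS = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}     # write single / multiple coils and registers


class MalformedFrame(ValueError):
    """Raised for frames that do not satisfy the MBAP header rules."""


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    if len(frame) < 8:
        raise MalformedFrame("shorter than MBAP header plus function code")
    tid, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0:
        raise MalformedFrame(f"protocol id {protocol_id}, expected 0")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise MalformedFrame("length field does not match frame size")
    return ModbusRequest(tid, unit_id, frame[7], frame[8:])


def build_request(tid: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Assemble a well-formed request (used here only to construct sample traffic)."""
    return struct.pack("!HHHB", tid, 0, len(data) + 2, unit_id) + bytes([function]) + data


def classify(function: int) -> str:
    if function in READ_FUNCTIONS:
        return "read"
    if function in WRITE_FUNCTIONS:
        return "write"
    return "other"   # diagnostics, file transfer, vendor-specific: never allowed here


# Constructed policy: which function classes each source may send to the PLC.
POLICY = {
    "10.10.1.10": {"read"},            # HMI
    "10.10.1.20": {"read"},            # historian
    "10.10.1.30": {"read", "write"},   # engineering workstation
}


def filter_frame(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Return ("ALLOW" | "DROP", reason) for one request frame from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except MalformedFrame as exc:
        return "DROP", f"{src_ip} malformed frame: {exc}"
    category = classify(req.function)
    if category in POLICY.get(src_ip, set()):
        return "ALLOW", f"{src_ip} fc={req.function} ({category}) unit={req.unit_id}"
    return "DROP", f"{src_ip} fc={req.function} ({category}) not permitted"


# Constructed sample traffic towards the PLC.
SAMPLE_TRAFFIC = [
    ("10.10.1.10", build_request(1, 1, 3, struct.pack("!HH", 0, 10))),   # HMI reads registers
    ("10.10.1.10", build_request(2, 1, 6, struct.pack("!HH", 0, 1))),    # HMI attempts a write
    ("10.10.1.30", build_request(3, 1, 16, struct.pack("!HHB", 0, 1, 2) + b"\x00\x01")),  # engineering write
    ("10.10.1.99", build_request(4, 1, 3, struct.pack("!HH", 0, 10))),   # source not in policy
    ("10.10.1.10", b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),  # protocol id 1: malformed
]


def run_demo() -> list[tuple[str, str]]:
    return [filter_frame(src, frame) for src, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, reason)
```

The check is deliberately allow-listed: anything that is not a recognised read or write from a source with an explicit entitlement is dropped, including well-formed but unexpected function codes. Because the PLC itself cannot be changed, the filter is the compensating control, and its drop log doubles as the detection feed for the monitoring step.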

3. Traffic segmentation and access control

Goal:

To control and minimise communications between devices, enforcing the principle of least privilege.

Key practices:

  • Create network zones based on device function, criticality, or risk profile.
  • Implement micro-segmentation, where traffic is restricted not just between zones but between individual devices or applications.
  • Use firewalls or policy enforcement tools to automate access control based on defined rules.
  • Continuously adjust policies based on asset behaviour, threat intelligence, and operational changes.

Why it matters:

Segmentation limits the ability of threats to move laterally across the network. In the event of a compromise, well-defined zones and policies can contain the incident and protect critical operations. Automating segmentation also ensures that security policies scale effectively as the environment evolves.
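The zoning and micro-segmentation practices above, as an added example that is not code from the original article or from any policy-enforcement product: observed flows are evaluated against zone-to-zone rules, explicit device-pair rules for traffic the zone rules do not cover, and default deny for everything else, including assets the inventory does not know. Zones, addresses and rules are constructed for illustration.

```python
"""Zone-based segmentation policy with device-level micro-segmentation.

Added example, not code from the original article. It evaluates observed
flows against (a) zone-to-zone rules and (b) explicit device-pair rules,
with default deny for everything else. Zones, addresses and rules are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


# Constructed asset-to-zone map, the output of the asset discovery step.
ZONE_OF = {
    "10.10.1.10": "supervisory",   # HMI
    "10.10.1.20": "supervisory",   # historian
    "10.10.1.30": "engineering",   # engineering workstation
    "10.10.2.21": "control",       # PLC line 1
    "10.10.2.22": "control",       # PLC line 2
    "10.10.9.5": "enterprise",     # office file server
}

# Zone-level rules: (source zone, destination zone, protocol). Default deny.
ZONE_RULES = {
    ("supervisory", "control", "modbus"),
    ("engineering", "control", "modbus"),
}

# Micro-segmentation: explicit device pairs allowed beyond the zone rules.
# Traffic inside a zone is denied unless a pair is listed here.
DEVICE_RULES = {
    ("10.10.1.30", "10.10.2.21", "ssh"),     # engineering ws may reach PLC 1 over SSH
    ("10.10.2.21", "10.10.2.22", "modbus"),  # PLC 1 reads PLC 2 for line handover
}


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("ALLOW" | "DENY", reason) for one flow."""
    src_zone = ZONE_OF.get(flow.src)
    dst_zone = ZONE_OF.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "DENY", "unclassified asset; add it to the inventory before granting access"
    if (flow.src, flow.dst, flow.proto) in DEVICE_RULES:
        return "ALLOW", f"device rule {flow.src}->{flow.dst} {flow.proto}"
    if src_zone == dst_zone:
        return "DENY", f"intra-zone {src_zone} traffic needs an explicit device rule"
    if (src_zone, dst_zone, flow.proto) in ZONE_RULES:
        return "ALLOW", f"zone rule {src_zone}->{dst_zone} {flow.proto}"
    return "DENY", f"no rule for {src_zone}->{dst_zone} {flow.proto}"


# Constructed flows seen on the network.
OBSERVED = [
    Flow("10.10.1.10", "10.10.2.21", "modbus"),   # HMI polls PLC 1
    Flow("10.10.1.30", "10.10.2.21", "ssh"),      # engineering maintenance session
    Flow("10.10.1.30", "10.10.2.22", "ssh"),      # same towards PLC 2: not granted
    Flow("10.10.2.21", "10.10.2.22", "modbus"),   # allowed PLC-to-PLC exchange
    Flow("10.10.2.22", "10.10.2.21", "modbus"),   # reverse direction: not granted
    Flow("10.10.9.5", "10.10.2.21", "modbus"),    # enterprise host reaching a PLC
    Flow("10.10.1.77", "10.10.2.21", "modbus"),   # host missing from the inventory
]


def run_demo() -> list[tuple[str, str]]:
    return [evaluate(flow) for flow in OBSERVED]


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(OBSERVED, run_demo()):
        print(f"{verdict:5} {flow.src}->{flow.dst} {flow.proto}: {reason}")
```

Running the observed flows through the policy before enforcing it is the practical way to introduce segmentation in a brownfield network: every DENY on legitimate traffic is a rule still missing, and reviewing those first avoids cutting off a process when the policy goes live. Rules reference zones and device pairs rather than switch ports or VLANs, so they survive re-addressing and can be regenerated as the asset inventory changes.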

Summary: A layered and sustainable OT defence

The following table brings together the three pillars of this approach, highlighting their purpose and the impact they have on securing brownfield OT networks.

| Security pillar | Purpose | Outcome |
| --- | --- | --- |
| 1. Asset visibility | Discover and monitor all OT assets and their behaviours | Informed risk decisions and rapid threat detection |
| 2. Legacy system protection | Shield non-patchable devices with compensating controls | Minimised exposure of high-risk systems |
| 3. Traffic segmentation | Enforce granular access control through zoning and policies | Contained attack surface and improved resilience |

Building security that works with your OT reality

Securing brownfield OT networks requires more than conventional IT security methods. This three-pronged approach acknowledges the constraints and operational realities of industrial environments, while providing a scalable and sustainable path toward improved OT security. By combining visibility, protection, and segmentation, industrial organisations can build a security framework that not only defends against today’s threats but is adaptable for the future of industrial operations.
