IT/OT Separation Services: What They Cover and How to Evaluate Them

General BASIT/OT separationOT securitysegmentationNIST SP 800-82
June 5, 2026|9 min read

IT/OT separation services design and implement the network, identity, and protocol controls that isolate operational technology — building automation, ICS, and other control systems — from corporate IT, while preserving the data flows the business actually needs. The work typically spans architecture (zones, conduits, VLANs, firewalls), boundary controls (protocol filtering, brokered remote access), identity and credential management, and ongoing monitoring. A defensible service maps to the IEC 62443 zone-and-conduit model and aligns with NIST SP 800-82 guidance; anything that stops at “we put a firewall between them” is incomplete.

The Scenario That Triggers This Conversation

Most building owners and plant operators don't go looking for “IT/OT separation” on their own. The phrase enters the room through one of a few predictable channels:

The owner then calls a provider, the provider says “we do IT/OT separation,” and the proposal that comes back ranges from a two-week VLAN engagement to a year-long redesign with monthly retainer fees. The gap is real: the term doesn't mean one thing. Knowing what the work should actually contain is how you tell a complete proposal from a partial one.

What “IT/OT Separation” Actually Means

IT and OT serve different goals and have different failure modes. IT prioritizes confidentiality and integrity of data; an outage is disruptive but rarely physical. OT prioritizes availability and safety; a write to a register or a BACnet Present_Value moves something physical — a damper, a valve, a chiller stage, an access-control relay. Separating the two means more than putting them on different VLANs. The goal is to ensure that:

That set of properties is what a separation service is supposed to deliver. It is a network engagement, a governance engagement, and an identity engagement — in that order.

How the Work Maps to Standards

Two public references are doing most of the load-bearing work in this space:

The older Purdue Enterprise Reference Architecture (commonly referenced as Levels 0–5) still shows up in vendor decks and remains a useful mental model, but modern guidance treats it as a starting point rather than a prescription — the strict hierarchy doesn't map cleanly onto cloud-connected building stacks, IoT gateways, or remote-access brokers.

A practical translation of the 62443 zone model for building automation is covered in IEC 62443 Security Zones for Building Automation. That entry is the right next read if you're trying to figure out where your zones actually are before you talk to a provider.

What a Complete Separation Service Includes

Use the following list as a scope checklist against any provider proposal. A complete engagement covers all of these; a partial engagement should be explicit about which it is leaving out.

What the Engagement Looks Like in Practice

  1. Discovery and assessment (typically 2–6 weeks). Passive traffic capture on the existing network, asset enumeration, interviews with facilities and IT. Output is a current-state diagram and a gap list against NIST SP 800-82 or IEC 62443.
  2. Target architecture design. Zones, conduits, firewall rule design, remote-access broker placement, identity model. Reviewed jointly by facilities, IT security, and the integrator.
  3. Phased implementation. Network changes are staged to avoid breaking control logic. Common phases: stand up the new boundary infrastructure → migrate non-critical flows → migrate critical flows in a planned maintenance window → decommission the old paths.
  4. Verification. Re-scan to confirm only allowed flows traverse the conduits. Test that the off-ramp works: when a credential is revoked or a session expires, access actually disappears.
  5. Documentation handoff. Diagrams, policies, runbooks, and a known-state baseline that survives the provider leaving.
  6. Ongoing monitoring (optional retainer). Many providers offer continued log review, quarterly architecture reviews, and a defined process for adding flows safely.

How to Evaluate a Provider

Questions that separate complete proposals from partial ones:

Before committing to a provider, a structured self-assessment of the current environment is a useful baseline. The checklist in How to Run a BAS Cybersecurity Audit covers most of what a provider's discovery phase will surface, and walking through it first lets you scope the engagement more tightly.

Common Pitfalls

When to Escalate

Bring in dedicated OT security expertise — either internal or an outside firm with verifiable references — when any of the following are true:

Source Attribution

The guidance in this entry draws on the following publicly available sources:

Additional patterns and field guidance from SiteConduit's work with building owners and integrators.

IT/OT separationOT securitysegmentationNIST SP 800-82IEC 62443

Was this article helpful?

Related Articles

Need to do this remotely? SiteConduit provides secure Layer 2 remote access to BAS networks with protocol-level controls. Join the waitlist.

SC

SiteConduit Technical Team

Idea Networks Inc.

SiteConduit builds managed remote access for building automation. Our knowledge base is maintained by BAS professionals with hands-on experience deploying and troubleshooting BACnet, Niagara, Modbus, and Facility Explorer systems.