Cybersecurity Advisory · Field note

Segmenting Purdue Levels 2–3 at a national utility.

Lessons from an OT/ICS programme covering 11 critical zones and a unified SOC integration.

Author: OT Security · Published: Dec 2025 · Read time: 6 min · Format: Field note
MAST Consulting Group · Cybersecurity Advisory practice

This field note is drawn from live Cybersecurity Advisory engagements. Names and identifying details are anonymised; the patterns, decisions and trade-offs are reproduced as they happened. Read it as case material rather than guidance: the choices made in the moment are not always the choices we would advocate in a clean-room playbook.

Definition

OT/ICS network segmentation applies the Purdue Reference Model to isolate Levels 0–2 (field devices, PLCs, SCADA) from Levels 3–4 (site operations, enterprise) using unidirectional gateways, DMZs, and zone-based firewalling. This field note documents lessons from an 11-critical-zone programme at a national utility, including unified SOC integration without impacting operational continuity.

Why it matters

The pressure on Cybersecurity Advisory programmes is shifting in specific, observable ways:

  • UAE NESA Critical Infrastructure Protection controls (CIP-005 equivalent) and NCA ECC-1 OT addendum require documented zone/conduit models per IEC 62443-3-2; the Purdue segmentation directly satisfies the asset-boundary requirement.
  • ICS-CERT advisories 2023–24 document 140+ vulnerability disclosures in SCADA/HMI products; air-gap or unidirectional-gateway segmentation at the Level 2–3 boundary is the only reliable mitigation for unpatched OT assets.
  • Ransomware campaigns (TRITON/TRISIS successors) explicitly target the Level 3 historian to propagate downward; a hardened DMZ with data diodes prevents cross-zone propagation and protects AED 500M+ generation assets.
  • Saudi Aramco CSCC and ADNOC cybersecurity supply chain requirements mandate IEC 62443-2-4 compliance from OT vendors; zone documentation is a mandatory contract deliverable.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • OT asset inventory (Claroty / Dragos / Nozomi Networks) — asset count per Purdue level, firmware version, open CVE count, and last-seen timestamp per zone.
  • Zone and conduit diagram (IEC 62443-3-2 format) — approved zones, firewall rules per conduit, and unidirectional gateway placement per Level 2–3 boundary.
  • Firewall rule audit log (Palo Alto / Fortinet NGFW) — east-west rule count, any-any rules in OT zones, and denied cross-zone traffic volume.
  • SOC integration log — OT alert volume ingested into SIEM (Splunk / Microsoft Sentinel), use case coverage per MITRE ATT&CK for ICS tactic, and L1 analyst OT triage time.
  • Patch and vulnerability register for OT assets — CVSSv3 score distribution, vendor-supported vs. end-of-life asset ratio, and compensating control documentation.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: OT Security Engineer deploys passive network monitoring (Claroty or Dragos) across Level 2–3 networks in the first three highest-risk zones; produces baseline asset inventory and open CVE count without touching live control networks.
  • Day 31–60: Network Architect designs zone/conduit model per IEC 62443-3-2 for all 11 zones; submits firewall rule change requests to implement deny-by-default between Level 2 and Level 3, with whitelist exceptions documented.
  • Day 61–90: SOC Lead defines 15 OT-specific SIEM use cases mapped to MITRE ATT&CK for ICS (e.g. TA0108 Inhibit Response Function, T0816 Device Restart/Shutdown); configures Claroty alert forwarding to Sentinel.
  • Day 90+: CISO presents zone/conduit documentation to UAE NESA or NCA auditor as CIP-007 / ECC OT addendum evidence; schedules annual penetration test of the IT/OT DMZ using OT-safe tooling (Claroty xDome or Tenable OT Security).
  • Ongoing: OT Security Engineer reviews Dragos WorldView threat intelligence monthly; applies firmware updates during planned maintenance windows with change advisory board approval.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Cross-zone unauthorised traffic events — target: 0 policy violations per month after segmentation deployment.
  • OT asset inventory completeness — target: ≥95% of field devices visible in Claroty/Dragos within 60 days.
  • Critical CVE (CVSSv3 ≥9.0) exposure on OT assets — target: ≤5% of assets with unmitigated critical vulnerabilities.
  • SOC OT use case coverage (MITRE ATT&CK for ICS tactics) — target: ≥12 of 12 tactics with at least one detection rule.
  • Time to detect anomalous OT network behaviour (MTTD) — target: ≤15 minutes for Purdue Level 2 lateral movement.
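The deny-by-default conduit design in the Day 31–60 step, the firewall rule audit evidence listed under evidence sources, and the cross-zone unauthorised traffic metric above all reduce to one check: a zone model carrying Purdue levels, a rule set evaluated first-match, and observed flows scored against it. The block below is an added example written for this note; it is not code from MAST Consulting Group or from any of the vendor tools named on the page. The zone names, rule schema, rules and flow records are constructed, first-match evaluation with implicit deny is assumed, and the probe port 65000 used to test deny-by-default is an arbitrary choice.

```python
"""Zone/conduit policy checks for a Purdue Level 2/3 boundary (added example).

Not code from the field note or any vendor product. Zones, rules and flows are
constructed; the rule schema is a simplified stand-in for an NGFW rule export
and first-match evaluation with implicit deny is assumed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed zone model: zone name -> Purdue level (IEC 62443-3-2 style).
# 3.5 is the conventional label for the IT/OT DMZ between Level 3 and Level 4.
ZONES = {
    "plc-ring-a": 1,
    "scada-a": 2,
    "hmi-a": 2,
    "historian": 3,
    "ot-dmz": 3.5,
    "enterprise": 4,
}
ANY = "any"  # wildcard in a rule field


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or ANY
    port: Optional[int]     # None matches any port
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


def crosses_l2_l3(src: str, dst: str) -> bool:
    """True when traffic crosses the Level 2 / Level 3 boundary in either direction."""
    a, b = ZONES[src], ZONES[dst]
    return (a <= 2 < b) or (b <= 2 < a)


def matches(rule: Rule, flow: Flow) -> bool:
    """Wildcard-aware match of one rule against one flow."""
    return (rule.src_zone in (ANY, flow.src_zone)
            and rule.dst_zone in (ANY, flow.dst_zone)
            and rule.proto in (ANY, flow.proto)
            and rule.port in (None, flow.port))


def evaluate(rules, flow: Flow) -> str:
    """First-match evaluation; no matching rule is an implicit deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def any_any_rules_in_ot(rules):
    """Allow rules with wildcard protocol and port that touch an OT zone (Level <= 3)."""
    def touches_ot(zone):
        return zone == ANY or ZONES[zone] <= 3
    return [r for r in rules
            if r.action == "allow" and r.proto == ANY and r.port is None
            and (touches_ot(r.src_zone) or touches_ot(r.dst_zone))]


def default_deny_holds(rules) -> bool:
    """Probe every L2/L3 zone pair on a port no conduit should name; all must be denied."""
    for src in ZONES:
        for dst in ZONES:
            if src != dst and crosses_l2_l3(src, dst):
                probe = Flow(src, dst, "tcp", 65000)  # constructed probe port
                if evaluate(rules, probe) == "allow":
                    return False
    return True


def cross_zone_violations(rules, flows):
    """Observed flows that crossed the L2/L3 boundary and were not on the allow-list:
    the 'cross-zone unauthorised traffic events' metric."""
    return [f for f in flows
            if crosses_l2_l3(f.src_zone, f.dst_zone) and evaluate(rules, f) == "deny"]


# Constructed rule set: explicit conduits first, one weak exception, then deny-by-default.
RULES = [
    Rule("scada-a", "historian", "tcp", 4840, "allow"),   # OPC UA from SCADA to historian
    Rule("historian", "ot-dmz", "tcp", 443, "allow"),     # historian replica out to the DMZ
    Rule("hmi-a", "historian", ANY, None, "allow"),       # weak: any-any exception into Level 3
    Rule(ANY, ANY, ANY, None, "deny"),
]

# Constructed flow sample, as a firewall log or passive sensor would report it.
FLOWS = [
    Flow("scada-a", "historian", "tcp", 4840),   # permitted conduit
    Flow("hmi-a", "historian", "tcp", 445),      # SMB from HMI into Level 3
    Flow("enterprise", "scada-a", "tcp", 3389),  # RDP from enterprise down to Level 2
    Flow("historian", "ot-dmz", "tcp", 443),     # permitted conduit
]


def report(rules=RULES, flows=FLOWS) -> dict:
    """The four figures a monthly evidence pack would carry for this boundary."""
    return {
        "east_west_rule_count": sum(1 for r in rules if r.src_zone != r.dst_zone),
        "any_any_in_ot": len(any_any_rules_in_ot(rules)),
        "default_deny_holds": default_deny_holds(rules),
        "cross_zone_violations": len(cross_zone_violations(rules, flows)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Note the interaction between the two results: the any-any exception from hmi-a into the historian makes default_deny_holds false and at the same time hides the SMB flow from the violation count, so a month with few violations is only meaningful evidence once the rule audit itself is clean. Replacing that exception with a port-scoped allow restores deny-by-default and the SMB flow surfaces as a violation.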

How it played out

The engagement began the way these always do: with a specific trigger (here, segmenting Purdue Levels 2–3 across 11 critical zones alongside a unified SOC integration) and an executive sponsor with limited patience for theoretical answers.

The first instinct on the client side was to add tooling. The first instinct on our side was to fix the board cyber pack so that whatever tooling was added would have somewhere defensible to land.

What surprised the team, and what is worth noting for anyone running similar Cybersecurity Advisory work, is how much of the value came from re-sequencing existing activities rather than introducing new ones.

  • Trigger. The work was sponsored after a near-miss the executive team could no longer rationalise.
  • First week. Stabilise the cyber strategy; pause anything that risked making it worse.
  • Weeks 2–6. Rebuild the working evidence cadence; the regulator-facing story followed naturally once the internal cadence was honest.
  • What we'd do differently. Engage the CISO on day one, not after the diagnostic.

Pitfalls we keep seeing

Across MAST Consulting Group's Cybersecurity Advisory portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: identity controls that stop at email but not at admin tooling.
  • Pattern: logging without a use case behind each source.
  • Pattern: a strategy that lists capabilities but not outcomes.
  • Pattern: IR plans untested against the company's actual likely scenarios.

In each case, what good looks like is the same: the control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Cybersecurity Advisory engagements because the integrations are cheap and the evidence is defensible:

  • SIEM/XDR
  • Identity (Entra, Okta, Ping)
  • PAM (CyberArk, BeyondTrust, Delinea)

Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs Cybersecurity Advisory programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this field note is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Cybersecurity Advisory programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.

Cybersecurity Advisory

Move from controls to resilience.

From Zero Trust roadmaps to SOC build/buy decisions, ransomware drills and OT segmentation — practical work led by CISOs who have run programmes at GCC banks, telcos and utilities.

  • CISO-led 30-minute strategy session
  • Quick-win architecture review
  • Tabletop exercise design for board or exec

Prefer email? info@mastcgroup.com
