Selection & Interfaces
Chapter 5 — Core product selection criteria, interface specifications, typical wiring logic, and product capability comparison tables
5.1 Core Product Categories
The OT/IT network segmentation solution requires five categories of core products, each serving a distinct security function in the zone architecture. Product selection within each category must satisfy both the functional requirements of the specific deployment scenario and the environmental requirements of the installation location (temperature range, ingress protection, vibration tolerance, power supply). The following product showcase presents representative equipment from each category.
Figure 5.1: Core Product Lineup — From left to right: Industrial Firewall (1U rack-mount), Unidirectional Gateway/Data Diode, Industrial Managed Switch (DIN rail), Bastion/PAM Server Appliance, and OT IDS Sensor (passive TAP). Each product is labeled with key specifications.
| Product Category | Primary Function | Deployment Location | Form Factor Options | Key Standards |
|---|---|---|---|---|
| Industrial Firewall (OT-FW) | Zone boundary enforcement, DPI, protocol whitelist | Industrial DMZ (OT side) | 1U rack-mount, DIN rail | IEC 62443-4-2, NERC CIP |
| Unidirectional Gateway (Data Diode) | Hardware-enforced one-way data transfer | Industrial DMZ (high-security path) | 1U rack-mount, appliance | IEC 62443-3-3 SR 5.1 |
| Industrial Managed Switch | Zone-internal switching, VLAN, port security | Control Zone, OT Core Zone | DIN rail, rack-mount, IP67 | IEC 61850-3, IEEE 1613 |
| Bastion / PAM Server | Privileged access control, session recording | Industrial DMZ | 1U rack-mount, VM appliance | IEC 62443-2-4, NIST 800-53 |
| OT IDS / Network Sensor | Passive traffic monitoring, anomaly detection | OT Core Zone, Control Zone | Passive TAP, 1U rack-mount | IEC 62443-3-3 SR 6.2 (continuous monitoring) |
5.2 Industrial Firewall — Interface and Connection Logic
The industrial firewall is the primary enforcement device at the OT/IT boundary. Its interface configuration must be carefully planned to ensure that IT-side and OT-side traffic is physically separated at the port level, with no shared physical interfaces between zones. The management interface must be on a dedicated, out-of-band management network that is separate from both the IT and OT production networks.
Figure 5.2: Industrial Firewall Interface and Connection Logic — Shows IT-side connections (IT-LAN1 to IT-LAN4, blue), OT-side connections (OPC UA/Modbus/PROFINET to OT Switch, green), SFP fiber backbone, management port (orange), and out-of-band management network with Syslog server.
| Interface | Type | Zone Assignment | Permitted Protocols | Speed | Notes |
|---|---|---|---|---|---|
| GbE 1–4 (IT side) | RJ45 Copper | IT Network | HTTPS, Syslog, NTP, SFTP | 1 Gbps | Connected to IT switch/DMZ switch IT segment |
| GbE 5–8 (OT side) | RJ45 Copper | OT Network | OPC UA, Modbus TCP, PROFINET | 1 Gbps | Connected to OT switch; DPI enforced. PROFINET RT is a Layer 2 protocol (not IP-routed), so inspecting it requires the firewall to bridge these ports in transparent mode |
| SFP 1–2 (Fiber) | SFP+ LC | OT Backbone | OPC UA (high-speed historian) | 1/10 Gbps | Long-distance OT backbone; fiber only |
| MGMT Port | RJ45 Copper | OOB Management | HTTPS (management UI), SNMPv3 | 100 Mbps | Must be on the isolated OOB management network (dedicated management switch, or at minimum a management VLAN that is not trunked to any production port); SNMPv1/v2c disabled |
| Console Port | RJ45/DB9 | OOB Management | Serial console (9600/115200 baud) | N/A | Emergency access; physical access required |
| USB Port | USB-A | Local only | Firmware update, config backup | USB 3.0 | Disable USB if not required; log all USB events |
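The three rules in this section (one zone per physical port, no shared interfaces between zones, management plane only on the out-of-band network) are easy to state and easy to violate during patching. The following pre-deployment check is an added example for this chapter, not code from the original document or from any firewall vendor. The interface plan it checks is constructed to mirror the table above and deliberately contains three defects; the zone names (`IT`, `OT`, `OOB-MGMT`, `LOCAL`) and the protocol sets are assumptions.

```python
"""Consistency check for an industrial firewall interface plan.

Added example; not part of the original document and not a vendor tool.
The plan below is constructed to mirror the 5.2 interface table and
deliberately contains three defects so the checks have something to report.
Zone names and protocol sets are assumptions, not values from the page.
"""
from dataclasses import dataclass

OT_PROTOCOLS = frozenset({"OPC UA", "Modbus TCP", "PROFINET", "DNP3", "EtherNet/IP"})
IT_PROTOCOLS = frozenset({"HTTPS", "Syslog", "NTP", "SFTP"})


@dataclass(frozen=True)
class Interface:
    name: str
    zones: frozenset                         # zones the port is physically patched into
    transit: frozenset = frozenset()         # protocols allowed to pass through the port
    local_services: frozenset = frozenset()  # services the firewall itself listens on here
    enabled: bool = True


def check_plan(plan):
    """Return a list of (interface, finding) tuples; an empty list means the plan
    satisfies the 5.2 rules: one zone per physical port, management plane only on
    the out-of-band network, IT and OT protocol sets never mixed on one port."""
    findings = []
    for itf in plan:
        if not itf.enabled:
            continue
        if len(itf.zones) != 1:
            findings.append((itf.name, f"patched into {sorted(itf.zones) or 'no zone'}; "
                             "a physical port must belong to exactly one zone"))
            continue
        (zone,) = itf.zones
        if zone != "OOB-MGMT" and itf.local_services:
            findings.append((itf.name, f"firewall services {sorted(itf.local_services)} "
                             f"reachable from zone {zone}; management plane must be OOB only"))
        if zone == "OOB-MGMT" and itf.transit:
            findings.append((itf.name, "management port must not carry transit traffic"))
        if zone == "IT" and itf.transit & OT_PROTOCOLS:
            findings.append((itf.name, f"OT protocols {sorted(itf.transit & OT_PROTOCOLS)} "
                             "on an IT-side port"))
        if zone == "OT" and itf.transit & IT_PROTOCOLS:
            findings.append((itf.name, f"IT protocols {sorted(itf.transit & IT_PROTOCOLS)} "
                             "on an OT-side port"))
        if zone == "LOCAL":
            findings.append((itf.name, "local-only port is enabled; disable unless there is a documented need"))
    return findings


def violating_interfaces(plan):
    """Sorted, de-duplicated names of interfaces with at least one finding."""
    return sorted({name for name, _ in check_plan(plan)})


# Constructed plan modelled on the 5.2 table. Defects: GbE6 is patched into both
# zones, GbE7 exposes the management UI on the OT side, and the USB port is enabled.
PLAN = [
    Interface("GbE1", frozenset({"IT"}), transit=IT_PROTOCOLS),
    Interface("GbE5", frozenset({"OT"}), transit=frozenset({"OPC UA", "Modbus TCP"})),
    Interface("GbE6", frozenset({"IT", "OT"}), transit=frozenset({"OPC UA"})),
    Interface("GbE7", frozenset({"OT"}), transit=frozenset({"Modbus TCP"}),
              local_services=frozenset({"HTTPS management UI"})),
    Interface("MGMT", frozenset({"OOB-MGMT"}),
              local_services=frozenset({"HTTPS management UI", "SNMPv3"})),
    Interface("USB", frozenset({"LOCAL"})),
]

if __name__ == "__main__":
    for name, finding in check_plan(PLAN):
        print(f"{name}: {finding}")
```

Run as a script it prints the three findings (`GbE6`, `GbE7`, `USB`); the same plan with those entries removed returns no findings. In practice the plan would be exported from the firewall configuration rather than typed by hand, and the check run again after every patching change.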
5.3 Core Product Feature Comparison
The following table provides a comprehensive feature comparison across the five core product categories, covering the key technical specifications that differentiate products within each category and guide selection decisions. The specifications listed represent the minimum requirements for a standard industrial deployment — high-security or high-availability deployments may require enhanced specifications in specific areas.
| Feature / Specification | Industrial Firewall | Data Diode | Industrial Switch | Bastion/PAM | OT IDS Sensor |
|---|---|---|---|---|---|
| Throughput / capacity | ≥500 Mbps (FW), ≥200 Mbps (DPI) | ≥100 Mbps (one-way) | ≥1 Gbps (line rate) | ≥100 concurrent sessions | ≥1 Gbps (passive) |
| OT Protocol Support | Modbus, DNP3, OPC UA, PROFINET, EtherNet/IP, IEC 61850 | OPC UA, Modbus, DNP3 (via protocol break: a source-side proxy polls the OT server and a destination-side replica answers IT clients; no request traffic crosses the diode) | PROFINET, EtherNet/IP (VLAN aware) | RDP, SSH, VNC, Telnet | All OT protocols (passive) |
| DPI / Inspection | Command-level whitelist, read/write control | N/A (hardware one-way) | Port security, MAC filtering | Session recording, keystroke log | Anomaly detection, signature-based |
| Operating Temperature | -20°C to +60°C | 0°C to +50°C | -40°C to +75°C | 0°C to +40°C | -20°C to +60°C |
| Ingress Protection | IP20 (rack) / IP30 (DIN rail) | IP20 (rack) | IP30 (DIN rail) / IP67 (field) | IP20 (rack) | IP20 (rack) |
| Power Supply | AC 100–240V or DC 12–48V | AC 100–240V | DC 12–48V (DIN rail) | AC 100–240V (redundant) | AC 100–240V or PoE |
| HA / Redundancy | Active-passive HA pair | Dual-unit option | Ring redundancy (MRP/RSTP) | Active-passive cluster | Dual TAP option |
| Management Interface | Web GUI, CLI, REST API, SNMP | Web GUI, CLI | Web GUI, CLI, SNMP, NETCONF | Web GUI, REST API | Web GUI, REST API, SIEM integration |
| Certifications | IEC 62443-4-2 (component level), CE, FCC, UL | IEC 62443-4-2, Common Criteria EAL4+ | IEC 61850-3, IEEE 1613, CE, UL | IEC 62443-2-4, SOC 2 | IEC 62443-4-2, CE |
| MTBF | ≥100,000 hours | ≥150,000 hours | ≥200,000 hours | ≥80,000 hours | ≥100,000 hours |
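The "command-level whitelist, read/write control" row above, and the "DPI enforced" note on the firewall's OT-side ports in 5.2, describe what an industrial firewall actually does with a Modbus request once it has passed the port and address filters. The following is an added example of that decision logic for Modbus TCP; it is not code from the original document or from any firewall vendor. The rule (a historian that may only read holding and input registers 100 to 199 on unit 1) and the sample frames are constructed for the example.

```python
"""Command-level Modbus TCP whitelist, as an industrial firewall's DPI engine
would apply it to a request crossing the OT-side ports.

Added example; not code from the original document or from any firewall vendor.
The rule and the sample frames below are constructed.
"""
import struct
from dataclasses import dataclass

READ_FCS = frozenset({1, 2, 3, 4})              # coils, discrete inputs, holding regs, input regs
WRITE_FCS = frozenset({5, 6, 15, 16, 22, 23})   # single/multiple writes, mask write, read/write


@dataclass(frozen=True)
class Rule:
    unit_ids: frozenset        # Modbus unit identifiers the client may address
    function_codes: frozenset  # whitelisted function codes
    register_range: tuple      # inclusive (first, last) address for FCs that carry one


def parse_mbap(frame):
    """Split a Modbus/TCP frame into (unit_id, function_code, pdu_data),
    rejecting anything that is not a well-formed MBAP header."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(frame) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7], frame[8:]


def address_span(fc, data):
    """Return the inclusive (first, last) address touched by the request,
    or None for function codes without an address field."""
    if fc in {1, 2, 3, 4, 15, 16}:
        addr, qty = struct.unpack(">HH", data[:4])
        if qty == 0:
            raise ValueError("zero quantity")
        return addr, addr + qty - 1
    if fc in {5, 6}:
        return (struct.unpack(">H", data[:2])[0],) * 2
    return None


def inspect(frame, rule):
    """Return ("ACCEPT", reason) or ("DROP", reason) for one request frame."""
    try:
        unit, fc, data = parse_mbap(frame)
        if unit not in rule.unit_ids:
            return "DROP", f"unit {unit} not permitted"
        if fc not in rule.function_codes:
            kind = "write" if fc in WRITE_FCS else "function"
            return "DROP", f"{kind} code {fc} not whitelisted"
        span = address_span(fc, data)
    except (ValueError, struct.error) as exc:      # short or malformed PDU
        return "DROP", f"malformed request: {exc}"
    if span is not None:
        first, last = rule.register_range
        if span[0] < first or span[1] > last:
            return "DROP", f"addresses {span[0]}-{span[1]} outside {first}-{last}"
    return "ACCEPT", f"function {fc} on unit {unit}"


def mb_request(tid, unit, fc, *words):
    """Build a Modbus/TCP request whose PDU is the function code plus 16-bit words."""
    pdu = struct.pack(">B", fc) + b"".join(struct.pack(">H", w) for w in words)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed rule and sample requests (not captured from a real network).
HISTORIAN_READ_RULE = Rule(unit_ids=frozenset({1}),
                           function_codes=frozenset({3, 4}),
                           register_range=(100, 199))

SAMPLE_FRAMES = {
    "read_hr_ok":        mb_request(1, 1, 3, 100, 10),     # FC3, regs 100-109 -> ACCEPT
    "write_single":      mb_request(2, 1, 6, 100, 1),      # FC6 write -> DROP
    "read_out_of_range": mb_request(3, 1, 3, 4000, 5),     # FC3 outside 100-199 -> DROP
    "wrong_unit":        mb_request(4, 5, 3, 100, 1),      # unit 5 -> DROP
    "truncated":         mb_request(5, 1, 3, 100, 1)[:5],  # broken MBAP -> DROP
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:18s} {inspect(frame, HISTORIAN_READ_RULE)}")
```

Two caveats carry over to product evaluation. The decision is made per request PDU, so the engine in front of it must reassemble TCP and track transaction IDs to match responses; ask a vendor how their DPI behaves on segmented or out-of-order PDUs. And the check only works on cleartext Modbus/TCP: a TLS-wrapped variant cannot be inspected without terminating the session at the firewall.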
5.4 Selection Decision Matrix
The selection of specific products within each category depends on the combination of deployment scenario requirements, environmental constraints, and budget parameters. The decision matrix below maps the key scenario requirements to the recommended product specifications, providing a structured approach to product selection that ensures all critical requirements are addressed.
| Requirement | Recommended Specification | Applicable Scenarios | Priority |
|---|---|---|---|
| Safety-critical process (SIL 2/3) | Data diode on all outbound paths; no bidirectional firewall on SIS boundary | S2 (Substation), S6 (Oil & Gas) | Critical |
| High-frequency protocol (GOOSE, SV) | Firewall with ≤1ms added latency, operating in transparent (Layer 2) mode since GOOSE/SV are non-routable multicast frames; hardware bypass option (bypass is fail-open, so a bypass event must alarm and be treated as loss of boundary enforcement) | S2 (Substation), S5 (Rail) | Critical |
| Harsh environment (outdoor, vibration) | Industrial switch IP67, -40°C to +75°C, conformal coating | S4 (Water), S6 (Oil & Gas) | High |
| Regulatory audit trail (FDA/GMP) | Bastion with tamper-evident session recording; validated change control | S7 (Pharma) | High |
| High availability (99.99%+) | Active-passive HA for all DMZ devices; redundant power | S2, S5, S6 | High |
| Large-scale OT network (>500 devices) | OT IDS with full-packet capture; centralized SIEM integration | S1 (Manufacturing), S3 (Building) | Medium |
| Remote site connectivity (WAN RTU) | Encrypted WAN gateway with certificate-based auth; DNP3 DPI | S4 (Water), S6 (Oil & Gas) | High |