OT AI Network Segmentation: Deploying AI in Air-Gapped Industrial Environments

How energy utilities and industrial operators deploy AI in operational technology environments while maintaining SCADA security, meeting NERC CIP requirements, and protecting critical infrastructure.

The Unique Challenge of AI in OT Environments

Operational Technology (OT) networks that control industrial processes — power generation, transmission, water treatment, oil and gas pipelines, manufacturing facilities — exist in a fundamentally different environment than IT networks. They are designed for reliability, safety, and continuous operation above all else. Connectivity was minimal by design. Systems were air-gapped, protocols were proprietary, and security through obscurity reigned.

That era is over. Digital transformation initiatives have connected OT networks to corporate IT networks to enable data analytics, remote monitoring, and predictive maintenance. But this IT/OT convergence has expanded the attack surface dramatically. High-profile incidents like Stuxnet, Colonial Pipeline, and Ukraine grid attacks demonstrated that OT networks can be compromised from network perimeters, third-party vendor connections, and even air gaps bridged by insider threat or supply chain compromise.

Now organizations want to deploy AI in these OT environments — for predictive maintenance, anomaly detection, process optimization, and automation. But AI introduces new challenges:

  • Data collection requirements — AI models need large volumes of sensor data, time-series readings, and historical logs from OT systems. Accessing this data may require connecting to previously isolated networks.
  • Computing constraints — Many OT environments run on legacy hardware that cannot support AI inference workloads. On-premise AI requires additional infrastructure that must coexist with critical control systems.
  • Real-time requirements — Some OT applications require deterministic, real-time responses that cloud AI or even local AI could disrupt if not properly engineered.
  • Protocol diversity — OT networks use specialized protocols (Modbus, DNP3, BACnet, OPC-UA, PROFINET) that may not integrate easily with modern AI toolchains.
  • Safety implications — A malfunctioning AI system in an IT environment loses productivity. In OT, a failure can damage equipment, cause environmental harm, or endanger lives.

Success requires a security architecture that enables AI capabilities while preserving the isolation, reliability, and safety that OT systems demand.

Purdue Model and Layered Segmentation

The Purdue Reference Model for Control Hierarchy provides the foundation for OT network segmentation. Understanding these layers is essential for designing secure AI deployments.

Purdue Level Network Zone Description AI Feasibility
Level 0: Physical Process Sensors, actuators, and physical machinery. No digital networking capability in most cases. Not applicable. AI cannot operate at the physical layer directly.
Level 1: Basic Control PLCs, DDC controllers, RTUs, field devices. Real-time control loop execution. Riskiest zone for AI. Direct connection risks control disruption. Only highly vetted, offline analysis tools acceptable.
Level 2: Area Supervisory HMI, SCADA servers, local data historians. Aggregates and displays data from Level 1. Primary zone for AI deployment. Can collect data from Level 1 without direct controller access.
Level 3: Operations MES, production scheduling, quality management. Enterprise-level visibility across multiple areas. Favorable for AI. Historical data aggregation, cross-area analytics, machine learning models trained on operational data.
Level 4: Enterprise ERP, business systems, corporate IT network. Financial and business planning. Standard IT environment. Can host enterprise AI systems. Data flows from lower levels via DMZ.

Segmentation Design Principles

  • Zoning — Divide OT network into discrete zones based on functional area (generating plant, transmission, substation). Each zone has independent controls and monitoring.
  • Conduits — Define controlled pathways between zones. Typically implemented as firewalls or demilitarized zones (DMZs) with strict allowlists.
  • Unidirectional flow — Where possible, configure data flows as one-way (from OT toward IT) to prevent any potential lateral movement from IT into OT.
  • Industrial DMZ — Place data collectors and protocol translators in a DMZ that buffers IT/OT traffic. Nothing passes without explicit rules.
  • Jump hosts and bastion hosts — Require administrative access through designated jump hosts with comprehensive logging and MFA enforcement.

SCADA Security and AI Integration

Supervisory Control and Data Acquisition (SCADA) systems form the backbone of many industrial operations. Protecting these systems while enabling AI capabilities requires careful architectural choices.

SCADA Security Fundamentals

  • Network isolation — SCADA networks should never be directly accessible from the internet or corporate networks. All communication must flow through defined, secured channels.
  • Protocol awareness — Industrial protocols (Modbus TCP, DNP3, IEC 60870-5-104, IEC 61850) often lack built-in authentication or encryption. Traffic inspection and validation are essential.
  • Whitelisting — Whitelist allowed protocols, ports, IP addresses, and commands. Deny-by-default policies minimize exposure.
  • Change monitoring — Monitor for changes to configuration files, firmware versions, and parameter settings. Unexpected changes may indicate compromise.
  • Vendor access controls — Third-party vendor remote access requires break-glass procedures, session recording, and time-limited credentials.

AI-Specific SCADA Concerns

  • Data historian integration — Deploy AI systems that query data historians rather than making live queries to PLCs/RTUs. Historians provide historical context without risking control disruption.
  • Read-only monitoring — AI systems should never write to control systems. Use read-only accounts, monitor-only protocols, and validate output channels are disconnected.
  • Anomaly detection without intervention — For AI-based anomaly detection, the system flags issues for human review but does not automatically trigger shutdowns or changes.
  • Federated learning considerations — If using federated learning to train models across multiple sites, ensure each site's model updates stay within their perimeter until validated.

Air-Gapped AI Deployment Patterns

For the most critical OT environments, air-gapped deployment — complete network disconnection from IT and the internet — is mandatory. This section outlines safe patterns for deploying AI in air-gapped environments.

Air Gap Maintenance Strategies

  • No physical connectivity — Verify no Ethernet cables, Wi-Fi adapters, Bluetooth dongles, or cellular modems are installed on air-gapped systems.
  • USB port disablement — Physically block USB ports or disable via BIOS/UEFI to prevent accidental or malicious data transfer.
  • Physical separation verification — Conduct regular sweeps (physical, electromagnetic, and wireless) to confirm no unauthorized connections exist.
  • Security cameras and monitoring — Install cameras at air-gapped room entrances and monitor for unauthorized access attempts.

Safe Data Import Patterns for Air-Gapped AI

Data Transfer Method Description Security Controls Required
Secure import appliance Dedicated device that connects briefly to IT network, receives approved data, then disconnects completely before being transferred to air-gapped environment. One-way data diodes preferred. Scan imported data for malware. Encrypt transport. Log all import events.
Manual media transfer Write data to certified media (USB drives, optical discs) in IT zone, physically transport to air-gapped zone after scanning. Clean-room procedure. Anti-malware scan. Media integrity verification. Dual-person handling protocol.
Model transfer only Train models on IT-side data, export weights/models only (never training data), transfer model to air-gapped inference engine. Verify model binary. Signature verification. Separate transfer channel from data.
Gap bridge appliances Specialized hardware that permits data transfer under strict policy without allowing bidirectional communication. Firmware integrity checks. Audit logging. Policy enforcement. Regular security assessments.

NERC CIP Requirements for AI Systems

For North American electric transmission and bulk electric systems, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards impose strict cybersecurity requirements. AI systems that touch BES Cyber Systems fall under CIP jurisdiction.

Key NERC CIP Requirements

CIP Standard Requirement AI Relevance
CIP-002-6: Cyber Security Standards Identification and classification of BES Cyber Assets, Electronic Security Perimeters (ESPs). Determine whether AI systems connect to or receive data from BES Cyber Assets. Classify AI as separate ESP or within existing ESP.
CIP-003-6: Security Management Controls Documented security policies, procedures, and configurations. Role-based access control. Include AI systems in security policies. Document access controls for AI platforms. Configure role-based permissions.
CIP-004-6: Personnel Training Security awareness training for all personnel with authorized access. Include AI-specific training: proper usage, data handling, incident reporting for AI-related security concerns.
CIP-005-6: Electronic Security Perimeters Defined boundaries for cyber assets. Configuration standards. Unauthorized communication blocking. Define ESP boundary for AI system. Ensure no unauthorized outbound connections from AI infrastructure.
CIP-007-6: System Security Management Configuration management, vulnerability assessment, patch management. Configure AI software securely. Apply security patches to AI platform components. Conduct vulnerability scans of AI infrastructure.
CIP-008-7: Incident Reporting Reporting requirements for security incidents affecting BES Cyber Systems. Include AI-generated alerts and anomalies in incident detection program. Establish escalation procedures for suspected breaches.
CIP-009-6: Recovery Plans Backup and recovery procedures to restore functions after disruption. Include AI training data, models, and configurations in backup strategy. Plan for AI system restoration within recovery time objectives.
CIP-010-5: Configuration Change Management Procedures for evaluating, approving, testing, and implementing configuration changes. Model retraining, weight updates, and software changes constitute configuration changes requiring formal change control.
CIP-011-6: Information Sharing Information sharing about vulnerabilities and threats. Share threat intelligence about AI-specific attacks (adversarial examples, data poisoning) with E-ISAC and peers.
CIP-012-6: Supply Chain Risk Assessment and mitigation of supply chain risks associated with purchased products/services. Assess AI vendors for supply chain risk. Understand component provenance. Evaluate open-source AI library risks.

Compliance Implementation Checklist

  • [ ] BES Cyber Asset inventory — Confirm whether AI system qualifies as a BES Cyber Asset based on accessibility and impact level
  • [ ] ESP documentation — Document Electronic Security Perimeter boundaries for AI infrastructure
  • [ ] Security policies — Update policies to include AI system usage, access controls, and incident response
  • [ ] User access review — Review and document all users with access to AI systems, including their authorization levels
  • [ ] Penetration testing — Conduct annual penetration tests of AI infrastructure as part of CIP-007 requirements
  • [ ] Software protection — Implement application whitelisting and antivirus on AI infrastructure
  • [ ] Monitoring — Implement continuous monitoring of AI system activity and network connections
  • [ ] Training — Complete CIP-specific training for personnel managing AI systems

AI-Friendly Network Segmentation Architecture

This section outlines a practical network segmentation architecture that enables AI deployment while maintaining OT security posture.

Recommended Architecture

  1. Zone A: Production OT — Live control systems, PLCs, RTUs, sensors. Highest security requirements. No direct AI interaction.
  2. Zone B: Monitoring Network — Data collectors, historians, protocol analyzers. Read-only access to Zone A. Collects data for AI consumption.
  3. Zone C: AI Platform — Dedicated AI infrastructure for data processing, model training, and inference. Isolated from both OT and corporate IT.
  4. Zone D: DMZ — Buffer zone between OT and corporate IT. Contains data transfer services, firewall rules, and protocol gateways.
  5. Zone E: Corporate IT — Business applications, user workstations, collaboration tools. May host enterprise ML platforms for non-critical applications.

Communication Controls

From Zone To Zone Allowed Protocols Controls Required
Zone A (Production OT) Zone B (Monitoring) Industrial protocols (read-only): Modbus TCP, DNP3 SEC Firewall whitelist. Deep packet inspection. Anomaly detection.
Zone B (Monitoring) Zone C (AI Platform) TCP/IP: PostgreSQL, TimescaleDB, SFTP VLAN segmentation. Encrypted transport. Time-windowed data transfer.
Zone C (AI Platform) Zone B (Monitoring) None — strictly unidirectional (OT → AI) Physical or logical air gap. One-way data diode where feasible.
Zone C (AI Platform) Zone E (Corporate IT) TCP/IP: HTTPS (for results export only) DMZ buffer. Outbound firewall rules. Data sanitization before export.
Zone E (Corporate IT) Zone C (AI Platform) None — no incoming from corporate to AI Ingress filtering. Block all inbound connections.
Zone D (DMZ) Zone B/C/E As configured per specific service requirements Strict allowlisting. Session recording. IDS/IPS coverage.

OT Security Checklist for AI Deployment

  • [ ] Asset inventory — Complete inventory of all OT assets, including AI systems and data sources
  • [ ] Network mapping — Documented network topology showing all connections between zones
  • [ ] Access control — Role-based access implemented. Least privilege enforced. MFA deployed for all administrative access.
  • [ ] Firewall rules — Firewall rules reviewed quarterly. Default-deny policies applied. Rule changes documented and tested.
  • [ ] IDS/IPS deployment — Industrial IDS deployed in OT zones (e.g., Nozomi, Claroty, Dragos) to detect anomalous traffic.
  • [ ] Endpoint protection — Whitelisting and antivirus deployed on all OT-connected systems running AI software.
  • [ ] Vulnerability management — Scheduled vulnerability scanning. Patching procedures aligned with change management.
  • [ ] Data encryption — Data at rest encrypted (AES-256 minimum). Data in transit encrypted (TLS 1.2 minimum).
  • [ ] Logging centralized — Logs from AI systems forwarded to SIEM. Retention period meets compliance requirements.
  • [ ] Incident response — OT-specific incident response plan includes AI-related scenarios. Tabletop exercises conducted annually.
  • [ ] Third-party access — Procedures for vendor access with time limits, session recording, and approval workflow.
  • [ ] Physical security — Access controls for server rooms housing OT systems. Visitor logs maintained.

Next Steps

Deploying AI in OT environments requires deep understanding of both AI capabilities and OT security requirements. Start with a thorough asset inventory, map your network topology against the Purdue Model, and build segmentation incrementally while maintaining operational continuity.

BPI helps energy utilities and industrial operators deploy AI safely within their OT environments. Our Privacy-First AI engagements include OT security expertise and NERC CIP compliance planning. Learn more about our energy and utilities AI services or AI infrastructure services. Book a consultation to discuss your specific OT security requirements.

Related Resources

Need Help Securing AI Deployment in Your OT Environment?

Book a free 30-minute consultation. We'll discuss your current OT security posture, AI requirements, and how to segment your network for safe AI deployment. No pressure. No pitch deck.

Book a Free Consultation

No commitment. No sales pitch. Just a conversation. We respond within 24 hours.