I’m currently trying to analyze my network to increase resiliency. Right now, my OT network and my IT network aren’t physically separate. I have separate VLANs, but all my data is flowing through the same switches and cables.
I’m interested in physically isolating my OT network and just kind of wondering how everybody else arranges their OT network topology within a single facility.
- Should I use a totally separate router/firewall for my OT network? Should my OT network even have an Internet connection?
- I’m using Ignition… should my Ignition server have a connection to both the OT and IT networks? Would that be the only connection point between the networks?
- When I need to download to one of my controllers, I would assume best practice is to physically plug a laptop in to the OT network and then remove it once the download is complete?
- Is there a particular brand/type of switch that works well? I know that there are several brands of OT focused network hardware, but they seem to be optimized for specific protocols that aren’t necessarily applicable.
I apologize for the broad question(s), but I appreciate any advice this community is able to provide!