Top 2 OT-SDN Deployment Options

The network of today has evolved to meet the changing needs of the industry. When topics like industrial security, IT/OT convergence, and IIoT (industrial Internet of Things) entered the scene, OT teams were forced to step back and take a hard look at how plant floor networks are being impacted.

Historically, OT network security rested on air gaps, isolation between IT and OT networks, and the small number of sophisticated assets on the network. Twenty years later, networks are far more complex: multiple management tools, many vendors, VLANs, ACLs, and other networking technologies have to be maintained side by side, which can lead to fragile networks.

Thanks to the emergence of connected, smart devices, not only are networks harder to manage but they require defense-in-depth industrial security programs. A proven IT technology, software defined networking (SDN), has been helping to simplify the management of IT networks for decades. More recently, industrial environments have experienced the benefits of applying OT-SDN to their industrial control system (ICS) networks.

Deploying an OT-SDN Network

Good news: an OT-SDN network works with all the same devices you likely have installed today. Those devices are still connected and communicating with one another, but instead of using multiple legacy tools to manage everything, you can control your OT network from a single location. The OT-SDN software allows straightforward setup, management, and maintenance of the OT network. It brings easier administration, lower operating costs, and more visibility into the network. By default, OT-SDN creates a micro-segmented network, which adds more granular security with fewer disruptions.

The concept of OT-SDN brings clear business value but we often field questions about how to get started. There are two primary ways that OT teams typically deploy OT-SDN to get started:

  1. Distribution level – enables quick segmentation of a flat network
  2. Workcell – low-risk implementation for a critical area / cell


Distribution Level

The most common rack mount switch is the Cisco 9300 Catalyst distribution switch. This switch also happens to support OpenFlow, which is required for configuring the OT-SDN solution. Once you install the Veracity OT Network Controller software in the virtualization stack, simply put your Cisco 9300 into OpenFlow mode, and any communication going through that switch will be automatically segmented. Check out our blog highlighting the steps to take in this scenario.

Workcell

The other common deployment tactic is to apply OT-SDN to a small section – or workcell – of the network. The benefit in this scenario is that the OT team can quickly implement and realize the business benefits of having a micro-segmented network. From there, the team can prioritize other areas of the plant to enhance with OT-SDN. Once you install and activate the OT-SDN solution, you will have full visibility and control of everything talking to that switch. For legacy networks, this also includes east / west traffic that is passing through the SDN switch.
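The micro-segmentation described for both the distribution-level and the workcell deployments comes down to the switch forwarding only conversations an installed flow explicitly permits. The following is an added conceptual model of that allow-list behaviour, not the Veracity controller's or Cisco's code; the PLC/HMI/laptop roles, MAC addresses and ports are constructed sample values.

```python
# Added illustration of allow-list forwarding in an OpenFlow-style switch; not the
# Veracity controller or Cisco code. MACs, ports and device roles are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source MAC (constructed sample)
    dst: str      # destination MAC (constructed sample)
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Flow:
    """One proactively installed flow rule; a None field is a wildcard."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    out_port: int

    def matches(self, pkt: Packet) -> bool:
        fields = ((self.src, pkt.src), (self.dst, pkt.dst),
                  (self.proto, pkt.proto), (self.dport, pkt.dport))
        return all(f is None or f == v for f, v in fields)

class SdnSwitch:
    """Forwards only what a flow permits; unmatched frames are dropped and recorded."""
    def __init__(self, flows):
        self.flows = list(flows)
        self.dropped = []  # denied east/west traffic, visible to the operator

    def forward(self, pkt: Packet) -> Optional[int]:
        for flow in self.flows:  # first match wins (priority-ordered table)
            if flow.matches(pkt):
                return flow.out_port
        self.dropped.append(pkt)
        return None

# Constructed workcell: a PLC, an HMI and an engineering laptop on one switch.
PLC, HMI, LAPTOP = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
WORKCELL_FLOWS = [
    Flow(HMI, PLC, "tcp", 502, out_port=1),   # HMI -> PLC Modbus/TCP polls
    Flow(PLC, HMI, "tcp", None, out_port=2),  # PLC -> HMI replies, any TCP port
]

def demo():
    sw = SdnSwitch(WORKCELL_FLOWS)
    allowed = sw.forward(Packet(HMI, PLC, "tcp", 502))    # permitted conversation
    denied = sw.forward(Packet(LAPTOP, PLC, "tcp", 502))  # same protocol, unlisted source
    return allowed, denied, len(sw.dropped)               # -> (1, None, 1)
```

The laptop's frame uses the same protocol and port as the HMI's, yet it is dropped because no flow lists that source; a legacy learning switch would have forwarded it.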

The Veracity OT Network Security Appliance is a great option for smaller networks, and it still works in a hybrid environment that mixes SDN switches and legacy switches, which keeps implementation easy, just like the Controller software.

There are many ways to take advantage of OT-SDN in the industrial environment. Starting at the distribution layer or with a workcell is the most common approach, but the Veracity solution can be deployed in many ways to meet your needs. Want to learn more? Sign up for the next monthly demo.
