North-south traffic flows vertically across security zones—from corporate networks (north) through DMZs toward production networks (south). East-west traffic flows laterally within zones, device to device, or between peer zones. Most segmentation strategies focus on limiting east-west movement because a compromised device that can freely communicate laterally to hundreds of peer devices becomes a platform for propagating attacks.
In manufacturing, the relationship between north-south and east-west is clearer than in IT because it maps directly to operational architecture. Production zones contain devices that work together on specific processes. Inter-zone communication is typically data flow (from production to historians or dashboards), not control flow. This clear separation makes OT segmentation tractable.
North-South: Controlled and Infrequent
Traffic flowing from corporate networks into OT should be strictly controlled and limited in scope. A supervisor requesting production status from a historian server is legitimate north-south traffic. A corporate IT technician pushing configuration to a PLC directly is lateral propagation of IT change velocity into OT. Design zone boundaries so north-south flows have minimal control or safety impact.
Historian servers, MES gateways, and reporting systems naturally sit at zone boundaries and consume north-south traffic. They are appropriate zone-edge devices precisely because they are designed to buffer corporate systems from OT systems.
East-West: Designed for Function, Restricted by Default
Within a production zone, east-west traffic supports the manufacturing process. A press controller sends status to a recipe manager, which reports to an HMI. A safety controller monitors inputs from multiple sensors across the zone. Legitimate east-west traffic is typically point-to-point (device A to device B) or limited multicast (all devices in a zone to a central monitoring station).
Problematic east-west traffic—lateral scanning, credential propagation, command execution across multiple devices—should be impossible by default. Configure access control so each device can reach only the specific devices it requires for its function. This is granular, but it is the only way to prevent a single compromise from cascading across a zone.
Traffic Analysis for Segmentation Design
- Baseline Capture: Use passive network taps to capture and analyze production traffic when the system is functioning normally. Identify which devices communicate, which protocols they use, and traffic patterns (frequency, size, timing).
- Dependency Mapping: Build a conversation matrix showing which devices must communicate with each other. Add confidence levels: devices that communicate daily (high confidence they need connectivity) versus devices that communicate only during maintenance (low confidence they need open access).
- East-West Segmentation Points: Identify natural boundaries within zones where firewall rules or access control would prevent lateral propagation with minimal impact on production. These become micro-segmentation points.
- Anomaly Detection Baseline: Once you understand normal traffic patterns, you can configure IDS or flow-analysis tools to alert on deviations. Unexpected east-west traffic, unusual source addresses, or protocol abuse becomes detectable.
Practical Enforcement
East-west segmentation in manufacturing is typically enforced using host-based firewalls on critical devices (PLCs, safety controllers, data servers) rather than network-layer filters, because network topology often does not support inserting firewalls between every pair of devices. A PLC might have a host-based ACL that accepts commands only from specific engineering workstations and rejects all peer-to-peer communication from other PLCs.
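As an added example (not code from this article or from the Cascadia practice), the Python below ties the four analysis steps listed under Traffic Analysis for Segmentation Design to the host-based enforcement described in this section: it builds a conversation matrix with confidence levels from constructed flow records, derives per-device inbound allowlists from the high-confidence conversations only, evaluates a default-deny host ACL against them, and classifies newly observed flows for alerting. The device names, protocols, ports, capture period and the 70% daily-presence threshold are all assumptions made for the example.

```python
"""Added example (not from the original article): conversation matrix,
derived default-deny allowlists, and baseline deviation checks for an OT zone.
Every device name, protocol, port and flow record below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

HIGH_CONFIDENCE_RATIO = 0.7  # assumed: seen on at least 70% of captured days


@dataclass(frozen=True)
class Flow:
    """One summarized flow, as a passive tap or flow collector might export."""
    day: int
    src: str
    dst: str
    proto: str
    port: int


# Constructed 7-day baseline for a hypothetical press line.
# PLC-A (press controller) -> RECIPE (recipe manager) -> HMI-1; SAFETY-PLC polls
# two sensor gateways; HIST (zone-edge historian) polls PLC-A and is read by a
# corporate dashboard; ENG-WS-1 programmed PLC-A once, during maintenance.
BASELINE = (
    [Flow(d, "PLC-A", "RECIPE", "modbus", 502) for d in range(1, 8)]
    + [Flow(d, "RECIPE", "HMI-1", "opcua", 4840) for d in range(1, 8)]
    + [Flow(d, "SAFETY-PLC", "SENSOR-GW-1", "enip", 44818) for d in range(1, 8)]
    + [Flow(d, "SAFETY-PLC", "SENSOR-GW-2", "enip", 44818) for d in range(1, 8)]
    + [Flow(d, "HIST", "PLC-A", "modbus", 502) for d in range(1, 8)]
    + [Flow(d, "CORP-DASH", "HIST", "https", 443) for d in range(1, 8)]
    + [Flow(3, "ENG-WS-1", "PLC-A", "enip", 44818)]
)


def conversation_matrix(flows, total_days):
    """Map each (src, dst, proto, port) conversation to a confidence level:
    'high' if seen on most captured days, 'low' if it appears only occasionally
    (typically a maintenance-only path)."""
    days_seen = defaultdict(set)
    for f in flows:
        days_seen[(f.src, f.dst, f.proto, f.port)].add(f.day)
    matrix = {}
    for conv, days in days_seen.items():
        ratio = len(days) / total_days
        matrix[conv] = "high" if ratio >= HIGH_CONFIDENCE_RATIO else "low"
    return matrix


def build_inbound_acls(matrix):
    """Per-device inbound allowlists from high-confidence conversations only.
    Low-confidence conversations are returned separately for an engineer to
    decide on (for example, opened only inside a maintenance window) rather
    than being permitted by default."""
    acls = defaultdict(set)
    review = []
    for (src, dst, proto, port), conf in matrix.items():
        if conf == "high":
            acls[dst].add((src, proto, port))
        else:
            review.append((src, dst, proto, port))
    return dict(acls), review


def acl_permits(acls, device, src, proto, port):
    """Host-based inbound check on `device`: permit only listed peers, deny
    everything else, including traffic from peer controllers in the zone."""
    return (src, proto, port) in acls.get(device, set())


def classify_flow(matrix, flow):
    """Compare an observed flow with the baseline to decide whether to alert."""
    conf = matrix.get((flow.src, flow.dst, flow.proto, flow.port))
    if conf == "high":
        return "baseline"   # expected east-west or north-south traffic
    if conf == "low":
        return "review"     # known maintenance-only path: confirm a window is open
    return "alert"          # never seen in the baseline: unexpected traffic


if __name__ == "__main__":
    matrix = conversation_matrix(BASELINE, total_days=7)
    acls, review = build_inbound_acls(matrix)
    for device, peers in sorted(acls.items()):
        print(f"{device} accepts: {sorted(peers)}")
    print("needs engineer review:", review)
    # Constructed flows observed after the allowlists are in place.
    observed = [
        Flow(8, "PLC-A", "RECIPE", "modbus", 502),        # normal process traffic
        Flow(8, "ENG-WS-1", "PLC-A", "enip", 44818),      # maintenance-only path
        Flow(8, "PLC-A", "SAFETY-PLC", "enip", 44818),    # peer controller, never baselined
        Flow(8, "CORP-DASH", "PLC-A", "modbus", 502),     # corporate host bypassing HIST
    ]
    for f in observed:
        verdict = "permitted" if acl_permits(acls, f.dst, f.src, f.proto, f.port) else "denied"
        print(f"{f.src} -> {f.dst} [{f.proto}/{f.port}]: {classify_flow(matrix, f)}, {verdict}")
```

The confidence split is what keeps the derived policy from silently opening maintenance paths: the one-off ENG-WS-1 programming session lands in the review list instead of the PLC's allowlist, and a peer PLC or a corporate host reaching the controller directly is both denied by the host ACL and surfaced as an alert against the baseline.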
If you'd like to discuss traffic analysis and segmentation for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.