Schneider Electric support forum about installation, configuration, integration and troubleshooting of EcoStruxure Geo SCADA Expert (ClearSCADA, ViewX, WebX).
Posted: 2022-04-06 09:08 PM
I'd recommend moving to a more modern conceptualisation of security around OT networks, like 62443.
Then you'd apply a risk management approach to the assets (and data), and separate your system into security zones and conduits between the security zones.
The security zones may align with the Purdue model zones, but often will also entail some 'silos' to separate areas within the same Purdue layer.
We have customers that have very flat open networks; once you're in the OT space it's a free-for-all, with essentially no firewalls / security controls. We also have customers that have each remote site, which often just contains a modem and an RTU, as a separate IPSec subnet with full firewall rules (and IDS) isolating it from every other remote site (and the SCADA).
These kinds of decisions come down to the corporate risk appetite vs the financial availability.
There's no one 'correct' answer.
I would generally consider identifying your core functional assets and applying significant resources to secure these.
For things like alarming and control this would often be the SCADA Servers, but for onsite operation it would often be the PLC/RTU controller.
For something like a Sewer Pump Station the consequence of an RTU/PLC triggered event may not be as severe as for something like a Fluoride / Chlorine dosing unit, so a lesser degree of security may be warranted on SPS sites vs Chlorinators.
There's not really a 'standard SCADA/ICS environment'; all of the operating conditions are different for each situation, so each should be assessed separately (again, the likes of 62443 provide some guidance on how the assessments should be performed for certain aspects).
Lead Control Systems Engineer for Alliance Automation (VIC). All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..