
9.1 OT vs IT Networks

The previous chapters covered networking from Ethernet frames through cloud infrastructure. All of that assumed the primary goal is moving data efficiently. Industrial networks have a different priority: controlling physical processes without interruption. This chapter explains why that difference changes everything about network design.

OT (Operational Technology) networks control physical processes: assembly lines, power grids, water treatment plants. IT (Information Technology) networks handle data and business applications. They share the same Ethernet hardware but have fundamentally different failure consequences.

| | IT Network | OT Network |
|---|---|---|
| Failure consequence | Data unavailable, productivity loss | Physical damage, safety hazard |
| Acceptable downtime | Minutes to hours | Milliseconds to seconds |
| Patch cycle | Weeks to months | Years, or never |
| Primary concern | Confidentiality | Availability and safety |

A PLC that reboots during a firmware update stops the production line. A PLC running outdated firmware but controlling its process reliably is acceptable; the patch waits for a scheduled maintenance window. This inversion of priorities drives every design decision in OT networking.

The Purdue Model (PERA, Purdue Enterprise Reference Architecture) defines a hierarchical model for industrial network segmentation. Theodore J. Williams published it in the early 1990s. It remains the standard reference architecture for OT network design.

The industrial DMZ (Level 3.5) is the critical boundary. It prevents direct connections between OT (Levels 0 to 3) and IT (Levels 4 to 5): every cross-boundary flow terminates in the DMZ (a historian replica, a jump host, a patch mirror) and is re-originated from there, so no single TCP session spans both sides. Level 3.5 is not part of Williams' original model; it was added later by ISA-99/IEC 62443 practice.
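The boundary rule is easy to state and easy to violate one firewall change at a time, so it is worth checking mechanically. The following is an added example, not code from the chapter: it audits a constructed rule set against two policies, the Purdue rule above (no rule may have one endpoint in Levels 0 to 3 and the other in Levels 4 to 5) and a stricter, assumed policy for Modbus (TCP 502 may only be reached from Level 2 or below). Zone names, level assignments and rules are hypothetical.

```python
"""Audit firewall rules against Purdue zone levels.

Added example, not part of the original chapter. Zone names, level
assignments and the rule set are constructed for illustration."""
from dataclasses import dataclass

# Purdue level per zone (hypothetical zone names).
ZONE_LEVEL = {
    "field-io": 0.0,     # sensors and actuators
    "plc-cell-a": 1.0,   # controllers
    "scada-hmi": 2.0,    # supervisory control
    "site-ops": 3.0,     # historian, MES
    "idmz": 3.5,         # industrial DMZ
    "enterprise": 4.0,   # business systems
    "internet": 5.0,
}
OT_MAX_LEVEL = 3.0
DMZ_LEVEL = 3.5
MODBUS_TCP = 502
MODBUS_MAX_SRC_LEVEL = 2.0   # assumed policy: only Level 0-2 may talk Modbus to PLCs


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    dport: int


def is_ot(zone: str) -> bool:
    return ZONE_LEVEL[zone] <= OT_MAX_LEVEL


def is_it(zone: str) -> bool:
    return ZONE_LEVEL[zone] > DMZ_LEVEL


def violates_purdue(rule: Rule) -> bool:
    """True when the rule lets OT and IT talk without terminating in the DMZ."""
    return (is_ot(rule.src) and is_it(rule.dst)) or (is_it(rule.src) and is_ot(rule.dst))


def exposes_modbus(rule: Rule) -> bool:
    """True when Modbus TCP is reachable from above the supervisory level."""
    return rule.dport == MODBUS_TCP and ZONE_LEVEL[rule.src] > MODBUS_MAX_SRC_LEVEL


def audit_purdue(rules: list[Rule]) -> list[str]:
    return [r.name for r in rules if violates_purdue(r)]


def audit_modbus(rules: list[Rule]) -> list[str]:
    return [r.name for r in rules if exposes_modbus(r)]


# Constructed rule set. Two rules are deliberately wrong.
RULES = [
    Rule("hmi-to-plc-modbus", "scada-hmi", "plc-cell-a", 502),     # fine: Level 2 -> 1
    Rule("historian-to-dmz-opcua", "site-ops", "idmz", 4840),      # fine: terminates in DMZ
    Rule("erp-pull-from-dmz", "enterprise", "idmz", 443),          # fine: terminates in DMZ
    Rule("vendor-vpn-to-plc", "enterprise", "plc-cell-a", 502),    # crosses 3.5, and Modbus from L4
    Rule("historian-direct-to-erp", "site-ops", "enterprise", 1433),  # crosses 3.5
]

if __name__ == "__main__":
    print("Purdue violations:", audit_purdue(RULES))
    print("Modbus exposure:  ", audit_modbus(RULES))
```

The two checks are independent on purpose: a rule can respect the DMZ boundary and still be a bad idea (a Level 3 historian polling PLCs over Modbus), and the Modbus check catches that while the Purdue check does not.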

Understanding the hierarchy explains where devices sit. Understanding real-time requirements explains why certain protocols bypass IP entirely.

OT networks deliver data within guaranteed time bounds. Missing a deadline is not a performance problem. It causes a machine fault or a safety incident.

| Category | Latency | Consequence of missing deadline | Protocols |
|---|---|---|---|
| Hard real-time | < 1 ms | System failure | PROFINET IRT, EtherCAT |
| Soft real-time | 1 to 10 ms | Degraded performance | PROFINET RT, EtherNet/IP I/O |
| Non-real-time | > 10 ms | Best-effort acceptable | OPC UA, Modbus TCP, SNMP |

TCP retransmission introduces variable and unbounded latency. Linux's minimum retransmission timeout is 200 ms, so a single lost segment arrives at least 200 ms late, and the sender keeps doubling the timeout on repeated loss. For a PLC with a 4 ms cycle time, that is fifty missed cycles from one dropped packet. PROFINET RT therefore skips IP and TCP altogether: cyclic I/O travels in raw Ethernet frames (EtherType 0x8892) with no retransmission; a lost frame is simply replaced by the next cycle's frame, and the consumer detects the gap from a cycle counter carried in every frame.

Cyclic I/O is only one kind of traffic. Applications, HMIs and historians also need a way to read and write PLC data on demand, and Modbus TCP is the simplest and most widely deployed option for that.
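To make the "bypasses IP entirely" point concrete, here is an added example (not code from the chapter) that parses a PROFINET RT class 1 frame directly out of the Ethernet frame and uses the APDU status trailer to detect a missed cycle. The frames are constructed, not captured; the MAC addresses and I/O payload are placeholders. The layout used is the one from the PROFINET specification: Ethernet header, optional 802.1Q tag, EtherType 0x8892, 2-byte FrameID, I/O data, then a 4-byte APDU status (16-bit CycleCounter in 31.25 µs ticks, DataStatus, TransferStatus).

```python
"""Parse PROFINET RT cyclic frames and detect missed cycles.

Added example, not the chapter's own code. Frames below are constructed."""
import struct

ETHERTYPE_PROFINET = 0x8892
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
CYCLE_TICK_US = 31.25          # CycleCounter unit defined by PROFINET
DATA_STATUS_GOOD = 0x35        # primary, DataValid, ProviderState=run, no station problem


def build_rt_frame(dst: bytes, src: bytes, frame_id: int, io_data: bytes,
                   cycle_counter: int, data_status: int = DATA_STATUS_GOOD) -> bytes:
    """Constructed RT class 1 frame, priority-tagged (PCP 6, VID 0) as RT traffic usually is."""
    vlan_tag = struct.pack("!HH", ETHERTYPE_VLAN, (6 << 13) | 0)
    header = dst + src + vlan_tag + struct.pack("!H", ETHERTYPE_PROFINET)
    apdu_status = struct.pack("!HBB", cycle_counter & 0xFFFF, data_status, 0x00)
    return header + struct.pack("!H", frame_id) + io_data + apdu_status


def parse_frame(raw: bytes) -> dict:
    """Return RT fields if the frame is PROFINET, else just the EtherType."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:                 # 802.1Q tag present
        tci = struct.unpack("!H", raw[14:16])[0]
        vlan = {"pcp": tci >> 13, "vid": tci & 0x0FFF}
        ethertype = struct.unpack("!H", raw[16:18])[0]
        offset = 18
    if ethertype != ETHERTYPE_PROFINET:
        return {"rt": False, "ethertype": ethertype, "vlan": vlan}
    frame_id = struct.unpack("!H", raw[offset:offset + 2])[0]
    payload = raw[offset + 2:]
    io_data, status = payload[:-4], payload[-4:]   # APDU status is the last 4 bytes
    cycle_counter, data_status, transfer_status = struct.unpack("!HBB", status)
    return {
        "rt": True,
        "vlan": vlan,
        "frame_id": frame_id,
        "rt_class1_cyclic": 0x8000 <= frame_id <= 0xBFFF,
        "io_data": io_data,
        "cycle_counter": cycle_counter,
        "data_valid": bool(data_status & 0x04),
        "run": bool(data_status & 0x10),
        "transfer_status": transfer_status,
    }


def missed_cycles(frames: list[bytes], cycle_time_us: float) -> list[tuple[int, int]]:
    """For consecutive frames from one provider, return (index, cycles_elapsed)
    wherever the CycleCounter advanced by more than one cycle. The counter is
    16-bit, so the delta is taken modulo 65536 to survive wrap-around."""
    ticks_per_cycle = round(cycle_time_us / CYCLE_TICK_US)
    counters = [parse_frame(f)["cycle_counter"] for f in frames]
    gaps = []
    for i in range(1, len(counters)):
        delta = (counters[i] - counters[i - 1]) % 0x10000
        if delta != ticks_per_cycle:
            gaps.append((i, delta // ticks_per_cycle))
    return gaps


# Constructed sample: 4 ms cycle = 128 ticks; one frame missing between 256 and 512.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IO_DATA = bytes(range(40))
SAMPLE_FRAMES = [build_rt_frame(DST, SRC, 0x8000, IO_DATA, c) for c in (0, 128, 256, 512, 640)]
# An IPv4 frame for contrast: same wire, but it carries IP and is not real-time.
IPV4_FRAME = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + bytes(20)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAMES[0]))
    print("missed cycles:", missed_cycles(SAMPLE_FRAMES, 4000))
    print("ipv4 frame:", parse_frame(IPV4_FRAME))
```

Note what the consumer can and cannot learn: the counter tells it a 4 ms slot went by with no data, which is exactly the condition that must trigger a fault or fallback, but nothing in the frame lets it recover the lost values. That is the trade PROFINET RT makes against TCP.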

Modbus TCP — Reading PLC Data with Python


Modbus TCP carries the Modbus protocol data unit (function code plus data) over TCP port 502. It does not wrap a serial RTU frame: the RTU address byte and CRC are dropped, and a 7-byte MBAP header (transaction identifier, protocol identifier, length, unit identifier) is prepended instead. It is the most widely deployed industrial protocol. The following script reads holding registers from a Modbus TCP device using pymodbus 3.x.

```python
from pymodbus.client import ModbusTcpClient
from pymodbus.exceptions import ModbusException


def read_plc_registers(host: str, port: int = 502,
                       start: int = 0, count: int = 10) -> list[int] | None:
    """Read `count` holding registers starting at `start` from unit 1.

    Returns the register values, or None on any connection or protocol error.
    """
    client = ModbusTcpClient(host, port=port)
    if not client.connect():
        print(f"Cannot connect to {host}:{port}")
        return None
    try:
        # Function code 0x03. The unit identifier keyword is `slave=` in
        # pymodbus 3.0-3.8; later releases rename it to `device_id=`.
        result = client.read_holding_registers(address=start, count=count, slave=1)
        if result.isError():
            # Modbus exception response (e.g. illegal data address)
            print(f"Modbus error: {result}")
            return None
        return result.registers
    except ModbusException as e:
        print(f"Exception: {e}")
        return None
    finally:
        client.close()


registers = read_plc_registers("192.168.10.11")
if registers:
    for i, val in enumerate(registers):
        print(f"Register {i:4d}: {val:5d} (0x{val:04X})")
```

Each register value maps to a process variable: motor speed, temperature setpoint, or conveyor position. The register map is device-specific and documented in the PLC’s manual.
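The pymodbus script above needs a live PLC. To see the protocol itself, and to see why the "Modbus TCP has no security" takeaway below holds, here is an added example (not code from the chapter) that builds and decodes Modbus TCP frames byte by byte and runs them against a tiny in-memory PLC: a read of holding registers (function 0x03), a write of multiple registers (function 0x10), and an exception response. The register contents and unit identifier are constructed. There is no step in the exchange where the PLC could learn who is asking, because the protocol has none.

```python
"""Modbus TCP on the wire: MBAP header + PDU, against a tiny in-memory PLC.

Added example, not the chapter's own code. Register contents are constructed."""
import struct

READ_HOLDING = 0x03
WRITE_MULTIPLE = 0x10
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id (always 0), length of unit id + PDU."""
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def split_mbap(frame: bytes) -> tuple[int, int, bytes]:
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return tid, unit, frame[7:]


def read_request(tid: int, unit: int, start: int, count: int) -> bytes:
    return mbap(tid, unit, struct.pack("!BHH", READ_HOLDING, start, count))


def write_request(tid: int, unit: int, start: int, values: list[int]) -> bytes:
    body = struct.pack("!BHHB", WRITE_MULTIPLE, start, len(values), 2 * len(values))
    return mbap(tid, unit, body + struct.pack(f"!{len(values)}H", *values))


def decode_read_response(frame: bytes) -> tuple[str, object]:
    """('ok', [values]) or ('exception', code) when bit 7 of the function code is set."""
    _tid, _unit, pdu = split_mbap(frame)
    if pdu[0] & 0x80:
        return ("exception", pdu[1])
    count = pdu[1] // 2
    return ("ok", list(struct.unpack(f"!{count}H", pdu[2:2 + 2 * count])))


class TinyPlc:
    """Holding registers only. Note: nothing here checks who sent the frame."""

    def __init__(self, registers: list[int]):
        self.hr = list(registers)

    def handle(self, frame: bytes) -> bytes:
        tid, unit, pdu = split_mbap(frame)
        fc = pdu[0]
        if fc == READ_HOLDING:
            start, count = struct.unpack("!HH", pdu[1:5])
            if start + count > len(self.hr):
                return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS]))
            vals = self.hr[start:start + count]
            return mbap(tid, unit, struct.pack(f"!BB{count}H", fc, 2 * count, *vals))
        if fc == WRITE_MULTIPLE:
            start, qty, nbytes = struct.unpack("!HHB", pdu[1:6])
            vals = struct.unpack(f"!{qty}H", pdu[6:6 + nbytes])
            if start + qty > len(self.hr):
                return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS]))
            self.hr[start:start + qty] = vals      # accepted from anyone who reached port 502
            return mbap(tid, unit, struct.pack("!BHH", fc, start, qty))
        return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))


def demo() -> tuple:
    # Constructed register map: 0 = motor speed rpm, 1 = temperature x10, 2-3 = status bits.
    plc = TinyPlc([1500, 650, 0, 1] + [0] * 6)
    before = decode_read_response(plc.handle(read_request(1, 1, 0, 4)))   # HMI reads
    plc.handle(write_request(2, 1, 0, [3000]))                             # any host writes
    after = decode_read_response(plc.handle(read_request(3, 1, 0, 4)))    # HMI reads again
    bad = decode_read_response(plc.handle(read_request(4, 1, 8, 5)))      # beyond register 9
    return before, after, bad


if __name__ == "__main__":
    for label, result in zip(("before", "after", "bad"), demo()):
        print(f"{label}: {result}")
```

The write that doubles the motor setpoint is indistinguishable, at the PLC, from one the HMI would send: same header, same function code, no credential and no signature. The only control points are the network path (VLANs, firewall rules, the DMZ) and, for the handful of devices that implement it, the Modbus/TCP Security variant on port 802, which wraps the same PDUs in TLS.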

For new installations, OPC UA provides the security and data modeling that Modbus lacks.

OPC UA (OPC Unified Architecture) provides a rich, typed information model, built-in security (certificate-based application authentication, user authentication, and signed or encrypted sessions), and both client/server and publish/subscribe (PubSub) communication. The following script connects to an OPC UA server and browses its address space.

```python
import asyncio
from asyncua import Client


async def browse_opcua_server(url: str) -> None:
    """List the children of the Objects folder, one per line."""
    # Connects to the endpoint with no security mode and an anonymous user.
    async with Client(url=url) as client:
        root = client.get_root_node()
        # "0:Objects" is the Objects folder in namespace 0 (the OPC UA standard namespace)
        objects = await root.get_child(["0:Objects"])
        children = await objects.get_children()
        for child in children:
            name = await child.read_browse_name()
            print(f"  {name.Name} ({child.nodeid})")


asyncio.run(browse_opcua_server("opc.tcp://192.168.10.11:4840"))
```

The output lists every object the server exposes: conveyor speed, motor temperature, production counters. Unlike Modbus register numbers, OPC UA uses human-readable names and structured data types. Note that the script above uses the server's unsecured endpoint; in production, select an endpoint with the SignAndEncrypt mode and configure a client certificate and user credentials (asyncua's `Client.set_security_string()` does this), and disable the unsecured endpoint on the server.

OT prioritizes availability over confidentiality

An unplanned reboot of a freshly patched PLC costs more than running an unpatched one. Design OT networks for availability first, and schedule patching into maintenance windows rather than forgoing it.

Modbus TCP has no security

The protocol carries no identity, no authorization and no integrity check: any device that can reach port 502 reads and writes PLC registers. Protect Modbus with VLAN isolation and firewall rules that limit port 502 to the supervisory hosts that need it. The Modbus/TCP Security variant (TLS on port 802) exists but is rarely supported by deployed devices.

OPC UA is the modern standard

OPC UA provides authentication, encryption, and a rich data model. Use it for new installations, and use its secured endpoints rather than the anonymous, unencrypted one.

OT networks evolved from serial fieldbus systems that predate Ethernet. The next chapter covers those fieldbus systems (PROFIBUS, Modbus RTU, DeviceNet), explaining why they still exist and how gateways integrate them into modern Industrial Ethernet networks.

  • Williams, T. J. (1994). The Purdue Enterprise Reference Architecture. Computers in Industry, 24(2-3), 141-158.
  • Modbus Organization. (2012). Modbus Application Protocol Specification V1.1b3.
  • OPC Foundation. (2022). OPC Unified Architecture Specification, Part 1: Overview and Concepts.
  • NIST SP 800-82 Rev. 3 — Guide to Operational Technology (OT) Security (2023).