9.1 OT vs IT Networks

The previous chapters covered networking from Ethernet frames through cloud infrastructure. The primary goal in those chapters was moving data efficiently. Industrial networks have a different priority: controlling physical processes without interruption. This chapter explains why the difference changes everything about network design.

OT (Operational Technology) networks control physical processes: assembly lines, power grids, water treatment plants. IT (Information Technology) networks handle data and business applications. Both share the same Ethernet hardware but have fundamentally different consequences when a disruption occurs.

| Property                  | IT network                          | OT network                     |
|---------------------------|-------------------------------------|--------------------------------|
| Consequence of disruption | Data unavailable, productivity loss | Physical damage, safety hazard |
| Acceptable downtime       | Minutes to hours                    | Milliseconds to seconds        |
| Patch cycle               | Weeks to months                     | Years, or never                |
| Primary concern           | Confidentiality                     | Availability and safety        |

A PLC rebooting during a firmware update stops the production line. A PLC running outdated firmware but controlling a process reliably is acceptable. This inversion of priorities drives every design decision in OT networking.

The Purdue Model (PERA, Purdue Enterprise Reference Architecture) defines a hierarchical model for industrial network segmentation. Theodore Williams developed it at Purdue University in the early 1990s (Williams, 1994), and it remains the standard reference architecture for OT network design; ISA-95 and the IEC 62443 zone-and-conduit model both build on it. From the plant floor upward the levels are: Level 0, the physical process (sensors, actuators); Level 1, basic control (PLCs, RTUs, safety controllers); Level 2, supervisory control (HMIs, SCADA servers); Level 3, site operations (historians, engineering workstations, MES); Level 4, site business planning and logistics (ERP); and Level 5, the enterprise network.

The DMZ (Level 3.5) is the boundary between OT and IT. Firewalls on both sides of the DMZ block direct connections between OT (Levels 0 to 3) and IT (Levels 4 to 5) in either direction. Cross-boundary traffic terminates in the DMZ and is re-originated from it: a historian mirror in the DMZ pulls data from the site historian and serves it to IT, a jump host in the DMZ is the only path for remote engineering access, and a patch relay in the DMZ stages updates so that OT hosts never fetch them from the internet. No single session should have one endpoint in Level 2 and the other in Level 4.

Understanding the hierarchy explains where devices sit. Understanding real-time requirements explains why certain protocols bypass IP entirely.

OT networks deliver data within guaranteed time bounds. Missing a deadline is a machine fault or a safety incident, not a performance degradation.

| Category       | Latency    | Consequence of missing a deadline | Protocols                    |
|----------------|------------|-----------------------------------|------------------------------|
| Hard real-time | < 1 ms     | System becomes inoperable         | PROFINET IRT, EtherCAT       |
| Soft real-time | 1 to 10 ms | Degraded performance              | PROFINET RT, EtherNet/IP I/O |
| Non-real-time  | > 10 ms    | Best-effort acceptable            | OPC UA, Modbus TCP, SNMP     |

TCP retransmission introduces variable and unbounded latency: a lost segment is resent only after the retransmission timeout expires, and on Linux the minimum RTO is 200 ms, so the data arrives at least 200 ms late. For a PLC with a 4 ms cycle time that is 50 missed cycles, which the consumer's watchdog treats as a fault, not as slow delivery. PROFINET RT therefore bypasses IP and TCP entirely: cyclic data travels in raw Ethernet frames (EtherType 0x8892, normally VLAN-tagged so switches can prioritise them) with no retransmission at all. A lost frame costs exactly one cycle, and the consumer detects it from the cycle counter in the frame trailer rather than recovering it 200 ms later.
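To make the deadline argument concrete, the following added example (not code from the chapter) parses PROFINET RT frames from a raw Ethernet byte stream and uses the cycle counter in the APDU status trailer to count lost cycles, which is how a consumer notices a missed deadline when there is no retransmission. It assumes the frame layout as commonly documented for IEC 61158: FrameID after EtherType 0x8892, then the cyclic data, then a 4-byte trailer of CycleCounter (16-bit, in 31.25 µs ticks), DataStatus and TransferStatus. The FrameID range 0x8000 to 0xBFFF for RT class 1 cyclic data and the DataStatus bit positions (bit 2 DataValid, bit 4 ProviderState Run) are taken as assumptions from that documentation, and the frames are constructed in the code, not captured.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_PROFINET = 0x8892
CYCLE_UNIT_US = 31.25                     # cycle counter tick; a 4 ms send cycle is 128 ticks
RT_CLASS1_RANGE = range(0x8000, 0xC000)   # assumed FrameID range for cyclic RT class 1 data


@dataclass
class RtFrame:
    frame_id: int
    cycle_counter: int          # 16-bit, wraps; advances once per send cycle
    data_valid: bool            # DataStatus bit 2
    provider_run: bool          # DataStatus bit 4
    vlan_priority: int | None
    payload: bytes


def parse_profinet_rt(frame: bytes) -> RtFrame | None:
    """Return an RtFrame if `frame` is a cyclic PROFINET RT class 1 frame, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan_priority = 14, None
    if ethertype == ETHERTYPE_VLAN:          # 802.1Q tag: TCI, then the real EtherType
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_priority, offset = tci >> 13, 18
    if ethertype != ETHERTYPE_PROFINET or len(frame) < offset + 6:
        return None
    (frame_id,) = struct.unpack_from("!H", frame, offset)
    if frame_id not in RT_CLASS1_RANGE:
        return None                          # DCP, alarms, PTCP: no APDU status trailer
    body = frame[offset + 2:]
    payload, trailer = body[:-4], body[-4:]  # trailer: CycleCounter, DataStatus, TransferStatus
    cycle_counter, data_status, _transfer = struct.unpack("!HBB", trailer)
    return RtFrame(frame_id, cycle_counter, bool(data_status & 0x04),
                   bool(data_status & 0x10), vlan_priority, payload)


def build_rt_frame(frame_id: int, counter: int, payload: bytes,
                   data_status: int = 0x35, vlan_prio: int | None = 6) -> bytes:
    """Constructed test frame (not a capture). 0x35 = primary, data valid, run, no station problem."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")  # dst, src (locally administered)
    if vlan_prio is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_prio << 13)
    hdr += struct.pack("!H", ETHERTYPE_PROFINET)
    return hdr + struct.pack("!H", frame_id) + payload + struct.pack("!HBB", counter, data_status, 0)


def missed_cycles(frames: list[bytes], cycle_us: float) -> dict[str, int]:
    """Walk a frame stream from one provider; count lost cycles and frames carrying invalid data."""
    step = round(cycle_us / CYCLE_UNIT_US)   # counter ticks expected between consecutive frames
    prev = None
    stats = {"parsed": 0, "missed": 0, "invalid": 0}
    for raw in frames:
        rt = parse_profinet_rt(raw)
        if rt is None:
            continue                         # not cyclic RT (IP traffic, DCP, ...): ignore
        stats["parsed"] += 1
        if not (rt.data_valid and rt.provider_run):
            stats["invalid"] += 1            # the consumer must not act on this data
        if prev is not None:
            delta = (rt.cycle_counter - prev) & 0xFFFF   # tolerate the 16-bit wrap
            stats["missed"] += max(delta // step - 1, 0)
        prev = rt.cycle_counter
    return stats


if __name__ == "__main__":
    # Constructed stream: 4 ms cycle, one frame lost between counters 256 and 512,
    # one frame with DataValid cleared, one unrelated IPv4 frame on the same wire.
    stream = [build_rt_frame(0x8010, c, b"\x05\xdc\x00\x48") for c in (0, 128, 256, 512, 640)]
    stream.append(build_rt_frame(0x8010, 768, b"\x05\xdc\x00\x48", data_status=0x31, vlan_prio=None))
    stream.append(bytes(12) + b"\x08\x00" + bytes(30))
    print(missed_cycles(stream, cycle_us=4000))   # {'parsed': 6, 'missed': 1, 'invalid': 1}
```

The cycle counter gap is the whole detection mechanism: there is no sequence number to negotiate and nothing to retransmit, so a gap of more than one step means a deadline was missed and the consumer's watchdog decides what the process does next.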

Whatever the real-time class, the SCADA, HMI and historian software at Level 2 and above still needs a way to read and write PLC data. Modbus TCP is the simplest option and, by installed base, the most widely deployed one.

Modbus TCP — Reading PLC Data with Python

Modbus TCP keeps the function codes and register addressing of serial Modbus RTU, but it does not encapsulate RTU frames: the serial slave address and CRC are replaced by a 7-byte MBAP header (transaction ID, protocol ID, length, unit ID) and TCP supplies the integrity check. The service listens on TCP port 502. The following script reads holding registers from a Modbus TCP device using pymodbus 3.x.

from pymodbus.client import ModbusTcpClient
from pymodbus.exceptions import ModbusException


def read_plc_registers(host: str, port: int = 502,
                       start: int = 0, count: int = 10) -> list[int] | None:
    """Read `count` holding registers starting at `start` from unit id 1; None on any failure."""
    client = ModbusTcpClient(host, port=port)
    if not client.connect():
        print(f"Cannot connect to {host}:{port}")
        return None
    try:
        # slave= is the unit id keyword in pymodbus 3.x (renamed device_id= in later 3.x releases).
        result = client.read_holding_registers(address=start, count=count, slave=1)
        if result.isError():             # Modbus exception response (e.g. illegal data address)
            print(f"Modbus error: {result}")
            return None
        return result.registers
    except ModbusException as e:         # transport-level failure: timeout, connection reset
        print(f"Exception: {e}")
        return None
    finally:
        client.close()


registers = read_plc_registers("192.168.10.11")
if registers:
    for i, val in enumerate(registers):
        print(f"Register {i:4d}: {val:5d} (0x{val:04X})")

Each register value maps to a process variable: motor speed, temperature setpoint, or conveyor position. Registers are 16-bit, so a 32-bit float or counter spans two registers, and the word order (high word first or low word first) varies by vendor. The register map and the word order are device-specific and documented in the PLC manual.
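What `read_holding_registers` sends and receives is small enough to build by hand. The following added example (not code from the chapter or from pymodbus) encodes the MBAP header and PDU for a read and a write, runs both against an in-process stand-in for a PLC, and decodes the normal and exception responses, so both sides of the exchange are visible; the register values are constructed for the example. Building the frame by hand also shows what it means for Modbus to have no security: there is no field in which a credential could travel.

```python
from __future__ import annotations

import struct

# Modbus TCP listens on port 502. This example never opens a socket: both ends run in-process.
FC_READ_HOLDING, FC_WRITE_SINGLE = 0x03, 0x06
EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_ADDRESS = 0x01, 0x02


def build_adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header + PDU. Fields: transaction id, protocol id (always 0), length, unit id.
    There is no field for a credential, nonce or MAC anywhere in the frame."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_adu(adu: bytes) -> tuple[int, int, bytes]:
    tid, pid, length, unit = struct.unpack_from("!HHHB", adu, 0)
    if pid != 0 or length != len(adu) - 6:
        raise ValueError("malformed MBAP header")
    return tid, unit, adu[7:]


def read_holding_request(tid: int, unit: int, start: int, count: int) -> bytes:
    return build_adu(tid, unit, struct.pack("!BHH", FC_READ_HOLDING, start, count))


def write_single_request(tid: int, unit: int, addr: int, value: int) -> bytes:
    return build_adu(tid, unit, struct.pack("!BHH", FC_WRITE_SINGLE, addr, value))


class FakePlc:
    """Server side for one unit id over a constructed register table (no real device)."""

    def __init__(self, unit: int, registers: list[int]):
        self.unit, self.registers = unit, registers

    def handle(self, adu: bytes) -> bytes:
        tid, unit, pdu = parse_adu(adu)
        fc = pdu[0]

        def exception(code: int) -> bytes:       # exception response: FC | 0x80, exception code
            return build_adu(tid, unit, bytes([fc | 0x80, code]))

        if fc == FC_READ_HOLDING:
            start, count = struct.unpack_from("!HH", pdu, 1)
            if not 1 <= count <= 125 or start + count > len(self.registers):
                return exception(EXC_ILLEGAL_ADDRESS)
            data = struct.pack(f"!{count}H", *self.registers[start:start + count])
            return build_adu(tid, unit, bytes([fc, len(data)]) + data)
        if fc == FC_WRITE_SINGLE:
            addr, value = struct.unpack_from("!HH", pdu, 1)
            if addr >= len(self.registers):
                return exception(EXC_ILLEGAL_ADDRESS)
            self.registers[addr] = value         # honoured for any client: nothing to authenticate
            return build_adu(tid, unit, pdu)     # the normal response echoes the request PDU
        return exception(EXC_ILLEGAL_FUNCTION)


def decode_read_response(adu: bytes) -> list[int] | int:
    """Register values, or the exception code (int) if the device rejected the request."""
    _, _, pdu = parse_adu(adu)
    if pdu[0] & 0x80:
        return pdu[1]
    count = pdu[1] // 2
    return list(struct.unpack_from(f"!{count}H", pdu, 2))


def demo() -> dict:
    # Constructed register map: 0 = speed setpoint (rpm), 1 = temperature (C), 2-3 = counters.
    plc = FakePlc(unit=1, registers=[1500, 72, 0, 0xFFFF])
    before = decode_read_response(plc.handle(read_holding_request(1, 1, 0, 4)))
    # Any host that can reach port 502 can do this; the PLC cannot tell the HMI from an intruder.
    plc.handle(write_single_request(2, 1, 0, 3000))
    after = decode_read_response(plc.handle(read_holding_request(3, 1, 0, 4)))
    rejected = decode_read_response(plc.handle(read_holding_request(4, 1, 3, 2)))
    return {"before": before, "after": after, "rejected": rejected}


if __name__ == "__main__":
    print(read_holding_request(1, 1, 0, 4).hex())   # 000100000006010300000004
    print(demo())   # {'before': [1500, 72, 0, 65535], 'after': [3000, 72, 0, 65535], 'rejected': 2}
```

The twelve bytes of the read request are the entire attack surface: transaction ID, protocol ID 0, length 6, unit 1, function 3, start 0, count 4. A write request is the same size, and the device's only defence against an unwanted write is an address range check.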

For new installations, OPC UA delivers the security and data modeling that Modbus lacks.

OPC UA (OPC Unified Architecture) delivers a rich data model, built-in security (certificate-based authentication of client and server, message signing and encryption, and user authentication) and, with Part 14, a publish/subscribe model. The security is optional, though: a server that still offers the SecurityPolicy None endpoint accepts anonymous, unencrypted sessions exactly as Modbus does. The following script connects to an OPC UA server and browses the address space. As written it uses the client library's default of no security policy, which is acceptable for a first look on an isolated lab network and not for production.

import asyncio
from asyncua import Client


async def browse_opcua_server(url: str) -> None:
    # Connects with asyncua's default SecurityPolicy None and an anonymous user.
    # For production, create the client first, configure a certificate and policy, then connect:
    #   client = Client(url=url)
    #   await client.set_security_string("Basic256Sha256,SignAndEncrypt,client_cert.pem,client_key.pem")
    #   async with client: ...
    async with Client(url=url) as client:
        root = client.get_root_node()
        # Walk from Root to the Objects folder, then list its direct children.
        objects = await root.get_child(["0:Objects"])
        children = await objects.get_children()
        for child in children:
            name = await child.read_browse_name()
            print(f"  {name.Name} ({child.nodeid})")


asyncio.run(browse_opcua_server("opc.tcp://192.168.10.11:4840"))

The output lists every object the server exposes: conveyor speed, motor temperature, production counters. Unlike Modbus register numbers, OPC UA uses human-readable names and structured data types.
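Whether a session is actually protected is visible on the wire: every OPC UA connection starts with an OpenSecureChannel (OPN) chunk whose asymmetric security header carries the SecurityPolicyUri in clear text, so a network sensor can find clients and servers still using SecurityPolicy None. The following parser is an added example, not code from the chapter or from the asyncua project. It follows the OPC UA Part 6 binary layout of the OPN chunk (message header, secure channel id, SecurityPolicyUri, SenderCertificate, ReceiverCertificateThumbprint, then the sequence header), treats None and the deprecated Basic128Rsa15 and Basic256 policies as weak (a policy choice assumed for the example), and works on chunks constructed in the code rather than captured.

```python
from __future__ import annotations

import struct

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
# Assumption for this example: None plus the RSA-1.5/SHA-1 policies the OPC Foundation deprecated.
WEAK_POLICIES = {"None", "Basic128Rsa15", "Basic256"}


def _bytestring(buf: bytes, off: int) -> tuple[bytes | None, int]:
    """OPC UA String/ByteString: int32 length (little-endian), -1 means null, then the bytes."""
    (n,) = struct.unpack_from("<i", buf, off)
    off += 4
    if n < 0:
        return None, off
    return buf[off:off + n], off + n


def parse_opn(chunk: bytes) -> dict:
    """Decode the asymmetric security header of an OpenSecureChannel (OPN) chunk."""
    if chunk[:4] != b"OPNF":                          # message type "OPN", chunk type "F" (final)
        raise ValueError("not an OpenSecureChannel final chunk")
    size, channel_id = struct.unpack_from("<II", chunk, 4)
    if size != len(chunk):
        raise ValueError("MessageSize does not match chunk length")
    uri, off = _bytestring(chunk, 12)
    cert, off = _bytestring(chunk, off)
    thumbprint, off = _bytestring(chunk, off)
    name = (uri or b"").decode().removeprefix(POLICY_PREFIX)
    sequence = request_id = None
    if name == "None":   # with any other policy the rest is encrypted with the receiver's public key
        sequence, request_id = struct.unpack_from("<II", chunk, off)
    return {"channel_id": channel_id, "policy": name,
            "sender_cert_len": len(cert or b""), "has_thumbprint": thumbprint is not None,
            "sequence": sequence, "request_id": request_id,
            "weak": name in WEAK_POLICIES}


def build_opn(policy_name: str, sender_cert: bytes | None, channel_id: int = 0,
              sequence: int = 1, request_id: int = 1, body: bytes = b"") -> bytes:
    """Constructed OPN chunk for testing (not a capture). Policy None sends null certificate fields."""
    def bs(b: bytes | None) -> bytes:
        return struct.pack("<i", -1) if b is None else struct.pack("<i", len(b)) + b
    thumbprint = None if sender_cert is None else bytes(20)  # placeholder for SHA-1 of receiver cert
    payload = (struct.pack("<I", channel_id) + bs((POLICY_PREFIX + policy_name).encode())
               + bs(sender_cert) + bs(thumbprint) + struct.pack("<II", sequence, request_id) + body)
    return b"OPNF" + struct.pack("<I", 8 + len(payload)) + payload


def audit(chunks: list[bytes]) -> list[tuple[int, str]]:
    """Return (channel_id, policy) for every channel opened with a weak policy."""
    found = []
    for chunk in chunks:
        info = parse_opn(chunk)
        if info["weak"]:
            found.append((info["channel_id"], info["policy"]))
    return found


if __name__ == "__main__":
    samples = [build_opn("None", None, channel_id=1),
               build_opn("Basic256Sha256", b"\x30\x82" + bytes(40), channel_id=2),
               build_opn("Basic128Rsa15", b"\x30\x82" + bytes(40), channel_id=3)]
    print(audit(samples))   # [(1, 'None'), (3, 'Basic128Rsa15')]
```

The security mode (Sign or SignAndEncrypt) lives inside the OpenSecureChannelRequest body and is not parsed here; for the audit the policy URI is enough, because None is the only policy under which that body is readable at all.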

OT prioritizes availability over confidentiality

A patched but rebooted PLC is worse than an unpatched but running PLC while the line is producing. Design OT networks for availability first, and schedule patches into planned maintenance windows instead of treating them as routine.

Modbus TCP has no security

Any host that can reach TCP port 502 can read and write PLC registers; the protocol has no authentication, encryption or integrity protection beyond the TCP checksum. Isolate Modbus with VLAN segmentation and firewall rules that allow only the SCADA, HMI and engineering hosts to reach the PLCs, and alert on Modbus write function codes from any other source. Where devices support it, Modbus/TCP Security (TLS on port 802) adds certificates, but legacy PLCs rarely do.
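The DMZ rule in the Purdue section and the isolation advice for Modbus above are both allow-list policies that can be checked against flow records. The following added example (not code from the chapter) assigns addresses to Purdue zones using an assumed addressing plan, then audits constructed flow records for three things: sessions that cross the IT/OT boundary without terminating in the DMZ, cross-zone sessions outside the allow-list, and Modbus write function codes from hosts other than the engineering stations. Subnets, ports, host roles and the flow records themselves are all assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption, not from the chapter): one subnet per Purdue zone.
ZONES = {
    "L2_control": ipaddress.ip_network("192.168.10.0/24"),  # PLCs and HMIs (Levels 0-2)
    "L3_site": ipaddress.ip_network("192.168.30.0/24"),     # SCADA servers, engineering stations
    "L3.5_dmz": ipaddress.ip_network("10.35.0.0/24"),       # historian mirror, jump host, patch relay
    "L4_it": ipaddress.ip_network("10.40.0.0/16"),          # business network (Levels 4-5)
}
MODBUS_PORT, OPCUA_PORT = 502, 4840
ENGINEERING_HOSTS = {ipaddress.ip_address("192.168.30.20")}  # the only hosts allowed to write PLCs
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}   # write coil(s)/register(s), mask write, read/write

# Allow-list of (source zone, destination zone, destination port). Everything else is a finding.
ALLOWED = {
    ("L3_site", "L2_control", MODBUS_PORT),    # SCADA polls PLCs
    ("L3_site", "L2_control", OPCUA_PORT),
    ("L3_site", "L3.5_dmz", OPCUA_PORT),       # site historian pushes to the DMZ mirror
    ("L4_it", "L3.5_dmz", 443),                # IT reads the DMZ historian over HTTPS
    ("L4_it", "L3.5_dmz", 22),                 # administrators reach the DMZ jump host
    ("L3.5_dmz", "L3_site", 22),               # jump host into the site network
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    modbus_fc: int | None = None   # function code, when the collector decoded it


def zone_of(ip: str) -> str | None:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def audit(flows: list[Flow]) -> list[tuple[int, str]]:
    """Return (flow index, reason) for flows that violate the DMZ design or the allow-list."""
    findings = []
    for i, f in enumerate(flows):
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone is None or dst_zone is None:
            findings.append((i, "unknown_zone"))
            continue
        # IT<->OT traffic must terminate in the DMZ; a direct path in either direction bypasses it.
        if (src_zone == "L4_it") != (dst_zone == "L4_it") and "L3.5_dmz" not in (src_zone, dst_zone):
            findings.append((i, "dmz_bypass"))
            continue
        if src_zone != dst_zone and (src_zone, dst_zone, f.dport) not in ALLOWED:
            findings.append((i, "not_allowed"))
            continue
        if (f.dport == MODBUS_PORT and f.modbus_fc in MODBUS_WRITE_FCS
                and ipaddress.ip_address(f.src) not in ENGINEERING_HOSTS):
            findings.append((i, "unauthorized_write"))   # Modbus cannot enforce this itself
    return findings


# Constructed flow records (src, dst, dport, decoded Modbus FC), as a collector might export them.
SAMPLE_FLOWS = [
    Flow("192.168.30.10", "192.168.10.11", 502, 3),    # SCADA reads registers: fine
    Flow("192.168.30.20", "192.168.10.11", 502, 16),   # engineering station writes: fine
    Flow("192.168.30.10", "192.168.10.11", 502, 6),    # SCADA server writes a register
    Flow("10.40.5.7", "192.168.10.11", 502, 3),        # IT laptop reaches a PLC directly
    Flow("192.168.10.11", "10.40.1.1", 53),            # PLC resolves DNS via the IT network
    Flow("10.40.5.7", "10.35.0.10", 443),              # IT reads the DMZ historian: fine
    Flow("172.16.9.9", "192.168.10.11", 502, 3),       # source not in any defined zone
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE_FLOWS):
        print(f"flow {idx}: {reason}: {SAMPLE_FLOWS[idx]}")
```

The same allow-list is what the firewall rules on both sides of the DMZ should encode; running the audit over exported flow logs is a cheap way to find the rule that was never written or the bypass someone added during commissioning.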

OPC UA is the modern standard

OPC UA delivers authentication, encryption, and a rich data model, but only when the server is configured with a security policy other than None and clients present trusted certificates. Use OPC UA for new installations, and disable the None endpoint once commissioning is done.

OT networks evolved from serial fieldbus systems predating Ethernet. The next chapter covers fieldbus systems (PROFIBUS, Modbus RTU, DeviceNet), explaining why fieldbus systems still exist and how gateways integrate fieldbus devices into modern Industrial Ethernet networks.

  • Williams, T. J. (1994). The Purdue Enterprise Reference Architecture. Computers in Industry, 24(2-3), 141-158.
  • Modbus Organization. (2012). Modbus Application Protocol Specification V1.1b3.
  • OPC Foundation. (2022). OPC Unified Architecture Specification, Part 1: Overview and Concepts.
  • NIST. (2023). SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security.