Author
Abstract
The convergence of Operational Technology (OT) and Information Technology (IT) has expanded the cyber–physical attack surface of critical industrial systems by introducing routable IT-originated paths toward protocol-native OT interfaces. Conventional segmentation and firewalling reduce exposure but do not eliminate the architectural condition that enables command injection. This paper presents a deterministic and immutable OT–IT enforcement architecture realized as a bare-metal, dual-interface gateway that enforces protocol-level isolation by construction rather than by runtime inspection. The contribution lies in formalizing protocol-semantic unreachability as a design-level security primitive at the OT–IT boundary, rather than in proposing a new firewall configuration or segmentation technique. All permissible OT interactions are fixed at firmware level, while IT-side influence is restricted to authenticated, time-bounded setup procedures governed by signed policy artifacts. Under explicitly stated assumptions—including intact, locally provisioned firmware without remote update paths and absence of physical compromise—the architecture renders entire classes of IT-originated write and command-injection attacks structurally unreachable during runtime operation, outside explicitly governed setup windows. Empirical traces from a live industrial deployment with a Siemens S7–1500 PLC demonstrate tightly bounded southbound timing, independence of OT execution from IT-side congestion, and confinement of configuration changes to governed setup windows. The proposed immutability model intentionally trades operational flexibility for architectural assurance, prioritizing deterministic control integrity over continuous remote reconfiguration. By shifting OT–IT security from detection-based filtering to architectural enforcement, the framework establishes a practical security pattern for critical infrastructure protection in which specific attack classes are eliminated under clearly defined deployment and integrity assumptions.
Suggested Citation
Download full text from publisher
As the access to this document is restricted, you may want to
for a different version of it.
Corrections
All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:ijocip:v:53:y:2026:i:c:s1874548226000260. See general information about how to correct material in RePEc.
If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.
We have no bibliographic references for this item. You can help adding them by using this form .
If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.
For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: https://www.journals.elsevier.com/international-journal-of-critical-infrastructure-protection .
Please note that corrections may take a couple of weeks to filter through
the various RePEc services.
Printed from https://ideas.repec.org/a/eee/ijocip/v53y2026ics1874548226000260.html