Network Segmentation for Aviation: Separating IT, OT, and Passenger Networks
Network segmentation is to aviation cybersecurity what blast doors are to aircraft design: a fundamental control that limits the propagation of damage when something goes wrong. The NotPetya ransomware that swept through organisations globally in 2017 — reaching Boryspil Airport and disrupting operations — did so because IT networks lacked effective segmentation. Had robust IT/OT boundaries been in place, the impact on operational systems could have been contained. For aviation operators today, with the convergence of IT, OT, passenger Wi-Fi, and internet-connected ground systems, designing and maintaining effective network segmentation is at once the most effective security control available to them and one of the most operationally complex to implement.
Effective IT/OT network segmentation is the primary control preventing ransomware from reaching operational aviation systems — and is required by EASA Part-IS and CAA CAP 1753.
Aviation Network Zones: A Reference Architecture
Effective aviation network design establishes clearly defined network zones with controlled, monitored boundaries:
- Enterprise IT zone: Corporate systems — email, finance, HR, corporate applications — with standard internet access and enterprise security controls
- Operational IT zone: Airline/airport operational systems — reservations, DCS, flight operations, crew scheduling — isolated from corporate IT with controlled inter-zone access
- OT/ICS zone: Industrial control systems — baggage handling, airfield lighting, HVAC, ground power — no internet connectivity, strict IT/OT boundary with firewall or data diode
- Passenger/public network zone: Airport Wi-Fi, retail systems, public kiosks — completely isolated from all operational and OT networks
- Guest/vendor zone: Controlled access zone for vendor remote access and ground handler systems — monitored, time-limited access to specific operational systems
- Safety-critical zone: ATC systems, ILS, safety-critical avionics support — highest isolation, most restricted access, safety system vendor standards apply
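The zone model above is easiest to reason about as a default-deny policy matrix: every inter-zone flow is denied unless a rule explicitly names its source zone, destination zone and service, and the rule set itself is checked against a handful of design invariants (no direct IT-to-OT rule, no OT egress to the internet, nothing from the passenger or vendor zones into operational zones). The following is an added illustration, not an operator's real design or code from this page: the zone names follow the list above, while the "intermediate" zone (proxies, jump hosts, historian replica) and every service name are assumptions.

```python
"""Zone-to-zone policy matrix for the reference architecture above.

Added illustration, not an operator's real design: the zone names follow the
list above; the 'intermediate' zone (proxies, jump hosts, historian) and every
service name are assumptions. Posture is default deny: a flow is permitted only
if an explicit rule lists its (source zone, destination zone, service).
"""
from dataclasses import dataclass

ZONES = {
    "enterprise_it", "operational_it", "ot", "safety_critical",
    "passenger", "vendor", "intermediate", "internet",
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str       # "any" matches every service
    log: bool = True   # whether the boundary device logs this crossing


# Assumed allow-list. Note what is absent: no IT->OT rule, no OT->internet
# rule, and nothing from passenger or vendor into an operational zone.
ALLOW = [
    Rule("enterprise_it", "internet", "https"),
    Rule("operational_it", "internet", "https"),               # SaaS flight-ops platforms
    Rule("ot", "intermediate", "historian_push"),              # OT pushes data outward only
    Rule("operational_it", "intermediate", "historian_read"),  # IT reads the replica, never OT
    Rule("ot", "intermediate", "proxy_https"),                 # OT cloud access via a proxy
    Rule("intermediate", "internet", "https"),                 # proxy egress, inspected and logged
    Rule("vendor", "intermediate", "jump_rdp"),                # vendors land on a jump host
    Rule("passenger", "internet", "any", log=False),
]


def check_flow(src: str, dst: str, service: str):
    """Return (allowed, reason) for one inter-zone flow."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in {src}->{dst}")
    if src == dst:
        return True, "intra-zone (micro-segmentation handled separately)"
    for r in ALLOW:
        if r.src == src and r.dst == dst and r.service in ("any", service):
            return True, f"rule {r.src}->{r.dst}:{r.service}"
    return False, "default deny"


# Design invariants every rule must satisfy; each predicate returns True on a violation.
INVARIANTS = [
    ("OT/safety zones never reach the internet directly",
     lambda r: r.src in {"ot", "safety_critical"} and r.dst == "internet"),
    ("passenger zone reaches no operational zone",
     lambda r: r.src == "passenger" and r.dst not in {"internet", "passenger"}),
    ("no direct IT-to-OT rule; traffic must traverse the intermediate zone",
     lambda r: r.src in {"enterprise_it", "operational_it"}
     and r.dst in {"ot", "safety_critical"}),
    ("vendor zone may only reach the intermediate jump host",
     lambda r: r.src == "vendor" and r.dst != "intermediate"),
    ("every crossing into OT or safety zones is logged",
     lambda r: r.dst in {"ot", "safety_critical"} and not r.log),
]


def audit_policy(rules):
    """List every (invariant, rule) violation; an empty list means the matrix is sound."""
    return [f"{desc}: {r.src}->{r.dst}:{r.service}"
            for desc, violates in INVARIANTS for r in rules if violates(r)]


if __name__ == "__main__":
    for flow in [("ot", "internet", "https"), ("passenger", "ot", "modbus"),
                 ("ot", "intermediate", "proxy_https")]:
        print(flow, check_flow(*flow))
    print("violations:", audit_policy(ALLOW))
```

Running `audit_policy` against a proposed rule set before it reaches the firewall is the useful part: a convenience rule such as "operational IT to OT over RDP" is rejected by the invariants rather than discovered during an incident.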
Common Network Segmentation Failures in Aviation
Aviation network segmentation failures typically arise from operational convenience overriding security design:
- IT/OT direct connections: Engineering workstations or historian servers connected to both IT and OT networks — a single compromise point that bridges the segmentation boundary
- Flat operational networks: Airlines or airports where reservations, operations, and OT systems share the same network segment — no segmentation despite different risk profiles
- Passenger network crossover: Cases where airport Wi-Fi shares infrastructure with operational networks or where passenger-facing kiosks have inadequate network isolation
- Vendor access drift: Remote access accounts that were created for a specific maintenance task and never deactivated, providing persistent vendor access to OT networks
- Shadow IT: Operational staff connecting personal or unofficial devices to operational networks — particularly common in ground handling and maintenance environments
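Several of the failures above are visible in an asset inventory once each interface address is mapped back to its zone: a host with interfaces in two zones is an IT/OT direct connection, a /24 that hosts roles designed for different zones is a flat or crossed-over network, and a device that discovery sees but the register does not know is shadow IT. The script below is an added example (not the page's own tooling) that runs those three checks over a constructed inventory; the subnet-to-zone allocation, hostnames, addresses and roles are all made-up sample data.

```python
"""Audit a constructed asset inventory for the segmentation failures listed above.

Added example, not an operator's tooling. The subnet-to-zone map, role-to-zone
map and every host record are made-up sample data for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumed address plan: which subnet belongs to which zone.
ZONE_OF_SUBNET = {
    "10.10.0.0/16": "enterprise_it",
    "10.20.0.0/16": "operational_it",
    "10.30.0.0/16": "ot",
    "10.40.0.0/16": "passenger",
    "10.50.0.0/24": "intermediate",
}
NETS = [(ipaddress.ip_network(n), z) for n, z in ZONE_OF_SUBNET.items()]

# Where each role is meant to live by design.
ROLE_ZONE = {
    "email": "enterprise_it", "reservations": "operational_it",
    "baggage_plc": "ot", "engineering_ws": "operational_it",
    "historian": "intermediate", "public_kiosk": "passenger",
}

# Constructed discovery output: (hostname, role, interface IPs, in asset register?)
INVENTORY = [
    ("mail-01", "email", ["10.10.1.5"], True),
    ("dcs-app-01", "reservations", ["10.20.3.10"], True),
    ("bhs-plc-12", "baggage_plc", ["10.30.7.12"], True),
    ("eng-ws-04", "engineering_ws", ["10.20.9.44", "10.30.9.44"], True),  # dual-homed
    ("historian-01", "historian", ["10.50.0.20"], True),
    ("kiosk-17", "public_kiosk", ["10.20.3.99"], True),   # kiosk on an operational subnet
    ("android-7f3a", "unknown", ["10.30.7.200"], False),  # unregistered device on OT
]


def zone_of(ip: str) -> str:
    """Map one interface address to its zone, or 'unassigned' if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for net, zone in NETS:
        if addr in net:
            return zone
    return "unassigned"


def find_bridging_hosts(inventory):
    """IT/OT direct connections: hosts with interfaces in more than one zone."""
    out = {}
    for host, _role, ips, _known in inventory:
        zones = {zone_of(ip) for ip in ips}
        if len(zones) > 1:
            out[host] = zones
    return out


def find_mixed_segments(inventory):
    """Flat networks / passenger crossover: /24 segments that host roles
    designed for different zones. Unregistered devices are reported separately."""
    members = defaultdict(set)
    for _host, role, ips, known in inventory:
        if not known:
            continue
        for ip in ips:
            seg = ipaddress.ip_network(f"{ip}/24", strict=False)
            members[str(seg)].add(ROLE_ZONE[role])
    return {seg: sorted(z) for seg, z in members.items() if len(z) > 1}


def find_unknown_devices(inventory):
    """Shadow IT: devices seen by discovery that are absent from the asset register."""
    return sorted((host, zone_of(ips[0])) for host, _r, ips, known in inventory if not known)


def report(inventory):
    return {
        "bridging_hosts": find_bridging_hosts(inventory),
        "mixed_segments": find_mixed_segments(inventory),
        "unknown_devices": find_unknown_devices(inventory),
    }


if __name__ == "__main__":
    for finding, value in report(INVENTORY).items():
        print(f"{finding}: {value}")
```

Vendor access drift is not visible from addresses alone; it needs the remote-access account list with creation dates and last-use timestamps, which is a separate check against the access system rather than the network inventory.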
Implementing Network Segmentation: Practical Steps
For aviation operators undertaking network segmentation improvement, a phased approach is most practical:
- Phase 1: OT asset discovery — map all devices and network connections across IT and OT environments before attempting segmentation changes
- Phase 2: Define the target architecture — design the target zone model with appropriate boundaries and inter-zone communication rules
- Phase 3: Establish IT/OT boundary — deploy firewalls or data diodes at the IT/OT boundary as the highest-priority segmentation improvement
- Phase 4: Isolate passenger/public networks — ensure passenger Wi-Fi and public systems are completely isolated from operational infrastructure
- Phase 5: Implement micro-segmentation within OT — further segment OT zones by function to limit lateral movement within OT networks
- Phase 6: Vendor access control — implement controlled, monitored vendor remote access replacing any standing VPN connections
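Phase 6 replaces standing vendor VPNs with access that is granted per task, bound to one named system, expires on its own and is logged on every decision. The broker below is an added example of that design, not a product or the operator's tooling: the ceiling on grant lifetime, the ticket field, the timestamps and the system names are all assumptions, and the point it demonstrates is that a forgotten grant cannot outlive its window.

```python
"""Time-limited, monitored vendor access for Phase 6 above.

Added illustration, not a product or the operator's tooling. Assumed design:
a vendor session is allowed only under an explicit grant that names one
target OT system, carries a maintenance ticket and expires; there is no
standing access, and every decision is written to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    vendor: str
    target: str            # one named OT system, never a whole zone
    expires_at: datetime
    ticket: str            # maintenance/change ticket the access is tied to


@dataclass
class VendorAccessBroker:
    max_ttl: timedelta = timedelta(hours=8)   # assumed ceiling per grant
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant(self, vendor, target, ttl, ticket, now):
        """Issue a grant; refuse anything that would amount to standing access."""
        if ttl > self.max_ttl:
            raise ValueError(f"ttl {ttl} exceeds maximum {self.max_ttl}")
        g = Grant(vendor, target, now + ttl, ticket)
        self.grants.append(g)
        self.audit_log.append((now, "grant", vendor, target, ticket))
        return g

    def purge_expired(self, now):
        """Drop grants past expiry so a forgotten account cannot linger."""
        expired = [g for g in self.grants if g.expires_at <= now]
        for g in expired:
            self.grants.remove(g)
            self.audit_log.append((g.expires_at, "expire", g.vendor, g.target, g.ticket))
        return len(expired)

    def authorize(self, vendor, target, now):
        """Decide one connection attempt; deny unless a live grant matches exactly."""
        self.purge_expired(now)
        ok = any(g.vendor == vendor and g.target == target for g in self.grants)
        self.audit_log.append((now, "allow" if ok else "deny", vendor, target, None))
        return ok


T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp


def demo():
    """Three decisions: inside the window on the right target, wrong target, after expiry."""
    broker = VendorAccessBroker()
    broker.grant("bhs-vendor", "bhs-plc-12", timedelta(hours=2), "CHG-0001", T0)
    return [
        broker.authorize("bhs-vendor", "bhs-plc-12", T0 + timedelta(minutes=30)),
        broker.authorize("bhs-vendor", "afl-ctrl-01", T0 + timedelta(minutes=30)),
        broker.authorize("bhs-vendor", "bhs-plc-12", T0 + timedelta(hours=3)),
    ]


def standing_access_rejected():
    """A request for a multi-week grant must be refused outright."""
    try:
        VendorAccessBroker().grant("bhs-vendor", "bhs-plc-12",
                                   timedelta(days=30), "CHG-0002", T0)
    except ValueError:
        return True
    return False


def audit_events():
    """Event types written for one grant followed by a late connection attempt."""
    broker = VendorAccessBroker()
    broker.grant("bhs-vendor", "bhs-plc-12", timedelta(hours=2), "CHG-0001", T0)
    broker.authorize("bhs-vendor", "bhs-plc-12", T0 + timedelta(hours=3))
    return [event[1] for event in broker.audit_log]


if __name__ == "__main__":
    print(demo(), standing_access_rejected(), audit_events())
```

In a real deployment the `authorize` decision sits on the jump host or remote-access gateway in the intermediate zone, and the audit log feeds the same monitoring that watches the IT/OT boundary, so a denied attempt against an OT system is an alert rather than a silent failure.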
Frequently Asked Questions
How does network segmentation interact with cloud-based aviation systems?
Many modern aviation systems (cloud-based DCS, SaaS flight operations platforms) access cloud services from operational network zones. Segmentation must account for these cloud connections: traffic from operational zones to cloud services should be proxied, inspected, and logged. Cloud access security broker (CASB) controls can extend segmentation principles to cloud-based aviation applications. Critically, cloud access from OT zones should be via a controlled proxy in an intermediate zone — not direct internet access from OT networks.
Does effective network segmentation satisfy EASA Part-IS and CAA CAP 1753 requirements?
Network segmentation is a core control expected by both EASA Part-IS and CAA CAP 1753, but it is not sufficient alone. Both frameworks require a comprehensive ISMS with risk assessment, access control, patch management, incident response, and staff training. Network segmentation satisfies the network security control requirement and substantially reduces the risk profile — but must be part of a broader security programme to demonstrate regulatory compliance.