International Journal of Critical Infrastructure Protection, vol. 53, 2026 (SCI-Expanded, Scopus)
The convergence of Operational Technology (OT) and Information Technology (IT) has expanded the cyber–physical attack surface of critical industrial systems by introducing routable IT-originated paths toward protocol-native OT interfaces. Conventional segmentation and firewalling reduce exposure but do not eliminate the architectural condition that enables command injection. This paper presents a deterministic and immutable OT–IT enforcement architecture realized as a bare-metal, dual-interface gateway that enforces protocol-level isolation by construction rather than by runtime inspection. The contribution lies in formalizing protocol-semantic unreachability as a design-level security primitive at the OT–IT boundary, rather than in proposing a new firewall configuration or segmentation technique. All permissible OT interactions are fixed at firmware level, while IT-side influence is restricted to authenticated, time-bounded setup procedures governed by signed policy artifacts. Under explicitly stated assumptions—including intact, locally provisioned firmware without remote update paths and absence of physical compromise—the architecture renders entire classes of IT-originated write and command-injection attacks structurally unreachable during runtime operation, outside explicitly governed setup windows. Empirical traces from a live industrial deployment with a Siemens S7-1500 PLC demonstrate tightly bounded southbound timing, independence of OT execution from IT-side congestion, and confinement of configuration changes to governed setup windows. The proposed immutability model intentionally trades operational flexibility for architectural assurance, prioritizing deterministic control integrity over continuous remote reconfiguration.
By shifting OT–IT security from detection-based filtering to architectural enforcement, the framework establishes a practical security pattern for critical infrastructure protection in which specific attack classes are eliminated under clearly defined deployment and integrity assumptions.
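The following is an added illustration of the enforcement pattern the abstract describes, not the paper's gateway firmware or code: the IT-facing side can dispatch only a fixed operation table, so a write request has no handler at all, and policy changes are accepted only from a signed, time-bounded artifact. HMAC-SHA256 stands in for the paper's unspecified signing scheme, and the key, register names and values are constructed sample data.

```python
"""Added illustration of the abstract's enforcement pattern, not the paper's code.
Constructed model: the IT-facing side dispatches only operations in a table
fixed at build time, so a write request has no handler at all (unreachable,
not filtered). Policy changes arrive only as signed, time-bounded artifacts;
HMAC-SHA256 stands in for the paper's unspecified signing scheme, and every
key, register name and value here is constructed sample data."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Fixed at build time: the complete set of OT interactions the runtime image can perform.
FIXED_OT_OPERATIONS = frozenset({"read_register"})


@dataclass
class Gateway:
    policy_key: bytes  # locally provisioned; no remote update path
    plc_registers: dict = field(default_factory=lambda: {"DB1.DBW0": 100, "DB1.DBW2": 250})
    readable: frozenset = frozenset({"DB1.DBW0"})  # allow-list from the current signed policy

    def it_request(self, op: str, reg: str):
        """Runtime IT-originated request. Anything outside FIXED_OT_OPERATIONS
        is dropped: there is no code path from here to a PLC write."""
        if op not in FIXED_OT_OPERATIONS:
            return ("dropped", "operation does not exist in runtime image")
        if reg not in self.readable:
            return ("denied", "register not in current policy")
        return ("ok", self.plc_registers[reg])

    def apply_setup(self, artifact: bytes, sig: bytes, now: int):
        """Setup path: honour a policy artifact only if its signature verifies
        and `now` lies inside the validity window the artifact carries."""
        expected = hmac.new(self.policy_key, artifact, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return ("rejected", "bad signature")
        policy = json.loads(artifact)
        if not policy["not_before"] <= now < policy["not_after"]:
            return ("rejected", "outside setup window")
        # A valid artifact can only reshape the read allow-list; the operation
        # set is not a policy field, so setup cannot introduce a write path.
        self.readable = frozenset(policy["readable_registers"])
        return ("applied", sorted(self.readable))


def sign_policy(key: bytes, policy: dict):
    """Constructed signer standing in for the paper's policy-signing step."""
    artifact = json.dumps(policy, sort_keys=True).encode()
    return artifact, hmac.new(key, artifact, hashlib.sha256).digest()
```

The contrast with a firewall is that a `write_register` request fails here because no handler exists in the image, not because a rule matched it at runtime.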