Network Security Architecture in Abu Dhabi · OT & Gov

Macksofy delivers defensive network engineering for Abu Dhabi’s critical-infrastructure operators, ADGM financial entities, government bodies and DoH-licensed healthcare, with the capital’s defining characteristic — a heavy OT estate — at the centre of the work. The ADNOC ecosystem, the utilities operators and the industrial estates across Mussafah, KIZAD and the Ruwais corridor run process networks that, almost universally, started life flat: PLCs, DCS, SCADA, historians and engineering laptops sharing broadcast domains, with vendor-mandated flat designs and a maintenance-vendor remote-access path that is rarely segmented. Our engagement makes that estate auditable and then layers zones and conduits in a sequence the change-advisory board and the plant-availability constraints can absorb.

IT/OT segmentation per IEC 62443-3-2 is the headline engagement class in Abu Dhabi, not an afterthought. We map the estate to the Purdue model, define security zones and conduits by criticality, and design the IT-to-OT boundary the way NESA Critical Information Infrastructure Protection expects an operator to demonstrate it — a controlled north-south path, a hardened jump-host / remote-access route for maintenance vendors, the engineering-workstation and historian exposure closed, and the safety-instrumented-system network deliberately isolated. The redesign is calibrated to operational reality: a process plant cannot take a flag-day cutover, so the rollout is staged around turnaround windows and the safety case, with passive discovery (NetFlow / span ports / OT-aware passive sensors) doing the heavy lifting rather than active scanning inside a live process zone.

Firewall rule-base cleanup is risk-managed, not bulk. A long-lived Abu Dhabi enterprise firewall estate carries the usual fifteen-year accretion — thousands of rules, a third or more dead or shadowed, and a tail of overly-permissive ANY-service exceptions with no business owner. We classify each rule into dead (zero hits in 90 days), shadowed, overly-permissive and unjustified; every removal gets a rollback window and an explicit business-owner sign-off; and the client network team executes during scheduled maintenance windows with Macksofy senior on standby. The workflow is conservative by design — a single business-impacting rollback forces re-scoping, so we do not bulk-delete.

The regulator-evidence layer is what closes the engagement. NESA / UAE IAS expects trust-zone isolation a critical-infrastructure operator can demonstrate; ADDA sets the information-security standards a government entity is held to; FSRA cyber expectations and ADGM data-protection govern the financial free-zone estate; and ADHICS governs DoH-licensed healthcare. Macksofy’s deliverable is the segmentation-evidence binder that maps the current-state and target-state architecture to whichever of those sets governs the client — so the same engagement produces the federal evidence and the sector-regulator evidence from one body of work, in the format the Abu Dhabi reviewer reads.

SASE / ZTNA vendor selection and microsegmentation are part of roadmap-scale projects, and Macksofy is vendor-neutral — we do not resell Zscaler, Netskope, Cisco, Palo Alto Prisma, Cloudflare, Illumio, Guardicore or NSX licences. The short-list is driven by the client’s existing investment, the connectivity vendor’s edge presence in the UAE, the data-residency posture on cloud-mediated traffic (a real constraint for government and energy scope), and the rollout cadence the change calendar can absorb. Microsegmentation pilots typically run on a 250-host scope before expanding, validating agent footprint, policy-modelling effort, SIEM integration and the change-failure rate — and for a critical-infrastructure operator the full rollout is planned as a multi-quarter programme, never a six-week sprint.

Deliverables include the NESA / ADDA / FSRA / ADHICS-mapped segmentation-evidence binder, the current-state and target-state network and IT/OT architecture diagrams, the IEC 62443 zone-and-conduit model, the phased rollout plan with change-window discipline tied to plant turnarounds, the change-management playbook with rollback-tested templates, and an optional quarterly drift audit. Senior consultants fly Mumbai BKC → AUH (~3.5 hours) for the discovery workshop, the design review and the rollout-supervision touchpoints, with a UAE-resident lead for multi-quarter programmes; billing is in AED with the 5% VAT line.