In industrial environments, the separation between IT and OT isn’t accidental. It exists because OT systems control physical processes, safety mechanisms, and availability-critical workflows. These systems are designed to be deterministic, tightly controlled, and insulated from external influence. In many cases, that insulation takes the form of a strict air gap, with data flowing in only one direction for specific monitoring use cases.
This becomes a problem when enterprises start exploring wireless connectivity such as Wi-Fi and private 5G.
On the surface, private 5G looks like a shared connectivity fabric, i.e., one network that could support IT devices, OT systems, and everything in between. However, when viewed through a traditional lens, that shared fabric appears to violate the core OT principle of separation. The common response is to duplicate infrastructure, creating one private 5G network for IT and another for OT.
That approach preserves isolation, but at a cost. Two networks mean twice as many radios, twice the management overhead, and twice the operational complexity. It also undermines many of the efficiency benefits that made private 5G attractive in the first place.
At the same time, the real world is becoming less binary. There’s growing demand for selective interaction between IT and OT. Field operators may use tablets or handheld devices to access alarms, status information, or work orders from OT systems. This isn’t unrestricted access; it’s tightly governed, policy-driven communication.
So the real challenge isn’t “IT versus OT”; it’s how to enforce separation while allowing controlled interaction, all on a single infrastructure.
That’s fundamentally a policy and segmentation problem, not a radio problem.
One way to address this is to enforce hard isolation at the physical and logical levels using Microslicing™. With this approach, IT and OT traffic share the same spectrum and radios but are isolated at the physical layer, and remain separated through the edge and core.
On the backend, separation is maintained through explicit interfaces on Celona Edge. IT and OT traffic terminate on separate physical ports, each connected to its own switch, firewall, and policy stack. From a security perspective, OT remains isolated by default, with inbound access blocked unless explicitly allowed for specific IT use cases.
The critical distinction is that this does not flatten IT and OT into a single trust domain. Instead, it preserves air-gap behaviour while eliminating the inefficiencies of duplicate infrastructure.
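The "isolated by default, allowed only for specific IT use cases" rule described above can be checked mechanically on whatever firewall sits at the OT boundary. The sketch below is an added example, not Celona configuration or code: the address ranges, rule names and the `max_dst_hosts` threshold are constructed assumptions. It evaluates flows against an allowlist with an implicit deny and flags rules too broad to represent one use case.

```python
"""Default-deny check for IT-to-OT flows (added example, constructed data)."""
import ipaddress as ip
from dataclasses import dataclass

IT_NET = ip.ip_network("10.10.0.0/16")     # assumed IT segment
OT_NET = ip.ip_network("192.168.50.0/24")  # assumed OT segment

@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # IT-side source prefix
    dst: str   # OT-side destination prefix
    port: int  # TCP destination port; 0 = any

# Constructed allowlist: the only permitted inbound IT -> OT flows.
RULES = [
    Rule("tablets-to-alarm-api", "10.10.20.0/28", "192.168.50.10/32", 443),
    Rule("legacy-temp-access", "10.10.0.0/16", "192.168.50.0/24", 0),
]

def decide(rules, src, dst, port):
    """Return the name of the first rule allowing the flow, else 'default-deny'."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for r in rules:
        if (s in ip.ip_network(r.src) and d in ip.ip_network(r.dst)
                and r.port in (0, port)):
            return r.name
    return "default-deny"

def audit(rules, max_dst_hosts=4):
    """Flag rules too broad to represent one specific IT use case."""
    findings = []
    for r in rules:
        src, dst = ip.ip_network(r.src), ip.ip_network(r.dst)
        if not src.subnet_of(IT_NET) or not dst.subnet_of(OT_NET):
            findings.append((r.name, "prefix outside declared IT/OT segments"))
        if src == IT_NET:
            findings.append((r.name, "source is the entire IT segment"))
        if dst.num_addresses > max_dst_hosts:
            findings.append((r.name, "destination covers too many OT hosts"))
        if r.port == 0:
            findings.append((r.name, "any port allowed"))
    return findings

if __name__ == "__main__":
    for name, why in audit(RULES):
        print(f"REVIEW {name}: {why}")
    print(decide(RULES[:1], "10.10.20.5", "192.168.50.10", 443))
    print(decide(RULES[:1], "10.10.20.5", "192.168.50.11", 502))
```

With only the narrow tablet rule loaded, any other IT-to-OT flow falls through to the implicit deny; the second constructed rule is the kind of broad exception the audit surfaces for review.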
This model is already in early-stage production deployments, and as private 5G scales, it’s likely to become the dominant pattern. Enterprises don’t want to choose between security and efficiency. With the right architecture, they don’t have to.
What to do next
Before planning multiple private 5G networks, step back and ask whether your isolation requirements are physical or policy-driven. In many cases, enforcing separation logically delivers the same security outcomes with far less complexity.
