Article
Data sources: ZENODO

Infrastructure Hardening for OT Networks: From Traditional Segmentation to Future-Proof Trusted Architectures

Authors: Mohammed Shoukatuddin; Mohammed Aqheel; Mohammed Afzal;

Abstract

Operational Technology (OT) networks operate critical industrial processes and must deliver safety and availability over long asset lifecycles. However, IT–OT convergence, Industrial IoT (IIoT) expansion, and remote operations have increased exposure to malware, ransomware, and targeted attacks. This paper proposes a practical hardening approach that combines (i) structured network segregation aligned with the Purdue reference hierarchy and IEC 62443 zones-and-conduits, and (ii) hardware-rooted security using Trusted Platform Modules (TPMs) and Trusted Execution Environments (TEEs) to anchor device identity and integrity. We compare legacy air-gapped designs, current segmented architectures, and a future hybrid model that incorporates Zero Trust principles, micro-segmentation, continuous attestation, and centralized monitoring. Our contribution is an integrated architecture and implementation guidance for brownfield OT environments, including controlled conduits, secure remote access, device attestation, cryptographic agility, and measurable detection-and-response. We further discuss Industry 4.0 and Industry 5.0 considerations—mass connectivity, cyber-physical safety, human-centric operations, sustainability, and resilience—and show how they influence security requirements and design choices. The analysis indicates that combining segmentation with hardware-backed trust reduces lateral movement, limits blast radius, and increases assurance that critical endpoints remain in a known-good state, enabling safer operations in increasingly connected industrial ecosystems.
