OT/IT Network Segmentation: Protecting Your Production Floor From Ransomware

On most manufacturing floors, the network that runs your ERP system can reach the same switches that talk to your PLCs and SCADA systems. That’s a problem. When your OT (Operational Technology) and IT networks share the same flat architecture, a single phishing email can cascade into a production shutdown. Network segmentation is the fix — and it’s more achievable than most plant managers expect.

What Are OT and IT Networks?

IT (Information Technology) networks handle the business side: email, ERP, file shares, accounting, CRM. These systems prioritize data confidentiality and integrity and are updated frequently.

OT (Operational Technology) networks control physical processes: PLCs (Programmable Logic Controllers), SCADA systems, HMIs (Human-Machine Interfaces), conveyor controls, temperature monitoring, robotics. These systems prioritize availability and real-time reliability — and they often run software that hasn’t been patched in years because downtime for updates isn’t acceptable.

The problem: most small and mid-size manufacturers built their networks organically, adding equipment over time without a deliberate architecture. The result is a flat network where everything can talk to everything else.

Why Flat Manufacturing Networks Are a Liability

Consider how a real attack plays out on a flat network:

  1. An accounting employee opens a malicious invoice attachment.
  2. Malware installs on their workstation and begins scanning the network.
  3. The scanner discovers PLC programming interfaces on the same subnet.
  4. Ransomware encrypts both the ERP database and the HMI historian files.
  5. Production halts. Engineering scrambles. Recovery takes weeks.

The Cl0p ransomware group exploited exactly this pattern against food processing manufacturers in 2023. The ransomware didn’t need to “hack” the OT network — it simply walked across a flat network from an infected Windows workstation.

What Network Segmentation Actually Means

Segmentation creates isolated network zones that can only communicate with each other through controlled, inspected pathways. For manufacturers, a practical model includes:

Zone 1: Corporate IT

Email, ERP front-end access, file servers, user workstations. Standard IT security controls apply here: EDR, patch management, MFA, email filtering.

Zone 2: Demilitarized Zone (DMZ)

Systems that need to communicate between IT and OT live here — historian servers, MES interfaces, reporting tools. The DMZ acts as a buffer. Traffic flows through firewalls in both directions and is logged and inspected.

Zone 3: OT / Control Network

PLCs, SCADA, HMIs, field devices. This zone should have no direct internet access. Vendor remote access happens through a jump server in the DMZ with MFA and session recording, not through an always-on VPN tunnel.

Zone 4: Safety Systems (if applicable)

Safety Instrumented Systems (SIS) should be physically and logically isolated from all other zones whenever possible.

The Purdue Model (And Its Practical Application)

The Purdue Enterprise Reference Architecture is a well-established framework for OT/IT segmentation. Originally developed for process control, it defines five levels — from physical field devices at Level 0 to enterprise business systems at Level 4, with a DMZ between Levels 3 and 4.

Most manufacturers don’t need to implement the full Purdue model. A practical three-zone approach (IT / DMZ / OT) provides 80% of the protection with far less complexity. The key principle holds regardless of the model: no direct routable path from the internet to your control systems.

Starting Points for Manufacturers Without a Security Team

You don’t need to rebuild your network from scratch. A phased approach works:

Phase 1: Visibility (Weeks 1–4)

You can’t segment what you can’t see. Use passive network discovery tools (Claroty, Dragos, or even basic switch port scanning) to map every device on every VLAN. Document which OT assets are on the IT network today.

Phase 2: Low-disruption separation (Months 2–3)

Create separate VLANs for OT devices using your existing managed switches. Define ACLs (Access Control Lists) for cross-VLAN traffic, but don’t block anything yet — just log what crosses the boundary so you understand the legitimate traffic flows before you restrict them.

Phase 3: Enforce and monitor (Months 4–6)

Deploy a next-generation firewall at the IT/OT boundary. Build allow-list rules for legitimate flows (historian queries, MES data pulls, vendor remote access). Block everything else. Set up alerting for any attempts to cross the boundary outside of approved rules.
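As an added illustration (example code written for this article, not an NBIT tool or any firewall’s native configuration), here is a small Python model of the boundary policy from Phases 2 and 3: a three-zone map, an allow-list of legitimate cross-zone flows, a monitor mode that only logs and an enforce mode that blocks and alerts, run over a few constructed firewall log lines. The subnets, ports and log format are assumptions for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed zone addressing for the three-zone (IT / DMZ / OT) model;
# these subnets are assumptions for the example, not from the article.
ZONES = {
    "IT":  ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT":  ip_network("10.30.0.0/16"),
}

# Allow-list of legitimate cross-zone flows: (src zone, dst zone, proto, dst port).
# No rule joins IT and OT directly: every permitted path transits the DMZ.
ALLOW = {
    ("IT",  "DMZ", "tcp", 1433),   # ERP / reporting queries to the historian
    ("DMZ", "OT",  "tcp", 502),    # historian collector polling PLCs over Modbus/TCP
    ("DMZ", "OT",  "tcp", 3389),   # jump-server RDP to the engineering workstation
}
Flow = namedtuple("Flow", "src dst proto dport")
Verdict = namedtuple("Verdict", "action alert")   # action: allow|deny, alert: str|None

def zone_of(addr):
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "UNKNOWN")

def evaluate(flow, mode="enforce"):
    """Phase 2 runs with mode="monitor" (log only); Phase 3 with "enforce" (block)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:                      # intra-zone traffic never hits the boundary
        return Verdict("allow", None)
    if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOW:
        return Verdict("allow", None)
    alert = (f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} "
             f"{flow.src}->{flow.dst} is outside the allow-list")
    return Verdict("allow" if mode == "monitor" else "deny", alert)

def parse_log(line):
    """Parse one constructed key=value firewall log line into a Flow."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], kv["proto"], int(kv["dport"]))

# Constructed sample log: a historian query, a collector poll, and an IT
# workstation reaching a PLC on Modbus/TCP (the flat-network pattern above).
SAMPLE_LOG = [
    "src=10.10.5.21 dst=10.20.0.10 proto=tcp dport=1433",
    "src=10.20.0.10 dst=10.30.1.7 proto=tcp dport=502",
    "src=10.10.5.21 dst=10.30.1.7 proto=tcp dport=502",
]

def review(lines, mode="enforce"):
    """Return a Verdict per log line; the alerts are what Phase 3 pages on."""
    return [evaluate(parse_log(line), mode) for line in lines]
```

In monitor mode the third line is still allowed but produces the same alert, which is exactly the Phase 2 inventory of flows you must either add to the allow-list or eliminate before switching to enforce.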

The Vendor Remote Access Problem

Most manufacturers have 3–15 vendors with some form of remote access to OT equipment. This is one of the highest-risk attack surfaces in manufacturing — and one of the most neglected.

The SolarWinds attack and the Oldsmar water treatment breach both involved compromised vendor access. The pattern is the same: a vendor uses a shared credential or an unmonitored VPN tunnel, and attackers exploit that pathway.

Best practice: route all vendor access through a dedicated jump server or privileged access workstation (PAW) in the DMZ. Require MFA. Record sessions. Disable access when maintenance windows close — not “when the vendor is done.”

What This Costs (And What It Saves)

A phased OT/IT segmentation project for a 100–300 employee manufacturer typically runs $25,000–$80,000 in professional services and equipment, depending on the current state of the network and the number of production lines involved.

The median cost of a manufacturing ransomware incident that shuts down production: $1.9 million in downtime alone, not counting recovery costs, data loss, or customer penalties for missed delivery windows.

For most manufacturers, segmentation is among the highest-ROI security investments available — precisely because the production floor is so exposed and the downtime costs are so concrete.

NBIT’s Approach for Midwest Manufacturers

NBIT specializes in OT/IT network assessments for manufacturers in the 50–500 employee range. We work directly with your plant engineers and IT staff (if you have any) to map your current environment, identify the highest-risk exposure points, and develop a segmentation roadmap that fits your production schedule — not a generic framework designed for chemical refineries.

If you’re not sure what’s currently crossing between your office network and your production floor, a network assessment is the right starting point. We typically complete initial assessments in two to three days without disrupting operations.

Schedule a discovery call to discuss what a segmentation assessment would look like for your facility.

Talk to an Engineer

Ready to strengthen your manufacturing IT?

Our team works exclusively with manufacturing and industrial companies. Schedule a free 30-minute call to see where your network stands.

Schedule a Free Assessment
