IT-OT Network Segmentation for Manufacturing: Isolating Production from Corporate Networks
The single most impactful security control for manufacturing organisations is network segmentation between corporate IT and operational technology environments. In most manufacturing environments, this segmentation either does not exist or is implemented poorly — with flat networks allowing any compromised IT device to reach production PLCs, SCADA systems, and industrial control infrastructure. The business case is straightforward: without segmentation, a phishing email can become a production shutdown; with it, a compromised laptop remains a laptop problem, not a plant problem.
Adequate IT-OT network segmentation would have prevented production impact in 73% of manufacturing ransomware incidents in 2023 — yet fewer than 35% of UK manufacturers have implemented it.
Designing IT-OT Network Segmentation for Manufacturing
Effective IT-OT network segmentation for manufacturing is built around the Purdue Model — a reference architecture that organises industrial networks into hierarchical zones: Level 0 (field devices — sensors, actuators), Level 1 (basic control — PLCs, DCS), Level 2 (supervisory control — SCADA, HMIs), Level 3 (manufacturing operations — MES, historian), DMZ (data exchange zone between OT and IT), Level 4 (business logistics — ERP, corporate IT). Each level is separated by industrial-grade firewalls with default-deny rules and only specifically authorised traffic permitted between zones. Remote access to OT systems is channelled through a hardened jump server in the DMZ with MFA and session recording.
Implementing Segmentation Without Disrupting Production
The challenge of IT-OT segmentation in manufacturing is implementing it without disrupting production — a constraint that does not exist in IT environments. Practical implementation requires: a discovery phase to map all current network connections and data flows between IT and OT (passive discovery tools that do not disrupt production); a design phase to plan the target segmentation architecture that preserves necessary data flows (ERP integration, remote OEM access, historian data replication) while eliminating unnecessary IT-OT connectivity; a phased implementation that introduces segmentation controls incrementally, testing each change in maintenance windows; and ongoing maintenance to manage the firewall rules as production systems change. Kyanite Blue's Collective IP services provide OT network segmentation design and implementation support for manufacturing clients.
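As an added illustration (not code from this article or from Kyanite Blue), the following Python script checks flows captured during the passive discovery phase against a Purdue-style default-deny zone policy like the one described above, flagging anything that crosses IT and OT without passing through the DMZ or that skips a level; the zones, ports and allow rules are constructed assumptions, not a real plant's design.

```python
"""Evaluate discovered IT/OT network flows against a Purdue-style
default-deny zone policy. Constructed example, not a vendor tool."""
from dataclasses import dataclass

# Purdue levels from the process floor (L0) up to corporate IT (L4).
LEVELS = ["L0", "L1", "L2", "L3", "DMZ", "L4"]
RANK = {zone: i for i, zone in enumerate(LEVELS)}
IT_ZONES = {"L4"}  # everything else is OT or the DMZ


@dataclass(frozen=True)
class Flow:
    src: str    # source zone, e.g. "L3"
    dst: str    # destination zone, e.g. "DMZ"
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Explicit allow list from the design phase; anything absent is denied.
# Constructed rules mirroring the flows the article says must be preserved.
ALLOW = {
    Flow("L3", "DMZ", "tcp", 5432): "historian replication to DMZ mirror",
    Flow("L4", "DMZ", "tcp", 443): "ERP integration and OEM access via DMZ",
    Flow("DMZ", "L2", "tcp", 3389): "jump server RDP to HMI (MFA, recorded)",
    Flow("L2", "L1", "tcp", 502): "SCADA polling PLCs over Modbus/TCP",
}


def evaluate(flow: Flow) -> str:
    """Return a verdict string for one discovered inter-zone flow."""
    if flow.src == flow.dst:
        return "intra-zone"  # not governed by the inter-zone firewalls
    if flow in ALLOW:
        return "permitted: " + ALLOW[flow]
    crosses_it = (flow.src in IT_ZONES) != (flow.dst in IT_ZONES)
    if crosses_it and "DMZ" not in (flow.src, flow.dst):
        return "blocked: IT-OT flow bypasses DMZ"  # the flat-network problem
    if abs(RANK[flow.src] - RANK[flow.dst]) > 1:
        return "blocked: skips a Purdue level"
    return "blocked: default-deny"


def audit(flows):
    """Group discovered flows by verdict category for the design review."""
    report = {}
    for f in flows:
        report.setdefault(evaluate(f).split(":")[0], []).append(f)
    return report


if __name__ == "__main__":
    discovered = [Flow("L3", "DMZ", "tcp", 5432), Flow("L4", "L1", "tcp", 502)]
    for category, items in audit(discovered).items():
        print(category, [f"{f.src}->{f.dst}:{f.port}" for f in items])
```

Flows that land in the "blocked" category are exactly the connections the design phase must either add to the allow list with a documented purpose or eliminate before the firewall rules go live.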