Manufacturing IT • 8 min read

OT/IT Network Segmentation for Manufacturing: How to Protect Your Production Systems

A cyberattack that starts on an office computer can reach your PLC, SCADA system, and production line in minutes if your network isn't segmented. Here's how to prevent it.

Quick Answer

OT/IT network segmentation separates industrial control systems (PLCs, SCADA, HMIs) from business IT systems using firewalls, DMZs, and VLANs. The Purdue Model provides the standard architecture: Level 0–2 (field devices and control systems) are isolated from Level 3–5 (business systems and internet). A properly segmented manufacturing network requires a DMZ between IT and OT networks with strict firewall rules controlling all traffic between zones.

Why Manufacturing Needs OT/IT Segmentation

In most manufacturing facilities, operational technology (OT) — PLCs, SCADA systems, DCS, HMIs — was designed to run in isolation. It was never meant to be connected to the internet or corporate networks. Over time, those connections got added for remote monitoring, data collection, vendor access, and ERP integration.

The result: production systems that weren't designed for cyber threats are now reachable through corporate networks that are under constant attack. The consequences of a successful attack aren't just data loss — they're production shutdowns, equipment damage, and safety incidents.

The 2021 Oldsmar water treatment attack (an attacker remotely changed chemical levels via remote access software), the 2021 Colonial Pipeline attack (ransomware in business systems led to a voluntary production shutdown), and dozens of smaller manufacturing incidents demonstrate that flat OT/IT networks are critical vulnerabilities.

The Purdue Model: The Standard Architecture

The Purdue Enterprise Reference Architecture (usually just called the Purdue Model; its level hierarchy was adopted by the ISA-95 standard) defines a hierarchical model for industrial networks, with Levels 0 through 5 plus a Level 3.5 DMZ:

  • Level 0 — Field Level: Sensors, actuators, field devices directly connected to physical processes
  • Level 1 — Control Level: PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units)
  • Level 2 — Supervisory Level: SCADA systems, HMIs (Human-Machine Interfaces), DCS (Distributed Control Systems)
  • Level 3 — Manufacturing Operations: Manufacturing Execution Systems (MES), historians, batch management
  • Level 3.5 — Industrial DMZ: The security boundary between OT and IT — servers that need to communicate in both directions live here
  • Level 4 — Business Planning: ERP systems (SAP, Oracle), business network
  • Level 5 — Enterprise Network: Corporate IT, internet access

The key principle: traffic between levels should be minimized and explicitly controlled. A device at Level 1 has no business communicating directly with Level 4 or 5.

The Industrial DMZ: The Critical Boundary

The industrial DMZ (Level 3.5) is where OT/IT segmentation is implemented in practice. All traffic between the OT network and the IT network should pass through this zone:

  • Data historians that collect OT data and make it available to IT systems sit in the DMZ — they receive data from OT systems but don't give IT systems direct access to control systems
  • Vendor remote access servers sit in the DMZ — vendors connect to the DMZ, not directly to PLCs or SCADA
  • Patch servers sit in the DMZ — updates are staged here before being pushed to OT systems
  • File transfer servers sit in the DMZ — files for OT systems are scanned here before being transferred

The DMZ is protected by two firewalls: one controlling traffic from the IT side, one controlling traffic from the OT side. Both should be configured with explicit allow-lists (permit only required traffic) rather than deny-lists (block known bad traffic).
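The two principles above (traffic between levels is explicitly controlled, and every OT/IT crossing goes through the Level 3.5 DMZ on an allow-list basis) can be expressed as a small default-deny policy and checked before anything reaches a real firewall. The following is an added example, not code from this article or from any firewall vendor; the subnets, zone names, ports and rules are constructed for illustration.

```python
"""Default-deny zone policy for a Purdue-segmented plant network.

Added illustration, not a vendor's firewall syntax: the subnets, zone names
and rules are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone -> (subnet, Purdue level). Assumed plant addressing.
ZONES = {
    "control":     (ip_network("10.10.1.0/24"), 1),    # PLCs, RTUs
    "supervisory": (ip_network("10.10.2.0/24"), 2),    # SCADA servers, HMIs
    "operations":  (ip_network("10.10.3.0/24"), 3),    # MES, batch management
    "dmz":         (ip_network("10.20.0.0/24"), 3.5),  # historian mirror, jump server, patch staging
    "business":    (ip_network("10.30.0.0/16"), 4),    # ERP and business applications
    "enterprise":  (ip_network("10.40.0.0/16"), 5),    # corporate IT, internet edge
}


@dataclass(frozen=True)
class Rule:
    src: str     # source zone name
    dst: str     # destination zone name
    proto: str   # "tcp" or "udp"
    dport: int
    note: str    # why the path is needed; required for every allow rule


# The allow-list. Anything not matched here is dropped.
ALLOW_RULES = [
    Rule("supervisory", "control", "tcp", 502, "SCADA polls PLCs over Modbus/TCP"),
    Rule("operations", "supervisory", "tcp", 4840, "MES reads process data via OPC UA"),
    Rule("supervisory", "dmz", "tcp", 443, "SCADA pushes tags to the DMZ historian"),
    Rule("business", "dmz", "tcp", 443, "ERP reads the DMZ historian over HTTPS"),
    Rule("dmz", "supervisory", "tcp", 3389, "jump server RDP to SCADA during a vendor window"),
]


def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is unassigned."""
    addr = ip_address(ip)
    for name, (net, _level) in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Decide a flow the way a default-deny inter-zone firewall would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address not assigned to any zone"
    if src == dst:
        return "allow", f"intra-zone traffic in {src} is not mediated by the zone firewall"
    for rule in ALLOW_RULES:
        if (rule.src, rule.dst, rule.proto, rule.dport) == (src, dst, proto.lower(), dport):
            return "allow", rule.note
    return "deny", f"no allow rule for {src}->{dst} {proto}/{dport}"


def crosses_ot_it_boundary(rule: Rule) -> bool:
    """True if a rule lets an OT level (<= 3) and an IT level (>= 4) talk
    directly, bypassing the Level 3.5 DMZ."""
    lo, hi = sorted((ZONES[rule.src][1], ZONES[rule.dst][1]))
    return lo <= 3 and hi >= 4


def lint(rules):
    """Return rules that violate the DMZ-in-the-middle principle, so a
    change review catches them before they reach the firewall."""
    return [r for r in rules if crosses_ot_it_boundary(r)]


if __name__ == "__main__":
    for flow in [("10.10.2.10", "10.10.1.5", "tcp", 502),
                 ("10.30.1.20", "10.10.1.5", "tcp", 502),
                 ("10.30.1.20", "10.20.0.10", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
    shortcut = Rule("business", "control", "tcp", 502, "ERP wants the PLC directly")
    print("policy lint:", lint(ALLOW_RULES + [shortcut]))
```

The `lint` check is the part worth copying into a change-review process: a rule such as business-to-control on port 502 is syntactically valid on any firewall, and only a check that knows the Purdue level of each zone will flag that it skips the DMZ.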

Practical Implementation Steps

  1. Asset inventory first. You cannot segment what you don't know about. Use passive network discovery tools (Claroty, Dragos, Nozomi — purpose-built for OT environments) or active scanning (carefully, as some OT devices crash under network scans) to enumerate all connected devices.
  2. Network topology mapping. Document how devices are currently connected. Many manufacturing facilities have informal connections added over years of operations that aren't documented anywhere.
  3. Identify required communication paths. For each device, determine what it legitimately needs to communicate with. A PLC controlling a packaging line needs to talk to its SCADA system — it doesn't need to reach the corporate domain controller or the internet.
  4. Design the segmented architecture. Typically involves: a managed switch with VLANs for OT device grouping, an industrial firewall (Palo Alto, Fortinet, or OT-specific Claroty or Rockwell) between OT and DMZ, and a standard enterprise firewall between DMZ and IT.
  5. Implement and test in stages. Don't flip the switch on all segmentation at once. Implement one production line's network at a time, verify operations are unaffected, then proceed.
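Steps 1 to 3 above produce three artifacts: an asset inventory, the observed connections, and the list of paths each device legitimately needs. The following added example (not part of this article, and not the output format of Claroty, Dragos or Nozomi) shows how observed flows are turned into a candidate allow-list plus a review queue of paths that need a decision. The inventory and the flow records are constructed to resemble a passive capture on a plant core switch.

```python
"""Turn passively observed flows into a candidate allow-list and a review queue.

Added illustration of the inventory / topology / required-paths steps; the
inventory and flow records below are constructed, standing in for an export
from a passive OT monitoring tool or a SPAN-port capture.
"""
from collections import defaultdict

# Step 1 output: asset inventory, ip -> (asset name, Purdue level). Constructed.
INVENTORY = {
    "10.10.1.5":  ("PLC-PACK-01", 1),
    "10.10.1.6":  ("PLC-PACK-02", 1),
    "10.10.2.10": ("SCADA-01",    2),
    "10.10.2.11": ("HMI-LINE1",   2),
    "10.10.3.20": ("MES-01",      3),
    "10.20.0.10": ("HIST-DMZ",    3.5),
    "10.30.1.20": ("ERP-APP",     4),
}

# Step 2 input: observed flows as (src, dst, proto, dport, packets). Constructed
# to look like a few minutes of capture on the plant core switch.
FLOWS = [
    ("10.10.2.10", "10.10.1.5",  "tcp", 502,   1200),  # SCADA polling a PLC (Modbus/TCP)
    ("10.10.2.10", "10.10.1.6",  "tcp", 502,   1180),
    ("10.10.2.11", "10.10.1.5",  "tcp", 44818, 300),   # HMI to PLC (EtherNet/IP)
    ("10.10.3.20", "10.10.2.10", "tcp", 4840,  200),   # MES to SCADA (OPC UA)
    ("10.10.2.10", "10.20.0.10", "tcp", 443,   150),   # SCADA to DMZ historian
    ("10.30.1.20", "10.20.0.10", "tcp", 443,   90),    # ERP to DMZ historian
    ("10.30.1.20", "10.10.1.5",  "tcp", 502,   4),     # ERP host reaching a PLC directly
    ("10.10.1.6",  "10.99.7.7",  "udp", 53,    12),    # PLC talking to an uninventoried host
]


def findings_for(src: str, dst: str):
    """Classify one observed path against the inventory and the Purdue levels."""
    if src not in INVENTORY or dst not in INVENTORY:
        return ["unknown_device"]          # step 1 is incomplete: go find this host
    lo, hi = sorted((INVENTORY[src][1], INVENTORY[dst][1]))
    if lo <= 3 and hi >= 4:
        return ["ot_it_direct"]            # must be re-homed through the DMZ
    if 3.5 in (lo, hi):
        return []                          # a DMZ leg is the intended crossing point
    if hi - lo > 1:
        return ["level_skip"]              # e.g. a PLC talking straight to MES: justify or remove
    return []


def review(flows=FLOWS):
    """Flows that need a human decision before the allow-list is written."""
    return [(f, findings_for(f[0], f[1])) for f in flows if findings_for(f[0], f[1])]


def candidate_rules(flows=FLOWS):
    """Step 3 output: clean paths aggregated per (src, dst, proto, port),
    keyed by asset name rather than IP so the rule set survives re-addressing."""
    rules = defaultdict(int)
    for src, dst, proto, dport, packets in flows:
        if findings_for(src, dst):
            continue
        key = (INVENTORY[src][0], INVENTORY[dst][0], proto, dport)
        rules[key] += packets
    return dict(rules)


def peers_of(asset: str, flows=FLOWS):
    """Everything one asset was seen talking to: the per-device view used when
    deciding what it legitimately needs."""
    name_of = {ip: name for ip, (name, _lvl) in INVENTORY.items()}
    peers = set()
    for src, dst, proto, dport, _packets in flows:
        if name_of.get(src) == asset:
            peers.add((name_of.get(dst, dst), proto, dport))
        elif name_of.get(dst) == asset:
            peers.add((name_of.get(src, src), proto, dport))
    return peers


if __name__ == "__main__":
    for rule, packets in sorted(candidate_rules().items()):
        print("allow", rule, f"({packets} packets observed)")
    for flow, why in review():
        print("REVIEW", flow, why)
    print("PLC-PACK-01 talks to:", sorted(peers_of("PLC-PACK-01")))
```

Two things to notice when running it on real data: a single low-volume flow (the four packets from the ERP host to a PLC) is exactly the kind of informal connection step 2 warns about and is easy to miss in a volume-sorted report, and an `unknown_device` finding means the inventory, not the firewall, is what needs fixing first.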

Vendor Remote Access: The Most Common Gap

The most common entry point for OT cyberattacks is vendor remote access. Equipment vendors need remote access for troubleshooting, calibration, and updates — but most have it configured as a persistent, always-on VPN connection, often using shared credentials.

Best practice:

  • All vendor remote access goes through a jump server in the industrial DMZ — never direct connections to PLCs or SCADA
  • Vendor access is time-limited and session-based — enabled before a service call, disabled after
  • Session recording: all vendor remote sessions are recorded and logged
  • Separate credentials per vendor — no shared "vendor" account
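The four practices in that list translate into a small decision gate in front of the DMZ jump server: one registered account per vendor, a window that plant staff open for a specific ticket and that closes on its own, and an audit record for every attempt whether it is allowed or not. The following is an added example, not code from this article or from any jump-server product; the vendor names, ticket number, timestamps and the 8-hour window limit are constructed, and the actual enforcement on the jump server is assumed to consume this gate's decisions.

```python
"""Time-boxed, per-vendor access grants in front of a DMZ jump server.

Added illustration of the vendor-access practices above. Vendor accounts,
tickets, windows and timestamps are constructed, and the integration with a
real jump server is assumed: this class only decides and logs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# One named account per vendor company. Anything else, including a shared
# "vendor" login, is unknown to the gate and refused.
VENDOR_ACCOUNTS = {
    "vnd-acme-robotics": "Acme Robotics (packaging line)",
    "vnd-packtech":      "PackTech (palletizer)",
}

MAX_WINDOW = timedelta(hours=8)   # constructed policy limit, not a standard value


@dataclass(frozen=True)
class AccessWindow:
    account: str
    target_zone: str      # zone the jump server may forward to, e.g. "supervisory"
    ticket: str           # service call or change ticket that justified the window
    start: datetime
    end: datetime


class JumpGate:
    def __init__(self):
        self.windows = []
        self.audit = []   # every decision, allowed or not; ship this to the SIEM

    def approve(self, window: AccessWindow):
        """Plant staff open a window before the service call; it closes on its own."""
        if window.account not in VENDOR_ACCOUNTS:
            raise ValueError(f"{window.account} is not a registered vendor account")
        if window.end <= window.start or window.end - window.start > MAX_WINDOW:
            raise ValueError(f"window must be positive and at most {MAX_WINDOW}")
        self.windows.append(window)

    def request(self, account: str, target_zone: str, now: datetime):
        """Decide one connection attempt and record it. Returns (decision, reason)."""
        decision = self._decide(account, target_zone, now)
        self.audit.append({"at": now.isoformat(), "account": account,
                           "target": target_zone, "decision": decision[0],
                           "reason": decision[1]})
        return decision

    def _decide(self, account, target_zone, now):
        if account not in VENDOR_ACCOUNTS:
            return "deny", "unregistered or shared account"
        for w in self.windows:
            if w.account == account and w.target_zone == target_zone and w.start <= now < w.end:
                return "allow", f"ticket {w.ticket}, session must end by {w.end.isoformat()}"
        return "deny", "no open window for this account and target"

    def open_windows(self, now: datetime):
        """What is currently enabled; should be empty outside service calls."""
        return [w for w in self.windows if w.start <= now < w.end]


def demo():
    """Run the constructed scenario; returns (decisions, audit log, windows still open)."""
    gate = JumpGate()
    t0 = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    gate.approve(AccessWindow("vnd-acme-robotics", "supervisory", "SC-1042",
                              t0, t0 + timedelta(hours=4)))
    attempts = [("vnd-acme-robotics", t0 + timedelta(hours=1)),   # inside the window
                ("vnd-acme-robotics", t0 + timedelta(hours=5)),   # window already closed
                ("vendor",            t0 + timedelta(hours=1)),   # shared account
                ("vnd-packtech",      t0 + timedelta(hours=1))]   # no window for this vendor
    decisions = [gate.request(who, "supervisory", when)[0] for who, when in attempts]
    return decisions, gate.audit, gate.open_windows(t0 + timedelta(hours=5))


if __name__ == "__main__":
    decisions, audit, still_open = demo()
    for record in audit:
        print(record)
    print("windows still open after the call:", still_open)
```

Session recording itself is a jump-server feature and is out of scope here; what the gate contributes is that every recording can be tied to a ticket, a named vendor account and a window that someone on the plant side opened, which is the evidence an incident responder needs when a change shows up on a PLC.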

A manufacturing-specialized IT provider should have a documented vendor access management process. See also our guide on supply chain cybersecurity for manufacturers.

Frequently Asked Questions

Do I need a separate IT team for OT security, or can my existing MSP handle it?

OT security requires different skills than standard IT support — familiarity with industrial protocols (Modbus, DNP3, EtherNet/IP), awareness of OT availability requirements (you can't patch a PLC during production), and knowledge of OT-specific risks. Most generalist MSPs are not qualified for OT work. Look for MSPs with OT security experience or GICSP (Global Industrial Cyber Security Professional) certified staff.

What is the difference between IT and OT cybersecurity?

IT security prioritizes confidentiality, integrity, then availability. OT security prioritizes availability, then integrity, then confidentiality — because a production shutdown or safety incident is the primary risk, not data theft. This reversal changes every prioritization decision: you can't just push a security patch at 2am on an OT system without testing it against the production process.

Can industrial control systems be patched like regular computers?

Only with extensive testing and vendor approval. PLCs and SCADA systems often run proprietary or legacy OS versions, and vendors must validate patches against the specific firmware and application running on the device. Applying an unauthorized patch can void support agreements and cause unpredictable behavior. Work with your equipment vendors to establish a tested patch cadence.
