
Network Segmentation for Manufacturers — Why a Flat Network Is a Liability

Walk into most small and mid-sized manufacturing facilities in Northwest Arkansas and you’ll find the same setup: one network. The HR manager’s laptop, the accounting software, the engineer’s workstation, the SCADA system running the production line — all on the same flat network, talking to each other freely.

It’s simple. It’s cheap to set up. And it’s one of the most dangerous configurations a manufacturer can run.

Network segmentation isn’t a buzzword. It’s the single most effective architectural change you can make to limit the damage from a cyberattack — and it’s one of the first things we address when we take on a new manufacturing client.

What Is a Flat Network?

A flat network is exactly what it sounds like: all devices sit on the same network segment and can communicate directly with each other with no barriers in between. There’s no separation between your business systems and your operational technology, no restrictions on which devices can talk to which.

In practice, it means a ransomware infection that starts with a phishing email opened in the front office can reach your PLCs within minutes. A compromised vendor laptop plugged into a conference room port has a path to your SCADA system. A single weak password on one machine can become a foothold across your entire operation.

What Is Network Segmentation?

Network segmentation divides your network into isolated zones — each with its own access controls and traffic rules. Devices in one zone can only communicate with devices in other zones when there’s an explicit rule allowing it.

For a manufacturer, the most important separation is between:

  • IT (Information Technology): office computers, email servers, ERP systems, file shares
  • OT (Operational Technology): PLCs, HMIs, SCADA systems, industrial sensors, CNC equipment
  • DMZ (Demilitarized Zone): systems that need to talk to both IT and OT, or to the internet — like data historians, remote access gateways, or vendor portals

Each zone is protected by a firewall or industrial-grade switch that enforces rules about what traffic is allowed to cross. A ransomware infection contained to the IT segment stays in the IT segment.

Why Manufacturers Need This More Than Most

Standard IT security frameworks treat segmentation as best practice. For manufacturers, it’s closer to essential — for a few reasons specific to industrial environments.

OT systems can’t be patched like IT systems. A PLC running firmware from 2012 can’t be updated without vendor certification and often a production shutdown. You can’t patch your way to security on the plant floor. Segmentation is how you compensate — by reducing the attack surface and limiting exposure.

Downtime has a direct dollar cost. A cyberattack that reaches your OT network doesn’t just encrypt files — it can stop production, damage equipment, or force a safety shutdown. For most manufacturers, every hour of unplanned downtime costs thousands of dollars. Segmentation is the barrier between a bad IT day and a catastrophic OT event.

Regulatory and compliance requirements. If you’re a defense contractor subject to CMMC, network segmentation is explicitly required. NIST 800-171 — the underlying framework — calls for protecting controlled unclassified information (CUI) by isolating it from general-purpose systems. A flat network fails that requirement automatically.

Vendor and remote access risk. Most manufacturers have third-party vendors who need occasional access to specific equipment — a conveyor OEM running remote diagnostics, a controls integrator updating PLC logic. On a flat network, that vendor access is access to everything. Segmented networks let you create narrow, time-limited access paths to specific equipment only.

What Good Segmentation Looks Like

There’s no single right architecture, but a well-segmented manufacturing network typically includes:

Zone             | What Lives Here                                      | Access Rules
-----------------|------------------------------------------------------|------------------------------------------------------
Corporate IT     | Workstations, email, ERP, file servers               | Internet access with filtering; no direct OT access
OT / Plant Floor | PLCs, HMIs, SCADA, industrial sensors                | No internet; no direct IT access; tightly controlled
DMZ              | Data historian, remote access gateway, vendor portal | Can receive data from OT; can pass summary data to IT
Guest / IoT      | Visitor Wi-Fi, building management systems           | Isolated; no access to IT or OT

The connections between zones go through firewalls with explicit allow-rules. Everything else is denied by default.

Common Segmentation Mistakes

Getting the architecture right matters, but so does the implementation. The mistakes we see most often:

Segmentation on paper only. A firewall was installed between IT and OT, but the rules are so permissive they might as well not exist. “Any-to-any” rules defeat the purpose entirely.

Forgetting about wireless. A guest Wi-Fi network that’s on the same VLAN as production equipment is not segmented. Wireless access points need the same zone discipline as wired infrastructure.

Not accounting for legacy equipment. Older industrial equipment often uses protocols like Modbus or DNP3 that assume open network access. Segmenting these systems requires protocol-aware firewalls that understand industrial traffic — not standard IT firewalls that will break them.

No monitoring at zone boundaries. Segmentation limits what attackers can reach. Monitoring at the zone boundaries tells you when someone is testing those limits. Without visibility at the firewall, you’re flying blind.

Vendor access that’s too broad. A VPN that gives a vendor access to the entire OT network instead of a single machine is a flat network by another name.
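As an added example (not code from the original post or the firm's own tooling), a small Python check that encodes a zone policy like the table above as explicit allow-rules with default deny, then compares boundary-firewall log lines against it: it flags flows the firewall let through that the policy never allowed (segmentation on paper only) and denied cross-zone attempts worth a look (what boundary monitoring should surface). Zone subnets, rules and log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed zone addressing for the example (assumed, not from the original post).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_plant": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),
    "guest_iot": ipaddress.ip_network("192.168.50.0/24"),
}
# Explicit allow-rules: (source zone, destination zone, TCP port). Anything else is denied.
ALLOW = {
    ("ot_plant", "dmz", 8443),       # PLC/HMI telemetry into the historian
    ("dmz", "corporate_it", 443),    # historian pushes summary data to IT
    ("corporate_it", "dmz", 443),    # office users view historian dashboards
}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(allow|deny)")
def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "unknown")

def policy_allows(src_ip, dst_ip, dport):
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return src == dst or (src, dst, dport) in ALLOW

def audit(log_lines):
    """Compare boundary-firewall log lines with the intended zone policy.
    Returns (kind, src_zone, dst_zone, dport) findings for cross-zone flows."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src_ip, dst_ip, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src == dst:
            continue  # intra-zone traffic never crosses the boundary firewall
        if action == "allow" and not policy_allows(src_ip, dst_ip, dport):
            findings.append(("too_permissive", src, dst, dport))  # rule broader than policy
        elif action == "deny":
            findings.append(("blocked_cross_zone", src, dst, dport))  # someone testing the boundary
    return findings

# Constructed sample log lines in a generic firewall syslog style (made up for this example).
SAMPLE_LOG = [
    "May  1 10:01:02 fw1 src=10.20.1.5 dst=10.30.0.10 dport=8443 action=allow",
    "May  1 10:01:09 fw1 src=10.10.4.22 dst=10.20.1.5 dport=502 action=deny",
    "May  1 10:02:15 fw1 src=192.168.50.8 dst=10.20.1.7 dport=44818 action=allow",
    "May  1 10:03:40 fw1 src=10.10.4.22 dst=10.10.0.3 dport=445 action=allow",
]
```

Running `audit(SAMPLE_LOG)` yields one denied office-to-PLC attempt and one guest-to-OT flow that the firewall allowed although the policy never did.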

Getting Started

Segmentation doesn’t have to be a rip-and-replace project. Most manufacturers can implement it in phases:

  1. Asset discovery first. You can’t segment what you can’t see. Start with a full inventory of every device on your network — including OT equipment that IT may not know exists.
  2. Define your zones. Map which systems need to communicate with which, and where the natural boundaries are.
  3. Start with the IT/OT boundary. Even a basic firewall between office and plant floor systems dramatically reduces risk.
  4. Add monitoring. Deploy logging at zone boundaries so you have visibility into cross-zone traffic.
  5. Tighten rules over time. Segmentation is a living architecture, not a one-time project.
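An added example, not from the original post, of steps 1 and 2 in code: starting from a constructed asset inventory and observed flow summary, it assigns each device to a zone by what it is rather than where it happens to sit, flags OT devices discovered on the office subnet, and builds the zone-to-zone communication matrix so direct IT-to-OT flows can be rerouted through the DMZ before the boundary firewall goes to default-deny. All addresses, names, tags and flows are assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory from a discovery pass (assumed data, not from the original post).
# Tags are what discovery observed: industrial protocol ports, OS fingerprint, known role.
ASSETS = {
    "10.10.0.3":  {"name": "fs01",      "tags": {"smb", "windows"}},
    "10.10.4.22": {"name": "eng-ws07",  "tags": {"windows", "plc-programming-sw"}},
    "10.10.9.40": {"name": "unknown-1", "tags": {"modbus-tcp"}},  # a PLC nobody in IT knew about
    "10.20.1.5":  {"name": "plc-line1", "tags": {"modbus-tcp"}},
    "10.20.1.7":  {"name": "hmi-line1", "tags": {"ethernet-ip"}},
    "10.30.0.10": {"name": "historian", "tags": {"https"}},
}
OT_TAGS = {"modbus-tcp", "ethernet-ip", "dnp3"}
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
DMZ_SUBNET = ipaddress.ip_network("10.30.0.0/24")

# Observed flows (src, dst, dport, packets), e.g. from a SPAN port or NetFlow. Constructed.
FLOWS = [
    ("10.20.1.5", "10.30.0.10", 8443, 9000),   # PLC telemetry to historian
    ("10.10.4.22", "10.20.1.5", 502, 120),     # engineer programming a PLC straight from IT
    ("10.10.4.22", "10.10.0.3", 445, 4000),    # ordinary file-share traffic inside IT
    ("10.30.0.10", "10.10.0.3", 443, 300),     # historian summary data into IT
    ("10.10.0.3", "10.10.9.40", 502, 5),       # office server touching the stray PLC
]

def proposed_zone(ip):
    """Step 2: zone follows what the asset is, not which subnet it happens to sit on."""
    if ASSETS[ip]["tags"] & OT_TAGS:
        return "ot_plant"
    return "dmz" if ipaddress.ip_address(ip) in DMZ_SUBNET else "corporate_it"

def misplaced_assets():
    """Step 1 finding: OT devices sitting outside the plant-floor subnet."""
    return sorted(ip for ip in ASSETS if proposed_zone(ip) == "ot_plant"
                  and ipaddress.ip_address(ip) not in OT_SUBNET)

def zone_matrix(flows):
    """Step 2/3: aggregate observed flows into (src zone, dst zone, port) -> packets."""
    matrix = defaultdict(int)
    for src, dst, dport, pkts in flows:
        s, d = proposed_zone(src), proposed_zone(dst)
        if s != d:
            matrix[(s, d, dport)] += pkts
    return dict(matrix)

def direct_it_ot(matrix):
    """Flows to reroute via the DMZ before the IT/OT boundary goes default-deny."""
    return sorted(k for k in matrix if {k[0], k[1]} == {"corporate_it", "ot_plant"})
```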

The goal isn’t perfection on day one. It’s meaningful separation that limits blast radius — so a bad day on the IT side doesn’t become a crisis on the plant floor.


Not sure how your network is currently structured? Our free IT assessment includes a network architecture review. We’ll show you exactly where your exposure is and what it would take to fix it. Get in touch.