
Network Segmentation for Plant Floors — Protecting Manufacturing Operations from Cyber Threats

For most Northwest Arkansas manufacturers, the conversation about network segmentation starts after something goes wrong — ransomware crawls from an office PC to a PLC, or a vulnerability on a connected sensor takes down production for a full shift. By then, the damage is done.

The good news is that network segmentation is one of the most cost-effective security controls a manufacturer can implement. It doesn’t require replacing your equipment, and it doesn’t require a massive IT team to manage. It does require understanding why your current setup is likely a problem — and having a clear plan for fixing it.

What Is Network Segmentation?

Network segmentation means dividing your network into separate zones so that devices in one zone can’t freely communicate with devices in another. Think of it like compartments in a ship — if one floods, the others stay dry.

In a manufacturing context, the most important boundary is between your IT network (office computers, email servers, business applications) and your OT network (PLCs, HMIs, SCADA systems, CNC machines, sensors). These two environments have fundamentally different security requirements, and mixing them together on a single flat network creates serious risk.

A flat network — one where every device can reach every other device — means that a phishing email opened by someone in accounting can become a pathway to your plant floor controllers. That’s not a theoretical risk. It’s the attack chain behind most manufacturing ransomware incidents.

Why Manufacturers Are Especially Vulnerable

OT systems were designed for reliability and uptime, not security. Many were built decades ago when air-gapping them from the internet was the assumed protection. Now that manufacturers have connected those systems to corporate networks (and sometimes directly to the internet) for remote monitoring, ERP integration, and vendor support, that assumption is dangerously out of date.

A few realities that make manufacturing networks particularly risky:

  • OT devices rarely get patched. Vendors often prohibit patching without certification, or patching windows require production downtime that operations teams won’t accept.
  • Legacy systems run outdated OS versions. Windows XP and Windows 7 are still common on plant floors, with no path to upgrade.
  • Remote access is often unsecured. Vendor VPNs, jump boxes with shared credentials, and open RDP connections are standard in facilities that haven’t had an IT security audit.
  • IT and OT teams don’t talk. The people managing your network switches don’t always know what industrial equipment is connected to them — and vice versa.

Segmentation doesn’t fix all of these problems, but it dramatically limits how far an attacker can move once they’re inside.

The Core Segmentation Model for Manufacturers

A practical segmentation architecture for a mid-sized manufacturer typically looks like this:

Zone 1 — Corporate IT Network

Standard office environment: workstations, email, file servers, ERP front ends, printers. This zone should be protected by your standard endpoint security stack and should have internet access controlled through a firewall.

Zone 2 — DMZ (Demilitarized Zone)

A buffer zone between your IT and OT environments. Systems that need to communicate between the two — like data historians, reporting dashboards, or ERP integration servers — live here. Nothing in this zone should be able to initiate connections into the OT zone directly.

Zone 3 — OT Network

Your plant floor: PLCs, HMIs, SCADA servers, CNC machines, robotics controllers, and industrial IoT sensors. This zone should have no direct internet access. Communication into and out of it should be tightly controlled, logged, and limited to defined protocols on specific ports.

Zone 4 — Industrial IoT / Sensor Network (Optional)

For facilities with a large number of connected sensors or IIoT devices, a separate zone for those devices limits the damage if one is compromised. IoT devices are notoriously difficult to patch and often run minimal firmware — keeping them isolated limits their exposure.

Segmentation vs. Air-Gapping — What’s the Difference?

Definition
  Air-gapping: complete physical isolation — no network connection at all
  Network segmentation: logical separation with controlled, monitored connections

Security level
  Air-gapping: highest
  Network segmentation: high, with proper firewall rules

Operational impact
  Air-gapping: significant — no remote monitoring, no ERP integration
  Network segmentation: minimal — designed to enable safe connectivity

Maintenance complexity
  Air-gapping: high — data transfer requires manual processes
  Network segmentation: moderate — requires ongoing firewall rule management

Best for
  Air-gapping: highly sensitive systems with no need for connectivity
  Network segmentation: most modern manufacturing environments

True air-gapping is rarely practical today. Manufacturers need remote access for vendors, real-time production data for ERP systems, and remote monitoring for downtime reduction. Segmentation gives you most of the security benefit of air-gapping while keeping those workflows intact.

How to Implement Segmentation in a Manufacturing Environment

Step 1 — Asset Discovery

You can’t segment what you don’t know about. Start with a low-impact discovery pass to build a full inventory of everything on your network. Industrial-specific solutions like Claroty or Dragos do this passively, by listening to traffic, so they don’t disrupt OT equipment; a general-purpose scanner like Nmap actively probes devices and should be used cautiously on a live plant floor, since some older controllers react badly to unexpected packets.

Document every device: IP address, MAC address, function, operating system, and which network zone it currently lives in. This inventory is valuable on its own — many manufacturers discover equipment they didn’t know was connected.

Step 2 — Define Your Zones

Based on your asset inventory, decide which devices belong in which zone. This is where IT and OT teams need to work together. Operations staff know which machines need to communicate with each other and which vendor connections exist. IT staff understand the network architecture.

Don’t try to be perfect on the first pass. A reasonable initial segmentation — even just separating the OT network from the corporate network with a firewall — is dramatically better than a flat network.

Step 3 — Implement Firewall Rules Between Zones

A next-generation firewall (NGFW) between your IT and OT zones is the core enforcement mechanism. Rules should follow the principle of least privilege: only allow traffic that has a documented business need, on specific ports, between specific devices.

Common rules in a manufacturing environment:

  • Allow historian server in DMZ to pull read-only data from OT historian
  • Allow ERP system in IT zone to query production reporting server in DMZ
  • Block all direct connections from corporate workstations to PLCs
  • Allow vendor VPN access only to a jump server in the DMZ, not directly to OT devices
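The rules above as a small policy model, added here as example code for this article rather than a real firewall configuration: zone subnets, device addresses and ports are assumptions, devices are placed in zones by address, first match wins, and anything unmatched is denied. The last function flags the blanket zone-to-zone allow that the Common Mistakes section warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone layout for a hypothetical plant; the subnets are assumptions, not from the article.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),    # corporate workstations, ERP front ends
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),   # historian, reporting server, jump server
    "OT": ipaddress.ip_network("10.30.0.0/16"),    # PLCs, HMIs, SCADA
    "VPN": ipaddress.ip_network("10.40.0.0/24"),   # vendor VPN address pool
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

@dataclass
class Rule:
    src: str               # zone name or a single host address
    dst: str
    port: Optional[int]    # None matches any destination port
    action: str            # "allow" or "deny"

def matches(selector, ip):
    return selector == zone_of(ip) or selector == ip

# Rule set modelled on the article's examples: first match wins, anything unmatched is denied.
RULES = [
    Rule("10.20.0.5", "10.30.0.10", 1433, "allow"),   # DMZ historian pulls from OT historian
    Rule("IT", "10.20.0.20", 443, "allow"),           # ERP queries DMZ reporting server
    Rule("VPN", "10.20.0.50", 3389, "allow"),         # vendors land on the DMZ jump server only
    Rule("10.20.0.50", "OT", 3389, "allow"),          # jump server reaches OT HMIs
    Rule("IT", "OT", None, "deny"),                   # no workstation-to-PLC traffic, ever
]

def decide(rules, src, dst, port):
    for r in rules:
        if matches(r.src, src) and matches(r.dst, dst) and r.port in (None, port):
            return r.action
    return "deny"   # default deny at the zone boundary

def overly_permissive(rules):
    # Flags zone-to-zone allows that pin neither a host nor a port: the "allow all IT to OT" mistake.
    return [r for r in rules if r.action == "allow" and r.port is None
            and r.src in ZONES and r.dst in ZONES]
```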

Step 4 — Secure Remote Access

Remote access is one of the most common entry points for attackers. Replace open RDP with a proper VPN with multi-factor authentication. Vendor access should be logged, time-limited, and scoped to specific systems — not a blanket VPN connection to your entire network.

Consider a privileged access workstation (PAW) or jump server in the DMZ that vendors connect to, rather than allowing direct connections to OT systems.

Step 5 — Monitor and Log Traffic Between Zones

Firewall rules alone aren’t enough — you need visibility into what’s actually crossing zone boundaries. Deploy logging on your zone-boundary firewalls and review alerts regularly. Unusual traffic patterns (a PLC trying to reach an external IP, a workstation scanning OT devices) are early warning signs of a problem.

Some NWA manufacturers are adding OT-specific monitoring solutions that can detect anomalous industrial protocol traffic without requiring agents on OT devices. These tools are increasingly affordable even for mid-market facilities.
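The two warning signs named above, an OT device reaching an external address and a workstation sweeping OT hosts, as detection logic run over a few constructed zone-boundary firewall log lines (added example code, not from the article; the log format, the OT range and the internal ranges are assumptions):

```python
import ipaddress
from collections import defaultdict

OT_NET = ipaddress.ip_network("10.30.0.0/16")          # assumed OT address range
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]        # assumed plant-wide internal space

# Constructed zone-boundary firewall log lines; the format is invented for this example.
LOG = """\
2024-05-01T08:00:01 allow src=10.20.0.5 dst=10.30.0.10 dport=1433
2024-05-01T08:00:05 deny src=10.10.5.5 dst=10.30.1.1 dport=502
2024-05-01T08:00:06 deny src=10.10.5.5 dst=10.30.1.2 dport=502
2024-05-01T08:00:07 deny src=10.10.5.5 dst=10.30.1.3 dport=502
2024-05-01T08:00:08 deny src=10.10.5.5 dst=10.30.1.4 dport=502
2024-05-01T08:00:09 deny src=10.10.5.5 dst=10.30.1.5 dport=502
2024-05-01T08:01:00 allow src=10.30.2.9 dst=203.0.113.10 dport=443
"""

def parse(line):
    ts, action, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": ts, "action": action, "src": fields["src"],
            "dst": fields["dst"], "dport": int(fields["dport"])}

def is_external(ip):
    # Anything outside the plant's own ranges counts as external, whatever the verdict was.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def find_anomalies(log_text, scan_threshold=5):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    ot_targets = defaultdict(set)   # source -> distinct OT hosts it touched
    for e in events:
        src = ipaddress.ip_address(e["src"])
        dst = ipaddress.ip_address(e["dst"])
        # Signal 1: a plant-floor device talking to a public address; allowed or denied,
        # a PLC has no business doing this and the allow itself is a rule to review.
        if src in OT_NET and is_external(e["dst"]):
            findings.append(("ot_to_external", e["src"], e["dst"]))
        # Signal 2: one non-OT source touching many distinct OT hosts, i.e. a sweep.
        # Denied attempts count too; blocked probes are still a host worth investigating.
        if dst in OT_NET and src not in OT_NET:
            ot_targets[e["src"]].add(e["dst"])
    for source, hosts in ot_targets.items():
        if len(hosts) >= scan_threshold:
            findings.append(("ot_sweep", source, len(hosts)))
    return findings
```

The threshold is deliberately low for the sample; on a real boundary you would tune it against the baseline traffic captured during the monitor-only phase.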

Common Mistakes to Avoid

Over-permissive firewall rules. “Allow all traffic between IT and OT” defeats the purpose of segmentation. Take the time to define specific, least-privilege rules.

Forgetting about wireless. Plant floor Wi-Fi should be on its own SSID and VLAN, isolated from corporate wireless. Guest Wi-Fi should be completely separate from both.

Ignoring vendor connections. Third-party remote access is one of the biggest blind spots in manufacturing security. Audit every vendor VPN and remote support tool — you may find connections you didn’t know existed.

Treating segmentation as a one-time project. Networks change. New equipment gets connected, new software gets installed, firewall rules accumulate. Segmentation needs periodic review to stay effective.

What Segmentation Doesn’t Do

Network segmentation is a powerful control, but it’s not a complete security strategy. It won’t stop a malicious insider who has legitimate access to OT systems. It won’t prevent a compromised vendor account from accessing systems they’re authorized to reach. And it won’t catch malware that travels through an authorized communication channel.

Segmentation works best as part of a layered defense that also includes endpoint protection, multi-factor authentication, employee training, and regular security assessments.

Getting Started Without Shutting Down the Line

The biggest concern most operations managers have about network segmentation is production impact. The good news is that a properly planned segmentation project doesn’t require taking systems offline during implementation — or at least not for extended windows.

A phased approach works well for most NWA manufacturers:

  1. Phase 1: Passive asset discovery and network mapping (zero production impact)
  2. Phase 2: Deploy zone-boundary firewall in monitor-only mode to understand current traffic flows
  3. Phase 3: Implement block rules gradually, starting with the highest-risk connections
  4. Phase 4: Tighten rules over time as you gain confidence in the baseline

Working with a managed IT provider that understands both IT and OT environments makes this process significantly faster and lower-risk than attempting it with internal IT staff alone.
