Why segmenting OT from IT is the cheapest insurance a manufacturer can buy
Flat networks are how a phishing email in finance becomes a stopped production line. Segmentation isn't glamorous, but it's the single most effective control most manufacturers are missing.
Walk into a typical mid-market manufacturer and the office network and the production network are, technically, the same network. There's a switch in a cabinet somewhere doing the bare minimum to keep traffic moving, and that's about it. It works. It also means that a compromised laptop in accounts can, in principle, reach a PLC on the shop floor.
The plant managers know this is true and find it uncomfortable. The IT team know it too, and have raised it in three of the last four quarterly meetings. Nothing changes, because nobody owns the problem and nobody wants to be the person who breaks the line.
Why segmentation lags
Production teams don't want IT touching anything that's working. The plant has a hard-earned uptime record and a reasonable suspicion that 'we're going to put a firewall in' will end with somebody on the night shift unable to acknowledge an alarm.
IT teams don't want responsibility for kit they didn't specify, can't reboot at will, and probably can't even log into. The PLCs on the floor were commissioned by the OEM, the SCADA system is on a maintenance contract with someone else, and the HMI screens are running an operating system nobody has dared patch since 2017.
So the line stays flat because nobody has clean ownership of the problem. Insurers and auditors notice; everyone else gets used to it.
What an attacker actually does
Almost no ransomware attack on a manufacturer starts on the shop floor. It starts in a mailbox. Someone in finance, operations or quality clicks a link, an attacker gets a foothold on a Windows laptop, and from there they move laterally. On a flat network there's nothing structural to stop them reaching file shares, the ERP server and, in the worst cases, control systems.
The plant doesn't get encrypted because attackers are targeting PLCs. It gets encrypted because the file shares the planning team uses to feed the line get encrypted, and without those files the line can't sequence work.
What segmentation actually looks like
You don't need a full Purdue model on day one. A pragmatic mid-market segmentation looks like three zones: corporate IT, a middle 'industrial DMZ' for data exchange, and the production network itself.
Corporate IT is where users, email, ERP and general business systems live. The production network is where PLCs, SCADA, HMIs and control systems live. The industrial DMZ in the middle holds the historian, MES, jump hosts and anything else that needs to talk to both sides. Traffic between zones goes through firewalls with explicit allow rules. Nothing passes by default.
Where to start
Map what's actually on the production network. Most plants don't have an accurate inventory. A passive discovery tool running quietly for two weeks will surface things that nobody has thought about in years, including the odd domestic router somebody plugged in to fix a coverage gap.
Agree which data genuinely needs to cross between IT and OT. Usually it's a handful of flows: production data into the historian and BI, planning data and recipes down to the line, and a remote support path for the OEM. Everything else can be denied without breaking anything.
Put a small, well-monitored bridge between the two networks. The bridge can grow over time; the principle that nothing passes by default is what matters from day one.
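The three steps above, worked through as an added example (this is not code from the article or from any vendor's tooling). It reconciles what passive discovery saw against the documented inventory, records the handful of agreed cross-zone flows as explicit rules, and evaluates any other crossing as denied. Every address range, port number, asset name and flow purpose here is an assumption constructed for the example.

```python
"""Constructed example: inventory reconciliation, an explicit allow-list of
IT/OT flows, and default deny at the bridge.  Not code from the article;
all addresses, ports and asset names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone address ranges (assumed for the example).
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "industrial_dmz": ip_network("10.20.0.0/24"),
    "production": ip_network("10.30.0.0/16"),
}


def zone_of(ip):
    """Map an address to its zone; anything outside every zone is 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


# Step 1: what the plant believes is on the production network (constructed).
DOCUMENTED = {
    "10.30.1.10": "PLC, line 1",
    "10.30.1.11": "PLC, line 2",
    "10.30.2.5": "SCADA server",
    "10.30.3.7": "HMI, packing (Windows XP)",
}

# What two weeks of passive discovery actually observed (constructed).
OBSERVED = [
    {"ip": "10.30.1.10", "protocols": {"modbus"}},
    {"ip": "10.30.1.11", "protocols": {"modbus"}},
    {"ip": "10.30.2.5", "protocols": {"modbus", "smb"}},
    {"ip": "10.30.3.7", "protocols": {"rdp"}},
    {"ip": "10.30.9.1", "protocols": {"dhcp", "http"}},  # the domestic router nobody wrote down
]


def unknown_assets(observed, documented):
    """Hosts seen on the wire that have no inventory entry."""
    return sorted(o["ip"] for o in observed if o["ip"] not in documented)


# Step 2: the agreed cross-zone flows.  Each entry is a deliberate decision.
@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    purpose: str


ALLOWED = [
    Flow("production", "industrial_dmz", "tcp", 5432, "process data into the historian"),
    Flow("industrial_dmz", "corporate", "tcp", 1433, "historian into BI"),
    Flow("corporate", "industrial_dmz", "tcp", 443, "planning data and recipes into MES"),
    Flow("industrial_dmz", "production", "tcp", 502, "MES recipes down to the line"),
    Flow("corporate", "industrial_dmz", "tcp", 22, "OEM support staff onto the jump host"),
    Flow("industrial_dmz", "production", "tcp", 3389, "jump host to HMIs"),
]


def bypasses_dmz(flows):
    """Lint: any rule that lets corporate and production talk without the DMZ between them."""
    return [f for f in flows if {f.src_zone, f.dst_zone} == {"corporate", "production"}]


# Step 3: default deny at the bridge.  Intra-zone traffic never reaches the
# bridge; every crossing must match an explicit rule or it is dropped.
def decide(src_ip, dst_ip, proto, dst_port):
    """Return (verdict, reason) for a single flow presented to the bridge."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return "deny", "address outside every defined zone"
    if src == dst:
        return "allow", f"intra-zone traffic within {src}, not governed by the bridge"
    for f in ALLOWED:
        if (f.src_zone, f.dst_zone, f.proto, f.dst_port) == (src, dst, proto, dst_port):
            return "allow", f.purpose
    return "deny", f"no explicit rule for {src} -> {dst} {proto}/{dst_port}"


if __name__ == "__main__":
    print("undocumented assets:", unknown_assets(OBSERVED, DOCUMENTED))
    print("rules bypassing the DMZ:", bypasses_dmz(ALLOWED))
    for args in [("10.10.5.23", "10.30.1.10", "tcp", 502),   # laptop in accounts -> PLC
                 ("10.30.2.5", "10.20.0.10", "tcp", 5432),   # SCADA -> historian
                 ("10.10.7.14", "10.20.0.11", "tcp", 443)]:  # planning -> MES
        print(args, "->", decide(*args))
```

The `bypasses_dmz` check is the one worth keeping as the rule base grows: the moment someone adds a "temporary" corporate-to-production rule, the review script says so, which is easier than spotting it in a firewall GUI.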
The legacy machine problem
Every plant has at least one machine that runs on something nobody wants to talk about: a Windows XP HMI, a CNC controller from 2009, an HVAC system reached by Telnet. Patching is not realistic. Replacement is on a five-year plan if at all.
Segmentation is what makes living with these machines safe. Put them in their own micro-segment, allow only the specific traffic they need, and monitor what does flow. The machine doesn't have to be modern. It does have to be isolated.
Why insurers and tier-ones care
Cyber insurance renewals now ask explicit questions about OT segmentation. So do automotive and aerospace tier-ones doing supply chain assurance. 'It's all one flat network' is increasingly answered with a premium increase or a contract clause that requires remediation within a defined window.
Treating this as a slow programme rather than an emergency is fine. Not having a programme at all is becoming visibly expensive.
The short version
Segmentation is unglamorous, slow, and resisted on both sides of the IT/OT line. It's also the single highest-leverage control a manufacturer can put in. The plants that survived the bad ransomware years tended to have it. The ones that lost a week of production usually didn't.
Where to find quick wins
Two quick wins consistently emerge from a first-pass segmentation review. The first is removing the OEM remote support paths that have been left as permanent VPN tunnels into the production network. Replace them with on-demand, monitored access via a jump host, and you've closed one of the most common attacker entry points without changing anything operational.
The second is the historian and MES layer. These systems typically need to talk to both sides and are often deployed without much thought to which direction the data flows. Tightening that boundary - data out of production into the historian, recipes and schedules in from corporate via a controlled path - reduces the blast radius significantly with very little business impact.
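Monitoring what crosses the bridge is what makes the micro-segments, the jump host and the tightened historian boundary above worth having. The added example below (not code from the article, and the log format is a constructed key=value layout rather than any firewall vendor's) runs three checks over bridge firewall logs: a source in corporate that racks up repeated denies toward production in a short window, OEM sessions to the jump host that fall outside an approved on-demand window, and a count of what was actually allowed across each zone pair to compare against the agreed flows. The jump host address, the OEM address range, the thresholds and the access window are all assumptions.

```python
"""Constructed example: detection checks over firewall logs from the IT/OT
bridge.  The log lines are a made-up key=value format; the jump host, OEM
range, thresholds and approved window are assumptions for the example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

JUMP_HOST = "10.20.0.20"                  # assumed jump host in the industrial DMZ
OEM_RANGE = ip_network("203.0.113.0/24")  # documentation range standing in for the OEM

# Constructed log lines from the bridge firewall (not real data).
LOG_LINES = """
2026-03-03T02:14:07Z action=deny src=10.10.5.23 dst=10.30.1.10 dport=502 proto=tcp szone=corporate dzone=production
2026-03-03T02:14:09Z action=deny src=10.10.5.23 dst=10.30.1.11 dport=502 proto=tcp szone=corporate dzone=production
2026-03-03T02:14:12Z action=deny src=10.10.5.23 dst=10.30.2.5 dport=445 proto=tcp szone=corporate dzone=production
2026-03-03T02:15:40Z action=allow src=10.10.7.14 dst=10.20.0.11 dport=443 proto=tcp szone=corporate dzone=industrial_dmz
2026-03-03T09:30:02Z action=deny src=10.10.9.8 dst=10.30.1.10 dport=44818 proto=tcp szone=corporate dzone=production
2026-03-03T10:02:11Z action=allow src=203.0.113.40 dst=10.20.0.20 dport=22 proto=tcp szone=vpn dzone=industrial_dmz
2026-03-03T23:41:55Z action=allow src=203.0.113.40 dst=10.20.0.20 dport=22 proto=tcp szone=vpn dzone=industrial_dmz
""".strip().splitlines()

# Constructed approved on-demand access window for the OEM (e.g. a change ticket).
TICKETS = [
    (datetime(2026, 3, 3, 9, 0, tzinfo=timezone.utc),
     datetime(2026, 3, 3, 12, 0, tzinfo=timezone.utc)),
]


def parse_line(line):
    """Turn one key=value log line into a dict with a timezone-aware timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["dport"] = int(ev["dport"])
    return ev


def parse_log(lines):
    return [parse_line(line) for line in lines if line.strip()]


def lateral_probe_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Corporate sources with at least `threshold` denies toward production inside `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "deny" and ev["szone"] == "corporate" and ev["dzone"] == "production":
            by_src[ev["src"]].append(ev["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append((src, j - i))
                break
    return alerts


def unapproved_remote_sessions(events, tickets):
    """Allowed OEM sessions to the jump host that fall outside every approved window."""
    flagged = []
    for ev in events:
        if ev["action"] != "allow" or ev["dst"] != JUMP_HOST:
            continue
        if ip_address(ev["src"]) not in OEM_RANGE:
            continue
        if not any(start <= ev["ts"] <= end for start, end in tickets):
            flagged.append(ev)
    return flagged


def flow_baseline(events):
    """Allowed crossings counted by zone pair and port: review this against the agreed flows."""
    counts = Counter()
    for ev in events:
        if ev["action"] == "allow":
            counts[(ev["szone"], ev["dzone"], ev["proto"], ev["dport"])] += 1
    return counts


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    print("lateral probing:", lateral_probe_alerts(events))
    print("OEM sessions outside a ticket:", [(e["src"], e["ts"].isoformat()) for e in unapproved_remote_sessions(events, TICKETS)])
    for key, n in sorted(flow_baseline(events).items()):
        print("allowed", key, n)
```

The first check is deliberately narrow: it fires on corporate-to-production denies only, because those are the crossings that should never happen once the bridge is in place, so even a small count is worth a phone call. The second check is the operational half of replacing the permanent OEM VPN: the tunnel is allowed to exist, but a session with no matching ticket is an exception to investigate.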