Network Segmentation for Manufacturers: How to Separate Shop Floor from Corporate IT

April 23, 2026 | 8 min read

Most manufacturing environments were not designed with cybersecurity in mind. Production systems were installed when connectivity meant a serial cable between a PLC and an HMI, not a network path that touches your ERP, your email server, and the open internet. Over time, those systems got connected because the business benefits were real: remote monitoring, ERP integration, cloud analytics, and vendor diagnostics.

What did not keep pace with the connectivity was the architecture to control it. In most mid-size manufacturing facilities today, the corporate IT network and the production OT network are either directly connected or separated by a single firewall that was never configured for industrial environments. That means an attacker who compromises a workstation in the front office has a potential path to the systems running your production line.

Network segmentation is the architectural control that closes that path. This post explains what proper network segmentation for manufacturing IT/OT environments requires, what the architecture looks like in practice, and how a qualified MSP designs and maintains it.

Why an Unsegmented Manufacturing Network Is a Serious Risk

When IT and OT networks share the same flat architecture, every device can potentially reach every other device. That is a problem for two reasons.

The first is lateral movement. Ransomware operators do not enter a network and immediately detonate a payload. They enter through one system, typically via a phishing email or a compromised credential, and then move laterally through the network to find the highest-value targets before executing. In a manufacturing environment, the highest-value target is the production system. An attacker who reaches your SCADA server or locks you out of your PLCs' configuration has the leverage to demand a ransom payment you are under serious pressure to make.

The second reason is blast radius. Even without a targeted attack, a malware infection on the IT side of the network can spread to OT systems that were never intended to interact with corporate infrastructure. IT malware reaching a PLC does not behave predictably. The result can be equipment damage, production data corruption, or a complete loss of control system visibility.

A properly segmented network limits what can talk to what. An infection on the corporate network cannot reach production systems because the boundary enforcement blocks that traffic from crossing between zones. That is the core value of network segmentation in manufacturing environments.

What the Architecture Looks Like: Zones and the Industrial DMZ

Proper network segmentation divides the manufacturing environment into defined zones, each with its own access controls and monitoring. The Purdue Model is the most widely referenced framework for this, and Level 3.5 in that model is where the critical security boundary sits.

Here is what a properly segmented manufacturing network looks like in practice.

The corporate IT zone contains office workstations, email servers, business applications, and the ERP system. This zone connects to the internet through a standard enterprise firewall. Users in this zone have no direct access to production systems.

The industrial DMZ sits between the corporate IT zone and the OT network. This is the controlled boundary where the two environments are permitted to exchange specific, defined data flows. Historian servers that push production data to the ERP live here. Remote access infrastructure for vendor connections lives here. Nothing crosses this boundary without an explicit rule permitting it, and traffic flows are one-directional wherever possible. Data from production systems can be pushed to the DMZ for business consumption. Commands and connections from the corporate zone cannot flow back into the production network without going through controlled access points.

The OT network contains SCADA servers, engineering workstations, HMIs, and the PLCs controlling production equipment. This zone has no direct internet access and no direct connectivity to the corporate IT zone. All communication to and from this zone passes through the industrial DMZ.

The production floor device zone contains the PLCs, RTUs, and field devices themselves. These devices communicate only with the OT network layer above them and have no pathway to corporate systems at all.

This is the before-and-after distinction that matters for most manufacturers. Before segmentation: a flat or minimally separated network where the ERP server and the SCADA server share a broadcast domain. After segmentation: defined zones with controlled crossing points, one-directional data flows where possible, and no direct path from corporate IT to production equipment.

How a Manufacturer Should Segment IT and OT Networks to Reduce Cyber Risk

Proper IT/OT segmentation for a manufacturing environment follows a sequence that starts with understanding current traffic flows before changing anything.

The first step is discovery. Before placing firewall rules or reconfiguring switch infrastructure, a qualified MSP maps all existing communication paths between IT and OT systems. This includes vendor remote access connections, historian data feeds, ERP integrations, and any applications that span the two environments. Segmenting without this map means breaking legitimate production workflows. The discovery phase prevents the segmentation project from causing the operational disruption it is supposed to prevent.

The second step is zone definition. Based on the discovery findings, the MSP defines the zone architecture: which systems belong in the corporate zone, which belong in the OT network, and which need to sit in the industrial DMZ because they serve a bridging function. Data historians almost always land in the DMZ. Engineering workstations that are used to program PLCs but also connect to corporate tools require careful placement and additional controls.

The third step is firewall and switch configuration. An industrial DMZ requires dedicated firewall infrastructure, not just an additional VLAN on an existing IT firewall. Industrial protocols including Modbus, DNP3, and EtherNet/IP need application-layer awareness at the DMZ boundary that standard enterprise firewalls often do not provide without additional configuration or purpose-built industrial security appliances.

The fourth step is verification and monitoring. After segmentation is implemented, traffic analysis confirms that the intended isolation is working and that no unexpected cross-zone communication is occurring. Passive monitoring tools on the OT network segments provide ongoing visibility into production traffic and detect any anomalies that suggest the boundary has been bypassed.
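The zone model described above and the discovery and verification steps of this process can be exercised against flow records with a small policy checker. The following is an added example and not code from the original post or from any MSP's tooling: the zone address ranges, the hosts, the ports and the boundary policy are all assumptions constructed for illustration. It classifies each flow by zone, lists every cross-zone conversation (what the discovery phase produces), and flags any flow that crosses a boundary without an explicit permitting rule, since everything not listed is denied by default.

```python
# Added example, not code from the original post: a zone-policy checker that
# classifies flow records by Purdue-style zone, lists cross-zone conversations
# (the discovery step) and flags anything an explicit, default-deny boundary
# policy does not permit (the verification step). Zone address ranges, hosts,
# ports and the policy itself are assumptions constructed for illustration.
import ipaddress
from collections import Counter

# Assumed zone addressing (constructed).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "industrial_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_network": ipaddress.ip_network("10.30.0.0/16"),
    "field_devices": ipaddress.ip_network("10.40.0.0/16"),
}

# Explicit allow rules at each boundary as (initiating zone, destination zone,
# destination port). Anything not listed is denied. Flows are one-directional:
# the historian pushes into the DMZ and the ERP reads from the DMZ, so nothing
# in the corporate zone ever opens a connection into the OT network directly.
POLICY = {
    ("ot_network", "industrial_dmz", 1433),    # historian -> DMZ replica (assumed SQL)
    ("corporate_it", "industrial_dmz", 1433),  # ERP -> DMZ replica
    ("corporate_it", "industrial_dmz", 443),   # users -> vendor remote-access gateway
    ("industrial_dmz", "ot_network", 3389),    # gateway -> engineering workstation
    ("ot_network", "field_devices", 502),      # SCADA/HMI -> PLC, Modbus/TCP
    ("ot_network", "field_devices", 44818),    # SCADA/HMI -> PLC, EtherNet/IP
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow) -> str:
    """Classify one (src_ip, dst_ip, dst_port) flow, where src is the initiator."""
    src_zone, dst_zone = zone_of(flow[0]), zone_of(flow[1])
    if src_zone == dst_zone:
        return "intra-zone"
    return "allowed" if (src_zone, dst_zone, flow[2]) in POLICY else "denied"


def cross_zone_flows(flows) -> Counter:
    """Discovery: count every distinct cross-zone conversation, policy or not."""
    return Counter(
        (zone_of(s), zone_of(d), p) for s, d, p in flows if zone_of(s) != zone_of(d)
    )


def violations(flows) -> list:
    """Verification: the flows that crossed a boundary without a permitting rule."""
    return [f for f in flows if evaluate(f) == "denied"]


def summarize(flows) -> dict:
    """Count flows per verdict."""
    return dict(Counter(evaluate(f) for f in flows))


# Constructed flow records as (initiator, responder, destination port).
SAMPLE_FLOWS = [
    ("10.30.1.10", "10.20.0.5", 1433),   # historian pushes to DMZ replica: allowed
    ("10.10.5.22", "10.20.0.5", 1433),   # ERP reads the DMZ replica: allowed
    ("10.10.5.22", "10.30.1.10", 1433),  # ERP reaching the OT historian directly: denied
    ("10.10.7.31", "10.40.2.15", 502),   # office workstation speaking Modbus to a PLC: denied
    ("10.30.1.20", "10.40.2.15", 502),   # SCADA server polling a PLC: allowed
    ("10.30.1.20", "10.30.1.21", 445),   # SCADA to engineering workstation: intra-zone
    ("10.40.2.15", "10.10.5.22", 443),   # PLC initiating toward corporate: denied
    ("10.20.0.9", "10.30.1.30", 3389),   # remote-access gateway to engineering workstation: allowed
]

if __name__ == "__main__":
    print("cross-zone conversations (discovery):")
    for key, n in sorted(cross_zone_flows(SAMPLE_FLOWS).items()):
        print(f"  {key[0]:>14} -> {key[1]:<14} port {key[2]:<6} x{n}")
    print("policy violations (verification):")
    for f in violations(SAMPLE_FLOWS):
        print(f"  {f[0]} -> {f[1]} port {f[2]}")
    print(summarize(SAMPLE_FLOWS))
```

Run against real flow exports before any rules are placed, the discovery output is the list of conversations that the zone definitions and DMZ rules have to account for; run after cutover, the violations list should be empty, and anything that appears in it is either a legitimate workflow the discovery phase missed or traffic that bypassed the boundary. Note that the checker keys on which side initiated the connection, which is exactly the property a one-directional DMZ design depends on.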

This process connects to the broader work of "SCADA and PLC security for manufacturing environments," where network segmentation is the architectural foundation that makes every other OT security control more effective.

VLANs Are Not the Same as Real Segmentation

This is a distinction worth being explicit about because it comes up in nearly every manufacturing network conversation.

VLANs separate broadcast domains on a switch. They are a useful network management tool. They are not a security control equivalent to a properly configured firewall boundary between IT and OT zones.

A VLAN separation with no firewall enforcement between zones means that a device with the right routing configuration can still reach systems in another VLAN. It means there is no inspection or blocking of traffic crossing the boundary. It means an attacker who compromises a device in the corporate zone and can manipulate routing has a potential path to the OT network.

Real network segmentation uses a firewall or industrial security appliance at the boundary between zones with explicit rules defining what traffic is permitted, in which direction, and under what conditions. Everything else is denied by default. VLANs can be part of the implementation, but they are not a substitute for the enforcement layer.

When evaluating any MSP's approach to network segmentation for manufacturing IT/OT environments, ask specifically what enforcement exists at the IT/OT boundary. A description that leads with VLANs and does not include a firewall or industrial DMZ appliance is a signal that the segmentation is not providing the protection it appears to.

The Role of Zero Trust and Microsegmentation in Manufacturing Networks

Zero trust as a network principle means that no device or user is trusted by default based on network location. Access is granted based on verified identity and context, not based on being inside the perimeter.

For manufacturing OT environments, zero trust is implemented at the network architecture level rather than the device level, because most OT devices cannot run the authentication clients that zero trust endpoint policies require. PLCs cannot verify identity. Legacy HMIs cannot run a compliance check before accessing the network.

What zero trust looks like in practice for OT is microsegmentation within the OT zone: defining which specific devices are permitted to communicate with which other specific devices, using allowlists of expected protocol communications, and alerting on any traffic that does not match the established baseline. A PLC that suddenly begins communicating with a device it has never talked to before is an anomaly worth investigating.
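The baseline-and-allowlist approach described above can be sketched in a few dozen lines. The following is an added example, not code from the original post or from any monitoring product: device names, the set of expected industrial protocols and every observation are constructed for illustration. It learns which device talks to which other device over which protocol during a reviewed learning window, renders that baseline as explicit device-to-device allow rules, and then raises an alert for any later conversation that is either a new peer for the initiating device or a protocol outside the expected OT set.

```python
# Added example, not code from the original post: learn a per-device communication
# baseline for the OT zone from a learning window of flow observations, turn it
# into an explicit device-to-device allowlist, and alert on any later conversation
# that is a new peer or a protocol outside the expected OT set. Device names,
# ports and all observations are constructed for illustration.
from collections import defaultdict

# Assumed allowlist of industrial protocols expected inside the OT zone (TCP ports).
EXPECTED_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}


class OtBaseline:
    """Who talks to whom, and over which protocol, during a reviewed learning window."""

    def __init__(self):
        self.peers = defaultdict(set)  # initiator -> {(responder, port)}

    def learn(self, observations):
        for src, dst, port in observations:
            self.peers[src].add((dst, port))

    def allowlist(self):
        """Render the baseline as explicit (src, dst, port) allow rules."""
        return sorted(
            (src, dst, port) for src, pairs in self.peers.items() for dst, port in pairs
        )

    def check(self, src, dst, port):
        """Return the reasons a conversation is anomalous; an empty list means baseline."""
        reasons = []
        if port not in EXPECTED_PORTS:
            reasons.append(f"port {port} is not an expected OT protocol")
        if (dst, port) not in self.peers.get(src, set()):
            reasons.append(f"{src} has never talked to {dst} on port {port}")
        return reasons

    def alerts(self, observations):
        """Observations that fall outside the baseline, paired with their reasons."""
        out = []
        for obs in observations:
            reasons = self.check(*obs)
            if reasons:
                out.append((obs, reasons))
        return out


# Constructed learning window: normal polling traffic on two production lines.
LEARNING_WINDOW = [
    ("hmi-line1", "plc-line1", 502),
    ("hmi-line1", "plc-line2", 502),
    ("scada-1", "plc-line1", 502),
    ("scada-1", "plc-line2", 44818),
    ("eng-ws-1", "plc-line1", 44818),
]

# Constructed later observations, including two that should raise alerts.
OBSERVED = [
    ("scada-1", "plc-line1", 502),     # baseline
    ("hmi-line1", "plc-line2", 502),   # baseline
    ("plc-line1", "plc-line2", 502),   # a PLC initiating to another PLC: new peer
    ("eng-ws-1", "plc-line2", 445),    # SMB toward a PLC: wrong protocol and new peer
    ("hmi-line1", "plc-line1", 502),   # baseline
]


def build_baseline():
    """Build the baseline from the constructed learning window."""
    bl = OtBaseline()
    bl.learn(LEARNING_WINDOW)
    return bl


if __name__ == "__main__":
    bl = build_baseline()
    print("allowlist derived from baseline:")
    for rule in bl.allowlist():
        print("  permit", rule)
    for obs, reasons in bl.alerts(OBSERVED):
        print("ALERT", obs, "; ".join(reasons))
```

Two design points matter in practice. The learning window has to be reviewed with the operations team before it becomes policy, because a baseline captured from traffic that already contains unwanted conversations will allowlist them. And the two checks are deliberately independent: a known peer on an unexpected protocol and an unknown peer on an expected protocol are both worth an alert, which is why the engineering workstation opening SMB toward a PLC produces two reasons rather than one.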

This level of control requires a monitoring layer on the OT network, which connects to the broader topic of "endpoint security for manufacturing companies" and the passive monitoring platforms that provide visibility into industrial protocol traffic without disrupting the devices themselves.

What to Expect From an MSP Designing Network Segmentation for Your Facility

A qualified MSP providing network segmentation for manufacturing IT/OT environments should deliver a documented architecture with defined zones, explicit traffic policies at each boundary, and ongoing monitoring across all zones.

The engagement should start with a discovery phase that maps current communication flows before any changes are made. Zone definitions should be documented and reviewed with your operations team before implementation begins. The industrial DMZ should be purpose-built with appropriate enforcement at the boundary, not retrofitted from existing IT firewall rules.

After implementation, the MSP should provide ongoing monitoring that covers both the IT side and the OT side, with alerting for any traffic that crosses zone boundaries outside of defined policy. Vendor remote access should be managed through the DMZ with session-based controls and full activity logging.

If an MSP cannot describe the difference between a VLAN and an industrial DMZ, cannot explain how they handle existing IT/OT integrations during a segmentation project, or cannot name the monitoring approach they use for OT network traffic, those are signals that their segmentation capability is not what your production environment requires.

Proper segmentation is foundational to "manufacturing cybersecurity and IT solutions" that actually protect production systems. Everything else, including OT monitoring, patch management, and incident response, is more effective when the network architecture controls lateral movement first.
