OT/IT segmentation for manufacturers without breaking the plant

Insight · Manufacturing × OT Cybersecurity


By Inithex Practice · 8 min read · May 2026

Every CISO and CIO of a manufacturer we meet wants OT/IT segmentation. Every operations director who has lived through a botched segmentation project becomes a permanent veto. Both are right. The way to reconcile is a sequence — not a project — that respects both.

Why segmentation became urgent

Ransomware targeting plant operations has grown sharply over the past 24 months. The economics favour the attacker: a halted production line costs millions per day, and ransom demands are calibrated against that figure. The common industrial protocols offer little resistance. Modbus/TCP and PROFINET have no authentication at all; OPC UA does define a security model, but it is frequently deployed with SecurityPolicy None or anonymous sessions enabled. Once a corporate user clicks a phishing link and the attacker pivots from IT into OT, lateral movement to a PLC is often trivial: any host that can reach TCP port 502 on a controller can issue Modbus writes to it.

Insurance carriers now require evidence of OT/IT segmentation. Customers — especially in regulated verticals like food, pharma and aerospace — increasingly include it in supplier audits. The cost of not having it is rising faster than the cost of doing it well.

The sequence we use

Step 1: OT asset discovery before anything else. Most plants have 30-50% more connected devices than the asset register shows. Run passive discovery from a SPAN port or a network TAP for 4-6 weeks to catalogue everything that talks on the network. Do not active-scan: a port scan or an aggressive protocol enumeration can itself crash older PLCs, and the discovery exercise becomes the outage it was meant to prevent.

Step 2: Map real-world traffic flows. Which engineering workstation talks to which PLC, on which protocol? Which MES needs to reach which historian? Document the legitimate flows before designing the segmentation policy. We have seen segmentation projects break production reporting because nobody noticed the historian was pulling data from the corporate ERP every 15 minutes.

Step 3: Design the zone architecture per the Purdue model (or your variant of it), with an explicit industrial DMZ (Purdue level 3.5) between corporate IT and OT. Shared services such as patch relays, jump hosts and historian replicas live in the DMZ, so no session crosses directly from IT into OT. The boundary devices — typically next-generation firewalls, or unidirectional (data-diode) gateways for the most critical segments — become the enforcement points.

Step 4: Deploy in monitor mode first. For 4-8 weeks the segmentation policy is in place, but every rule that would deny traffic is set to allow-and-log instead, so the would-be denies are recorded without being enforced. Review the log with the OT engineers each week: each flagged flow is either added to the policy as legitimate or confirmed as something that should never have been there. This surfaces the flows the discovery phase missed without halting production.
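The sequence above produces two artifacts that can be checked mechanically: the zone plan and the observed flows. The following added example (not Inithex's tooling; the zones, the draft policy and the flow records are constructed to resemble passive-discovery output such as a Zeek conn.log export) replays observed flows against a draft policy, which is what monitor mode does on the firewall, and aggregates the would-be denies so the weekly review sees flow classes rather than individual packets:

```python
"""Monitor-mode check of a draft zone policy against observed flows.

Added example, not Inithex's code. ZONES, POLICY and OBSERVED below are
constructed; in a real project they come from the architecture document
and from the passive-discovery flow export respectively.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone plan: a Purdue-style layout with an industrial DMZ.
ZONES = {
    "corporate_it":   ip_network("10.10.0.0/16"),
    "industrial_dmz": ip_network("10.20.35.0/24"),
    "site_ops":       ip_network("10.20.3.0/24"),   # MES, historian, eng. workstations
    "cell_line1":     ip_network("10.20.11.0/24"),  # PLCs and HMIs of one line
}

# Constructed draft policy: (src_zone, dst_zone, proto, dport) tuples the
# design phase declared legitimate. Anything not listed is a violation.
POLICY = {
    ("site_ops", "cell_line1", "tcp", 502),          # SCADA / eng. WS -> PLC, Modbus/TCP
    ("site_ops", "cell_line1", "tcp", 44818),        # EtherNet/IP explicit messaging
    ("industrial_dmz", "site_ops", "tcp", 4840),     # DMZ OPC UA relay -> historian
    ("corporate_it", "industrial_dmz", "tcp", 443),  # IT may reach DMZ services only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    count: int  # sessions seen during the monitor window


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def monitor_mode(flows, policy=POLICY):
    """Return {(src_zone, dst_zone, proto, dport): sessions} for every
    observed flow class the policy would deny if it were enforced."""
    violations = {}
    for f in flows:
        key = (zone_of(f.src), zone_of(f.dst), f.proto, f.dport)
        if key in policy:
            continue
        violations[key] = violations.get(key, 0) + f.count
    return violations


def triage(violations):
    """Split violations into review candidates (possibly legitimate flows
    the discovery phase missed) and hard denies: anything from corporate
    IT that does not terminate in the DMZ is never added to the policy."""
    hard = {k: n for k, n in violations.items()
            if k[0] == "corporate_it" and k[1] != "industrial_dmz"}
    candidates = {k: n for k, n in violations.items() if k not in hard}
    return candidates, hard


# Constructed flow export: four weeks of sessions as a passive sensor would see them.
OBSERVED = [
    Flow("10.20.3.21", "10.20.11.5", "tcp", 502, 1140),   # SCADA polling PLC: allowed
    Flow("10.20.3.40", "10.10.8.12", "tcp", 1433, 2688),  # historian -> corporate ERP, every 15 min
    Flow("10.20.3.22", "10.20.11.9", "tcp", 102, 400),    # eng. WS -> S7 PLC (ISO-TSAP), not in draft
    Flow("10.10.45.7", "10.20.11.5", "tcp", 502, 3),      # corporate laptop -> PLC: must never pass
]

if __name__ == "__main__":
    found = monitor_mode(OBSERVED)
    candidates, hard = triage(found)
    for key, n in sorted(candidates.items(), key=lambda kv: -kv[1]):
        print(f"REVIEW  {key}  {n} sessions")
    for key, n in hard.items():
        print(f"DENY    {key}  {n} sessions")
```

The historian-to-ERP flow shows up as the single largest violation class, which is exactly the kind of flow that breaks reporting when a team jumps straight to block-by-default; the laptop-to-PLC Modbus sessions show up in the hard-deny bucket and are an incident to investigate, not a rule to add.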

The mistakes we keep seeing

Mistake 1: starting with the firewall purchase. Vendors love a hardware-first approach because they sell hardware. The right sequence is discovery → flow mapping → architecture → enforcement, in that order. The firewall is the last decision, not the first.

Mistake 2: skipping monitor mode. Going from “no enforcement” to “block by default” is what kills production. Monitor mode is unsexy but irreplaceable.

Mistake 3: doing it without OT engineers in the room. Network engineers and SOC analysts cannot do this alone. The plant’s automation engineers know things about how their equipment actually behaves that no diagram captures.

What good looks like

A well-segmented plant has documented zones, enforced boundaries, monitored east-west traffic and a SOC playbook for OT-specific anomalies (e.g., an engineering workstation issuing PLC write commands outside its baseline, or a host in the corporate zone opening a Modbus session to a controller). Mean time to detect an OT intrusion drops from never (the attacker is found only when the line stops) to under 24 hours, often faster.
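An added example of the baseline check such a playbook relies on (not Inithex's or any vendor's code; the hosts and the Modbus/TCP frames are constructed): parse the MBAP header and function code of each request, learn which (workstation, PLC, function) triples occur during a learning window, and alert on write functions that fall outside it.

```python
"""Baseline-and-alert on Modbus/TCP write requests per source host.

Added example, not Inithex's SOC tooling. Hosts and frames are
constructed; in production the request payloads come from a SPAN-port
capture or from an OT monitoring sensor's protocol metadata.
"""
import struct

# Function codes that change process state (Modbus Application Protocol
# specification, section 6). Everything else is treated as read-only.
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


def parse_mbap(payload: bytes):
    """Return (unit_id, function_code) for a well-formed Modbus/TCP request.

    Returns None for frames that are too short, carry a non-zero protocol
    id, have a length field that disagrees with the frame, or are exception
    responses (function code with the 0x80 bit set) rather than requests."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6 or fc & 0x80:
        return None
    return unit, fc


def learn_baseline(frames):
    """frames: iterable of (src_ip, dst_ip, payload) seen during the
    learning window. Returns the set of (src, dst, function_code) triples."""
    baseline = set()
    for src, dst, payload in frames:
        parsed = parse_mbap(payload)
        if parsed is not None:
            baseline.add((src, dst, parsed[1]))
    return baseline


def detect(frames, baseline):
    """Return one alert per write request whose (src, dst, fc) triple was
    not observed during learning. Reads never alert; unparseable frames
    are skipped here (a sensor would log them separately)."""
    alerts = []
    for src, dst, payload in frames:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        unit, fc = parsed
        if fc in WRITE_FUNCTIONS and (src, dst, fc) not in baseline:
            alerts.append({"src": src, "dst": dst, "unit": unit,
                           "fc": fc, "name": WRITE_FUNCTIONS[fc]})
    return alerts


# Constructed frames: MBAP header (tid, proto=0, length, unit) followed by the PDU.
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000a")            # FC3: read 10 holding registers
WRITE_REG = bytes.fromhex("0002 0000 0006 01 06 0010 0001")          # FC6: register 0x10 := 1
WRITE_MULTI = bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0001 0002")  # FC16: 2 registers
TRUNCATED = bytes.fromhex("0004 0000 0002 01")                       # 7 bytes, not a valid frame

SCADA, ENG_WS, PLC = "10.20.3.21", "10.20.3.30", "10.20.11.5"

# Learning window: SCADA only reads; the engineering workstation reads and writes.
LEARNING = [(SCADA, PLC, READ_HR)] * 50 + [(ENG_WS, PLC, READ_HR), (ENG_WS, PLC, WRITE_REG)]

# Live traffic: two of these should alert.
LIVE = [
    (SCADA, PLC, READ_HR),          # baselined read
    (ENG_WS, PLC, WRITE_REG),       # baselined write
    (SCADA, PLC, WRITE_MULTI),      # SCADA never wrote before: alert
    ("10.10.45.7", PLC, WRITE_REG), # corporate host writing to a PLC: alert
    (SCADA, PLC, TRUNCATED),        # malformed, skipped
]

if __name__ == "__main__":
    for alert in detect(LIVE, learn_baseline(LEARNING)):
        print(f"ALERT {alert['src']} -> {alert['dst']} unit {alert['unit']}: "
              f"FC{alert['fc']} {alert['name']} outside baseline")
```

The baseline is keyed on function code as well as host pair on purpose: a workstation that normally writes single registers and suddenly issues Write Multiple Registers to the same PLC is a change in behaviour worth a ticket, even though the host pair itself is known.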

The production team gets faster troubleshooting because the network is now legible. The CISO gets the evidence the insurance carrier requires. Neither team has to fight the other. That is the goal.

Considering an OT/IT segmentation project?

Our manufacturing and OT security practice has done this in food, mining and auto-parts plants across LATAM. We can sequence it without breaking your line.

Talk to our OT security team →