336-886-3282[email protected]
Preferred Data Logo
Schedule

Network Segmentation for Manufacturers: Isolating OT from IT in NC Plants

Learn how NC manufacturers implement network segmentation to protect OT systems from IT threats. VLANs, DMZs, and the Purdue Model explained. Call (336) 886-3282.

Cover Image for Network Segmentation for Manufacturers: Isolating OT from IT in NC Plants

Network segmentation for manufacturers separates operational technology (OT) networks controlling production equipment from IT networks handling email, internet, and business applications. This isolation prevents cyberattacks that compromise IT systems from reaching PLCs, SCADA systems, and production controllers that run manufacturing operations.

Key takeaway: According to the Fortinet 2025 State of OT Cybersecurity Report, 75% of OT attacks begin as IT breaches that move laterally into production networks. Ransomware attacks on industrial organizations spiked 87% year-over-year in 2024, making manufacturing the top ransomware target for four consecutive years. Proper network segmentation is the most effective defense against lateral movement from IT to OT.

Need help segmenting your manufacturing network? Preferred Data Corporation provides cybersecurity, network infrastructure, and OT/IT integration services for North Carolina manufacturers. BBB A+ rated with 37+ years of experience. Call (336) 886-3282 or schedule your assessment.

Why IT/OT Convergence Creates Risk

North Carolina's manufacturing sector is embracing Industry 4.0 technologies, connecting previously isolated production systems to IT networks for data analytics, remote monitoring, and cloud-based management. While this convergence delivers operational benefits, it also exposes critical production systems to cyber threats.

The Convergence Challenge

For Piedmont Triad and Charlotte manufacturers, the shift is dramatic:

What Happens Without Segmentation

When a flat network connects office workstations directly to production controllers, a single phishing email can lead to:

  1. Initial compromise: Employee clicks malicious link, malware installs on office PC
  2. Lateral movement: Attacker scans network, discovers PLCs and SCADA systems on same subnet
  3. Production access: Attacker reaches HMI stations and production controllers
  4. Operational impact: Production halted, equipment damaged, or safety systems disabled

For a High Point furniture manufacturer, a Greensboro food processor, or a Winston-Salem automotive supplier, this scenario can mean days or weeks of production shutdown.

Understanding the Purdue Model

The Purdue Enterprise Reference Architecture (PERA) provides a framework for organizing and segmenting industrial networks into distinct security zones.

Level 0: Physical Process

  • Actual production equipment: sensors, actuators, motors
  • Direct interface with the manufacturing process
  • No network connectivity at this level

Level 1: Basic Control

  • PLCs (Programmable Logic Controllers)
  • RTUs (Remote Terminal Units)
  • Direct digital controllers
  • Safety instrumented systems

Level 2: Area Supervisory Control

  • HMI (Human Machine Interface) stations
  • SCADA servers
  • Engineering workstations
  • Historian servers (local)

Level 3: Site Manufacturing Operations

  • MES (Manufacturing Execution System)
  • Batch management systems
  • Quality management systems
  • Laboratory information systems

Level 3.5: Industrial DMZ (Demilitarized Zone)

  • The critical security boundary between OT and IT
  • Data diodes for one-way data transfer
  • Proxy servers for controlled access
  • Jump servers for authorized remote access
  • Patch management repositories

Level 4: Business Planning and Logistics

  • ERP systems
  • Email and office applications
  • Business intelligence tools
  • Corporate databases

Level 5: Enterprise Network

  • Internet connectivity
  • Cloud services
  • Remote access gateways
  • Partner connections

Implementing Segmentation for NC Manufacturers

A practical segmentation implementation for Piedmont Triad, Charlotte, and Raleigh-area manufacturers involves multiple technology layers.

VLAN-Based Segmentation

VLANs (Virtual Local Area Networks) provide logical network separation:

Production VLANs:

  • VLAN 100: PLC/Controller network (Level 1)
  • VLAN 110: HMI/SCADA stations (Level 2)
  • VLAN 120: Engineering workstations (Level 2)
  • VLAN 130: MES/Quality systems (Level 3)

IT VLANs:

  • VLAN 200: Corporate workstations
  • VLAN 210: Servers and applications
  • VLAN 220: Guest/visitor network
  • VLAN 230: IoT devices and cameras

DMZ VLANs:

  • VLAN 300: Data transfer servers
  • VLAN 310: Remote access jump servers
  • VLAN 320: Patch/update repositories

Firewall Rules Between Zones

Inter-VLAN traffic must pass through firewalls with strict rules:

IT to OT (highly restricted):

  • Default deny all traffic
  • Allow specific data queries through DMZ proxy only
  • Allow remote access through DMZ jump server only
  • Log all cross-boundary traffic for audit

OT to IT (controlled):

  • Allow production data to DMZ historian/proxy
  • Block direct internet access from OT systems
  • Allow DNS through internal resolvers only
  • Allow NTP for time synchronization only

DMZ rules:

  • Accept data from OT for business system delivery
  • Broker authorized remote connections
  • Stage patches and updates for OT deployment
  • Terminate all connections, never pass through directly

Industrial DMZ Implementation

The industrial DMZ is the linchpin of IT/OT segmentation:

  • Data diodes: Hardware-enforced one-way data transfer from OT to IT for maximum security
  • Historian proxy: OT historian pushes data to DMZ mirror, IT systems read from mirror
  • Jump servers: Authorized technicians connect to DMZ, then to specific OT systems
  • Patch repository: Updates downloaded to DMZ, scanned, then deployed to OT on schedule
  • Remote access broker: Multi-factor authenticated, time-limited, fully logged sessions

Addressing Common Implementation Challenges

North Carolina manufacturers face practical challenges when implementing segmentation.

Legacy Systems and Protocols

Many High Point and Greensboro plants run decades-old equipment:

  • Older PLCs using Modbus, PROFIBUS, or DeviceNet cannot be easily secured
  • Windows XP/7 HMI stations that cannot run modern security agents
  • Proprietary protocols that firewalls cannot inspect or filter
  • Equipment vendors who require direct internet access for support

Solutions:

  • Encapsulate legacy systems in micro-segmented zones
  • Use protocol-aware industrial firewalls that understand OT traffic
  • Deploy network monitoring that detects anomalies without requiring agents
  • Establish vendor remote access through controlled jump servers in the DMZ

Operational Continuity Concerns

Plant managers worry that segmentation will disrupt production:

  • Phased implementation starting with monitoring before blocking
  • Maintenance windows for firewall rule deployment and testing
  • Fallback procedures ensuring production can continue if segmentation devices fail
  • Performance testing verifying that latency-sensitive control loops are unaffected

Monitoring and Visibility

Organizations deploying unified security across IT and OT reported a 93% reduction in cyber incidents and 7x improvement in response time. Visibility tools for segmented networks include:

  • OT-specific network monitoring (Nozomi Networks, Claroty, Dragos)
  • Industrial protocol analysis for Modbus, EtherNet/IP, PROFINET
  • Anomaly detection identifying unusual communication patterns
  • Asset inventory tracking all devices on OT networks
  • Log aggregation from firewalls, switches, and monitoring tools

Ready to segment your manufacturing network? PDC provides comprehensive network infrastructure design and cybersecurity implementation for North Carolina manufacturers. Call (336) 886-3282 or visit pdcsoftware.com/contact.

Microsegmentation for Advanced Protection

Beyond traditional VLAN-based segmentation, microsegmentation provides granular protection:

  • Identity-based policies: Access determined by user, device, and role rather than network location
  • Application-aware rules: Policies that understand manufacturing protocols and data flows
  • Dynamic enforcement: Policies that adapt based on threat intelligence and behavior
  • East-west traffic control: Protection against lateral movement within zones

According to industry analysis, microsegmentation delivers 76% TCO reduction versus traditional firewalls, 60-80% reduction in policy management overhead, and 15-30% cyber insurance premium decreases.

Compliance and Standards Alignment

Network segmentation aligns with multiple compliance frameworks relevant to NC manufacturers:

  • NIST Cybersecurity Framework: Network segmentation is a core Protect function control
  • IEC 62443: The international standard for industrial automation security requires zone-based architectures
  • CMMC: Defense manufacturers in the Research Triangle and Piedmont Triad need segmented CUI environments
  • NIST 800-82: Guide to ICS Security recommends network partitioning as a primary defense
  • Cyber insurance: Carriers increasingly require demonstrated network segmentation

Segmentation Implementation Roadmap

A practical timeline for NC manufacturers:

Phase 1: Assessment and Planning (Weeks 1-4)

  • Complete network asset discovery and mapping
  • Identify all communication flows between IT and OT
  • Document current network architecture
  • Define segmentation zones based on Purdue Model
  • Design target architecture with DMZ

Phase 2: Foundation (Weeks 5-8)

  • Deploy industrial firewalls at IT/OT boundary
  • Implement VLANs for logical separation
  • Establish industrial DMZ with initial services
  • Begin monitoring all cross-boundary traffic
  • Set firewall rules to alert (not block) initially

Phase 3: Enforcement (Weeks 9-12)

  • Transition firewall rules from alert to block mode
  • Migrate remote access through DMZ jump servers
  • Redirect data flows through DMZ proxies
  • Implement patch management through DMZ staging
  • Validate no production impact

Phase 4: Optimization (Ongoing)

  • Refine firewall rules based on monitored traffic
  • Implement microsegmentation for high-value assets
  • Deploy OT-specific threat detection
  • Conduct penetration testing across boundaries
  • Regular architecture reviews and updates

Why NC Manufacturers Trust PDC for Network Segmentation

Preferred Data Corporation has designed and implemented secure manufacturing networks across North Carolina since 1987, combining cybersecurity expertise, network infrastructure design, and OT/IT integration knowledge.

PDC's network segmentation services:

  • Network assessment mapping all IT and OT assets and communication flows
  • Architecture design implementing Purdue Model-based segmentation
  • Industrial firewall deployment with OT-protocol awareness
  • DMZ implementation for secure IT/OT data exchange
  • Ongoing monitoring through managed security services
  • On-site within 200 miles of High Point for hands-on implementation
  • BBB A+ rated with 20+ year average client retention

Ready to protect your production network? Contact Preferred Data Corporation for a free network segmentation assessment. Call (336) 886-3282 or visit pdcsoftware.com/contact.

Frequently Asked Questions

Why can't manufacturers just use a single firewall between IT and OT?

A single firewall provides a basic boundary but lacks the defense-in-depth that modern threats require. The Purdue Model recommends an industrial DMZ between IT and OT where all data exchange is brokered through intermediary systems. This prevents direct connections, provides inspection points, and ensures that a compromised IT system cannot directly reach OT controllers. Multiple layers of segmentation dramatically reduce the blast radius of any single breach.

Will network segmentation slow down our production systems?

Properly designed segmentation should not impact production performance. Control system communications within OT zones (PLC-to-PLC, PLC-to-HMI) remain on the same local network segment. Only cross-boundary traffic passes through firewalls, and this is typically non-time-critical business data. Latency-sensitive control loops should never cross zone boundaries.

How do we handle vendor remote access to OT systems with segmentation?

Vendor remote access should flow through the industrial DMZ using jump servers with multi-factor authentication, time-limited sessions, full session recording, and explicit authorization for each connection. Never allow vendors to VPN directly into OT networks. This approach provides accountability, limits exposure time, and ensures that vendor access cannot be exploited as an attack vector.

What is the difference between VLANs and true network segmentation?

VLANs provide logical separation at Layer 2 but do not inherently filter traffic. True segmentation combines VLANs with firewalls that enforce access policies between zones. A VLAN without firewall rules between segments offers limited security benefit, as any device that gains access to the switch infrastructure can potentially traverse VLANs. Complete segmentation requires both logical separation and enforced access controls.

How does network segmentation impact compliance for NC defense manufacturers?

For North Carolina defense manufacturers pursuing CMMC certification, network segmentation is essential for isolating Controlled Unclassified Information (CUI) processing environments. Proper segmentation reduces the scope of compliance assessments by limiting which systems handle regulated data. This can significantly reduce both compliance costs and security risks while satisfying NIST 800-171 requirements.

Support