
IT-OT Network Segmentation

Our Plant Floor and Office Network Can’t Talk to Each Other: Solving IT-OT Network Segmentation Issues

A production manager called in a panic. Their shipping system couldn’t pull order data from the plant floor. Products were backing up on the line, but the office had no visibility into what was actually being produced. The culprit? Their IT and OT networks were completely isolated. So isolated that critical business processes had ground to a halt.

If you’re dealing with network segmentation for OT security, you’re not alone. This is one of the most common challenges we see in manufacturing environments. The problem is that most manufacturers end up at one of two extremes: either their plant floor and office networks can’t communicate at all, or they’re so interconnected that a ransomware attack in accounting could shut down production.

Let’s talk about how to find the middle ground.

Why IT and OT Networks Get Separated in the First Place

The separation between Information Technology (IT) and Operational Technology (OT) networks usually happens for good reasons. Your plant floor runs on systems that can’t afford even a momentary interruption. A network blip that would merely annoy someone checking email could cause a PLC to lose control of a process, potentially creating safety hazards or ruining an entire batch of product.

So at some point, someone decided to completely isolate the OT network. No connection to the office network means no risk of office problems affecting production, right?

The problem is that modern manufacturing requires data flow between these environments. Your ERP system needs production data. Your shipping department needs to know what’s coming off the line. Your quality team needs real-time metrics. Your maintenance staff needs to monitor equipment health from their desks.

When these networks can’t communicate, you end up with workarounds: manual data entry, USB drives being carried between networks, or production reports that are hours or days old by the time they reach decision-makers.

The Real Security Risks You’re Trying to Avoid

Before we talk about solutions, let’s be clear about what we’re protecting against. Network segmentation for OT security exists because:

  • Ransomware doesn’t care about production schedules. When ransomware enters through a phishing email or a compromised website, it looks for everything it can encrypt. If your plant floor systems are on the same network, they’re fair game.
  • OT systems often can’t be patched quickly. That HMI running your production line might be on an operating system that’s years out of date. It can’t be updated without taking down production, scheduling vendor support, and testing extensively. Meanwhile, it’s vulnerable to exploits that were patched in the office environment years ago.
  • A blip can cause a catastrophe. In an office environment, if a system reboots unexpectedly, someone loses a few minutes of work. On a plant floor, an unexpected interruption to a PLC could mean losing control of temperature, pressure, or flow, potentially creating dangerous conditions or destroying product.

These are legitimate concerns. The answer isn’t to ignore them. It’s to implement proper segmentation that provides security without creating operational blind spots.

What Proper Network Segmentation Actually Looks Like

Effective network segmentation for OT security isn’t about building walls. It’s about building controlled pathways.

The DMZ Approach

Think of this like an airlock. You create a demilitarized zone (DMZ) between your IT and OT networks. Systems in the DMZ can communicate with both sides, but the two sides can’t communicate directly with each other.

For example, you might place data historians in the DMZ. These systems collect data from the plant floor and make it available to business systems. If something compromises the business network, it can’t reach through to the plant floor. The DMZ acts as a buffer.

One-Way Data Flows

In many cases, data only needs to flow in one direction. Production data needs to go from the plant floor to business systems, but there’s rarely a need for business systems to send data back to PLCs.

One-way data diodes enforce this at the hardware level. Data can flow out from the OT network, but nothing can flow back in. This makes it physically impossible for malware on the business network to reach the plant floor.

Zone-Based Security

Not everything on your plant floor has the same security requirements. Your SCADA system that controls the entire plant needs more protection than a quality inspection station that just records measurements.

Zone-based segmentation creates different security levels:

  • Level 0: The actual production equipment (PLCs, drives, sensors)
  • Level 1: Control systems (HMIs, SCADA)
  • Level 2: Supervisory systems (MES, historians)
  • Level 3: Business systems (ERP, office network)

Each level can only communicate with adjacent levels through controlled gateways. This limits how far a security incident can spread.
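The DMZ and zone-based sections above both come down to the same rule: default deny, a flow may cross at most one zone boundary, and every permitted crossing is a documented conduit. The script below, an added example that is not part of the original post, models that rule so a design can be checked before firewall rules are written. The zone ordering, host names, ports and conduit entries are constructed for illustration, and the DMZ is assumed to sit as its own zone between Level 2 and Level 3.

```python
"""Zone and conduit policy check for an IT/OT segmentation design.

Added example (not from the original post). The zone ordering, host
names, ports and conduit entries are constructed; a DMZ zone is assumed
to sit between Level 2 and Level 3.
"""
from dataclasses import dataclass

# Ordered zones from the plant floor outward. Only adjacent entries may
# exchange traffic, and only through a documented conduit.
ZONES = ["L0_process", "L1_control", "L2_supervisory", "DMZ", "L3_business"]

# Asset inventory: which zone each system lives in (constructed sample).
ASSET_ZONE = {
    "plc-mixer-01": "L0_process",
    "hmi-line-a": "L1_control",
    "mes-01": "L2_supervisory",
    "historian-dmz": "DMZ",
    "erp-app": "L3_business",
    "laptop-accounting": "L3_business",
}


@dataclass(frozen=True)
class Conduit:
    """One approved pathway, with the documentation that keeps the rule
    understandable six months later."""
    src: str            # initiating host
    dst: str            # receiving host
    port: int           # TCP port on dst
    protocol: str       # protocol name, for humans and for monitoring
    justification: str
    owner: str


# Approved conduits (constructed). Nothing lets L3 initiate toward L2 or
# below: business systems read from the DMZ historian only.
CONDUITS = [
    Conduit("hmi-line-a", "plc-mixer-01", 502, "Modbus/TCP",
            "HMI reads/writes mixer setpoints", "controls-eng"),
    Conduit("mes-01", "hmi-line-a", 4840, "OPC UA",
            "MES collects line status", "controls-eng"),
    Conduit("mes-01", "historian-dmz", 4840, "OPC UA",
            "MES pushes production counts to DMZ historian", "ot-network"),
    Conduit("erp-app", "historian-dmz", 1433, "MSSQL",
            "ERP pulls production data for shipping", "it-apps"),
]


def zone_distance(zone_a: str, zone_b: str) -> int:
    """Number of zone boundaries between two zones (0 = same zone)."""
    return abs(ZONES.index(zone_a) - ZONES.index(zone_b))


def evaluate_flow(src: str, dst: str, port: int) -> tuple:
    """Decide whether src may initiate a connection to dst:port.

    Returns (allowed, reason). Default is deny: a flow must cross at most
    one zone boundary AND match a documented conduit.
    """
    if src not in ASSET_ZONE or dst not in ASSET_ZONE:
        return False, "unknown asset: not in inventory"
    src_zone, dst_zone = ASSET_ZONE[src], ASSET_ZONE[dst]
    if zone_distance(src_zone, dst_zone) > 1:
        return False, f"{src_zone} and {dst_zone} are not adjacent zones"
    if src_zone == dst_zone:
        return True, "intra-zone traffic (not governed by zone gateways)"
    for c in CONDUITS:
        if (c.src, c.dst, c.port) == (src, dst, port):
            return True, f"conduit '{c.justification}' (owner: {c.owner})"
    return False, "adjacent zones but no documented conduit for this port"


def audit_conduits() -> list:
    """Flag conduit entries that themselves span more than one boundary,
    which is how 'temporary' cross-zone exceptions creep in."""
    problems = []
    for c in CONDUITS:
        if zone_distance(ASSET_ZONE[c.src], ASSET_ZONE[c.dst]) > 1:
            problems.append(f"{c.src} -> {c.dst}:{c.port} spans zones")
    return problems


if __name__ == "__main__":
    for flow in [("erp-app", "historian-dmz", 1433),
                 ("erp-app", "plc-mixer-01", 502),
                 ("laptop-accounting", "historian-dmz", 1433),
                 ("historian-dmz", "mes-01", 4840)]:
        ok, why = evaluate_flow(*flow)
        print(f"{'ALLOW' if ok else 'DENY '} {flow[0]} -> {flow[1]}:{flow[2]}  ({why})")
    print("conduit audit:", audit_conduits() or "clean")
```

Note that the conduit list is directional: the MES may push to the historian, but the historian initiating a connection back to the MES is denied even though the zones are adjacent, which is the one-way flow the post describes without needing a data diode to express it on paper. The justification and owner fields are there so the under-documentation problem described later in the post has somewhere to be prevented.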

Making It Work Without Breaking Operations

Here’s where theory meets reality. You can design the perfect segmented network on paper, but if it prevents your production manager from accessing the data they need, it won’t last.

  • Start with data requirements, not security requirements. Map out what information actually needs to flow between IT and OT. What systems need to talk to each other? How often? Is the data time-sensitive, or can it be batched?
  • Use industrial protocols properly. Your plant floor probably uses protocols like OPC or Modbus. These can be secured and routed through firewalls when configured correctly. Don’t assume you need to replace all your existing systems.
  • Implement monitoring, not just blocking. The goal isn’t just to prevent unauthorized communication; it’s to detect when something unusual is happening. Monitoring tools can alert you if a PLC starts communicating on unexpected ports or if data flow patterns change dramatically.
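The monitoring point above is concrete enough to show in code: given flow records from the OT side, alert when a monitored asset talks to a peer or port outside its baseline, and when the volume on an approved pathway changes sharply. The script below is an added example, not the post's own tooling; the CSV flow format, host names, ports and baseline are constructed, and in practice the baseline would be derived from the documented conduits plus a learning period on real traffic.

```python
"""Detect unexpected plant-floor communication from flow records.

Added example (not from the original post). Log format, host names,
ports and baseline are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Baseline: for each monitored OT asset, the (peer, port) pairs it is
# expected to exchange traffic with. Anything else is worth an alert.
BASELINE = {
    "plc-mixer-01": {("hmi-line-a", 502)},
    "mes-01": {("hmi-line-a", 4840), ("historian-dmz", 4840)},
}

# Constructed flow records: window (minute), src, dst, dst port, bytes.
# Window 3 contains a PLC reaching an office laptop on 445 and a sudden
# drop in the MES-to-historian feed.
SAMPLE_FLOWS = """\
window,src,dst,port,bytes
1,hmi-line-a,plc-mixer-01,502,48000
1,mes-01,historian-dmz,4840,120000
2,hmi-line-a,plc-mixer-01,502,47500
2,mes-01,historian-dmz,4840,118000
3,hmi-line-a,plc-mixer-01,502,47800
3,plc-mixer-01,laptop-accounting,445,2100
3,mes-01,historian-dmz,4840,9000
"""


def parse_flows(text: str) -> list:
    """Parse the CSV flow export into typed dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"window": int(r["window"]), "src": r["src"],
                     "dst": r["dst"], "port": int(r["port"]),
                     "bytes": int(r["bytes"])})
    return rows


def unexpected_peers(flows: list) -> list:
    """Alert when a monitored asset talks to a peer/port outside its
    baseline, whichever side initiated the connection."""
    alerts = []
    for f in flows:
        for asset in (f["src"], f["dst"]):
            if asset not in BASELINE:
                continue
            peer = f["dst"] if asset == f["src"] else f["src"]
            if (peer, f["port"]) not in BASELINE[asset]:
                alerts.append((f["window"], asset, peer, f["port"]))
    return alerts


def volume_anomalies(flows: list, drop_ratio=0.5, rise_ratio=2.0) -> list:
    """Alert when bytes on a pathway change sharply between consecutive
    windows (a stalled historian feed or an unusually large data pull)."""
    per_path = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_path[(f["src"], f["dst"], f["port"])][f["window"]] += f["bytes"]
    alerts = []
    for path, series in per_path.items():
        windows = sorted(series)
        for prev, cur in zip(windows, windows[1:]):
            before, after = series[prev], series[cur]
            if before and (after < before * drop_ratio or after > before * rise_ratio):
                alerts.append((cur, path, before, after))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for a in unexpected_peers(flows):
        print("UNEXPECTED PEER window=%d asset=%s peer=%s port=%d" % a)
    for a in volume_anomalies(flows):
        print("VOLUME CHANGE window=%d path=%s %d -> %d bytes" % a)
```

The volume check only compares windows in which the pathway appears at all; a feed that stops entirely leaves no record to compare, so a production deployment would also track the last-seen window for each approved pathway and alert when it goes silent.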

Common Mistakes That Create More Problems

We’ve seen plenty of segmentation projects that made things worse instead of better. Here’s what to avoid:

  • Over-segmentation. Creating so many network zones that nobody can keep track of what’s allowed to communicate with what. This usually results in firewall rules getting opened up until the segmentation becomes meaningless.
  • Under-documentation. Six months after implementation, nobody remembers why certain rules exist or what systems are in each zone. Changes get made without understanding the security implications.
  • Ignoring wireless. You carefully segment the wired network, but then wireless access points on the office network provide an unintended bridge to the plant floor.
  • Forgetting about remote access. Vendors need to access systems for support. If you don’t plan for this, you’ll end up with VPN connections that bypass all your segmentation.

The Path Forward

If your IT and OT networks can’t communicate or if they’re dangerously interconnected, the fix doesn’t have to start with a full network redesign.

Start with one critical data flow. Maybe it’s production data feeding your ERP system, or quality metrics that need to reach your dashboard. Secure that one pathway first. Prove it works. Prove it’s stable. Then build from there.

Proper network segmentation for OT security isn’t about choosing between protecting your plant and running your business. It’s about building an environment where both happen at the same time. Controlled communication between IT and OT means no more manual workarounds, no more outdated production reports, and no more risk that a single phishing email in accounting brings your entire plant floor to a halt.

Getting there requires the right expertise. Our Manufacturing IT services are purpose-built for production environments, covering OT network design, segmentation strategy, cybersecurity, and ongoing infrastructure support so your plant floor and business systems stay connected, secure, and fully operational.

Blue Net

Blue Net is a Twin Cities managed service provider that can take charge of your technology. Blue Net is your strategic technology partner, delivering first-class, client-focused services and support. Our team stays on top of the latest technology and business trends to help companies meet and exceed their IT needs. We help you not only reach your business goals but redefine them.