ZIXIA
Security · Feb 2026 · 8 min read

Segmenting OT networks across thirteen plants without stopping production

OT security is not IT security with a different scope. A briefing on what segmentation actually costs when the floor is running and the controls run on twenty-year-old PLCs.

SECURITY · OT/ICS
§ Brief: OT/ICS segmentation across thirteen plants in a $1B national manufacturer. What changes when the controls are between PLCs and a corporate SIEM, not between laptops and a SaaS app.

The frame

OT security and IT security are not the same job. Treating them as the same job is the most common failure mode in industrial environments, and the one that produces the most expensive incidents. The IT side is built on rapid patching, identity, and assumed network reachability. The OT side is built on uptime, deterministic behavior, and assumed network isolation. A control that improves the first will often degrade the second: a forced patch cycle or a scanner that touches every host is routine on the office network and an unscheduled stop on the floor. Getting that category error out of the design is the work; the rest of the engagement is engineering.

What "running" means on a manufacturing floor

A representative environment: thirteen plants inside a $1B national manufacturer, each running its own production cadence, each with change windows measured in scheduled outages, each with PLCs and HMIs that predate the corporate firewall by a decade. "Running" means a floor that loses money in five-minute increments, and engineers who measure trust in the network by the number of unscheduled stops the network has caused. A segmentation project that does not understand that timeline does not get past the first plant.

The segmentation pattern that survives

Zones and conduits, in the IEC 62443 sense, are the pattern. Each plant is a zone. Each connection between a plant zone and the corporate zone is a conduit: named, monitored, and explicit, with anything not listed on it denied. Inside each plant, sub-zones separate process control from the supervisory layer, and the supervisory layer from engineering workstations. The conduits do the security work; everything else is baseline hygiene. This is unglamorous and well documented; the failure mode is not the pattern, it is the discipline to maintain it after the consultant leaves.

Visibility without disruption

Active scanning has a non-zero probability of taking a control system offline; older PLC network stacks are not built to tolerate unexpected traffic. On a running floor, that probability is unacceptable. The right approach is passive collection at the conduit, baselining for thirty to sixty days before any alert is wired up, and a clear distinction between "this is unusual" (permitted, but not seen during the baseline) and "this is wrong" (not permitted by the conduit map, which needs no baseline at all). The SIEM ingests OT telemetry on a separate pipeline, with separate retention, and with rules written by engineers who know what a normal day looks like. Without that last step, the SIEM produces noise.
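The zone-and-conduit map from the previous section and the passive baselining described here come down to the same few data structures, so one added example, in Python, serves both. It is not code from the original briefing. It holds the conduit map as data, checks each passively collected flow record against that map, and learns a baseline only from permitted flows, refusing to call anything "unusual" until the capture spans the configured window. The zone names, address ranges, conduit list, host addresses, per-record day index and the flow records themselves are all constructed for illustration; the Modbus write function codes (5, 6, 15, 16) are real.

```python
"""Zones, conduits and passive baselining over OT flow records (added example,
not code from the original briefing). Every zone name, address range, host and
flow record here is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MODBUS_WRITE_FC = {5, 6, 15, 16}  # Modbus function codes that write to a PLC

# Constructed zone map: the corporate zone plus one plant's three sub-zones.
ZONES = {
    "corp": ip_network("10.0.0.0/16"),
    "plant1-eng": ip_network("10.101.10.0/24"),  # engineering workstations
    "plant1-sup": ip_network("10.101.20.0/24"),  # HMIs, historian
    "plant1-ctl": ip_network("10.101.30.0/24"),  # PLCs
}

@dataclass(frozen=True)
class Conduit:
    """A named, explicit path between two zones. Anything not listed is denied."""
    name: str
    src: str
    dst: str
    services: frozenset           # (proto, dport) pairs the conduit carries
    writes_allowed: bool = False  # may it carry Modbus write function codes?

CONDUITS = (
    Conduit("c-corp-sup", "corp", "plant1-sup", frozenset({("tcp", 443)})),
    Conduit("c-sup-ctl", "plant1-sup", "plant1-ctl", frozenset({("tcp", 502)})),
    Conduit("c-eng-ctl", "plant1-eng", "plant1-ctl",
            frozenset({("tcp", 502), ("tcp", 44818)}), writes_allowed=True),
)

def flow(src, dst, dport, fc=None, day=None):
    """One flow record as a tap at the conduit would hand it over (TCP only here)."""
    return {"src": src, "dst": dst, "proto": "tcp", "dport": dport, "fc": fc, "day": day}

def zone_of(ip):
    """Zone name owning ip, or None for an asset missing from the inventory."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def policy_check(rec):
    """Is this flow permitted by the conduit map? Returns (ok, reason)."""
    src_z, dst_z = zone_of(rec["src"]), zone_of(rec["dst"])
    if src_z is None or dst_z is None:
        return False, "unmapped asset"
    if src_z == dst_z:
        return True, "intra-zone"
    for c in CONDUITS:
        if (c.src, c.dst) == (src_z, dst_z) and (rec["proto"], rec["dport"]) in c.services:
            if rec["fc"] in MODBUS_WRITE_FC and not c.writes_allowed:
                return False, f"write fc {rec['fc']} on read-only conduit {c.name}"
            return True, c.name
    return False, f"no conduit {src_z}->{dst_z} {rec['proto']}/{rec['dport']}"

def flow_key(rec):
    """Baseline on zone pair, service and function code, not on individual hosts."""
    return zone_of(rec["src"]), zone_of(rec["dst"]), rec["proto"], rec["dport"], rec["fc"]

class Baseline:
    """Learn what a normal day looks like before any alert is wired up."""
    def __init__(self, window_days=30):
        self.window_days, self.seen = window_days, Counter()
        self.first_day = self.last_day = None

    def learn(self, rec):
        """Record a passively observed flow; rec['day'] is the capture day index."""
        d = rec["day"]
        self.first_day = d if self.first_day is None else min(self.first_day, d)
        self.last_day = d if self.last_day is None else max(self.last_day, d)
        if policy_check(rec)[0]:  # a policy violation must never become "normal"
            self.seen[flow_key(rec)] += 1

    def classify(self, rec):
        """Policy verdict first (needs no baseline), then the baseline verdict."""
        ok, reason = policy_check(rec)
        if not ok:
            return "WRONG", reason
        if self.first_day is None or self.last_day - self.first_day < self.window_days:
            return "BASELINING", reason  # permitted, but too early to call it unusual
        return ("KNOWN" if self.seen[flow_key(rec)] else "UNUSUAL"), reason

def demo(days=45):
    """Baseline `days` constructed days of traffic, then classify a few observations."""
    b, plc, hmi = Baseline(window_days=30), "10.101.30.11", "10.101.20.5"
    for day in range(days):
        b.learn(flow(hmi, plc, 502, fc=3, day=day))              # HMI polls the PLC
        b.learn(flow("10.0.4.8", hmi, 443, day=day))             # corp reads the historian
    b.learn(flow("10.101.10.2", plc, 502, fc=16, day=10))        # one engineering download
    samples = {
        "hmi_reads_plc": flow(hmi, plc, 502, fc=3),
        "hmi_writes_plc": flow(hmi, plc, 502, fc=16),
        "corp_to_plc": flow("10.0.4.8", plc, 502, fc=3),
        "eng_enip_to_plc": flow("10.101.10.2", plc, 44818),
        "unknown_host": flow("192.168.1.5", plc, 502, fc=3),
    }
    return {name: b.classify(rec) for name, rec in samples.items()}
```

Two design choices are worth copying. The baseline is keyed on zone pair, service and function code rather than on individual hosts, so a replacement HMI polling the same PLCs does not light up the console. And a policy violation is never learned as normal, so a misconfigured flow that was present on day one still surfaces as wrong on day sixty. Calling `demo(days=10)` shows the other caveat in action: a permitted flow classified before the window is full comes back as BASELINING, not UNUSUAL, while a Modbus write from the HMI zone is WRONG on day one regardless.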

Who owns the boundary

The standing dispute on every OT engagement is who owns the conduit. Plant engineering wants to own it because they know the process. Corporate security wants to own it because they own the SIEM and the response process. Neither answer is right alone. The conduit belongs to plant engineering for design and change control, and to corporate security for monitoring and incident response. The split has to be written down before the segmentation work starts, or every change request becomes a negotiation.

What this is not

This is not a controls checklist. The controls are derivative of the zones, the conduits, and the ownership map. This is not a tooling decision. The tooling is interchangeable; the discipline is not. And this is not something a corporate security team should run alone. Without plant engineers in the room, every design choice optimizes for the SIEM and against the floor. The floor is the product. The security program serves the floor, not the other way around.
