Industry IT Solutions · May 3, 2026 · Serdar · 9 min read

OT/IT Network Separation in Manufacturing: A Practical Architecture for SME Factories

Summary: Separating OT (operational technology) and IT (information technology) networks in manufacturing, PLC/SCADA segmentation, and industrial firewall architecture.

Summary: When the IT (information technology) and OT (operational technology) networks of a manufacturing site share the same flat network, a single phishing email opened in the office can jump to the PLC and the production line. Correct OT/IT separation is based on the Purdue Model: the office IT network, the manufacturing DMZ, the control layer (SCADA), and the field devices (PLCs, sensors) live in different segments. Between them sit industrial-class firewalls, strict one-way traffic rules, and monitoring tuned for OT; this architecture is applicable at SME scale and seriously reduces the risk that ransomware will stop production.

In a factory, a fake invoice attachment opened by the accounting department starts spreading encryption across the network. The office file server, employee PCs — and within hours, the production line's SCADA station is locked too. Production stops, finished products are stranded on the lines, customer shipments are pushed out. Ransomware incidents in factories are no longer rare; the most common cause is the absence of deliberate OT/IT separation.

In this article we cover the practical architecture for OT/IT network separation, aimed at SME manufacturing site owners and factory IT leads. Our target scale is SME factories with 20-300 employees and one or two production lines.

OT and IT Should Not Be on the Same Network — Why?

OT and IT networks serve different purposes and have different threat profiles.

IT (Information Technology)

  • Office PCs, email, web, file servers, ERP
  • High pace of change, frequent updates
  • Broad internet access
  • Main risks: phishing, ransomware, user error

OT (Operational Technology)

  • PLCs (Programmable Logic Controllers), SCADA, sensors, robotic arms
  • Low pace of change, the "if it works, don't touch it" culture
  • Usually closed to the internet, or very limited access
  • Legacy operating systems (Windows XP/7 SCADA stations are common)
  • A fault = production stop or physical damage

When these two environments share the same broadcast domain, a threat in one can technically hop to the other.

Risk Comparison

  Office ransomware → IT only       Office ransomware → reaches OT
  Files are encrypted               The production line stops
  Restore from backup               PLC program may be corrupted
  1-2 days to recover               1-2 weeks to recover
  Financial damage                  Financial + customer + safety

The Purdue Model and an SME Adaptation

The reference model for industrial network segmentation is the Purdue Reference Architecture. It has five layers and can be simplified at SME scale.

Standard Purdue Layers

  Level  Name                   Contents
  5      Enterprise             Office IT, ERP, email, web
  4      Site business network  Production reporting, MES
  3.5    DMZ                    The isolation zone between OT and IT
  3      Site operations        SCADA, HMI, historian
  2      Control                PLC, RTU
  1      Field                  Sensors, actuators
  0      Physical               Robotic arms, motors, valves

Simplified Three-Layer Model for SMEs

For an SME factory, 3 layers are practical:

  1. IT (Office): ERP, email, web browsing, employee PCs
  2. DMZ (Transition zone): Production reporting server, manual data transfer
  3. OT (Field): SCADA, PLC, sensors, actuators

Between them sit industrial firewalls and strict rules.

Separating with an Industrial Firewall

OT/IT separation must use a firewall, not just VLANs. A standard enterprise firewall is not enough on its own; an OT-aware firewall that understands industrial protocols (Modbus, S7, EtherNet/IP, OPC UA, Profinet) is recommended, because only then can rules be written at the level of what a packet does to a controller, not just which port it uses.

Typical Industrial Firewall Products

  • Fortinet FortiGate Rugged — Industrial-class hardware, OT protocol awareness
  • Cisco Industrial Security Appliance (ISA) — Tailored for automation environments
  • Hirschmann EAGLE — Modular, harsh-environment hardened
  • Tofino / Belden — Modbus and Profinet focused
  • Phoenix Contact mGuard — Reasonable pricing at SME scale

Sample Traffic Rules

  Source            Destination             Allow
  IT (office)       OT (PLC)                Deny (default)
  IT                DMZ reporting server    Limited (reporting port only)
  OT (SCADA)        DMZ (historian)         Allow (read-only)
  OT                Internet                Deny
  Engineer laptop   OT (specific session)   Allow (via jump host, MFA, recorded)

Default-deny principle: anything not explicitly defined is rejected.

One-Way Data Diode

In very critical facilities, a data diode is used: data flows only one way, from OT to IT — not a single packet can travel from IT to OT. It is guaranteed by hardware. Rarely required at SME scale, but a sensible investment for factories that report to regulators (e.g., emissions monitoring).

Approach to Legacy Systems in OT

Most OT environments contain Windows XP/7 SCADA stations and unpatched PLCs. These devices may be unpatchable, or replacing them may require millions of TRY.

Wrap-Around Protection Strategy

  • Move legacy devices into a fully isolated VLAN
  • That VLAN has no internet access
  • Engineer access only via a jump host (MFA, session recording)
  • Strict USB policy: only whitelisted devices
  • Every external access event is logged and monitored
  • Monthly vulnerability scanning (non-intrusive to avoid crashing devices)

Asset Inventory Is Mandatory

Every OT device must be inventoried: brand, model, firmware version, IP, function, responsible engineer. Unknown device = unknown risk.

Backups in OT Environments

OT backups require a different approach than IT.

PLC Programs

The ladder logic or FBD program inside a PLC is as valuable as the factory's IP. It may live on an engineer's laptop, but without central management that is risky.

  • PLC programs are backed up weekly to a central server
  • Version control (Git or an industrial document management system)
  • Vendor-independent format (otherwise the vendor's own format)
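The asset inventory and the central PLC program backups reinforce each other: the backup run is also the moment to check for unknown devices, firmware changed outside change control, and a PLC program that no longer matches its last approved copy. The following Python example is added here (not from the article) with a constructed inventory and hash baseline; it reconciles an observed snapshot against both.

```python
"""Constructed example: reconcile an observed OT snapshot against the asset
inventory and the last approved PLC program backups. Vendor, model, IPs and
program bytes are made up for illustration."""
import hashlib
from dataclasses import dataclass

@dataclass
class Asset:
    vendor: str
    model: str
    firmware: str
    function: str
    owner: str             # responsible engineer
    program_sha256: str    # hash of last approved program backup ("" if not a PLC)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Stands in for a real PLC project export stored on the central backup server.
APPROVED_LINE1 = b"LADDER-PROGRAM-LINE1-v17"

INVENTORY = {   # keyed by OT IP address
    "10.20.0.11": Asset("ExampleVendor", "PLC-1000", "fw 2.4", "Line 1 PLC",
                        "eng.a", sha256_hex(APPROVED_LINE1)),
    "10.20.0.12": Asset("ExampleVendor", "HMI-200", "fw 1.9", "Line 1 HMI",
                        "eng.a", ""),
}

def reconcile(inventory, snapshot):
    """snapshot: {ip: {"firmware": str, "program": bytes | None}} as read
    during the weekly backup run. Returns (severity, ip, finding) tuples."""
    findings = []
    for ip, seen in snapshot.items():
        asset = inventory.get(ip)
        if asset is None:
            findings.append(("high", ip, "not in inventory: unknown device = unknown risk"))
            continue
        if seen["firmware"] != asset.firmware:
            findings.append(("medium", ip,
                             f"firmware {asset.firmware} -> {seen['firmware']} outside change control"))
        prog = seen.get("program")
        if prog is not None and asset.program_sha256 and sha256_hex(prog) != asset.program_sha256:
            findings.append(("high", ip, "PLC program differs from last approved backup"))
    for ip in inventory.keys() - snapshot.keys():
        findings.append(("low", ip, "inventoried device not seen; confirm it is still installed"))
    return findings
```

A program hash mismatch is the case to treat as an incident first and a backup question second: the article's "PLC program may be corrupted" row is exactly what this check catches before the next restore.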

SCADA Image

SCADA stations change relatively little; a monthly disk image is enough. After a disk failure, the same system can be back online in 1-2 hours.

Recipes and Configuration

Production formulas, calibration values, alarm thresholds — losing them means production downtime. They must be backed up separately.

Data Flow Between OT and IT: Reporting

Production data has to reach management: daily output counts, line downtime, quality metrics. How is that flow designed without becoming dangerous?

One-Way Reporting Architecture

OT (SCADA) → DMZ (historian/reporting server) → IT (ERP, dashboards)
            (read-only)                       (read-only)

  • SCADA data writes to a historian in the DMZ
  • IT reads from the DMZ historian — never reaches OT directly
  • The reporting server is tightly managed and runs little software
  • Up-to-date patches, EDR protection

MES (Manufacturing Execution System)

More advanced integrations use an MES. If a standard enterprise MES (e.g., Wonderware, AVEVA, SAP MES) is used, the integration can be two-way; but still through the DMZ and under strict rules.

Preventing Ransomware from Reaching OT

The most common ransomware spread paths in SME factories:

1. The Engineer's Laptop

The engineer is hit by phishing while working from home; the next day the laptop is plugged into OT → encryption begins.

Mitigation: The engineer's laptop is centrally managed, EDR-protected, and OT access is only through a jump host — personal laptops never connect directly to OT.

2. Vendor Maintenance

A vendor representative comes in for PLC maintenance and plugs their own laptop into OT.

Mitigation: Vendor devices are scanned in an enterprise "hot zone," only that device gets limited access to the specific system, and the session is recorded.

3. Data Transfer via USB

Carrying data between OT and IT via USB.

Mitigation: A USB scanning kiosk (any inserted USB is auto-scanned), only encrypted corporate USBs allowed, transfers logged.

4. Office and OT on the Same VLAN

The simplest and most common mistake.

Mitigation: VLAN separation and a firewall.

What Yamanlar Bilişim Offers

End-to-end support areas at production scale:

  • OT/IT inventory and risk assessment
  • Industrial firewall selection and configuration
  • VLAN segmentation (Purdue model adaptation)
  • Isolation architecture for legacy OT devices
  • PLC backup and versioning
  • DMZ reporting server deployment
  • Jump host for engineer access
  • Annual OT security exercise

Conclusion

Putting IT and OT on the same network in a manufacturing facility is no longer a debatable decision — it is already a violated security principle. A simplified version of the Purdue model applies at SME scale as well; a three-layer architecture (IT, DMZ, OT) combined with an industrial firewall sharply reduces the chance of ransomware reaching the production line. Even when legacy SCADA stations cannot be patched, the right wrap-around protection turns them from a risky element into a manageable one.

At Yamanlar Bilişim, we run network-separation projects customized to your factory's scale and existing OT inventory — turning production downtime from an expensive emergency into a scenario you prevent by design.

Frequently Asked Questions

Isn't the Purdue Model overkill for an SME factory?

The simplified 3-layer version is fully applicable and economical at SME scale. The full Purdue (5 layers) is for facilities like petrochemicals and OEM automotive. The SME version: IT — DMZ — OT. Even the three-layer structure largely prevents ransomware from jumping into OT.

My SCADA station runs Windows XP — what should I do?

If a replacement would cost millions of TRY, it is not feasible right now; in that case, apply wrap-around protection: a fully isolated VLAN, zero internet access, engineer access only via jump host, strict USB policy. With this approach the XP device keeps running but the attack surface is minimized. Plan for replacement in the longer term.

Are industrial firewalls much more expensive than standard enterprise firewalls?

It depends on the brand and features. Products like Phoenix Contact mGuard or Hirschmann EAGLE can be found in the USD 1,500-5,000 range at SME scale. That is 30-100% more than a standard enterprise firewall, but OT protocol awareness and environmental ruggedness justify the difference. If the budget is tight, you can start with an enterprise-class firewall + strict VLAN/ACL.

The engineer wants direct OT access — isn't a jump host extra friction?

A well-built jump host grants access in seconds. The overhead is minimal, the payoff large: every access is logged, MFA is enforced, and a threat on the engineer's laptop does not reach OT. The "security, not speed" rule applies in OT.

How do cloud-based SCADA / industrial IoT stand on KVKK and security?

Cloud SCADA / IIoT providers (Siemens MindSphere, GE Predix, AWS IoT, Azure IoT) have mature security architectures. On the KVKK side, if personal data is processed (e.g., employee shifts, production tracking), be careful — prefer Türkiye/EU data residency, sign a data processor agreement. Production measurement data (temperature, pressure) is usually not personal data and is treated more flexibly.

How should patch management be handled in OT?

The "apply every patch immediately" approach is dangerous in OT — a patch can crash the production line. The right flow: (1) wait for the vendor's approval once a patch is released, (2) test it in a test environment, (3) apply it in a planned maintenance window. The same flow applies even for emergency security patches; the windows just open more often. The test environment should be smaller than production but topologically similar.

Last updated: May 3, 2026

Author

Serdar

Yamanlar Bilişim Expert

Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.
