Most greenfield factory failures don't happen in production — they happen in the network closet. Wrong cable runs, no segmentation between IT and OT, Wi-Fi dead zones over robot cells, no cybersecurity baseline. By the time symptoms appear, retrofitting costs 5-10x the original spend. This checklist walks through every layer of factory IT network infrastructure — physical to cloud — so you commission a network built for the next 30 years.
Layer 06 · Cloud · Edge · Monitoring (IT Tier)
Layer 05 · Cybersecurity (IEC 62443) (Defense Layer)
Layer 04 · IT/OT Convergence (DMZ) (Bridge Layer)
Layer 03 · Wireless (Wi-Fi 6E + Private 5G) (Access Layer)
Layer 02 · Industrial Ethernet Backbone (OT Core)
Layer 01 · Physical & Cabling Infrastructure (Foundation)
Why Network Design Is the #1 Greenfield Decision
You can swap a PLC. You can move a robot. You cannot easily re-cable a factory once production starts. Greenfield is the single window where IT and OT teams can sit at the same table, design jointly, and avoid the integration debt that plagues every brownfield site. Skip this work, and every AI use case, every IoT sensor, every digital twin you bolt on later runs on a network that wasn't built for it.
If you skip segmentation: A single phishing email can shut down production
If you skip wireless planning: Dead zones force operators back to clipboards
If you skip cable design: Every future expansion becomes a six-figure project
Layer 01 · Physical & Cabling Infrastructure
Every other layer rides on the cables you pull on day one. Get this wrong and the network suffers for decades. Industrial floors are filled with VFDs, switchgear, and inductive loads generating significant electromagnetic interference — your physical layer has to survive all of it.
[Critical] Cat 6A copper installed in production zones with conduit shielding from VFDs
[Critical] Single-mode fiber backbone between IDFs and main distribution frame
[Critical] Redundant fiber rings between switching cores (≥2 diverse paths)
[Recommended] IP67-rated industrial connectors for production-floor terminations
[Recommended] PoE+ (60W) or PoE++ (90W) capacity at every access switch port
[Recommended] 25% spare capacity in every cable tray and pathway
[Recommended] As-built cable schedules documented in CAD with port-level labeling
Layer 02 · Industrial Ethernet Backbone
The OT network core needs deterministic latency, ring redundancy, and microsecond-level failover. Standard enterprise switches do not survive factory floors. Specify industrial-rated hardware from day one.
[Critical] Managed industrial switches with ring topology support (MRP, ITU G.8032)
[Critical] Sub-50ms failover times tested and documented
[Critical] PROFINET, EtherNet/IP, or OPC-UA protocol support on all switches
[Critical] QoS configured for time-critical traffic (TSN where supported)
[Recommended] Industrial DIN-rail switches rated for -40°C to +75°C operation
[Recommended] Legacy fieldbus gateways (Modbus RTU, Profibus, DeviceNet) specified
[Recommended] IEC 62443-4-2 certified network hardware preferred
Layer 03 · Wireless Strategy (Wi-Fi 6E + Private 5G)
Wireless isn't a nice-to-have anymore — it's how forklifts navigate, how AGVs talk to dispatch, how operators access HMIs from anywhere. The question isn't whether to deploy wireless; it's choosing the right mix of Wi-Fi 6E and Private 5G for your use cases.
Wi-Fi 6E / Wi-Fi 7 (for most factory floors)
Coverage: 30-50m per AP
Latency: 5-15ms
CAPEX: $
Best for: Office, scanners, HMIs, AGVs
Private 5G (for mission-critical low-latency zones)
Coverage: 200m+ per small cell
Latency: <1ms (URLLC)
CAPEX: $$$
Best for: Robotics, vision, AR/VR, mobile control
Deploy both where needed.
[Critical] RF heat map completed for full facility footprint (production + warehouse + outdoor)
[Critical] Wi-Fi 6E or Wi-Fi 7 access points specified with PoE+ uplinks
[Recommended] Private 5G evaluated for AGV, AMR, robotics, or mobile control zones
[Critical] Separate SSIDs for corporate, guest, OT, and IoT traffic
[Critical] WPA3-Enterprise authentication via RADIUS/802.1X
[Recommended] Spectrum analysis to identify interference sources (microwave, VFDs)
Layer 04 · IT/OT Convergence (Purdue Model)
Roughly 75% of OT attacks originate from the IT side. The Purdue Model — referenced by IEC 62443, NIST SP800-82, and every major industrial cybersecurity framework — divides factory networks into hierarchical levels with controlled traffic between them. Without this segmentation, a single phishing email at headquarters can reach PLCs on your shop floor.
Level 5 · Enterprise Network (IT Zone): ERP, email, business apps, internet access
Level 4 · Site Business Planning (IT Zone): Site-level scheduling, logistics, business intelligence
DMZ · Industrial Demilitarized Zone: Buffer between IT and OT. All cross-zone traffic terminates here. Data brokers, jump servers, patch caches.
Level 3 · Site Operations (OT Zone): MES, historians, engineering workstations
Level 2 · Area Supervisory Control (OT Zone): SCADA, HMIs, batch controllers
Level 1 · Basic Control (OT Zone): PLCs, RTUs, DCS controllers
Level 0 · Physical Process (OT Zone): Sensors, actuators, drives, motors
[Critical] Network segmented per Purdue Model levels with documented boundaries
[Critical] Industrial DMZ implemented between Level 3 and Level 4
[Critical] No direct connections from enterprise network to control layer
[Recommended] Data diodes or unidirectional gateways for one-way OT-to-IT flows
[Critical] VLAN segmentation within each Purdue level
[Recommended] IT and OT teams have joint operational responsibility documented
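The segmentation rules in this checklist can be checked mechanically against a list of permitted flows before commissioning. The following is an added example, not iFactory's code; the Flow record, the sample flows, the reading of "control layer" as Levels 0-2, and the rule that the DMZ talks only to Level 3 on the OT side are assumptions of the example.

```python
from dataclasses import dataclass

DMZ = "DMZ"
IT_LEVELS = {4, 5}          # Site Business Planning, Enterprise Network
OT_LEVELS = {0, 1, 2, 3}    # Physical Process up to Site Operations
CONTROL_LEVELS = {0, 1, 2}  # assumption: "control layer" means Levels 0-2

@dataclass(frozen=True)
class Flow:
    name: str
    src: object  # Purdue level (int) or DMZ
    dst: object

def zone(level):
    """Map a Purdue level to the zone names used in the table above."""
    if level == DMZ:
        return "DMZ"
    if level in IT_LEVELS:
        return "IT"
    if level in OT_LEVELS:
        return "OT"
    raise ValueError(f"unknown Purdue level: {level!r}")

def audit(flows):
    """Return (flow name, severity, reason) for every flow that breaks the policy."""
    findings = []
    for f in flows:
        zones = {zone(f.src), zone(f.dst)}
        if zones == {"IT", "OT"}:
            # Cross-zone traffic must terminate in the DMZ; IT reaching PLC/SCADA is worst.
            ot_end = f.src if zone(f.src) == "OT" else f.dst
            sev = "critical" if ot_end in CONTROL_LEVELS else "high"
            findings.append((f.name, sev, "IT/OT flow bypasses the DMZ"))
        elif zones == {"DMZ", "OT"}:
            ot_end = f.dst if f.src == DMZ else f.src
            if ot_end != 3:  # assumption: the DMZ talks only to adjacent Level 3
                findings.append((f.name, "medium", "DMZ flow reaches below Level 3"))
    return findings

# Constructed sample rule set, not taken from any real site.
SAMPLE_FLOWS = [
    Flow("historian-replica", 3, DMZ),
    Flow("erp-reads-broker", 4, DMZ),
    Flow("erp-to-mes", 4, 3),
    Flow("remote-support-to-plc", 5, 1),
    Flow("jump-server-to-hmi", DMZ, 2),
    Flow("scada-to-plc", 2, 1),
]

if __name__ == "__main__":
    for name, sev, reason in audit(SAMPLE_FLOWS):
        print(f"{sev:8} {name}: {reason}")
```

Feed it the flows exported from the firewall rule base or the design document; an empty result means no permitted flow crosses between the IT and OT zones without terminating in the DMZ.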
Layer 05 · Cybersecurity (IEC 62443)
Industrial cybersecurity is no longer optional. The ISA/IEC 62443 standard set is the de facto baseline for OT security worldwide, and many insurers now require it as a condition of coverage. Build security in at greenfield — bolting it on later is both expensive and incomplete.
[Critical] Asset inventory complete for all OT devices (Levels 0-3)
[Critical] Next-gen firewall at IT/OT boundary with deep packet inspection
[Critical] OT-specific intrusion detection system (Claroty, Nozomi, Dragos)
[Critical] Secure remote access via jump server with MFA
[Critical] Role-based access control (RBAC) across all OT systems
[Critical] Patch management plan that respects OT change windows
[Recommended] Incident response playbook with IT/OT joint runbooks
[Recommended] Annual penetration testing of OT environment
Layer 06 · Cloud, Edge & Monitoring
The top layer is where AI, analytics, and remote operations live. By 2025, 75% of enterprise data is generated and processed outside traditional data centers — your greenfield network needs edge compute capacity from day one, not as an afterthought.
[Critical] Edge compute nodes specified for AI inference (vision, predictive maintenance)
[Critical] Cloud platform selected (AWS, Azure, GCP) with IIoT services scoped
[Critical] Redundant WAN links from two independent ISPs with auto-failover
[Critical] Network monitoring system (NMS) deployed with SNMP/sFlow on all switches
[Recommended] Unified observability across IT and OT (logs, metrics, traces)
[Recommended] Local buffering at edge for cloud outage resilience
[Critical] UPS + generator backing all network closets and edge compute
Greenfield Network Readiness Scorecard
Tally your check marks against the 41 items above. The scorecard below shows where you stand and what to fix next. Most factories at design phase score 40-60% before consulting review — that's normal. The goal is 95%+ before commissioning.
90-100% · Commission Ready: Final pen test, then go-live
75-89% · Close to Ready: Address remaining Critical items
50-74% · Gaps Present: Architecture review needed
< 50% · Rebuild Required: Full redesign before procurement
Expert Perspective
The factories that thrive over 30 years aren't the ones with the biggest network budgets — they're the ones whose IT and OT teams sat at the same table during greenfield design. Network segmentation, wireless planning, and cybersecurity architecture all compound. Get them right at construction, and every digital initiative you launch for the next three decades runs on a foundation that won't fight you.
— Industrial Network Architecture Best Practice
75% of OT attacks originate from IT networks
50% of enterprise data processed at edge by 2026
<50ms required failover for ring-topology OT networks
IEC 62443: global OT cybersecurity baseline
Frequently Asked Questions
What does a factory IT infrastructure checklist cover?
A complete factory IT infrastructure checklist covers six layers: physical cabling (Cat 6A copper, single-mode fiber, redundant paths), industrial Ethernet backbone (managed switches, ring topology, sub-50ms failover, TSN/QoS), wireless connectivity (Wi-Fi 6E/7 and Private 5G where needed), IT/OT convergence (Purdue Model segmentation with DMZ), cybersecurity (IEC 62443 baseline with firewalls, OT IDS, RBAC, MFA), and cloud/edge/monitoring (edge compute for AI inference, redundant WAN links, unified observability). Each layer has its own critical and recommended items. The checklist exists because retrofitting any of these post-commissioning costs 5-10x more than building correctly at greenfield.
What is the Purdue Model and why does it matter for greenfield factory networks?
The Purdue Model is the foundational reference architecture for industrial control system networks, originally developed in the 1990s and now incorporated into IEC 62443, NIST SP800-82, and most major OT cybersecurity standards. It divides factory networks into hierarchical levels (0-5) plus a DMZ between IT and OT zones. Level 0 is physical processes (sensors, motors), Levels 1-3 are OT control systems (PLCs, SCADA, MES), Levels 4-5 are IT business systems (ERP, email). The DMZ acts as a buffer where data crosses between IT and OT under controlled conditions. This segmentation matters because roughly 75% of OT cyberattacks originate from IT networks — without Purdue-style separation, a single phishing email can reach PLCs on the shop floor.
Should I use Wi-Fi 6E or Private 5G for my factory wireless?
For most factory floor wireless needs — barcode scanners, handheld HMIs, office traffic, basic AGVs — Wi-Fi 6E or Wi-Fi 7 is the right choice. It's cheaper, easier to deploy, and well-understood by IT teams. Private 5G makes sense for specific mission-critical zones: high-density AGV/AMR fleets, real-time robotic control, AR/VR maintenance applications, and large outdoor or campus environments where Wi-Fi coverage breaks down. Private 5G delivers sub-1ms latency and 200m+ coverage per small cell versus Wi-Fi's 5-15ms latency and 30-50m coverage per access point, but at 3-5x the CAPEX. The most common greenfield strategy is Wi-Fi 6E/7 across the full facility with Private 5G overlay in specific high-value zones.
What is IEC 62443 and is it required for greenfield factories?
IEC 62443 (also called ISA/IEC 62443) is the international standard for industrial automation and control system cybersecurity. It defines security requirements for components, systems, and the people who operate them, organized into security levels (SL1-SL4) based on threat sophistication. While not legally required in most jurisdictions, IEC 62443 has become the de facto baseline for industrial cybersecurity worldwide. Many cyber insurers now require IEC 62443 alignment as a condition of coverage. Major equipment vendors (Siemens, Rockwell, Schneider) certify products to IEC 62443-4-2. For greenfield factories, designing to IEC 62443 from day one is dramatically easier than retrofitting later — bolting security onto an unsegmented network is both expensive and incomplete.
How much does greenfield factory network infrastructure cost?
Greenfield factory network infrastructure typically runs 1-3% of total facility CAPEX, but the range varies widely with size and ambition. A mid-size greenfield (100,000-300,000 sq ft) with full Purdue-aligned architecture, Wi-Fi 6E coverage, IEC 62443 cybersecurity baseline, and edge computing capacity typically falls between $1.5M-$5M for network infrastructure alone. Adding Private 5G overlay can raise that 30-50%. The critical insight: skimping at greenfield is the single most expensive decision you can make. Retrofitting segmentation, re-cabling for higher bandwidth, or bolting on cybersecurity after commissioning costs 5-10x more than including it in original design.