YouTube on the control network equals a robot missing a critical signal. A flat factory network where corporate email, SCADA control, AI vision, and IoT sensor data share the same infrastructure is a guaranteed path to both performance failures and security breaches. Mixed networks cause packet collision (delayed robot commands, HMI freezes) and create attack surfaces where ransomware jumps from an office laptop to production controllers in seconds. The average cost of a cyberattack on an unsegmented manufacturing network: $4.4M in damages, plus weeks of production loss. In 2026, the fastest-growing threat vector in manufacturing isn't sophisticated nation-state attacks — it's basic network hygiene failures that greenfield design eliminates entirely. We design physically separated IT/OT networks with VLAN segmentation, industrial firewalls, DMZ zones, and IEC 62443 compliance from the build phase — so your production network is isolated, deterministic, and defended from day one.
What Happens Without Separation
Ransomware: IT → OT in 90 Seconds
A phishing email opens a backdoor on a corporate PC. Without network segmentation, the malware traverses from Level 5 directly to Level 2 SCADA and Level 1 PLCs. Production stops. Safety systems compromised. Recovery takes weeks. Average manufacturing ransomware cost: $4.4M. Greenfield fix: industrial DMZ with firewalls and data diodes at Level 3.5 — zero direct IT-to-OT path exists.
Bandwidth Collision: ERP Chokes SCADA
MES pushes a 500 MB batch report to ERP across the same switches that carry PLC scan traffic. SCADA response spikes from 10ms to 300ms. HMI screens freeze. Operators lose real-time visibility during a critical process step. Greenfield fix: dedicated SCADA VLAN with QoS priority (DSCP EF) — OT traffic never competes with business data.
Vendor Backdoor: Uncontrolled Remote Access
Equipment vendor installs a cellular router directly on a machine for remote support — bypassing all firewalls and security controls. This creates an unmonitored backdoor from the public internet directly into the control network. Greenfield fix: all vendor remote access routed through DMZ jump server with multi-factor authentication, session recording, and time-limited access.
Lateral Movement: Flat L2 Network
Firewalls separate Level 3 from Level 2, but within Level 2 everything is flat — every HMI, PLC, and engineering workstation can reach every other. One compromised HMI gives an attacker access to every controller on the floor. Greenfield fix: micro-segmentation within OT zones using IEC 62443 zone/conduit model — not just Purdue level boundaries.
Building a new factory and want IT/OT separation done right from day one? Secure Your Factory Network — we deliver Purdue-aligned, IEC 62443-compliant network architecture as construction-ready documentation.
Level-by-Level Design Specification
| Purdue Level | Systems | Network Type | Security Controls | Greenfield Design |
|---|---|---|---|---|
| L5: Enterprise | Email, internet, corporate apps, cloud | Standard IT Ethernet/WiFi | Corporate firewall, endpoint protection, NAC | Physically separate cable plant from all OT; standard IT design |
| L4: Business | ERP (SAP), CRM, supply chain, BI | IT LAN with server VLAN | Application firewall, database security, access control | Separate server room or cloud; no direct OT network connections |
| L3.5: DMZ | Jump servers, historian replica, OPC broker, remote access gateway | Dual-homed firewalled zone | Industrial firewall (Fortinet/Palo Alto), data diode for one-way flow, IDS/IPS | Dedicated DMZ rack in server room; dual firewall (IT-facing + OT-facing) |
| L3: Site Operations | MES, historian, patch server, AV server, OT backup | OT managed Ethernet (dedicated) | OT firewall, application whitelisting, OT-specific AV, network monitoring | OT server rack separate from IT; dedicated OT VLAN trunk to L2 switches |
| L2: Supervisory | SCADA servers, HMI, engineering workstations | Industrial managed Ethernet | Micro-segmentation per cell/zone; USB lockdown; no internet access | Industrial switches per production zone; fiber uplinks to L3 |
| L1: Control | PLCs, RTUs, DCS controllers, safety PLCs | Industrial Ethernet (EtherNet/IP, PROFINET) | Static IPs; no DHCP; ACLs on switch ports; protocol-specific filtering | Dedicated control VLAN per machine cell; no routing to L4/L5 |
| L0: Process | Sensors, actuators, drives, valves, I/O modules | Fieldbus or industrial Ethernet | Physical isolation; no IP connectivity to higher levels | Hardwired or fieldbus to L1 controller only; no direct network access |
Zone & Conduit Architecture (IEC 62443)
While Purdue describes where systems live, IEC 62443 defines how they must be protected. IEC 62443-3-2 introduces zones (groups of assets with common security requirements) and conduits (controlled communication paths between zones). This risk-driven approach goes beyond Purdue's static levels — grouping assets by criticality and function, not just hierarchy.
Safety Zone
Safety Instrumented Systems (SIS), emergency shutdown (ESD), fire and gas. Physically isolated from all other zones. No remote access. Separate power supply. Highest security level — protection against intentional attacks using sophisticated means.
Control Zone
PLCs, DCS controllers, and their associated I/O. One zone per production cell or process unit. Conduits to supervisory zone only — no direct path to enterprise. Protocol-specific filtering on conduit boundaries (allow EtherNet/IP CIP; block all else).
Supervisory Zone
SCADA servers, HMI stations, engineering workstations. Conduits to control zone (read/write) and to operations zone (read-only). Application whitelisting on all workstations. USB ports disabled. No internet browser installed.
Operations Zone
MES, historian, OT patch management, backup servers. Conduit to supervisory (data collection) and to DMZ (historian replication). OT-specific antivirus and endpoint detection. Controlled update mechanism for patches.
DMZ Zone
Buffer between IT and OT. Hosts jump servers for remote access, historian replicas for business reporting, and OPC UA brokers for data exchange. Dual-firewall boundary (IT-facing and OT-facing). No system in the DMZ has simultaneous connections to both IT and OT.
Enterprise Zone
Standard corporate IT: ERP, email, internet. Receives production data from DMZ historian replica only — never from OT directly. Standard IT security stack: next-gen firewall, endpoint detection, SIEM, identity management.
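The zone and conduit rules above can be expressed as an allow-list that a firewall rule review or a conduit test can be checked against. The following is an added illustration, not iFactory's tooling or any firewall vendor's syntax; the zone names, the port-to-protocol table and the conduit set are constructed assumptions that mirror the six zones described here (safety zone deliberately has no conduit at all).

```python
from dataclasses import dataclass

# Destination ports used to name a flow's protocol (constructed mapping for this example).
PORT_PROTOCOL = {
    44818: "ENIP-CIP",    # EtherNet/IP explicit messaging
    2222: "ENIP-CIP",     # EtherNet/IP implicit I/O messaging
    502: "MODBUS-TCP",
    102: "S7COMM",
    4840: "OPC-UA",
    3389: "RDP",
    5900: "VNC",
    443: "HTTPS",
}

# Conduits as (initiating zone, destination zone) -> protocols permitted to cross.
# A boundary with no entry has no conduit, so every flow across it is denied.
# The safety zone is deliberately absent: it is physically isolated from all zones.
CONDUITS = {
    ("supervisory", "control"): {"ENIP-CIP", "MODBUS-TCP", "S7COMM"},  # read/write to PLCs
    ("operations", "supervisory"): {"OPC-UA"},   # historian collects from SCADA (read-only)
    ("operations", "dmz"): {"OPC-UA", "HTTPS"},  # push historian replica into the DMZ
    ("enterprise", "dmz"): {"HTTPS"},            # ERP/BI read the replica; VPN lands here
    ("dmz", "supervisory"): {"RDP", "VNC"},      # jump server to approved hosts only
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int

def evaluate(flow: Flow) -> tuple[bool, str]:
    """Decide whether a flow may cross a zone boundary and say why."""
    proto = PORT_PROTOCOL.get(flow.dst_port, f"tcp/{flow.dst_port}")
    if flow.src_zone == flow.dst_zone:
        return True, "intra-zone; per-cell micro-segmentation applies"
    if "safety" in (flow.src_zone, flow.dst_zone):
        return False, "safety zone is physically isolated; no conduit exists"
    conduit = (flow.src_zone, flow.dst_zone)
    permitted = CONDUITS.get(conduit)
    if permitted is None:
        return False, f"no conduit {conduit[0]}->{conduit[1]}"
    if proto not in permitted:
        return False, f"{proto} blocked on conduit {conduit[0]}->{conduit[1]}"
    return True, f"{proto} permitted on conduit {conduit[0]}->{conduit[1]}"

def denied(flows):
    """Return (flow, reason) for each flow the conduit policy rejects."""
    out = []
    for f in flows:
        ok, reason = evaluate(f)
        if not ok:
            out.append((f, reason))
    return out
```

Running a captured flow table through `denied()` before cut-over is a quick way to confirm that no enterprise-to-control path exists and that only the protocols listed for a conduit are allowed through it.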
Secure Remote Access Architecture
Vendor connects to remote access gateway in the DMZ via encrypted VPN. Multi-factor authentication (hardware token + password) required. Identity verified against approved vendor list with time-limited access window.
Vendor accesses a hardened jump server — never connects directly to OT systems. The jump server provides RDP or VNC to specific approved targets only. No file transfer, no clipboard sharing, no USB passthrough unless explicitly approved.
Every keystroke, screen, and command is recorded for audit trail. OT security team can monitor sessions in real-time and terminate immediately if anomalous behavior is detected. Session logs stored for compliance review.
Access automatically expires after the approved maintenance window. No persistent credentials. No standing VPN tunnels. Each session requires fresh authentication. Vendor cellular routers on machines are prohibited — all access through the centralized gateway.
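The four steps above (VPN into the DMZ gateway, MFA against an approved vendor list, jump server to approved targets only, automatic expiry) boil down to a grant that must pass every check and cannot outlive the maintenance window. The following is an added example of that decision logic, not iFactory's or any gateway product's code; the vendor names, target hosts, the 2026-03-14 window and the two-hour session cap are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Approved vendor list: vendor -> OT hosts reachable from the jump server (constructed).
APPROVED_TARGETS = {
    "robot-integrator": {"HMI-CELL1", "EWS-01"},
    "drive-vendor": {"PLC-CELL2"},
}

# Approved maintenance windows, vendor -> (start, end). Constructed; drive-vendor has none open.
MAINTENANCE_WINDOWS = {
    "robot-integrator": (datetime(2026, 3, 14, 8, tzinfo=UTC), datetime(2026, 3, 14, 12, tzinfo=UTC)),
}

MAX_SESSION = timedelta(hours=2)  # hard cap per authenticated session

def at(hour, minute=0):
    """Constructed clock helper: a UTC timestamp on the example's maintenance day."""
    return datetime(2026, 3, 14, hour, minute, tzinfo=UTC)

@dataclass(frozen=True)
class Grant:
    vendor: str
    target: str
    expires_at: datetime   # no persistent credential: the grant is all that exists
    recorded: bool = True  # session recording is unconditional

def authorize(vendor, target, mfa_verified, now):
    """Return (Grant, None) when every control passes, else (None, reason)."""
    if not mfa_verified:
        return None, "multi-factor authentication not completed"
    targets = APPROVED_TARGETS.get(vendor)
    if targets is None:
        return None, f"{vendor} is not on the approved vendor list"
    if target not in targets:
        return None, f"{target} is not an approved target for {vendor}"
    window = MAINTENANCE_WINDOWS.get(vendor)
    if window is None or not (window[0] <= now < window[1]):
        return None, "no approved maintenance window is open"
    # Expiry is clamped to the window so a late-starting session cannot outlive it.
    return Grant(vendor, target, min(now + MAX_SESSION, window[1])), None

def is_active(grant, now):
    """A grant is valid only until its expiry; reconnecting requires fresh authentication."""
    return now < grant.expires_at
```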
Need secure vendor remote access designed into your greenfield factory? Secure Your Factory Network — we design jump server architecture, MFA integration, and session monitoring as part of the IT/OT separation blueprint.
OT Network Monitoring & Intrusion Detection
Passive OT Network Monitoring
Non-intrusive monitoring via SPAN/mirror ports on OT switches. Captures all traffic without injecting packets or affecting control system performance. Builds asset inventory automatically — discovers every device, protocol, and communication path on the OT network.
Anomaly Detection (AI-Powered)
ML models learn normal OT traffic patterns: which PLCs talk to which HMIs, at what frequency, using which commands. Any deviation — new device, unusual protocol, unexpected command — triggers an alert. Detects both cyber threats and misconfigured equipment.
Deep Packet Inspection (OT Protocols)
Understands industrial protocols (EtherNet/IP CIP, Modbus TCP, PROFINET, OPC UA, S7comm) at the application layer. Detects malicious commands that standard IT firewalls miss — for example, a PLC firmware download that wasn't authorized or a safety PLC mode change.
SIEM Integration & Incident Response
OT security events are fed into the plant SIEM or SOC alongside IT events for unified threat visibility. Automated playbooks handle OT-specific incidents: isolate the compromised zone, preserve forensic evidence, and notify operations and engineering simultaneously.
Key Benefits & ROI
Separation Is Cheaper Than Recovery
iFactory designs physically and logically separated IT/OT networks for greenfield factories — Purdue Model architecture, IEC 62443 zones and conduits, industrial firewalls, DMZ design, secure remote access, and OT monitoring — all as construction-ready documentation.
$4.4M Average Ransomware Cost vs. $50K for Greenfield Network Separation
The math is simple. Design IT/OT separation into the building — separate cables, firewalls, DMZ, and monitoring — and eliminate the attack surface before the first machine connects.