Blog - Manufacturing
Author: Denrich Sananda
Date: 27-04-2026

How to Conduct an OT/IT Network Segmentation Audit in a Manufacturing Plant

Network segmentation is the foundational control in OT security. Without it, a compromised laptop on the corporate IT network can reach every PLC on the factory floor. With it, an adversary who penetrates the IT environment faces a defined, enforced boundary before they can touch production systems. Every other OT security control - monitoring, access governance, incident response - depends on knowing where that boundary is and being able to trust that it holds.

The problem in most manufacturing plants is that the actual segmentation boundary differs from the documented one. Over years of incremental connectivity additions - a new cloud analytics platform here, a vendor remote monitoring connection there, an engineering workstation reconfigured to access both IT and OT networks for convenience - the real network topology has diverged from the architecture diagram. The gaps between the two are where attacks succeed.

A network segmentation audit closes that gap. It maps the actual network topology of the manufacturing environment, identifies every connection between OT and IT systems, compares that topology against what the security architecture requires, and produces a prioritized list of remediations. This post is a step-by-step guide to conducting that audit in a manufacturing plant - what to look for, what tools to use, what the common findings are, and how to prioritize remediation without disrupting production.

68% of manufacturing OT security incidents in 2024 involved lateral movement from IT to OT networks (source: Claroty Global State of CPS Security Report, 2024)

In the majority of confirmed cases, the lateral movement pathway exploited a connection that was not documented in the organization's network architecture - either an undocumented vendor access path, an uncontrolled engineering workstation connection, or a firewall rule that had been added for operational convenience and never reviewed. The undocumented connection is the most common root cause of IT-to-OT lateral movement in manufacturing incidents.

1. What a Network Segmentation Audit Covers

A network segmentation audit in a manufacturing environment has three objectives: discover the actual asset inventory and network topology, map all communication pathways between OT and IT systems, and identify gaps between the current state and the required security architecture. It is a point-in-time assessment that produces a documented baseline and a gap report - not a continuous monitoring capability.

The scope of the audit must cover the full manufacturing OT environment, not just the systems that are already documented in the network architecture. In most manufacturing plants, the most significant findings come from systems that are not in the architecture documentation at all.

Audit scope areas and what each includes:

  • Production control network: PLCs, DCS controllers, RTUs, HMIs, SCADA servers, historian servers, engineering workstations connected to OT networks
  • IT/OT boundary infrastructure: Firewalls, routers, switches, and Industrial DMZ components at the boundary between corporate IT and OT networks
  • Remote access infrastructure: VPN concentrators, jump servers, remote desktop gateways, and vendor portal connections into OT systems
  • Industry 4.0 connectivity: IIoT device networks, edge computing nodes, cloud connectivity gateways, OEM remote monitoring connections
  • Engineering and maintenance systems: PLC programming workstations, DCS engineering stations, maintenance laptops, USB and removable media policies
  • Wireless infrastructure: Industrial wireless networks, IIoT wireless segments, any wireless access points within or adjacent to production areas
  • Third-party and contractor connections: Integrator VPN connections, OEM monitoring portals, maintenance contractor remote access, supply chain connectivity


Scope Boundary

A network segmentation audit is not a vulnerability assessment. Its objective is to map the actual network topology and identify unauthorized or undocumented connectivity - not to enumerate software vulnerabilities on individual systems. Vulnerability assessment of OT assets is a separate exercise with different tools and different operational risk considerations. Combining the two in a single engagement without careful planning risks disrupting production systems with active scanning traffic.

2. Preparation: What to Gather Before the Audit Begins

2.1 Documentation Collection

Begin by collecting all existing network documentation. The gap between this documentation and what the audit discovers is itself a finding. Collect:

  • Network topology diagrams: All available network architecture diagrams for the OT environment, including any Purdue Model layer diagrams, zone and conduit documentation, and Industrial DMZ architecture documentation.
  • Firewall rule sets: Export current firewall rules from all firewalls at the IT/OT boundary and within the OT environment. These will be compared against what traffic is actually observed during the audit.
  • Asset inventory: Any existing OT asset inventory, CMDB entries, or equipment lists covering PLCs, HMIs, SCADA servers, and other OT assets.
  • Remote access documentation: A list of all documented remote access connections into the OT environment - VPN accounts, vendor portal credentials, jump server access accounts.
  • Change management records: Approved network change records from the past 12-24 months. Undocumented changes - connectivity additions that do not appear in the change record - are a common finding source.

2.2 Stakeholder Alignment

A network segmentation audit in a manufacturing plant requires coordination with operations before any active work begins. The audit team must understand which systems are production-critical and cannot be disrupted, what maintenance windows are available if any active assessment work is required, and who the operational contacts are for each production area. The audit methodology must be communicated to operations leadership before it begins - the last thing a manufacturing security assessment should do is trigger a production incident because operations was not informed that network discovery activity was underway.

2.3 Tool Selection

Tool selection for an OT network segmentation audit must account for the sensitivity of production systems to active network scanning. The standard IT network discovery approach - running an active scanner like Nmap across the network - is not appropriate for OT environments where active scan traffic can cause unpredictable responses in PLCs and other real-time control devices.

  • Passive network monitoring (preferred): Passive OT discovery tools capture and analyze network traffic without sending any additional packets to OT devices. Tools in this category - including solutions from Dragos, Claroty, Nozomi, and similar OT security vendors - can be deployed at network tap or SPAN port positions and identify all communicating devices from observed traffic without generating any additional network load.
  • Active scanning with OT-safe configuration (where required): If passive monitoring alone cannot provide complete topology information, active scanning tools configured for OT-safe operation - slow scan rates, limited protocol coverage, exclusion of known-sensitive devices - can be used in coordination with operations during defined maintenance windows.
  • Firewall and switch configuration review: Configuration exports from firewalls and managed switches provide authoritative topology information that does not require any network traffic generation.

3. Phase 1 - Asset Discovery and Network Topology Mapping

3.1 Deploy Passive Monitoring at Key Network Positions

Deploy passive monitoring sensors at the network positions that will capture the most representative traffic in the manufacturing environment. The minimum positions are:

  • IT/OT boundary firewall SPAN port: Captures all traffic crossing the boundary between corporate IT and the OT network. This is the primary position for identifying undocumented IT/OT connections.
  • Core OT network switch SPAN port: Captures traffic between major OT network segments - between SCADA servers, historian servers, engineering workstations, and PLC subnets.
  • Industrial DMZ SPAN port (if present): Captures traffic through the DMZ to confirm that only documented flows are using the DMZ infrastructure.
  • IIoT network gateway: Captures traffic between IIoT devices and their upstream systems - confirming what the IIoT devices are communicating with and whether they have any direct OT connectivity.

Run passive monitoring for a minimum of two weeks before drawing conclusions about normal traffic patterns. Manufacturing production schedules include weekly and shift-based patterns that may not be visible in a shorter monitoring window. Maintenance activities, batch production cycles, and scheduled vendor remote access events all generate traffic patterns that should be captured before the baseline is considered representative.

3.2 Build the Asset Inventory from Observed Traffic

Passive monitoring tools identify all communicating devices from the traffic they observe - constructing an asset inventory from network behavior rather than from documentation. The output is a device list that includes every IP address and MAC address observed communicating on the monitored network segments, with protocol and communication partner information for each device.

Compare this discovered inventory against the existing documented asset inventory. The delta between the two - devices that appear in network traffic but are not in the asset documentation - is the set of undocumented assets. Match on MAC address as well as IP address: a DHCP-assigned or re-addressed device otherwise shows up as several assets, or drops out of the delta entirely. In most manufacturing environments, this delta includes:

  • Undocumented engineering laptops: Contractor and vendor laptops that have been connected to the OT network for maintenance and not removed from the network configuration.
  • IIoT devices added outside the formal change process: Sensors and edge devices deployed by operations or maintenance teams without security team involvement.
  • Legacy devices no longer in active use: Controllers, HMIs, and workstations from decommissioned production lines that remain connected to the network.
  • Vendor remote monitoring devices: OEM-installed monitoring hardware that was connected to the production network as part of equipment installation and not documented in the network architecture.

3.3 Map Communication Pathways Between All Discovered Assets

For each asset in the discovered inventory, document all observed communication partners - which other devices it communicates with, using which protocols, and at what frequency. This communication map is the actual network topology of the manufacturing environment.

Structure the communication map by zone: group discovered assets by their functional role and network location, then map communications within zones and between zones. The between-zone communications are the conduits - and any conduit that was not documented in the security architecture is a finding.

4. Phase 2 - Boundary Assessment and Gap Identification

4.1 Assess the IT/OT Boundary

The IT/OT boundary is the primary focus of the segmentation audit. Every communication pathway that crosses this boundary must be documented, justified, and controlled. The assessment of this boundary involves three steps.

Step 1: Map all observed IT/OT boundary traffic against documented firewall rules

Compare the traffic observed at the IT/OT boundary against the documented firewall rule set. Any traffic that crosses the boundary without a corresponding documented firewall rule indicates either an undocumented firewall rule, a firewall misconfiguration, or a network path that bypasses the boundary firewall entirely. Each of these is a critical finding.

Step 2: Review firewall rules for compliance with the documented security architecture

Review all firewall rules at the IT/OT boundary - including rules that are not generating observed traffic - against the documented security architecture requirements. Rules that permit traffic that should not be permitted per the architecture are findings regardless of whether that traffic has been observed. In manufacturing environments, the most common unauthorized rule categories are:

  • Rules permitting IT-side endpoints to initiate connections to OT systems: The security architecture typically requires that connections be initiated from the more trusted zone outward - the OT historian pushing data to a replica in the Industrial DMZ, which IT-side consumers then query - rather than IT-side systems opening connections into OT. Rules that invert this direction are a segmentation gap. Check that the firewall is stateful for these conduits: if return traffic for OT-initiated sessions has been accommodated with a separate IT-to-OT allow rule, that rule also admits IT-initiated connections.
  • Rules with overly broad scope: Rules that permit any source on the IT network to reach any destination on the OT network for a specific protocol are common legacy configurations that should be replaced with rules scoped to specific source and destination addresses.
  • Rules for decommissioned services: Rules associated with systems, services, or vendors that are no longer active but whose firewall rules were never removed.

Step 3: Identify network paths that bypass the boundary firewall

The boundary firewall controls traffic that the network routing directs through it. If there are network paths between IT and OT systems that do not route through the boundary firewall - dual-homed workstations, backdoor wireless connections, shared management networks - those paths represent segmentation gaps that the firewall cannot address. Identifying these paths requires reviewing switch configurations, wireless access point placements, and management network architecture in addition to the firewall rule review.
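The discovery steps in sections 3.2 and 3.3 and the bypass check in Step 3 above all work from the same input: the flow export of the passive sensors. The script below is an added example, not code from the original post or from any vendor's product. It builds the inventory from observed flows, reports the delta against the documented inventory, groups inter-zone traffic into conduits and compares them with the documented ones, and then flags cross-boundary flows that the OT core sensor saw but the boundary firewall sensor never did, which is the signature of a dual-homed host or other path around the firewall. The zone ranges, documented inventory, documented conduits and the flow export are constructed for illustration; the same delta logic is what the ongoing monitoring in section 6.2 later compares against the baseline.

```python
"""Reconcile passively observed flows against the documented OT architecture.

Added example, not code from the original post. The zone ranges, documented
inventory, documented conduits and the flow export below are constructed for
illustration; a real run would load the flow export of the passive sensor
(a Zeek conn.log, or a Dragos/Claroty/Nozomi export) and the plant's own
zone-and-conduit documentation.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed zone layout for one plant (Purdue-style).
ZONES = {
    "IT":    ipaddress.ip_network("10.10.0.0/16"),
    "DMZ":   ipaddress.ip_network("10.20.0.0/24"),
    "OT_L3": ipaddress.ip_network("192.168.10.0/24"),  # SCADA, historian, EWS
    "OT_L1": ipaddress.ip_network("192.168.20.0/24"),  # PLC / controller subnet
}
OT_ZONES = {"OT_L3", "OT_L1"}

# Conduits the security architecture permits: (source zone, destination zone, service).
DOCUMENTED_CONDUITS = {
    ("OT_L3", "DMZ", "tcp/443"),    # OT historian pushes to the DMZ replica
    ("IT", "DMZ", "tcp/443"),       # IT reporting reads from the DMZ replica
    ("OT_L3", "OT_L1", "tcp/502"),  # SCADA polls PLCs over Modbus/TCP
}

# OT asset inventory as documented (IT-side hosts are out of scope for it).
DOCUMENTED_ASSETS = {"192.168.10.5", "192.168.10.6", "192.168.20.11", "10.20.0.10"}

# Constructed flow export. `sensor` is the capture position: BOUNDARY is the
# IT/OT firewall SPAN, CORE is the OT core switch SPAN.
FLOW_EXPORT = """sensor,src_ip,dst_ip,service
BOUNDARY,192.168.10.5,10.20.0.10,tcp/443
CORE,192.168.10.5,10.20.0.10,tcp/443
BOUNDARY,10.10.4.20,10.20.0.10,tcp/443
CORE,192.168.10.5,192.168.20.11,tcp/502
CORE,192.168.10.6,192.168.20.11,tcp/502
CORE,192.168.10.77,192.168.20.11,tcp/502
CORE,192.168.20.40,192.168.20.11,tcp/44818
BOUNDARY,192.168.20.40,203.0.113.25,tcp/443
CORE,192.168.20.40,203.0.113.25,tcp/443
CORE,10.10.7.31,192.168.20.11,tcp/502
CORE,192.168.10.6,10.10.3.9,tcp/445
"""


def load_flows(text=FLOW_EXPORT):
    return list(csv.DictReader(io.StringIO(text)))


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return "UNKNOWN"  # e.g. an Internet address behind an OEM call-home


def flow_key(flow):
    return (flow["src_ip"], flow["dst_ip"], flow["service"])


def discover_assets(flows):
    """Section 3.2: build the inventory from traffic, not from documentation."""
    inventory = defaultdict(lambda: {"services": set(), "peers": set()})
    for f in flows:
        for me, peer in ((f["src_ip"], f["dst_ip"]), (f["dst_ip"], f["src_ip"])):
            inventory[me]["services"].add(f["service"])
            inventory[me]["peers"].add(peer)
    return dict(inventory)


def undocumented_ot_assets(inventory, documented=DOCUMENTED_ASSETS):
    """Devices seen talking inside the OT/DMZ zones that the inventory does not list."""
    return sorted(ip for ip in inventory
                  if zone_of(ip) in OT_ZONES | {"DMZ"} and ip not in documented)


def observed_conduits(flows):
    """Section 3.3: inter-zone communications, i.e. the conduits actually in use."""
    return {(zone_of(f["src_ip"]), zone_of(f["dst_ip"]), f["service"])
            for f in flows if zone_of(f["src_ip"]) != zone_of(f["dst_ip"])}


def undocumented_conduits(flows, documented=DOCUMENTED_CONDUITS):
    return sorted(observed_conduits(flows) - documented)


def firewall_bypasses(flows):
    """Section 4.1 step 3: flows that cross between OT and non-OT zones and were
    seen by the OT core sensor but never by the boundary firewall sensor. They
    entered or left OT by a path the boundary firewall does not see (dual-homed
    host, rogue wireless link, shared management network)."""
    at_boundary = {flow_key(f) for f in flows if f["sensor"] == "BOUNDARY"}
    bypasses = set()
    for f in flows:
        if f["sensor"] != "CORE":
            continue
        src_in_ot = zone_of(f["src_ip"]) in OT_ZONES
        dst_in_ot = zone_of(f["dst_ip"]) in OT_ZONES
        if src_in_ot != dst_in_ot and flow_key(f) not in at_boundary:
            bypasses.add(flow_key(f))
    return sorted(bypasses)


if __name__ == "__main__":
    flows = load_flows()
    inventory = discover_assets(flows)
    print("undocumented OT assets:", undocumented_ot_assets(inventory))
    print("undocumented conduits:", undocumented_conduits(flows))
    print("boundary bypasses:", firewall_bypasses(flows))
```

On the constructed data the script reports two undocumented OT devices (a contractor laptop on the Level 3 subnet and an OEM monitoring box on the PLC subnet), three undocumented conduits (an IT host polling a PLC, an engineering workstation talking SMB to an IT host, and the OEM box calling out to the Internet), and two firewall bypasses. Note that the OEM call-home is an undocumented conduit but not a bypass: it crosses the boundary through the firewall, so it is a rule-review finding rather than a topology finding. A flow seen only on the core sensor can also mean the boundary SPAN missed it (asymmetric routing, SPAN oversubscription), so confirm each reported bypass against switch and port configuration before writing it up.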

4.2 Assess Remote Access Pathways

Remote access is consistently the highest-risk boundary area in manufacturing OT environments. The assessment must identify every remote access pathway into the OT environment - not just the ones documented in the official remote access inventory.

  • VPN account audit: Pull all active VPN accounts with OT network access. Compare against the documented list of authorized remote access users and vendors. Terminate any account that cannot be attributed to an active, authorized user or vendor relationship.
  • Persistent connection identification: Identify all site-to-site VPN connections that are permanently active. Each persistent connection is a standing attack pathway - assess whether each requires persistent connectivity or whether just-in-time access would serve the operational need.
  • Jump server and remote desktop gateway review: Assess the access controls on any jump servers or remote desktop gateways that provide access to OT systems - what accounts can access them, from what source networks, and whether MFA is enforced.
  • OEM monitoring connection inventory: Identify all vendor monitoring connections - including connections established by OEM equipment vendors as part of equipment installation that may not be in the official remote access inventory.

4.3 Assess Industrial DMZ Architecture (if present)

If the manufacturing environment has an Industrial DMZ between the IT and OT networks, assess whether the DMZ is functioning as designed. A correctly implemented Industrial DMZ brokers all IT/OT data flows through controlled pathways - no direct connections between IT endpoints and OT systems bypass the DMZ. Common DMZ findings in manufacturing environments include:

  • Direct connections that bypass the DMZ: Firewall rules or network paths that allow IT-side systems to reach OT systems without going through the DMZ infrastructure.
  • IT clients reading directly from the OT-side historian: The production historian belongs on the OT side of the DMZ, but IT should reach its data only through a replica or mirror historian placed in the DMZ. Where no replica exists, corporate reporting and analytics clients connect straight to the OT historian, which gives IT-side systems a direct path into the OT network through the historian connection.
  • Undocumented services running in the DMZ: Applications or services operating in the DMZ that were not part of the approved DMZ design and that create additional attack surface within the controlled zone.

5. Phase 3 - Gap Analysis and Remediation Prioritization

5.1 Categorizing Findings by Severity

Not all segmentation gaps have the same risk profile. Findings from the audit should be categorized by the combination of exploitability and consequence to allow remediation resources to be directed at the highest-risk gaps first.

Severity, finding type, example, and remediation priority:

  • Critical - Direct IT-to-OT connectivity with no authentication or monitoring. Examples: engineering workstation with simultaneous IT and OT network connections and no access control; active vendor VPN with no MFA providing access to the PLC network. Remediation priority: immediate, within 30 days.
  • High - Documented boundary with undocumented bypass pathways. Examples: firewall rule permitting any IT source to reach an OT subnet; persistent vendor VPN for an inactive vendor relationship; undocumented OEM monitoring connection. Remediation priority: short-term, within 90 days.
  • Medium - Boundary controls in place but with configuration gaps. Examples: firewall rules broader than the documented conduit (extra ports or hosts on an otherwise authorized flow); DMZ with direct connections bypassing the intended flow; jump server without MFA. Remediation priority: medium-term, within 180 days.
  • Low - Documentation and process gaps without immediate technical risk. Examples: undocumented assets in the inventory; firewall rules for decommissioned services generating no traffic; incomplete change management records. Remediation priority: planned remediation, within 12 months.

5.2 Remediation Sequencing for Manufacturing Environments

Remediation of segmentation gaps in a live manufacturing environment must be sequenced to avoid production disruption. The correct sequence is not always the one that addresses the highest-severity finding first - it is the one that achieves the greatest risk reduction while respecting operational constraints.

Remediations that require no production impact

Several categories of remediation can be implemented immediately without any production risk:

  • Terminating unused remote access accounts and persistent VPN connections: Revoking access for inactive vendors and terminating persistent connections that serve no current operational purpose creates no production impact and closes standing attack pathways.
  • Tightening firewall rule scope: Replacing broad firewall rules with specific source-destination-protocol rules can be done on existing firewall infrastructure without network changes, and does not affect production traffic if the rules are correctly scoped before deployment.
  • Deploying MFA on existing remote access infrastructure: Adding MFA to an existing VPN or jump server does not change the network topology and does not affect production systems - it affects only the authentication experience for interactive remote users. Check first for vendor or OEM connections that authenticate non-interactively (scripted or appliance-based sessions); those cannot answer an MFA prompt and need a separate control rather than a blanket policy that silently breaks them.

Remediations that require a maintenance window

Network topology changes - adding DMZ infrastructure, moving historian servers, reconfiguring switch VLANs - affect production system connectivity and must be scheduled during planned maintenance windows with operations coordination and rollback procedures prepared in advance.

Remediations that require a phased implementation

Some remediations - particularly replacement of persistent vendor VPN connections with a centralized secure access gateway - require vendor coordination, user onboarding, and parallel running periods before the old access method can be decommissioned. These are project-scale remediations that should be planned over a defined timeline rather than implemented as emergency changes.

Common Mistake

The most common mistake in manufacturing OT segmentation remediation is implementing firewall rules based on the documented architecture without first verifying that the rules will not block production traffic that depends on the undocumented connections being closed. Before any firewall change at the IT/OT boundary, verify against the passive monitoring traffic baseline that no currently active production traffic will be disrupted by the rule change. Implement changes in monitoring mode first - logging traffic that would be blocked - before enforcing the block.
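Steps 1 and 2 of section 4.1 and the common mistake above are two uses of one operation: evaluating flows against a rule set. The script below is an added example, not code from the original post or from any firewall vendor. It reconciles the current boundary rule set with the observed baseline (flows with no permitting rule, rules never hit), checks rules for inverted direction and overly broad scope, and then dry-runs a proposed tightened rule set against the baseline to list the production flows it would block, which is the offline equivalent of deploying the change in log-only mode first. The rule set, the proposed rule set and the baseline are constructed; first-match evaluation with an implicit deny at the end is an assumption that must be checked against the firewall's actual evaluation order.

```python
"""Reconcile a boundary firewall rule set with observed traffic, then dry-run a
tightened rule set against the traffic baseline before enforcing it.

Added example, not code from the original post. The rule set and the flow
baseline are constructed for illustration; a real run would parse the
firewall's rule export and the passive sensor's flow export. First-match
evaluation with an implicit deny at the end is an assumption: confirm the
vendor's evaluation order before trusting the result.
"""
import ipaddress
from dataclasses import dataclass

IT = ipaddress.ip_network("10.10.0.0/16")
OT = ipaddress.ip_network("192.168.0.0/16")   # all OT subnets, for direction checks


def net(cidr):
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str   # "tcp/502", "tcp/3389", ... or "any"
    action: str    # "allow" or "deny"

    def matches(self, src_ip, dst_ip, service):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.service in ("any", service))


# Current rule set exported from the boundary firewall (constructed).
CURRENT_RULES = [
    Rule("hist-to-dmz", net("192.168.10.5/32"), net("10.20.0.10/32"),    "tcp/443",  "allow"),
    Rule("it-to-dmz",   IT,                     net("10.20.0.10/32"),    "tcp/443",  "allow"),
    Rule("legacy-opc",  IT,                     net("192.168.10.0/24"),  "tcp/135",  "allow"),
    Rule("vendor-rdp",  net("10.10.50.0/24"),   net("192.168.10.6/32"),  "tcp/3389", "allow"),
    Rule("old-mes",     net("10.10.2.15/32"),   net("192.168.10.20/32"), "tcp/1433", "allow"),
]  # followed by the firewall's implicit deny-all

# Proposed tightened rule set: legacy-opc and old-mes removed (constructed).
PROPOSED_RULES = [r for r in CURRENT_RULES if r.name not in ("legacy-opc", "old-mes")]

# Flows observed at the boundary SPAN over the monitoring window (constructed).
BASELINE = [
    ("192.168.10.5", "10.20.0.10",    "tcp/443"),
    ("10.10.4.20",   "10.20.0.10",    "tcp/443"),
    ("10.10.50.7",   "192.168.10.6",  "tcp/3389"),
    ("10.10.8.44",   "192.168.10.30", "tcp/135"),   # rides on the broad legacy-opc rule
    ("10.10.61.3",   "192.168.10.6",  "tcp/5900"),  # VNC: no rule permits it
]


def first_match(rules, src_ip, dst_ip, service):
    for rule in rules:
        if rule.matches(src_ip, dst_ip, service):
            return rule
    return None


def permitted(rules, src_ip, dst_ip, service):
    rule = first_match(rules, src_ip, dst_ip, service)
    return rule is not None and rule.action == "allow"


def reconcile(rules, flows):
    """Step 1: flows with no permitting rule, and rules that no flow ever hit."""
    unexplained, hit = [], set()
    for src, dst, svc in flows:
        rule = first_match(rules, src, dst, svc)
        if rule is None or rule.action != "allow":
            unexplained.append((src, dst, svc))
        else:
            hit.add(rule.name)
    unused = [r.name for r in rules if r.name not in hit]
    return unexplained, unused


def it_initiated_into_ot(rules):
    """Step 2: allow rules whose source is on the IT side and destination inside OT."""
    return [r.name for r in rules
            if r.action == "allow" and r.src.overlaps(IT) and r.dst.overlaps(OT)]


def overly_broad_into_ot(rules, max_src_prefix=24):
    """Step 2: allow rules into OT with a source wider than a /24 or an 'any' service."""
    return [r.name for r in rules
            if r.action == "allow" and r.dst.overlaps(OT)
            and (r.src.prefixlen < max_src_prefix or r.service == "any")]


def dry_run(rules, flows):
    """Common-mistake check: which baseline flows would the new rule set block?"""
    return [(src, dst, svc) for src, dst, svc in flows
            if not permitted(rules, src, dst, svc)]


def scoped_rule(name, flow):
    """Minimal host-to-host replacement for a flow that operations confirms is needed."""
    src, dst, svc = flow
    return Rule(name, net(f"{src}/32"), net(f"{dst}/32"), svc, "allow")


if __name__ == "__main__":
    print("unexplained / unused:", reconcile(CURRENT_RULES, BASELINE))
    print("IT-initiated into OT:", it_initiated_into_ot(CURRENT_RULES))
    print("overly broad into OT:", overly_broad_into_ot(CURRENT_RULES))
    blocked = dry_run(PROPOSED_RULES, BASELINE)
    print("would be blocked by proposed set:", blocked)
    # Operations confirms the tcp/135 flow is a live MES interface: scope it rather than re-open it.
    print("after scoping:", dry_run(PROPOSED_RULES + [scoped_rule("mes-opc", blocked[0])], BASELINE))
```

On the constructed data the VNC flow is unexplained (it reached the firewall position with no rule permitting it, so either an undocumented rule or a NAT/logging gap needs explaining), old-mes was never hit, and legacy-opc is both IT-initiated and broad. Removing legacy-opc outright would cut the live tcp/135 flow; the dry run catches that, and the scoped host-to-host rule closes the broad rule without breaking production. A rule that is unhit in a two- to four-week window is a candidate for removal, not proof of disuse: confirm with the rule's owner, since quarterly or annual jobs will not appear in the baseline.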

6. Deliverables: What the Audit Should Produce

6.1 The Segmentation Audit Report

The audit report documents the complete findings of the assessment and provides the input for the remediation program. It should include:

  • Discovered asset inventory: A complete list of all assets identified during the audit, with network addresses, protocols observed, and communication partners documented.
  • Actual network topology diagram: A network diagram reflecting the actual discovered topology - not the documented architecture - including all identified connections between IT and OT systems.
  • Gap analysis: A comparison between the discovered topology and the required security architecture, with each gap categorized by severity and described in terms of its exploitability and consequence.
  • Remediation plan: A prioritized remediation list with specific technical actions, estimated effort, operational impact, and recommended timeline for each finding.

6.2 The Segmentation Baseline

The audit produces a network topology baseline - a documented, verified picture of what the manufacturing OT network actually looks like at a point in time. This baseline serves as the reference for ongoing network monitoring: deviations from the baseline - new devices appearing, new communication pathways observed, new connections crossing the IT/OT boundary - are the indicators that the network monitoring platform should alert on.

The baseline also establishes the starting point for the remediation program. Progress against the remediation plan can be measured by comparing subsequent network topology observations against the audit baseline and tracking how many of the identified gaps have been closed.

6.3 The Ongoing Audit Cadence

A network segmentation audit is not a one-time exercise. Manufacturing environments change continuously - new equipment is installed, new vendor connections are added, production configurations change. The segmentation baseline degrades over time as the network evolves. An annual re-audit of the full scope, combined with continuous network monitoring that flags new IT/OT connections in real time, maintains the accuracy of the segmentation baseline and ensures that new gaps are identified before they are exploited.

Bottom Line

A network segmentation audit in a manufacturing plant is not primarily a technical exercise. It is an organizational discipline exercise. Manufacturing OT segmentation audits routinely surface undocumented connections, inactive accounts, and bypassed controls - not because the security team failed to design an adequate architecture, but because the network changed over time without consistent governance. The audit produces the accurate baseline that governance requires. The ongoing monitoring and change management process that follows the audit is what keeps the segmentation architecture aligned with the actual network topology.

Frequently Asked Questions

How long does a network segmentation audit take in a manufacturing plant?

The timeline depends primarily on the size and complexity of the OT environment, the quality of existing documentation, and the access arrangements for passive monitoring deployment. For a single manufacturing facility with a moderately complex OT network, a segmentation audit typically takes four to six weeks from passive monitoring deployment through gap report delivery. Larger facilities, multi-site audits, or environments with minimal existing documentation take longer. The passive monitoring phase - running for two to four weeks to capture representative traffic patterns - is typically the minimum timeline constraint. The assessment and report phases add two to three weeks on top of the monitoring phase.

Can we conduct a network segmentation audit using only internal resources, or do we need external expertise?

Internal teams with OT security expertise and access to appropriate passive monitoring tools can conduct segmentation audits effectively. The primary requirement is that the team conducting the audit has genuine OT network expertise - not IT security expertise applied to OT. The protocols, device behaviors, and traffic patterns in OT networks are different from IT networks in ways that matter for accurate topology interpretation. A team that interprets normal Modbus polling traffic as an anomaly, or that misses the significance of a dual-homed engineering workstation, will produce an audit report that mischaracterizes the actual risk. External OT security expertise is valuable when internal teams do not have this background, or when an independent assessment is required for compliance or governance purposes.

What is the difference between a network segmentation audit and a penetration test?

A network segmentation audit maps the actual network topology and identifies connectivity gaps - it is a passive assessment of what exists and what should not exist. A penetration test attempts to exploit vulnerabilities and segmentation gaps to demonstrate what an adversary could achieve - it is an active assessment that deliberately attempts unauthorized access. Both serve different purposes and are appropriate at different stages of an OT security program. A segmentation audit should precede a penetration test: you cannot effectively pentest a network topology you have not accurately mapped, and penetration testing an OT environment without a current topology baseline risks causing production disruptions by testing connections whose operational dependencies are unknown.

What do we do if we discover active unauthorized access during the audit?

If passive monitoring during the audit reveals traffic patterns consistent with active unauthorized access - command and control beacons from OT systems, anomalous authentication patterns, unexpected external connections - the audit transitions immediately to incident response. The findings should be escalated to the security leadership and operations teams immediately, and the incident response plan should be activated. The passive monitoring data captured during the audit provides forensic evidence of the intrusion timeline and scope. Do not remediate discovered access pathways before preserving forensic evidence - closing the access pathway without preserving evidence of how it was used destroys the forensic record that is needed to understand the full scope of any compromise.