A flat OT network is a manufacturing liability, not a rarity. Many facilities we work with have zero network segmentation—all PLCs, drives, sensors, and engineering workstations sit on the same broadcast domain. Migration to a Purdue-aligned architecture requires meticulous planning because the costs of downtime far exceed the cost of the segmentation infrastructure itself.
The key principle: prove segmentation in simulation before activating it in production. Build the new network in parallel, test all communication paths without disrupting the live system, then cut over in a controlled sequence by production zone or process area.
Phase 1: Blueprint and Discovery (Weeks 1-3)
Document every device, protocol, and traffic dependency in your existing network. Capture network traffic using passive taps or SPAN ports to build a ground-truth dependency map. Identify choke points: historian servers, engineering workstations, gateways to MES or corporate systems. These become zone edge devices.
Assign devices to Purdue levels: field instruments to Level 0/1, PLCs and RTUs to Level 1/2, HMIs and engineering stations to Level 2/3, corporate gateways to Level 3/4. Many facilities have devices that logically belong at multiple levels—this is a flag for architectural refinement later.
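The dependency map and the level assignment above can be checked mechanically once the capture is in hand. The following script is an added example written for this article, not tooling from the practice described here: it parses a constructed Zeek conn.log excerpt, aggregates it into a source-to-destination dependency map, looks each address up in a constructed inventory of Purdue levels, and flags flows that skip a level (direct corporate-to-field paths) and the devices that many peers depend on (candidate zone edges). The addresses, device names and level assignments are assumptions made for the example.

```python
"""Build a ground-truth dependency map from Zeek conn.log records and check it
against a Purdue-level inventory.  Added example for this article; the log
lines, the inventory and the level assignments are constructed, not real data."""
from collections import defaultdict

# Constructed Zeek conn.log excerpt (tab-separated; only the fields we need).
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1700000000.1\tC1\t10.0.0.20\t50123\t10.0.0.11\t502\ttcp\tmodbus
1700000001.2\tC2\t10.0.0.20\t50124\t10.0.0.12\t44818\ttcp\tenip
1700000002.3\tC3\t10.0.0.30\t50200\t10.0.0.11\t502\ttcp\tmodbus
1700000003.4\tC4\t10.0.0.40\t50300\t10.0.0.30\t1433\ttcp\t-
1700000004.5\tC5\t10.0.0.50\t50400\t10.0.0.11\t502\ttcp\tmodbus
1700000005.6\tC6\t10.0.0.11\t123\t10.0.0.40\t123\tudp\tntp
"""

# Constructed inventory: IP -> (name, Purdue level).  Assumed for the example.
INVENTORY = {
    "10.0.0.11": ("PLC-Line1", 1),
    "10.0.0.12": ("Drive-Line1", 1),
    "10.0.0.20": ("HMI-Line1", 2),
    "10.0.0.30": ("Historian", 3),
    "10.0.0.40": ("MES-Gateway", 4),
    "10.0.0.50": ("Corp-Laptop", 4),
}


def parse_conn_log(text):
    """Yield one (orig, resp, resp_port, proto, service) tuple per record."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        yield (rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]),
               rec["proto"], rec["service"])


def dependency_map(text):
    """Aggregate flows into {(orig, resp): {(proto, port, service), ...}}."""
    deps = defaultdict(set)
    for orig, resp, port, proto, service in parse_conn_log(text):
        deps[(orig, resp)].add((proto, port, service))
    return dict(deps)


def level_of(ip):
    return INVENTORY.get(ip, ("unknown", None))[1]


def find_level_violations(deps):
    """Flows between devices more than one Purdue level apart are direct paths
    the target architecture has to break or route through the DMZ; flows to or
    from a device missing from the inventory are gaps in the discovery."""
    out = []
    for orig, resp in deps:
        lo, lr = level_of(orig), level_of(resp)
        if lo is None or lr is None:
            out.append((orig, resp, "unknown device"))
        elif abs(lo - lr) > 1:
            out.append((orig, resp, f"L{lo}->L{lr} skips a level"))
    return out


def find_choke_points(deps, min_peers=2):
    """Devices that several others talk to: candidate zone-edge devices."""
    peers = defaultdict(set)
    for orig, resp in deps:
        peers[resp].add(orig)
    return {ip: sorted(p) for ip, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    deps = dependency_map(CONN_LOG)
    for (orig, resp), sigs in sorted(deps.items()):
        print(f"{orig} -> {resp}: {sorted(sigs)}")
    print("review:", find_level_violations(deps))
    print("choke points:", find_choke_points(deps))
```

Run against a real conn.log the only change is reading the file instead of the embedded string; the level check is deliberately strict (anything further than one level apart is reported) so that the review list is complete rather than short.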
Phase 2: Parallel Network Build (Weeks 4-7)
Deploy the new network infrastructure—switches, firewalls, VLANs, cabling—without disconnecting the existing network. Populate it with new IP addressing, routing, and access control lists that mirror your target architecture. Configure historian endpoints, logging aggregators, and time synchronization servers in the DMZ.
This is when you learn whether your firewall rules actually work. Replay production traffic through your new rules. You will discover undocumented communications, unnecessary direct connections, and assumptions that only live systems can reveal.
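Replaying captured flows through the candidate rule set is the part worth scripting before any cable moves. The block below is an added example for this article, not the practice's own tooling or any vendor's firewall syntax: it models the target policy as a simplified first-match zone ACL with a default deny, pushes a constructed list of flows observed on the flat network through it, and reports two things, the flows the new rules would silently break (undocumented communications) and the allow rules no observed flow ever hits (unnecessary openings to review). Zone names, rules and flows are all assumptions made for the example.

```python
"""Replay observed flows through a candidate zone rule set before cutover.
Added example for this article; zones, rules and flows are constructed and the
rule model (first-match ACL, default deny) is a simplification, not a real
firewall's configuration language."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str           # zone name or "any"
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # destination port, None = any port
    action: str             # "allow" or "deny"
    note: str = ""

    def matches(self, src_zone, dst_zone, proto, port):
        return (self.src_zone in (src_zone, "any")
                and self.dst_zone in (dst_zone, "any")
                and self.proto in (proto, "any")
                and self.port in (port, None))


# Constructed target policy.  Order matters: first match wins.
RULES = [
    Rule("cell1-l2", "cell1-l1", "tcp", 502, "allow", "HMI polls PLC"),
    Rule("cell1-l2", "cell1-l1", "tcp", 44818, "allow", "HMI to drive"),
    Rule("cell1-l1", "dmz", "udp", 123, "allow", "NTP from DMZ time server"),
    Rule("cell1-l2", "dmz", "tcp", 5000, "allow", "HMI to historian collector"),
    Rule("enterprise", "dmz", "tcp", 1433, "allow", "MES reads DMZ historian"),
    Rule("enterprise", "cell1-l1", "tcp", 22, "allow", "legacy vendor SSH"),
    Rule("any", "any", "any", None, "deny", "default deny"),
]

# Constructed zone membership and flows captured on the flat network.
ZONE_OF = {"10.0.0.11": "cell1-l1", "10.0.0.12": "cell1-l1",
           "10.0.0.20": "cell1-l2", "10.0.0.30": "dmz",
           "10.0.0.40": "enterprise", "10.0.0.50": "enterprise"}
OBSERVED_FLOWS = [  # (src, dst, proto, dst_port)
    ("10.0.0.20", "10.0.0.11", "tcp", 502),
    ("10.0.0.20", "10.0.0.12", "tcp", 44818),
    ("10.0.0.30", "10.0.0.11", "tcp", 502),    # historian polls PLC directly
    ("10.0.0.40", "10.0.0.30", "tcp", 1433),
    ("10.0.0.50", "10.0.0.11", "tcp", 502),    # laptop speaks Modbus to PLC
    ("10.0.0.11", "10.0.0.30", "udp", 123),
]


def evaluate(src, dst, proto, port):
    """Return (action, index of the matching rule) under first-match semantics."""
    sz, dz = ZONE_OF.get(src, "unknown"), ZONE_OF.get(dst, "unknown")
    for i, rule in enumerate(RULES):
        if rule.matches(sz, dz, proto, port):
            return rule.action, i
    return "deny", None  # unreachable while the explicit default-deny rule exists


def replay(flows):
    """Run every observed flow through the policy.  Returns the flows that would
    be blocked (each with its zones, for the review meeting) and a hit count per
    rule index."""
    blocked, hits = [], Counter()
    for src, dst, proto, port in flows:
        action, idx = evaluate(src, dst, proto, port)
        hits[idx] += 1
        if action == "deny":
            blocked.append((src, dst, proto, port,
                            ZONE_OF.get(src, "unknown"), ZONE_OF.get(dst, "unknown")))
    return blocked, hits


def unused_allow_rules(hits):
    """Allow rules that no observed flow exercised: openings to justify or drop."""
    return [i for i, r in enumerate(RULES) if r.action == "allow" and hits[i] == 0]


if __name__ == "__main__":
    blocked, hits = replay(OBSERVED_FLOWS)
    for b in blocked:
        print("would break:", b)
    for i in unused_allow_rules(hits):
        print("never used:", RULES[i].note)
```

Both findings feed Phase 1's dependency map back into the design: a blocked flow is either a path to re-route through the DMZ or an undocumented connection to retire, and an unused allow rule is a hole that should not survive into production without an owner.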
Phase 3: Communication Validation (Weeks 8-10)
- Protocol Capture: Simultaneously run Wireshark and Zeek on both network segments. Compare traffic signatures to identify anomalies before production devices see them.
- Failover Testing: Test zone redundancy. If a critical switch or firewall fails, does communication re-establish automatically? Does it maintain timing for hard real-time protocols?
- Maintenance Mode Operations: Do engineers need direct access to field devices for troubleshooting? Route these sessions through the new DMZ to prove it works before enabling it broadly.
- Third-Party Integration: If external vendors connect for remote support or data collection, test their access through the new segmentation before migrating to it permanently.
Phase 4: Staged Production Cutover (Weeks 11-13)
Begin migration with the lowest-risk zone—typically batch processes or non-critical production areas. Move a single production line or cell from the flat network to the segmented network. Let it run for at least two production shifts before moving the next zone. This staged approach lets you catch configuration errors before they compound across the entire facility.
If issues arise, you have a clear rollback path: individual zones can revert to the flat network temporarily while you debug the segmentation. Once all zones are migrated and have been stable for two weeks, decommission the flat network in a controlled fashion.
This playbook works because it respects production reality: downtime costs more than security infrastructure, and rushing segmentation creates both the security vulnerabilities and the operational fragility you were trying to prevent. If you'd like to discuss this for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.