Factory Floor Security

Securing factory floor systems without stopping production


6 facilities fully monitored
Zero production disruptions during deployment
11 weeks from first sensor to full visibility

A manufacturing group with six facilities across Ontario and Quebec had no formal operational technology security program. An acquisition had brought in a facility whose IT systems were found to have been compromised during the due diligence process — the compromise had spread from IT systems to the facility's production network, and the group's security team had spent three weeks remediating it. The incident had revealed that the group had no visibility into its OT networks, no baseline of what normal looked like, and no means of detecting or containing a similar incident at its other five facilities.

The outcome

We built a monitoring and segmentation program that started with observation only — no changes to production systems — and added controls progressively as the operations teams gained confidence in the approach.

01

OT security is fundamentally different from IT security

The first conversation we had with the group's security team was about the constraints that made OT security different from IT security. In an IT environment, the worst-case outcome of a security control that fails is a service disruption — applications go offline, users can't work, and the help desk receives calls. In an OT environment, the worst-case outcome of a security control that fails in the wrong way can be a production line stopping, a machine receiving a command it wasn't designed to handle, or a safety system being isolated from the equipment it monitors. These are not acceptable outcomes. The security program had to be designed around the operational risk of the security controls themselves, not just around the threat from external actors. This shaped every decision we made: passive before active, observation before enforcement, operations teams as approvers of every change, and an explicit commitment that any control we deployed could be removed within 30 minutes if it caused an unplanned operational effect.

02

The monitoring-first approach across six facilities

We deployed passive network monitoring at all six facilities over an eleven-week period. Passive monitoring sensors connect to network switch mirror ports — they see a copy of all network traffic but inject nothing onto the network and are not in the path of any communication. A sensor failure leaves the network completely unaffected. At each facility, we connected sensors to the main production network and to each identified network segment: the PLC networks serving each production line, the historian network that collected data from the PLCs, and the demilitarized zone where any connections between the production network and the enterprise IT network existed. Within 48 hours of sensor deployment at each facility, we had a complete picture of what devices existed on the network — more complete than the asset inventories the facilities maintained manually, which were consistently 15–25% incomplete. Within two weeks, we had baseline traffic patterns for each facility: which devices communicated with which, on which protocols, at which frequencies, and which external addresses any devices connected to.

03

What the monitoring revealed before any controls were deployed

The baseline monitoring period surfaced findings at every facility that the group's security team had not expected. At Facility 2, a production line PLC was sending SMTP traffic to an external mail server — a communication pattern that had no legitimate operational purpose and was consistent with an infected device attempting to exfiltrate data or reach a command-and-control server. Investigation revealed that the PLC's engineering workstation had been compromised by malware that had been dormant for an estimated fourteen months. At Facility 4, a device identified as a building management controller was communicating directly with the production historian — a connection that bypassed the intended network segmentation and represented a path through which a compromise of the building management system could reach production data. At Facility 6, three PLCs were running outdated firmware with known vulnerabilities that had been patched by the vendor in updates that had never been applied. None of these findings had been known before the monitoring program began. All were addressed before any network controls were deployed.

04

Network segmentation in controlled phases

After eight weeks of monitoring and baseline establishment, we began the network segmentation program. The segmentation approach divided each facility's OT network into zones based on operational criticality and communication requirements: safety instrumented systems in their own isolated zone, production control systems in production zones organized by line, and engineering access systems in a separate zone with controlled bridging to the production zones. Each zone boundary was implemented using industrial firewalls configured to pass only the communication relationships that the baseline monitoring had confirmed as legitimate. We deployed the zone boundaries one facility at a time, with operations leadership at each facility present for the initial activation of each boundary. The first 48 hours after each boundary activation were treated as a validation period: monitoring confirmed that legitimate production communications were flowing normally, and the firewall logs were reviewed for any blocked traffic that might indicate a communication relationship that had been missed in the baseline analysis. Two facilities required configuration adjustments during their validation periods — both cases where a communication relationship existed that the baseline monitoring had categorized as low-frequency and which the firewall rules had incorrectly blocked. Both were resolved within the validation window without production impact.
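As an added illustration, not the group's own tooling or data, the two steps described above in Python: deriving allow rules only from relationships the baseline confirmed, holding low-frequency relationships for operations sign-off instead of dropping them silently, and then classifying what the firewall blocked during the 48-hour validation window. The baseline day-counts, the deny-log format, the addresses and the 10% low-frequency threshold are all constructed assumptions.

```python
import re

# Constructed baseline: (src, dst, dst_port, proto) -> number of observation days
# on which the relationship was seen, out of an eight-week (56-day) window.
BASELINE_DAYS = 56
BASELINE = {
    ("10.20.1.11", "10.20.1.50", 502, "tcp"): 56,    # line-1 PLC -> historian, every day
    ("10.20.9.5", "10.20.1.11", 44818, "tcp"): 31,   # engineering workstation -> PLC
    ("10.20.1.50", "10.30.0.8", 1433, "tcp"): 56,    # historian -> enterprise DB via the DMZ
    ("10.20.9.5", "10.20.1.50", 445, "tcp"): 2,      # monthly batch export: low frequency
}
LOW_FREQ_FRACTION = 0.10  # assumption: seen on <10% of days needs explicit ops approval

def derive_rules(baseline, approved_low_freq=()):
    """Split baseline relationships into allow rules and low-frequency candidates.
    A low-frequency relationship becomes a rule only once operations approves it;
    otherwise it is returned in the review list so it is not silently dropped."""
    allow, review = [], []
    for rel, days in baseline.items():
        if days / BASELINE_DAYS >= LOW_FREQ_FRACTION or rel in approved_low_freq:
            allow.append(rel)
        else:
            review.append(rel)
    return allow, review

# Assumed deny-log format for the industrial firewall; constructed sample lines.
DENY_LOG = re.compile(r"DENY src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
VALIDATION_LOG = [
    "2024-03-04T02:17:05 fw-line1 ALLOW src=10.20.1.11 dst=10.20.1.50 dport=502 proto=tcp",
    "2024-03-04T02:30:41 fw-line1 DENY src=10.20.9.5 dst=10.20.1.50 dport=445 proto=tcp",
    "2024-03-04T03:02:19 fw-line1 DENY src=10.20.1.12 dst=203.0.113.10 dport=25 proto=tcp",
    "2024-03-04T03:15:58 fw-line1 DENY src=10.20.1.11 dst=10.20.1.50 dport=502 proto=tcp",
]

def review_blocked(log_lines, baseline, allow):
    """Classify each blocked flow seen during the validation window."""
    findings = []
    for line in log_lines:
        m = DENY_LOG.search(line)
        if not m:
            continue
        rel = (m.group(1), m.group(2), int(m.group(3)), m.group(4))
        if rel in allow:
            findings.append(("RULE_GAP", rel))        # in policy yet blocked: rule misconfigured
        elif rel in baseline:
            findings.append(("MISSED_LOW_FREQ", rel)) # seen in baseline but under-weighted: restore
        else:
            findings.append(("UNKNOWN", rel))         # never seen in baseline: investigate first
    return findings
```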

05

The sustained security posture

Twelve months after the monitoring program began and eight months after the last facility completed its segmentation deployment, the group's OT security program is fully operational. The monitoring system generates alerts on any communication pattern that deviates from the baseline — new devices appearing on production networks, communications on unexpected ports, connections to external addresses that weren't in the baseline. The security operations team reviews OT alerts during business hours, with an on-call engineer available for critical-severity alerts outside business hours. In the eight months since the segmentation was completed, the program has detected and responded to nineteen security events: twelve cases of unauthorized devices connected to production networks (all confirmed as legitimate equipment that had been connected without following the change management process), four cases of anomalous communication patterns that were attributed to misconfigured equipment, two cases of contractor laptops connecting to production network segments they weren't authorized to access, and one case of a PLC attempting to communicate with an external IP address that was blocked by the segmentation controls and is under ongoing investigation.
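An added example, not code from the engagement, showing how the baseline views from section 02 (which devices talk to which, on which ports, and which external addresses appear) turn into the three alert types described here. The flow records, addresses and the list of prefixes treated as internal are constructed assumptions.

```python
import ipaddress

# Prefixes the plant treats as internal (assumption; the real list comes from the
# facility's network design). Avoids ipaddress.is_private, which also covers the
# documentation ranges used for the constructed external addresses below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

# Constructed flow records (src, dst, dst_port, proto) from the two-week
# observation period; not the case study's actual data.
BASELINE_FLOWS = [
    ("10.20.1.11", "10.20.1.50", 502, "tcp"),     # line-1 PLC -> historian (Modbus/TCP)
    ("10.20.1.12", "10.20.1.50", 502, "tcp"),     # line-2 PLC -> historian
    ("10.20.9.5", "10.20.1.11", 44818, "tcp"),    # engineering workstation -> PLC (EtherNet/IP)
    ("10.20.1.50", "10.30.0.8", 1433, "tcp"),     # historian -> enterprise DB through the DMZ
    ("10.20.1.50", "198.51.100.20", 443, "tcp"),  # historian -> vendor support portal
]

def build_baseline(flows):
    """Summarise the observation period into the views alerting compares against:
    known internal devices, allowed relationships, and external peers already seen."""
    base = {"devices": set(), "relationships": set(), "external": set()}
    for src, dst, port, proto in flows:
        base["relationships"].add((src, dst, port, proto))
        for ip in (src, dst):
            (base["devices"] if is_internal(ip) else base["external"]).add(ip)
    return base

def evaluate(flow, base):
    """Return the sorted alert categories a single newly observed flow triggers."""
    src, dst, port, proto = flow
    cats = set()
    for ip in (src, dst):
        if is_internal(ip) and ip not in base["devices"]:
            cats.add("NEW_DEVICE")                 # equipment connected outside change management
        if not is_internal(ip) and ip not in base["external"]:
            cats.add("EXTERNAL_NOT_IN_BASELINE")   # e.g. a PLC reaching an outside mail server
    if (src, dst, port, proto) not in base["relationships"]:
        pair_known = any(r[:2] == (src, dst) for r in base["relationships"])
        cats.add("UNEXPECTED_PORT" if pair_known else "NEW_RELATIONSHIP")
    return sorted(cats)

def scan(flows, base):
    """Run a batch of observed flows and keep only those that raised an alert."""
    out = []
    for f in flows:
        cats = evaluate(f, base)
        if cats:
            out.append((f, cats))
    return out
```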
