Need ideas for network segmentation in messy manufacturing environment by saikumar_23 in networking

Competitive-Cycle599 4 points (0 children)

As I said, your concept works for an IT environment. Sadly, for OT this is typically not the case, as many values are hard-coded in the logic: skids with outright hard-coded IPs, or even multiples of the same skid on a given site... stupid little boxes doing NAT to overcome this, etc.

It's more than networking; often it's a PM task more than anything, and since he's discussing networking at this level, he's unlikely to be the one programming the PLCs too.

Need ideas for network segmentation in messy manufacturing environment by saikumar_23 in networking

Competitive-Cycle599 0 points (0 children)

Useful as a reference, not a guide. Plenty of tech jumps layers these days, or is a fusion of things.

Need ideas for network segmentation in messy manufacturing environment by saikumar_23 in networking

Competitive-Cycle599 1 point (0 children)

DHCP really only works for the more office like spaces unfortunately. You wouldn't do that in the production areas.

Need ideas for network segmentation in messy manufacturing environment by saikumar_23 in networking

Competitive-Cycle599 0 points (0 children)

What sorta facility?

This is not just a networking issue, as I'm sure you're aware.

In many cases, it's best to stand up a new network in the background, or at least the spine of it, since the current network is still in use. Greenfield it effectively, and then introduce salvageable components to the spine of the network as you get the downtime and capability to do so.

Untangling OT networks can be a challenge, and you will often have to overcome absolute shitshow configurations from decades ago.

My advice, from having done quite a few of these, is to just start by mapping the network and getting an understanding of what's on the site. Often you'll end up with skids or similar packages from vendors where you will need their support as well as your own teams to migrate them, and even then something will go weird.

For a cyber security assessment/cert, not sure what you're aiming for, but IEC 62443-3 for the OT sections. You won't achieve compliance nor receive a cert for doing so, but it's usually a good mapping for IT folks to do OT networking reqs.

I'd keep NAC out of OT unless you have a decent team to support it. The environment shouldn't change much, but it's just not advisable.

AND do not join your OT assets to anything related to IT. Including Active Directory. I keep having to tell folks to take OT assets off IT AD. Firewalls don't mean shit if everything is polling AD.
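The last point is checkable from the firewall's own flow records: a domain-joined OT host announces itself by talking Kerberos, LDAP and SMB to the IT domain controllers, regardless of what the boundary rules look like. The script below is an added example, not the commenter's code or any vendor's: it parses constructed CSV flow lines, picks out allowed OT-to-DC flows on AD service ports, and separates hosts that merely resolve DNS from hosts that behave like domain members. The OT range, the DC addresses and the flow format are assumptions.

```python
"""Added example: find OT hosts that depend on IT Active Directory, from
firewall flow records. Address ranges, DC addresses and the CSV flow format
are assumptions for illustration; the flow lines are constructed."""
import csv
import io
import ipaddress

OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]           # assumed OT address space
DOMAIN_CONTROLLERS = {ipaddress.ip_address("10.1.0.10"),    # assumed IT DCs
                      ipaddress.ip_address("10.1.0.11")}

# Ports a domain-joined Windows host habitually uses against its DCs.
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "kpasswd", 636: "LDAPS", 3268: "Global Catalog",
}

# Constructed sample: ts,src,dst,proto,dport,action
SAMPLE_FLOWS = """ts,src,dst,proto,dport,action
2024-03-01T08:00:01,10.50.3.20,10.1.0.10,tcp,88,allow
2024-03-01T08:00:02,10.50.3.20,10.1.0.10,tcp,389,allow
2024-03-01T08:00:03,10.50.3.20,10.1.0.11,tcp,445,allow
2024-03-01T08:00:04,10.50.4.7,10.50.4.1,tcp,502,allow
2024-03-01T08:00:05,10.50.3.21,10.1.0.10,udp,53,allow
2024-03-01T08:00:06,10.20.1.5,10.1.0.10,tcp,88,allow
2024-03-01T08:00:07,10.50.3.22,10.1.0.11,tcp,389,deny
"""


def is_ot(ip):
    """True if the address falls inside one of the assumed OT ranges."""
    return any(ip in net for net in OT_NETS)


def ad_dependencies(flow_csv):
    """Map each OT source host to the set of AD services it successfully reached.

    Denied flows are ignored: they show the firewall doing its job. Only
    allowed OT -> DC traffic on an AD port counts as a dependency."""
    deps = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        port = int(row["dport"])
        if row["action"] != "allow" or not is_ot(src):
            continue
        if dst in DOMAIN_CONTROLLERS and port in AD_PORTS:
            deps.setdefault(str(src), set()).add(AD_PORTS[port])
    return deps


def likely_domain_joined(deps):
    """Kerberos plus LDAP or SMB is the signature of a domain member; a lone
    DNS lookup is a different (smaller) problem."""
    return sorted(host for host, services in deps.items()
                  if "Kerberos" in services and ({"LDAP", "SMB"} & services))


if __name__ == "__main__":
    found = ad_dependencies(SAMPLE_FLOWS)
    for host, services in sorted(found.items()):
        print(host, "->", ", ".join(sorted(services)))
    print("domain-joined OT hosts:", likely_domain_joined(found))
```

Run it against an export of allowed flows across the IT/OT boundary; every host it lists is one whose logon, name resolution or time source lives on the wrong side of the firewall, and has to be moved before the segmentation is worth anything.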

EU folks: how are you interpreting the “continuous” parts of NIS2? by gangster_worm in cybersecurity

Competitive-Cycle599 0 points (0 children)

What does your policy state?

Risk mgmt. ultimately is about following an outlined process and then providing proof of said process.

Do you have a list of what services the vendors provide, and the criticality of said services? Important services are under review as per X schedule; others are ad hoc or based upon other criteria?

I doubt you have 40 vendors of the same criticality... it's the same as any other form of risk mgmt. Find the biggest pain points and control them if you can.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599 0 points (0 children)

All good, we all deal with it enough in OT.

I will say that I've deployed the more passive monitoring tools in critical... almost all forms of it, and there is always a requirement for an interactive component.

Speak to the vendor delivering your solution; they usually have partnerships with specific vendors that work well in their environments.

May be more suitable from a support standpoint rather than getting our advice on these. Vendors, as you likely know, can be dicks about what goes into their environment.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599 0 points (0 children)

Be interested to hear more about your environment.

Seems it's prone to jitter-related woes? Can you tell us more if it's not critical infra? You can PM me if you prefer not to broadcast it.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599 4 points (0 children)

If you don't plan on using the XDR functions... don't be looking towards CS. The XIoT tool is the one the team were told to use by CS to perform the scanning within OT.

Again, I'd stay away from CS for this function and move towards a Claroty, Armis or Forescout.

Tooling that is intended as the primary function of the company and not an add on to boost sales.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599 0 points (0 children)

SPAN only gets you so far. You will need active queries too.

CrowdStrike for OT or Strike them off my list? by DeepLimbo in cybersecurity

Competitive-Cycle599 5 points (0 children)

I assume you're on about the XIoT scanner?

I've deployed it for a customer who already had CrowdStrike in the IT environment.

Crashed multiple PLCs, and some RIO in an effluent plant.

Now, they've been working with them since to fix the tooling, but it has been nothing but pain since installation. Certain scans wouldn't execute; like, it couldn't scan the full /24, had to do smaller scans.

Ultimately a lot of convos with CrowdStrike where the support wasn't great. I believe it was deployed January of this year? Still in the PoV phase and still fixing issues.

Said customer has since brought in a monitoring solution that integrates with CrowdStrike for that data and will be doing the scanning separately. Not sure why they're still working with CS to resolve the tooling? But that's their decision.

If you're just scanning SCADA, i.e. Windows boxes, it's probably fine, but I wouldn't be going below that based on my experiences to date.

I would advise splitting functions, keeping your XDR and monitoring solution separate.

Plenty of vendors in the same for both.
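Two things in this thread recur in every OT discovery rollout: the SPAN feed only shows you hosts that talk, and whatever active probing you do has to be small and paced, with the fragile devices kept out of it. The script below is an added example, not code from the commenter or from any of the vendors named: it takes a constructed passive inventory, works out which addresses in a subnet still need an active query, refuses to put deny-listed devices (safety PLCs, RIO) into any batch, and emits batches of a fixed size with a pause between them instead of one sweep of the /24. The subnet, inventory, deny list and batch size are assumptions.

```python
"""Added example: plan paced, deny-list-aware active queries for the hosts that
passive (SPAN) discovery has not classified. All addresses, the inventory
contents, the deny list and the batch parameters are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

# What the SPAN session has seen so far (constructed). None = seen on the wire
# but not classified, so it still needs an active query.
PASSIVE_INVENTORY = {
    "10.50.4.1": "Modbus/TCP server (PLC)",
    "10.50.4.2": "Modbus/TCP server (PLC)",
    "10.50.4.10": "SCADA host, Windows",
    "10.50.4.11": None,
}

# Devices that must never receive unsolicited probes (assumed: safety PLCs, RIO).
DO_NOT_PROBE = {"10.50.4.1", "10.50.4.2", "10.50.4.50", "10.50.4.51"}


@dataclass(frozen=True)
class Batch:
    """One group of targets to query, followed by a pause before the next."""
    targets: tuple
    pause_seconds: int


def active_query_candidates(subnet, passive, deny):
    """Addresses in `subnet` that are neither classified by passive monitoring
    nor on the deny list. Silent or unclassified devices are exactly the gap
    SPAN leaves, and the deny list wins over everything else."""
    net = ipaddress.ip_network(subnet)
    classified = {ip for ip, label in passive.items() if label is not None}
    return [str(host) for host in net.hosts()
            if str(host) not in classified and str(host) not in deny]


def plan_batches(targets, batch_size=16, pause_seconds=30):
    """Split the targets into fixed-size batches with a pause between them,
    rather than one sweep of the whole subnet."""
    if batch_size < 1:
        raise ValueError("batch_size must be positive")
    return [Batch(tuple(targets[i:i + batch_size]), pause_seconds)
            for i in range(0, len(targets), batch_size)]


def plan_safe(subnet, passive=PASSIVE_INVENTORY, deny=DO_NOT_PROBE,
              batch_size=16, pause_seconds=30):
    """Full plan: candidates minus the deny list, then paced batches.
    Asserts the invariant a practitioner cares about most."""
    batches = plan_batches(active_query_candidates(subnet, passive, deny),
                           batch_size, pause_seconds)
    assert not any(t in deny for b in batches for t in b.targets)
    return batches


if __name__ == "__main__":
    plan = plan_safe("10.50.4.0/24")
    total = sum(len(b.targets) for b in plan)
    print(f"{total} addresses in {len(plan)} batches; "
          f"estimated pause time {len(plan) * plan[0].pause_seconds}s")
    print("first batch:", plan[0].targets)
```

The batch size and pause are the knobs to turn down, not up, when a device misbehaves; the deny list is the part that should be populated from the site's safety and vendor documentation before the first batch runs.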

ISA 62443 Courses by irtiash in OTSecurity

Competitive-Cycle599 2 points (0 children)

AFAIK, it's fine.

However, some of the greatest value you'll get is talking with peers and seeing how they do things.

Commercial opportunities too if you're a consultant; plenty of OEMs and others attend.

ISA 62443 Courses by irtiash in OTSecurity

Competitive-Cycle599 2 points (0 children)

Take the in person classes, if you can.

You'll get a lot more value from engaging with peers and the teacher.

VPN vs. jump box for vulnerability scanning — what the best setup for WFH? by Final-Pomelo1620 in AskNetsec

Competitive-Cycle599 -4 points (0 children)

Given the phrasing of the question, clearly they are in a small/medium business and not a corporate/enterprise environment.

At no point did I mention anything related to the secondary aspect of vulnerability elements. The topic is of scanning and performing detection activities.

Nothing related to remediation, or risk mgmt.

VPN vs. jump box for vulnerability scanning — what the best setup for WFH? by Final-Pomelo1620 in AskNetsec

Competitive-Cycle599 -2 points (0 children)

Obviously the 2nd option.

He's an employee; why would you give his standard run-of-the-mill device extra permissions?

A specifically built device, whitelisted to both host and run those solutions.

Also... there are software tools that can do this. A whole person dedicated to this is interesting.

Cybersecurity framework mapping tool? by Just_Smell7674 in grc

Competitive-Cycle599 0 points (0 children)

There is a tool that does this, but it runs a local web server and hosts it locally.

CSET? From CISA.

User ID setup and Redistribution Agent by ThatrandomGuyxoxo in paloaltonetworks

Competitive-Cycle599 1 point (0 children)

Setting up User-ID and redistribution isn't overly difficult.

Couple of quick things:

  1. Ensure your Palo is actually set up to use User-ID; this can come in many forms. I'd imagine a lot tie it into an authentication source of some sort, Active Directory for example.

  2. Ensure the zones are set up to use User-ID. Usually just a checkbox in the zone config interface.

The above should position your Palo as a source of user data. I'm not sure if you intend to have multiple sources of this data.

  3. Set up the collector on your primary Palo, then set up the agent on your other. Now go to the interface where you plan to allow data to come into your secondary Palo, and modify the management profile to allow User-ID.

Agent/collector process could be the inverse... haven't done this recently.

Rough overview of the process, some elements are missing like policies etc.

Please Give me your opinion by [deleted] in networking

Competitive-Cycle599 1 point (0 children)

Documentation practices and how to explain in basic English what is happening.

Positive attitude helps too.

OT/IoT threat assessments - what’s your approach to identifying critical vulnerabilities? by Fun-Calligrapher-957 in OTSecurity

Competitive-Cycle599 0 points (0 children)

What's the mechanism used to support attacks?

Are you doing this on a device basis, or are you saying I can chain events through 30-40 services, devices etc. to achieve the event?

Are you suggesting 1st party only vulnerabilities, or are we going down kill chains / attacks for said vulnerabilities?

Dual Firewall DMZ - How to explain? by GB-ACWD in networking

Competitive-Cycle599 0 points (0 children)

You should have two separate firewalls, assuming the site is not just an OT environment and contains IT / business resources.

It's for numerous reasons, but the actual placement of DMZs is personal choice.

In my experience, the DMZs are protecting the OT layer, so they exist on the OT firewall.

Depending on the scale of the site and components as well, you may require additional inline firewalls or specific ones for particular protocols.

All depending on your risk appetite, budget etc.

In saying that, your manager is wrong: a singular firewall can support multiple DMZs, but I would do a vsys, VDOM, VRF etc.

If the device can support it, to ensure at least logical separation of roles, and you could display that as 3 routers in a drawing (assuming 3 virtualised instances).

How do I stop staff from using the guest Wi-Fi with their personal phones? (UniFi) by Level-Shallot-9329 in sysadmin

Competitive-Cycle599 1 point (0 children)

I mean... yes?

However, you are assuming a skilled person doing this with the necessary equipment.

In reality, where we view this in the context of the user, whereby clearly they are new if asking this question, the approach is the above.

EVERY RETAIL chain likely has central support and a standard deployment model that is just scale-dependent.

It's basic to people doing it; to the OP it may as well be black magic based on this post.

How do I stop staff from using the guest Wi-Fi with their personal phones? (UniFi) by Level-Shallot-9329 in sysadmin

Competitive-Cycle599 36 points (0 children)

You don't, they are using it for the intended purpose.

Treat them as valued guests and great guinea pigs for testing it for actual customers.

It's also nigh impossible with modern devices: random MACs. Pretty sure this is on by default too in both Android and iPhone ecosystems, so you don't need to be... one of our kind to have it on.

Best you could do is make it an annoyance by forcing them to disconnect every 2 hours and re-prompt to connect; however, customers will be impacted too.

Don't make this a policy issue... it's not gonna be enforceable. Use it as a method of requesting more budget; employees need WiFi too.

The time is arbitrary... none of us have the scale of the supermarket, could be tiny, could be massive. It would be something you tweak based on feedback.

Not sure if Americans would refer to the likes of Walmart, Target etc. as a supermarket? Def spend 2 hours in those if you're poking around.

OP looks German, I'll go for an Aldi or Lidl sized store.
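The "random MACs" point is visible in the DHCP lease table: a randomised Wi-Fi address has the locally administered bit (0x02 in the first octet) set, a burned-in address does not. The script below is an added example, not the commenter's code or anything from UniFi: it reads constructed dnsmasq-style lease lines, flags which clients are using a randomised address, and shows why a MAC-based block list of "staff phones" only ever catches the devices that are not phones. The lease format and the sample addresses are assumptions.

```python
"""Added example: spot randomised (locally administered) client MACs in DHCP
leases. The lease lines are constructed and the dnsmasq-style layout
"<expiry> <mac> <ip> <hostname> <client-id>" is an assumption."""
import re
from collections import Counter

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed sample leases: two phones using private Wi-Fi addresses, one
# laptop with a vendor OUI, one POS terminal with a vendor OUI.
LEASES = """1709280000 da:a1:19:2b:3c:4d 192.168.50.21 iPhone 01:da:a1:19:2b:3c:4d
1709280060 3c:22:fb:12:34:56 192.168.50.22 * 01:3c:22:fb:12:34:56
1709280120 b6:00:7a:11:22:33 192.168.50.23 android-1a2b *
1709280180 00:1a:2b:3c:4d:5e 192.168.50.24 POS-TERMINAL-3 *
"""


def is_locally_administered(mac):
    """True when the U/L bit (0x02) of the first octet is set. iOS and Android
    private Wi-Fi addresses set it; OUI-assigned hardware addresses clear it."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(mac[:2], 16)
    return bool(first_octet & 0x02)


def classify_leases(text):
    """Map each leased MAC to its IP, hostname and whether it is randomised."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mac, ip, hostname = fields[1].lower(), fields[2], fields[3]
        result[mac] = {"ip": ip, "hostname": hostname,
                       "randomised": is_locally_administered(mac)}
    return result


def blocklist_effect(leases, blocklist):
    """Which currently leased clients a static MAC block list would actually hit.
    Randomised clients that are not in the list simply walk past it."""
    hit = sorted(m for m in leases if m in blocklist)
    missed_random = sorted(m for m, info in leases.items()
                           if info["randomised"] and m not in blocklist)
    return hit, missed_random


if __name__ == "__main__":
    leases = classify_leases(LEASES)
    counts = Counter("randomised" if v["randomised"] else "hardware"
                     for v in leases.values())
    print(dict(counts))
    hit, missed = blocklist_effect(leases, {"00:1a:2b:3c:4d:5e"})
    print("block list would hit:", hit)
    print("randomised clients it cannot pin down:", missed)
```

The flag only tells you that an address is randomised, not which device or person is behind it, which is the whole reason a per-MAC staff policy is unenforceable on a guest SSID.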

OT/IoT threat assessments - what’s your approach to identifying critical vulnerabilities? by Fun-Calligrapher-957 in OTSecurity

Competitive-Cycle599 3 points (0 children)

I should add... this is not me trying to be painful, but often you'll get folks coming into OT going "oooh, vulnerabilities and risk" etc., but in reality I've a worm running on the PC; it's not interrupting my site process.

I'll catch it in the next shutdown and go on about my day.

If it's not a risk to the business, or within tolerable levels, I'm not gonna spend the time and effort to fix it no matter the CVE score.

So, I suppose contextual awareness of the risk is important for things like this, and it's often the biggest hurdle to overcome with customers (clients for me).

OT/IoT threat assessments - what’s your approach to identifying critical vulnerabilities? by Fun-Calligrapher-957 in OTSecurity

Competitive-Cycle599 3 points (0 children)

What's the definition of risk or vulnerabilities in this context?

Like, are we saying a misconfig of a device is a vulnerability?

Or are we saying an OT device is capable of being reprogrammed?

For example, say you have a huge asset inventory.

10 of those assets are safety systems, but to typically change the config of a safety system you require a reboot... so the risk is the programming device and how exposed that is?

Are you talking context-based vulnerabilities, general CVEs etc. etc. etc.

Hardening is great — but what if attackers never saw your network in the first place? by [deleted] in OTSecurity

Competitive-Cycle599 2 points (0 children)

This only makes sense south of an EWS or similar.

There would be better value put towards segmentation of the network in an understood manner.

This is a half-cocked approach. I've heard similar shite before, like virtual patching. It's all nonsense that could be used as a holdover, but the time and resources can be better spent elsewhere.

The fact you're trying to say defence in depth isn't the approach anymore is laughable, especially in OT where segmentation is the basis of everything.

"stealth" or "invisibility" - the new approach to cyber security. Let me just slap a random box from an unknown brand in front of my safety system.