IT/OT network segmentation: how manufacturers contain ransomware without killing production
by Katrina Taylor on Apr 10, 2026 10:15:37 AM
The phone rings at 2:47 AM. Ransomware has detonated across your corporate email servers and is moving fast through the administrative network. You're running three active lines, including a plasma line for life-saving medication, each one representing roughly $1.2 million in biological material that can't be paused or restarted. Your security team wants to shut everything down. Your production lead says that killing the OT network will destroy all three batches and push shipments back six weeks.
You shouldn't have to choose between cybersecurity and production continuity. And with the right IT/OT network segmentation in place, you don't.
- $17 billion in downtime costs across 858 manufacturing ransomware incidents since 2018 (Infosecurity Magazine)
- $1.9 million average daily cost of manufacturing downtime (Infosecurity Magazine)
- 71.4% faster mean time to contain breaches with mature microsegmentation (European Journal of Computer Science and Information Technology, 2025)
- Network segmentation is one of 12 key controls insurers evaluate during underwriting (Marsh McLennan)
When ransomware hits IT, why does manufacturing shut down everything?
I have this conversation every week with manufacturing leaders. The pattern is always the same: ransomware hits corporate IT, nobody knows exactly what's compromised, and leadership makes the only call that feels safe. Shut it all down.
The problem is that the shutdown almost always costs more than the attack itself.
Colonial Pipeline is the textbook case. In May 2021, DarkSide ransomware compromised their IT billing systems. The pipeline's OT network was never breached. But leadership couldn't verify that the OT environment was clean because there was no enforced boundary between the two networks. So they shut down 5,500 miles of pipeline for six days and paid a $4.4 million ransom. Merck's experience with NotPetya tells a similar story at an even larger scale: $1.4 billion in total impact because a flat network let malware move from IT to manufacturing without resistance.
The reason this keeps happening is architectural. Most manufacturing networks grew organically over decades. Corporate email, ERP, SCADA servers, and PLCs often share the same flat network or connect through aging firewall rules nobody fully understands. When everything can talk to everything, a total shutdown isn't an overreaction. It's the only responsible option.
Since 2018, ransomware has cost the manufacturing sector an estimated $17 billion in downtime across 858 documented incidents. At $1.9 million per day, a single event costs a mid-size manufacturer somewhere between $15 million and $22 million before you factor in ransom payments, remediation, or customer penalties.
Selective containment: the alternative to the kill switch
I sat with a CISO and CIO last quarter who told me their biggest fear was that ransomware would hit, and their own team's response would be to pull the plug on everything, including production lines worth millions per hour. Until now, that has been the only option available to them, and the recommended one. They wanted a better option.
IT/OT network segmentation gives manufacturers exactly that: a third option between "do nothing" and "shut everything down." When hard boundaries exist between corporate IT and production OT, ransomware that detonates on a laptop in accounting has no network path to reach the SCADA system managing your production line. Your security team contains the IT compromise while production keeps running.
The most effective approach is identity-based segmentation, where policies follow devices based on what they are and what they're authorized to do, not which VLAN they sit on. A PLC should only communicate with its designated historian server and engineering workstation regardless of physical location. This aligns with CISA's zero trust guidance: contain at the IT/OT boundary, terminate suspicious cross-boundary sessions, and leave production control networks untouched during an IT incident.
Research published in the European Journal of Computer Science and Information Technology found that organizations with mature microsegmentation achieve a 71.4% improvement in mean time to contain breaches. In dollar terms, that's the difference between a two-day IT containment and a two-week total shutdown.
Not all systems carry the same risk
The conversation I hear most often starts with a CISO or CIO telling plant managers they need to institute security controls on the production floor. The plant managers push back: "You can't touch our systems without risking production." And historically, they've been right. Traditional security tools required agents on endpoints, network redesigns, or production downtime to implement. That's been impossible to justify until now.
If your corporate office goes offline for 48 hours, it's disruptive but recoverable. Delayed emails, ERP downtime, some late invoices. If your plasma production line for life-saving medication goes offline for 48 hours, you've destroyed millions in biological material that took weeks to collect. Patients waiting on those therapies face delays. Your production schedule slips by a month or more.
Segmentation policies should reflect this criticality hierarchy. Your most valuable production processes deserve the strongest isolation. Corporate IT can tolerate containment actions that would be catastrophic if applied to active production systems. This isn't just a security decision. It's a financial triage decision that should involve your CFO as much as your CISO.
IT/OT network segmentation policies for manufacturing
The following table shows what practical IT/OT network segmentation policies look like for a manufacturing environment. These are the kinds of rules that create enforced boundaries between corporate IT and production OT. For additional examples, see these segmentation control examples.
| Scope | Policy name | Policy rule | What it protects | Threat scenario prevented |
|---|---|---|---|---|
| Global | IT-to-OT boundary enforcement | All corporate IT devices blocked from communicating with OT manufacturing controllers. Only authorized engineering workstations with verified identity can cross the boundary. | Entire manufacturing operation | Ransomware spreading from corporate email to production floor |
| Global | Manufacturing SCADA protection | SCADA systems and industrial controllers communicate only with designated historian servers and engineering workstations. Corporate IT network access blocked in both directions. | Production line continuity, quality control | Corporate ransomware compromising production oversight |
| Local | Lab analyzer isolation | Laboratory analyzers connect only to their designated LIMS server. All other network traffic denied. | Lab test integrity, processing accuracy | Ransomware encrypting analyzer firmware or corrupting results |
| Local | Plasma production line isolation | Plasma line controllers and monitoring systems communicate only with approved quality control servers. No corporate IT, internet, or guest network access. | Millions in biological material, patient treatment timelines | Ransomware destroying active production batches |
| Distributed | Remote access containment | Third-party vendor remote access confined to the specific OT device being serviced. No lateral movement to other OT or IT systems. | All connected systems during maintenance windows | Compromised vendor credentials becoming network-wide attack vector |
| Global | Emergency quarantine | When ransomware indicator confirmed on corporate IT, dynamically restrict all IT-to-OT communication to emergency-only channels while maintaining full OT-to-OT operational traffic. | OT operational continuity during active incident | Fear-based total shutdown of production |
| Local | Environmental monitoring isolation | Building management systems (HVAC, fire suppression, environmental sensors) segmented from both corporate IT and production OT networks. | Production environment integrity | Compromised BMS becoming bridge to production floor |
| Distributed | Supply chain partner segmentation | Supplier and logistics system connections restricted to specific data exchange endpoints. No access to production control networks. | Production independence from supply chain compromise | Toyota/Kojima-style cascade shutdown |
These policies work together as layers. The global IT-to-OT boundary is your primary defense. Local policies protect individual high-value systems even if that boundary were breached. Distributed policies handle vendor access and supply chain connections by confining them to the narrowest possible path.
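As an added illustration (not Elisity's code, nor the policy syntax of any particular product), the following Python models the table's global, local and distributed rules as a small default-deny policy engine and evaluates individual flows, including the emergency quarantine mode from the table and the identity-based rule described earlier (a PLC talks only to its historian and engineering workstation, regardless of VLAN). Device names, roles and zone labels are constructed for the example.

```python
# Added example: evaluate flows against identity-based IT/OT segmentation
# rules modelled on the policy table. Roles/zones are illustrative assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Device:
    name: str
    role: str                # corp-it, ews, plc, scada, historian, analyzer, lims, ...
    zone: str                # "it", or an OT-side zone: ot, lab, plasma, bms, dmz, external
    verified: bool = False   # identity verified (e.g. certificate-backed); needed to cross IT->OT

# Local/distributed policies from the table as role pairs (symmetric). Default deny.
PAIRS = {
    ("plc", "historian"), ("plc", "ews"), ("scada", "historian"), ("scada", "ews"),
    ("analyzer", "lims"), ("plasma-ctrl", "qc-server"), ("supplier", "dx-endpoint"),
}
ALLOWED_PAIRS = PAIRS | {(b, a) for a, b in PAIRS}

def evaluate(src: Device, dst: Device, quarantine: bool = False,
             vendor_target: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, name of the policy that decided) for a single flow."""
    # Global: the IT<->OT boundary. Under quarantine nothing crosses; otherwise only
    # a verified engineering workstation may, and then only where local rules permit.
    if (src.zone == "it") != (dst.zone == "it"):
        if quarantine:
            return False, "Emergency quarantine"
        if not (src.role == "ews" and src.verified):
            return False, "IT-to-OT boundary enforcement"
    # Distributed: a vendor session is confined to the one device being serviced.
    if src.role == "vendor":
        ok = vendor_target is not None and dst.name == vendor_target
        return ok, "Remote access containment"
    # Local: building management talks to nothing outside its own zone.
    if "bms" in (src.zone, dst.zone) and src.zone != dst.zone:
        return False, "Environmental monitoring isolation"
    # Traffic that stays inside corporate IT is outside the OT policy's scope.
    if src.zone == "it" and dst.zone == "it":
        return True, "IT internal (not OT-scoped)"
    # Local: SCADA, lab, plasma and supplier rules as role pairs; everything else denied.
    if (src.role, dst.role) in ALLOWED_PAIRS:
        return True, "Local role-pair policy"
    return False, "Default deny"

# Constructed sample inventory (hypothetical names).
LAPTOP = Device("acct-laptop-07", "corp-it", "it")
EWS = Device("ews-line1", "ews", "it", verified=True)
PLC = Device("plc-line1", "plc", "ot")
HIST = Device("historian-1", "historian", "ot")
```

Note that OT-to-OT flows (PLC to historian) still evaluate to allowed while quarantine is on, which is the "keep production running" property the Emergency quarantine row describes.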
The insurance conversation and what finally gets segmentation funded
What finally moves the conversation from "we should do this" to "we're doing this" is usually the insurance number. Cyber insurance underwriters have gotten dramatically more sophisticated since the Merck/NotPetya litigation. They now assess your actual security architecture, not just your policies and procedures. Marsh McLennan identifies network segmentation as one of 12 key controls insurers evaluate during underwriting. And according to a Dragos and Marsh McLennan joint analysis of a decade of insurance claims data, defensible architecture that includes segmentation delivers a 17% reduction in financial risk from cyber incidents.
The impact is material. Manufacturers with proven microsegmentation between IT and OT are seeing premium reductions of 15% to 25%. For a manufacturer paying $2.4 million annually, that's up to $600,000 back in the operating budget every year. Your CFO doesn't need to understand NIST frameworks to understand that number. Meanwhile, Aon's 2025 analysis found that 36.65% of industrial clients were flagged for insufficient OT segmentation during underwriting, meaning those organizations are paying more and facing coverage gaps.
But insurance is only half of what I see move the needle. The other half is cross-team trust. If you've spent time in manufacturing environments, you know the tension between IT security and OT operations isn't cultural. It's rational. OT teams have watched IT-driven security initiatives break production systems. They've seen agents crash PLCs. Their resistance comes from experience.
During a recent proof-of-value engagement, the OT team, after initial skepticism, ended up driving the initiative and pushing the IT site leaders to implement the solution faster than anyone had thought possible. It took a few technical conversations and two site visits for everyone in the room to be asking "Can we add more policies?" and "How do we make this go faster?" What changed? They saw segmentation policies enforced at the network layer, using existing switches, without agents on any production equipment. Nothing runs on their controllers. Nothing changes on their PLCs. Once they saw that their systems were protected without being touched, the resistance disappeared.
That joint policy design process, where IT, OT, and security teams sit together to define segmentation zones following the IEC 62443 framework, builds something technology alone can't provide: a shared understanding of what's critical, what's connected, and who's responsible when something goes wrong.
Making the case and making the call
In every proof-of-value engagement I've run with manufacturing clients, there's a moment when the conversation changes. It happens when we show a real-time map of what their devices are actually doing on the network. They see IT traffic reaching OT systems that were supposed to be isolated. And they realize the flat network they've been running on isn't going to protect them when ransomware arrives.
You have options today that didn't exist three years ago. Modern identity-based segmentation deploys on existing switching infrastructure, often without agents on production equipment, and typically in weeks rather than months.
The question isn't whether ransomware will target your manufacturing operation. It's whether your response will require shutting down production or simply containing the IT compromise while your lines keep running. That's the choice segmentation gives you.
Further reading
- Network segmentation control and policy examples
- The executive's guide to breach containment and incident response
- Microsegmentation budget planning and ROI guide
Katrina Taylor is Director of Sales, Southeast at Elisity, where she works with CIOs, CISOs, Security Architects, and Network leaders across healthcare, manufacturing, and enterprise organizations to close attack surface gaps and implement Zero Trust microsegmentation. With over 10 years of cybersecurity and technology sales experience spanning Imperva, Twilio, OneLogin, and Cisco, Katrina brings a practitioner's understanding of the security challenges facing today's complex IT, IoT, OT, and IoMT environments. Her career has been defined by a passion for problem-solving and collaboration, helping customers identify pain points and drive measurable security outcomes. Katrina got her start in technology sales through a Cisco VAR, where she completed the rigorous three-month Cisco Partner Sales Academy program, building a strong foundation in networking and security. She holds advanced certifications in security architecture, is an active member of Women in Sales, and serves on Georgia HIMSS committees, reflecting her deep commitment to advancing cybersecurity in healthcare. She is based in Atlanta, Georgia.