Understanding the OT/IT convergence challenge
OT – operational technology – is the hardware and software that detects or causes changes in physical processes. In a manufacturing context that means PLCs (Programmable Logic Controllers) managing machinery sequences, SCADA (Supervisory Control and Data Acquisition) systems monitoring and controlling plant-wide operations, HMIs (Human-Machine Interfaces) on the shop floor, industrial robots, AGVs (Automated Guided Vehicles) moving materials between stations, and CNC machines executing precise cutting or forming operations.
For decades, OT and IT lived in parallel worlds with no connection between them. The OT network was air-gapped – physically isolated – by design. Then came the pressure to connect production data to ERP systems, to enable remote monitoring, to feed real-time output data into supply chain systems. The air gap closed, and the security model that depended on it became untenable.
The result is that most modern manufacturing facilities are now running hybrid OT/IT networks – often without a coherent design for how those two worlds should interact. That's where problems arise.
What OT network requirements look like
The fundamental difference between IT and OT networks comes down to priorities. IT networks follow the CIA triad: confidentiality first, then integrity, then availability. You can take a server offline for patching, tolerate a few seconds of latency on a file transfer and recover from a breach without physical consequences.
OT networks invert those priorities: availability comes first, then integrity, then confidentiality. A SCADA system going offline doesn't just lose data – it can stop a production line, damage equipment or create a safety hazard. A PLC that controls a conveyor belt doesn't get patched mid-shift. Latency that would be imperceptible on an office network can cause a robot arm to miss its timing window.
This priority inversion has design consequences at every layer. Equipment lifecycles in OT environments run to 10–20 years rather than the 3–5 year refresh cycles typical in IT. Systems run legacy operating systems that can't be updated without re-certification. Redundancy and uptime requirements are more demanding than most corporate IT infrastructure.
Network segmentation: the foundation of OT/IT design
The established reference architecture for OT/IT network design is the Purdue Model, codified in ISA-99 and now underpinning the IEC 62443 international standard for industrial cybersecurity. It defines five levels from field devices at the bottom to enterprise IT at the top, with clear boundaries between them.
Level 0 is the physical process – sensors, actuators, motors. Level 1 is the basic control layer: PLCs and local controllers. Level 2 is supervisory control: SCADA, HMIs and DCS (Distributed Control Systems). Level 3 is the site operations layer: production scheduling, historian servers, batch management. Level 4 and above is the enterprise IT network – ERP, email, corporate systems.
The critical principle is that OT systems should never be directly accessible from the IT network or the internet. Where the two need to communicate – and they do, for production data, MES integration and remote access – that communication passes through a DMZ (demilitarised zone) containing carefully controlled intermediary systems. Data flows in defined directions; connections are not open-ended.
In practice, implementing this correctly requires purpose-built industrial network switches, proper VLAN design and firewall rules that understand OT protocol behaviour. The segmentation has to be maintained physically as well as logically – shared network hardware between OT and IT zones undermines the entire model.
Industrial protocols: Modbus, PROFINET, EtherNet/IP
OT networks don't run standard IT protocols. The industrial protocols that dominate manufacturing environments were designed for reliability and determinism, not security – and they were designed for isolated networks where the assumption of a trusted environment was safe.
Modbus TCP is the oldest and simplest. It's widely used for legacy equipment and for straightforward sensor-to-controller communication. It has essentially no authentication – any device that can reach a Modbus-speaking PLC can send it commands. That's fine on an isolated OT network; it's a significant vulnerability if that network is improperly connected to anything else.
PROFINET is the protocol of choice in Siemens-dominated environments and is common across European manufacturing. It's more capable than Modbus, supports real-time communication for motion control, and integrates tightly with Siemens TIA Portal and S7 controller families. EtherNet/IP is the equivalent in Rockwell/Allen-Bradley environments, which dominate US-origin plant and are common in UK facilities with American parent companies.
The practical consequence for network design is that these protocols assume trusted networks. Security has to be enforced at the network boundary – through segmentation and firewalling – rather than at the protocol layer. You can't rely on the PLC to authenticate the source of commands it receives.
Wireless in manufacturing environments
Adding wireless to a manufacturing environment is considerably more involved than deploying Wi-Fi in an office. Steel structures attenuate signals. Variable RF interference from motors, inverters and welding equipment affects channel conditions unpredictably. AGVs and mobile robots need consistent coverage across large floor areas with very low latency – a roaming delay that's invisible on a laptop becomes a positioning error on an autonomous vehicle.
Wi-Fi 7 (802.11be) improves the picture significantly: multi-link operation allows simultaneous transmission across bands, which improves reliability in high-interference environments, and the lower-latency HARQ retransmission mechanism matters for time-sensitive applications. We cover this in more detail in our article on Wi-Fi 7 for manufacturing and logistics.
For very large facilities – distribution centres, vehicle plants, large-scale food production – a DAS (Distributed Antenna System) may be more appropriate than a conventional access point deployment. DAS distributes the radio signal from a centralised source through a network of small antennas, giving more consistent coverage without the dead spots and overlap zones that come with dense AP installations in complex RF environments.
OT wireless networks should sit on their own SSID and VLAN, segregated from any corporate Wi-Fi. The same segmentation principles that apply to wired OT networks apply here.
Firewall and security architecture for OT/IT networks
A standard corporate firewall isn't designed for OT environments. Industrial firewalls need to understand OT protocols – they need deep packet inspection for Modbus, PROFINET and EtherNet/IP to enforce rules at the command level, not just at the IP/port level. Without that, you can block the wrong traffic, allow the wrong commands, or miss anomalous behaviour entirely.
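The two points above (Modbus TCP carries no authentication, so the boundary has to enforce rules at the command level rather than at IP/port level) can be made concrete with a small zone-aware filter. This is an added illustration, not Route B's code or any product's implementation: it parses the Modbus TCP MBAP header, classifies the function code as a read or a write, and applies a per-zone conduit policy. The subnets, zone names and sample frames are constructed for the demo.

```python
import ipaddress
import struct
# Modbus function codes grouped by effect on the PLC (standard public code assignments).
WRITE_CODES = {5, 6, 15, 16, 22, 23}   # change coils or registers
READ_CODES = {1, 2, 3, 4, 7, 17, 43}    # read state or device identification
# Constructed zone map (assumed subnets) keyed to Purdue levels, and the conduit policy for
# Modbus heading to Level 1 PLCs: SCADA reads and writes, the DMZ historian reads, IT gets nothing.
ZONES = {
    ipaddress.ip_network("10.2.0.0/24"): "L2_SCADA",
    ipaddress.ip_network("10.3.0.0/24"): "DMZ_HISTORIAN",
    ipaddress.ip_network("10.4.0.0/16"): "L4_ENTERPRISE",
}
POLICY = {"L2_SCADA": {"read", "write"}, "DMZ_HISTORIAN": {"read"}, "L4_ENTERPRISE": set()}

def parse_modbus_tcp(frame: bytes) -> tuple[int, int]:
    """Validate the 7-byte MBAP header and return (unit_id, function_code)."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:   # length field counts unit id plus PDU
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7]

def zone_of(src_ip: str) -> str:
    addr = ipaddress.ip_address(src_ip)
    return next((z for net, z in ZONES.items() if addr in net), "UNKNOWN")

def decide(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Command-level verdict (ALLOW or DROP) with a reason; malformed frames are dropped."""
    try:
        unit, fc = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DROP", f"malformed frame: {exc}"
    zone = zone_of(src_ip)
    kind = "write" if fc in WRITE_CODES else "read" if fc in READ_CODES else "other"
    if kind in POLICY.get(zone, set()):
        return "ALLOW", f"{zone} may {kind} unit {unit} (fc {fc})"
    return "DROP", f"{zone} may not {kind} unit {unit} (fc {fc})"
# Constructed sample frames, all for PLC unit 1: MBAP header (tid, proto 0, length, unit) then PDU.
SAMPLES = [
    ("10.3.0.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # historian: read 10 holding regs
    ("10.2.0.5",  bytes.fromhex("0002 0000 0006 01 06 0028 0001")),  # SCADA: write single register
    ("10.4.12.7", bytes.fromhex("0003 0000 0006 01 06 0028 0000")),  # enterprise host: same write
    ("10.2.0.5",  bytes.fromhex("0004 0000 0009 01 06 0028 0001")),  # SCADA, but MBAP length is wrong
]
def audit(samples=SAMPLES) -> list[str]:
    """Run the policy over captured frames and return the verdict for each."""
    return [decide(src, frame)[0] for src, frame in samples]
```

A port-level rule would have passed the enterprise host's write and the historian's reads identically; the function-code check is what separates them.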
For the most sensitive OT systems – safety systems, critical process control – a unidirectional security gateway (often called a data diode) enforces one-way data flow at the hardware level. Data can leave the OT network (process historian data flowing to the enterprise layer, for instance) but nothing can flow back. You can't patch a hardware diode in software; the physical design makes bidirectional communication impossible.
Patch management is one of the most practically difficult areas of OT security. You can't apply patches to a PLC or SCADA system the way you can to an office laptop. Systems may require vendor re-certification after updates. Production schedules may mean there's only a narrow maintenance window each year. The response is a defence-in-depth approach: strict segmentation means a compromised IT system can't directly reach OT; network monitoring detects anomalous traffic patterns that might indicate compromise; and where patches can be applied, they're applied systematically during planned maintenance windows.
IEC 62443 is the international standard that governs industrial cybersecurity across this whole domain. It's increasingly referenced in OEM contracts, cited by insurers assessing manufacturing facilities, and used as a framework for security assessments. Designing to IEC 62443 principles from the start is considerably easier than retrofitting to them later.
Redundancy and availability requirements
On a production floor, a single switch failure shouldn't stop a line. The network architecture needs to reflect that. Ring topologies – where each switch connects to two others, forming a loop – provide path redundancy so that a break in any single link doesn't isolate a segment. Rapid Spanning Tree Protocol (RSTP) or its industrial equivalent (PROFINET MRP – Media Redundancy Protocol) handles failover, typically in under 200ms in ring configurations for both RSTP and MRP.
For the most critical systems, dual-homed connections – where a device connects to two separate switches via separate paths – provide hardware-level redundancy. Power supplies to switches and other active network equipment should come from separate circuits. UPS protection on network infrastructure is standard practice.
The specific redundancy requirements depend on the production process. A continuous process plant (chemicals, food and drink, paper) has different availability requirements to a discrete manufacturing operation where a line can be stopped and restarted. These requirements should drive the design, not be bolted on afterwards.
Designing for the modern manufacturing floor
The facilities that get this right don't treat OT and IT as two separate network projects that happen to coexist. They design the whole thing as an integrated system from the start, with clear ownership of each zone, defined data flows between them and security architecture that reflects the actual risk profile of the operation.
That means involving the right people early. OT engineers understand the production systems; IT teams understand the enterprise infrastructure; network designers need to bridge both. The decisions made at design stage – protocol choices, VLAN structure, segmentation boundaries, redundancy topology – are very difficult and expensive to change once cable is in the ground and equipment is running.
It also means being realistic about what connectivity buys you. Connecting OT systems to the enterprise network to feed production data into an ERP is valuable. Doing it without the proper segmentation and monitoring infrastructure creates exposure that may not become apparent until something goes wrong – and in a manufacturing context, something going wrong has consequences well beyond a data breach.
Route B designs and installs network infrastructure for manufacturing and industrial facilities. Get in touch to discuss your project.