An IT manager checks server cabling in a Pune server room, a white pedestal fan pointed at the rack.

OT network segmentation before the next phishing email: one Aurangabad plant’s month

By Priya Sharma, Compliance Lead, Data Loss Prevention practice, Sirius Star Enterprise Technologies.

06:52 on a Tuesday. Ravi messaged before the morning shift handover. He runs IT and, by accident of who was available in 2017, also the plant network for an auto-components maker near Aurangabad. About 700 people across two sheds. His message was four words. “We got a click.”

An accounts clerk had opened an invoice that was not an invoice. The endpoint tool quarantined the laptop fast, so the office side was contained inside the hour. That was the good news. Then Ravi asked the question that kept him up. “Could that thing have reached the line?” He already knew the answer. The PLCs, the SCADA boxes, the MES server and the front-office laptops all sat on the same flat network. One subnet. No wall.

The network nobody had drawn

This is the normal state of a mid-market Indian manufacturing plant. The shop floor got connected one machine at a time. A new CNC cell needed an IP, so somebody handed it one from the office range. The SCADA HMI needed to talk to the MES server, so they let it. Year after year, the production network and the business network melted into one thing because keeping them apart took planning nobody had time for.

When we mapped it, the picture was plain. A welding line PLC could be pinged from the reception desk. The MES database that held part traceability and operator shift records answered to any laptop in the building. That is the jhamela Ravi inherited. Not sabotage. Just years of “make it work by Friday” with no one drawing the line between the office and the machines.

₹250 Cr is the statutory penalty cap under the DPDP Act 2023 (source: MeitY, DPDP Act 2023, section 33). The MES held operator names, shift logs and biometric attendance. A flat network reachable from a phished laptop is exactly the finding that starts that clock. A stopped line, for this plant, runs near 4 lakh rupees an hour.

Book a free OT network review
200+ Indian businesses. Written quote within 8 working hours.

Why OT network segmentation is a paperwork win first

Here is the part plant owners get wrong. They think OT network segmentation is about buying a firewall and feeling safer. It is, eventually. But the first thing it buys you is a drawing. A real one. Which device sits in which zone, what is allowed to cross, and who signed off.

So we did the unglamorous step before any hardware moved. We grouped the plant the way the IEC 62443 standard asks you to, into zones and conduits. The welding cell is a zone. The packing line is a zone. The MES and historian sit in a supervisory zone. A conduit is the only sanctioned path between two zones, and every conduit gets a rule you can defend to an auditor. The office stays its own world.

None of this needs a forklift. Hirschmann managed switches let you carve the existing wiring into VLANs and enforce the boundaries in place. We lead with them for plant floors because the hardware is built for the environment, rated for heat and vibration and grime, with ring redundancy so a single cut cable does not drop a line. The kit and the approach are described on our Hirschmann industrial networking page, and our own team does the work.

Inside two weeks Ravi had something he had never owned. A map of his own plant on paper, with the cross-zone rules written down. Not a hardened network yet. Just the diagram and the rule list. Sometimes the diagram is the whole win. Finally, something he could hand the auditor.

The amber cable I read wrong

I want to be honest about a mistake, because the mistake is the lesson. During the survey we found a maintenance laptop in the tool room with two network cables. One to the office switch, one to a panel on the packing line. I assumed it was a temporary rig somebody forgot to unplug after a job. The kind of thing you note and move past.

It was not temporary. That laptop had been a permanent bridge for three years. The maintenance vendor used it to pull machine logs without walking to each panel, and to do that they had quietly wired a path straight from the office network to the line. Every patch we were planning at the firewall, that one laptop went around. Arre. I had read a stray cable as housekeeping. It was the busiest door in the building.

We have seen this pattern in plant after plant. The breach is rarely the clever attack. It is the convenience somebody set up years ago and everybody stopped seeing.
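To make the zone-and-conduit drawing from the segmentation section, and the dual-homed laptop from this one, concrete: the script below is an added example (not the plant's or Sirius Star's own tooling). It models zones as subnets, conduits as signed-off rules, checks whether a given flow is sanctioned, and hunts an inventory for hosts with interfaces in two zones. Zone addressing, conduit rules and the host inventory are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Zones as VLANs. Addressing is constructed for this example, not the plant's real plan.
ZONES = {
    "office": ip_network("10.10.0.0/16"),
    "welding": ip_network("10.20.1.0/24"),
    "packing": ip_network("10.20.2.0/24"),
    "supervisory": ip_network("10.20.10.0/24"),  # MES and historian
    "vendor": ip_network("10.20.99.0/29"),       # maintenance vendor's one logged path
}
# Conduits: the only sanctioned cross-zone paths, one rule each, plus who
# signed it off. Key: (source zone, destination zone, protocol, dest port).
CONDUITS = {
    ("welding", "supervisory", "tcp", 1433): "plant manager",  # traceability into MES
    ("office", "supervisory", "tcp", 443): "group CISO",       # MES reports, via firewall
    ("vendor", "packing", "tcp", 102): "maintenance head",     # machine log pulls, logged
}

def zone_of(ip):
    """Zone name an address falls in, or None if it is outside every drawn zone."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def flow_allowed(src_ip, dst_ip, proto, port):
    """Check one flow against the zone/conduit model. Returns (allowed, reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every drawn zone"
    if src == dst:
        return True, f"intra-zone traffic inside {src}"
    owner = CONDUITS.get((src, dst, proto, port))
    if owner:
        return True, f"conduit {src}->{dst} {proto}/{port}, signed off by {owner}"
    return False, f"no conduit {src}->{dst} for {proto}/{port}"

def find_bridges(inventory):
    """Hosts with interfaces in more than one zone: the quiet bridges that go
    around every conduit rule. inventory maps hostname -> list of its IPs."""
    bridges = []
    for host, ips in inventory.items():
        zones = sorted({z for z in map(zone_of, ips) if z})
        if len(zones) > 1:
            bridges.append((host, zones))
    return bridges

# Constructed inventory: the tool-room laptop is cabled to both the office switch and a packing panel.
INVENTORY = {
    "reception-pc": ["10.10.3.14"],
    "tool-room-laptop": ["10.10.5.77", "10.20.2.50"],
}
```

Running `find_bridges(INVENTORY)` flags the tool-room laptop as spanning office and packing, the finding the survey above missed on first pass; `flow_allowed` denies the office-to-welding-PLC path because no conduit exists for it.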

Hirschmann, Moxa, or a plain IT switch

Ravi asked the fair question every buyer asks. Why this hardware. Why not the cheaper office-grade switch the reseller pushed, or the other industrial name. The honest answer depends on the floor, not on a brochure.

| Option | Fits when | The catch |
|---|---|---|
| Hirschmann managed | Real shop floor: heat, dust, vibration; you need ring redundancy and VLAN enforcement that survives a cut cable | Costs more per port than office gear; you pay for the ruggedising and the redundancy |
| Moxa managed | Similar industrial brief, strong serial-to-Ethernet story for older machines | Different management model; pick on your existing stack and who can support it locally |
| Office-grade switch | A clean climate-controlled control room, light load, tight budget | Not rated for the floor; one hot summer near a furnace and you are buying it twice |

For this plant the choice was easy once we walked the sheds. Furnace heat near one cell, conductive dust near another. An office switch would have died by April. We put Hirschmann at the cell level, ran the rings, and dropped a firewall at the one conduit between the plant and the office so traffic crossing that line gets inspected, not waved through.

Get a quote for your plant floor
Rugged switches, ring redundancy, a boundary that holds. Written quote in 8 working hours.

What changed by month end

The cutover ran cell by cell during planned maintenance windows. No line lost a shift to it, which for a plant running near 4 lakh an hour of downtime was the whole non-negotiable. By the end of the month the welding cell, the packing line and the supervisory zone each sat behind their own boundary. The office could no longer ping a PLC. The maintenance vendor got a single controlled path with a log, not a laptop with two cables.

The part Ravi keeps mentioning is not the security. It is that he can finally answer a question. When the group CISO asks whether the plant is segmented, he opens one diagram and points. When DPDP audit season comes and somebody asks how operator data on the MES is walled off, the answer is a zone, a conduit and a rule, not a shrug. By mid-2026, with the DPDP rules taking shape, those audit questions have teeth, and a maybe is not an answer the board accepts.

His own words, lightly anonymised. “I thought we needed a bigger firewall. What we actually needed was a map and a wall in the right place.” That is most plants. The spend is smaller than the fear. The discipline is the hard part.

Key takeaways

  • Flat plant networks are the default, not the exception. The shop floor and the office share one subnet because it grew that way, not because anyone chose it.
  • Segment to zones and conduits per IEC 62443 before you shop. The drawing and the rule list are the first deliverable, and often the one the auditor actually wants.
  • Industrial-rated switches earn their price on a real floor. Heat, dust and vibration kill office gear, and ring redundancy keeps a cut cable from stopping a line.
  • Hunt the quiet bridges. The dual-homed maintenance laptop or the forgotten trial path beats any firewall you install around it.

FAQ

Will segmenting the network mean stopping production?
No, if it is staged. We cut over cell by cell inside planned maintenance windows. The plant near Aurangabad did not lose a shift to the work.

Is office-grade networking hardware really a problem on a shop floor?
On a clean control room, sometimes it survives. Near a furnace or in conductive dust it fails early. Industrial switches are rated for heat, vibration and grime, and that rating is what you are paying for.

How does OT segmentation connect to DPDP?
Plant systems like the MES often hold operator names, shift logs and biometric attendance. That is personal data under the DPDP Act. A flat network reachable from a phished office laptop is hard to defend in an audit. Segmentation gives you a boundary you can show.

Where do we start if we have never mapped the plant network?
With the map. A short survey to see what talks to what, then a zone and conduit drawing. You can read how we approach it on the Hirschmann industrial networking page, and we also run the office-side controls covered in our DPDP readiness assessment.

If you want the boundary checked at the firewall too, the same discipline shows up in our writeup on firewall rule cleanup and on the Check Point firewall page. For the cabling that carries all of it, see our note on Belden structured cabling.

Start with a free plant network review
No card, no contract. Tell us what you run and we will map the first zones with you. Reach us on WhatsApp at +91 91375 93228, 10 to 7 IST. Reference: CERT-In.

P.S. Sudeep here. We ran almost this exact job for a Pune forging unit last quarter. They asked the same question Ravi did, the one most plant heads are quietly asking right now: if one office laptop gets phished, can it reach my machines? If you do not know the answer, that is the answer. We will map it with you for free, and we will tell you the parts you do not need to buy.