Infrastructure · Security · 2024–2025

Network rebuild with OT / IT segmentation across two plants

Redesigned two-site network with full VLAN segmentation, plant systems isolated from office traffic, faster access, fewer outages.

  • 2 sites rebuilt
  • 12+ VLANs designed (voice, office, prod, OT, guest, mgmt, surveillance, IoT, etc.)
  • Outages since the rebuild: near-zero
  • Lateral-move exposure: materially reduced

Both sites were running flat networks — everything on one broadcast domain, production systems reachable from any workstation, no clean separation between manufacturing and office. It was a stability problem first (broadcast storms, slow file access) and a security problem second (lateral movement risk).

I redesigned the network on Ubiquiti/UniFi, implemented proper VLAN segmentation, separated OT from IT, and established a standard switching/wiring topology that replicated cleanly across both sites.

Stack

  • UniFi / Ubiquiti switching + UDM gateways
  • Inter-VLAN ACLs on the gateway
  • Separate management plane for IT staff
  • Surveillance VLAN with no outbound except to NVR
  • Guest network with rate limits + client isolation

Why segmentation matters in a plant

Manufacturing networks are different from office networks. SCADA traffic is latency-sensitive and should not share a broadcast domain with a copier. Plant HMIs should not be reachable from a laptop in accounting. And the surveillance cameras should absolutely not be sitting next to the finance file server.

None of this is exotic — it's basic hygiene. But in mid-market shops it's also usually skipped, because "it works." Until it doesn't.

Design

  • VLAN per function, not per floor — voice, office, production, OT, IoT, surveillance, guest, management.
  • Gateway ACLs enforce which VLANs can talk to which. Default deny.
  • OT has its own uplink and its own controller where possible — blast radius contained.
  • Management VLAN is reachable only from a bastion / IT subnet, and with MFA.
  • Wiring and labeling standardized — every cable on both sites can be read from a schematic.
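
The Stack and Design lists above describe the gateway policy in words; the following is that policy written as code so it can be checked instead of eyeballed. It is an added example, not part of the original case study and not a UniFi/UDM configuration export: the VLAN names come from the page, but every subnet, host address, port, rule and flow record below is constructed for illustration. The semantics mirror a gateway ACL (ordered rules, first match wins, implicit default deny) plus the two things the gateway never sees, switched intra-VLAN traffic and guest client isolation.

```python
"""Inter-VLAN policy model.  All addressing, rules and flows are constructed
for illustration, not the real plant addressing or rule set."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed VLAN plan: one VLAN per function, not per floor.
VLANS = {
    "mgmt":   ip_network("10.0.10.0/24"),  # switch, AP and gateway management
    "office": ip_network("10.0.20.0/24"),  # workstations
    "voice":  ip_network("10.0.30.0/24"),  # phones and PBX
    "prod":   ip_network("10.0.40.0/24"),  # business servers: file server, NVR
    "ot":     ip_network("10.0.50.0/24"),  # PLCs, HMIs, SCADA
    "iot":    ip_network("10.0.60.0/24"),  # sensors, badge readers
    "cctv":   ip_network("10.0.70.0/24"),  # surveillance cameras
    "guest":  ip_network("10.0.80.0/24"),  # visitor Wi-Fi
}
# Named hosts rules may reference in addition to whole VLANs (constructed).
SELECTORS = {
    **VLANS,
    "bastion": ip_network("10.0.20.250/32"),  # IT jump host inside office VLAN
    "nvr":     ip_network("10.0.40.10/32"),   # video recorder inside prod VLAN
}

@dataclass(frozen=True)
class Rule:
    src: str               # key of SELECTORS
    dst: str               # key of SELECTORS
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

# Ordered ACL; an earlier rule shadows a later one, just as on the gateway.
ACL = [
    Rule("bastion", "mgmt", 22,  "allow"),  # management plane only from the bastion
    Rule("cctv",    "nvr",  554, "allow"),  # cameras may only stream RTSP to the NVR
    Rule("office",  "prod", 445, "allow"),  # users reach file shares on prod
    Rule("prod",    "ot",   502, "allow"),  # historian polls PLCs over Modbus/TCP
    # office -> ot, guest -> anything, cctv -> anything but the NVR all fall
    # through to the implicit deny below.
]

def vlan_of(ip):
    """VLAN a host belongs to, or None for address space outside the plan."""
    return next((name for name, net in VLANS.items() if ip in net), None)

def decide(src_ip, dst_ip, dport):
    """Evaluate one flow against the policy; returns 'allow' or 'deny'."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    sv, dv = vlan_of(src), vlan_of(dst)
    if sv is None or dv is None:
        return "deny"                       # unknown address space never passes
    if sv == dv:
        # Same VLAN is switched, not routed, so the gateway ACL never sees it.
        # Guest is the exception: client isolation blocks peer-to-peer traffic.
        return "deny" if sv == "guest" else "allow"
    for r in ACL:
        if (src in SELECTORS[r.src] and dst in SELECTORS[r.dst]
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"                           # implicit default deny

def reachable(src_ip):
    """Blast radius of one host: every (selector, port) it can reach."""
    sv = vlan_of(ip_address(src_ip))
    out = {(sv, None)} if sv and sv != "guest" else set()  # own broadcast domain
    for r in ACL:
        probe = str(SELECTORS[r.dst].network_address)
        if decide(src_ip, probe, r.dport or 0) == "allow":
            out.add((r.dst, r.dport))
    return sorted(out, key=lambda t: (t[0], t[1] or 0))

# Constructed flow records "src dst dport", as exported from switch NetFlow
# or a SPAN capture, i.e. traffic actually seen on the wire.
SAMPLE_FLOWS = """\
10.0.20.17  10.0.40.10  445
10.0.20.17  10.0.50.21  502
10.0.70.5   10.0.40.10  554
10.0.70.5   10.0.40.20  445
10.0.20.250 10.0.10.1   22
10.0.20.17  10.0.10.1   22
10.0.80.3   10.0.80.4   445
10.0.40.11  10.0.50.21  502
"""

def audit(flow_text):
    """Observed flows the policy says must not exist.  Seen on the wire yet
    denied by policy means a gateway bypass (mis-tagged port, rogue route)
    or a rule gap: exactly the lateral-move paths the rebuild closes."""
    violations = []
    for line in flow_text.splitlines():
        if line.strip():
            s, d, p = line.split()
            if decide(s, d, int(p)) == "deny":
                violations.append((s, d, int(p)))
    return violations

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION", *v)
    print("camera can reach:", reachable("10.0.70.5"))
```

Two points the model makes explicit that the prose leaves implicit. First, the gateway ACL only governs routed traffic: a workstation and a server in the same VLAN talk without the gateway ever seeing the flow, which is why the page puts the file server and the cameras in different VLANs rather than relying on rules. Second, `audit` is most useful when fed flows collected from the switches, not the gateway, because a denied flow that was nonetheless observed on the wire is evidence of a bypass, not of the policy working.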

What I'd do differently

Next iteration moves toward a Zero Trust posture: identity-aware access at the gateway, not just VLAN-aware. The VLAN design is the foundation; ZT is the extension.