Securing a Manufacturing Facility with Cisco OT Microsegmentation
Customer Overview
Our customer is a manufacturing organization operating a production facility with three manufacturing lines supporting mission-critical industrial operations. As production systems became increasingly connected to enterprise IT networks, the organization recognized the need to strengthen cybersecurity without disrupting manufacturing processes.
To protect critical industrial assets and reduce cyber risk, the customer partnered with our team to design and implement a Zero Trust microsegmentation solution for its Operational Technology (OT) environment.
Business Challenge
The manufacturing facility relied on a traditional flat OT network where industrial devices communicated with minimal segmentation. While this simplified connectivity, it significantly increased the organization’s exposure to cyber threats.
Growing concerns around ransomware targeting manufacturing environments highlighted the need to prevent unauthorized lateral movement between production systems while protecting critical industrial assets such as programmable logic controllers (PLCs), Human Machine Interfaces (HMIs), and SCADA systems.
The customer also required secure remote access for operational support while improving visibility into connected industrial assets and enhancing its overall cybersecurity posture.
Key objectives included:
- Segment production networks without disrupting manufacturing operations.
- Protect PLCs and other critical OT assets from unauthorized communication.
- Gain comprehensive visibility into industrial devices and protocols.
- Detect vulnerabilities within the OT environment.
- Implement identity-based access policies for industrial devices.
- Improve compliance with industrial cybersecurity best practices.
The Solution
As the customer’s Managed Services Provider (MSP), we designed and implemented a comprehensive Cisco Industrial Security solution centered on Zero Trust principles.
The deployment combined Cisco Industrial Ethernet infrastructure, Cisco Identity Services Engine (ISE), Cisco Cyber Vision, and Cisco Secure Firewall to create an intelligent, policy-driven security architecture for the manufacturing environment.
Rather than relying on traditional VLAN-based segmentation, the solution used Cisco TrustSec Security Group Tags (SGTs) to classify industrial assets and enforce role-based communication policies across the OT network.
This approach provided scalable microsegmentation while minimizing operational complexity and preserving production uptime.
Industrial Asset Visibility
Before segmentation policies could be implemented, complete visibility into the OT environment was established using Cisco Cyber Vision.
Cyber Vision continuously monitored industrial communications to automatically discover connected assets, identify industrial protocols, and detect known vulnerabilities throughout the production environment.
This provided an accurate inventory of operational assets, including:
- Programmable Logic Controllers (PLCs)
- Human Machine Interfaces (HMIs)
- SCADA systems
By understanding how industrial devices communicated, the project team was able to develop security policies based on actual production traffic rather than assumptions, reducing implementation risk.
Identity-Based OT Microsegmentation
Cisco Identity Services Engine (ISE) served as the policy engine for the solution.
Through pxGrid integration with Cisco Cyber Vision, industrial assets discovered within the OT environment were automatically classified and assigned Security Group Tags (SGTs). Dynamic policy assignment ensured devices were placed into the appropriate security groups based on their operational role.
Rather than managing complex IP address-based access control lists, security policies were built around device identity and function.
Security Group Tags were distributed throughout the industrial network and enforced using Security Group Access Control Lists (SGACLs) on the distribution switches, with additional policy enforcement provided by Cisco Secure Firewall 1200 Series appliances deployed at OT security boundaries.
This identity-driven architecture significantly simplified policy management while improving scalability as new industrial devices were introduced.
Secure OT Architecture
Cisco IE3400 Industrial Ethernet switches and Cisco Catalyst IE IC3000 Industrial Compute gateways formed the foundation of the industrial network infrastructure.
Cisco Secure Firewall 1200 Series appliances provided security enforcement between OT and enterprise networks, enabling secure remote access while protecting critical manufacturing assets from unauthorized traffic.
Together, the solution established secure communication paths between production systems while preventing unnecessary east-west traffic across the manufacturing environment.
Production cells were logically isolated without requiring major changes to the existing industrial network, making the deployment well suited for the customer’s brownfield environment.
Business Outcomes
The completed deployment significantly strengthened the organization’s cybersecurity posture while maintaining uninterrupted manufacturing operations.
Production Cell Microsegmentation
Identity-based policies segmented the manufacturing environment into secure production zones, limiting communication to only authorized devices and applications.
Enhanced OT Visibility
Cisco Cyber Vision provided continuous visibility into connected industrial assets, communication patterns, and industrial protocols, enabling operations and security teams to better understand and manage the OT environment.
Improved Protection of Critical Assets
PLCs, HMIs, and SCADA systems were protected through least-privilege communication policies, reducing the risk of unauthorized lateral movement during a cybersecurity incident.
Improved Security Posture
The combination of asset discovery, vulnerability detection, identity-based access control, and policy enforcement delivered a modern Zero Trust architecture tailored for industrial operations.
Compliance Readiness
The microsegmentation strategy improved the organization’s alignment with industrial cybersecurity best practices by strengthening network segmentation, improving asset visibility, and implementing centralized policy management.
Technologies Deployed
- Cisco Identity Services Engine (ISE)
- Cisco Cyber Vision
- Cisco Industrial Ethernet IE3400 Switches
- Cisco Catalyst IE IC3000 Industrial Compute
- Cisco Secure Firewall 1200 Series
- Cisco TrustSec Security Group Tags (SGTs)
- Security Group Access Control Lists (SGACLs)
- pxGrid Integration
- Dynamic Policy Assignment
- Industrial Asset Discovery
- Industrial Protocol Inspection
- OT Vulnerability Detection
- Identity-Based Microsegmentation
Conclusion
By implementing Cisco’s Zero Trust architecture for Operational Technology, the customer transformed a flat industrial network into a secure, identity-driven environment capable of protecting critical manufacturing systems without disrupting production. The combination of Cisco Cyber Vision, Cisco Identity Services Engine, Cisco Industrial Ethernet infrastructure, and Cisco Secure Firewall enabled comprehensive visibility, intelligent policy enforcement, and scalable microsegmentation across the facility. The result was a more resilient manufacturing network with stronger protection against ransomware, improved operational visibility, and a cybersecurity foundation designed to support future growth.
