OT/IT segmentation for MES: doing factory networks the right way
PLCs never exposed to the Internet. MES bridge in DMZ, IT only reads. Audit every PLC command write. ISO 9001 is not a checkbox — get the architecture right.
Why this post
Across the last 5 MES projects, 3 plants initially exposed PLCs to the office LAN. One ransomware incident = whole line goes dark. This post covers how to segment correctly.
3-zone architecture
- Internet → Firewall L1 → IT zone (offices, ERP, BI)
- IT zone → Firewall L2 (DMZ) → MES bridge (reads PLC, exposes REST/MQTT to IT)
- MES bridge → Firewall L3 (strict) → OT zone (PLC, HMI, sensors) — NO route to Internet
Read-only by default
PLC tags exposed to the MES bridge are read-only. Every WRITE command must:
1. Go through an authenticated REST API
2. Require role-based permission
3. Log to an immutable audit trail (append-only)
4. Get 4-eyes confirmation for production-critical operations (e.g. a recipe change)
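The write-command gate described above, as an added example that is not from the post: a Python model of steps 2 to 4 (role check, 4-eyes rule for critical tags, append-only audit trail). The role names, the `recipe.`/`safety.` tag prefixes and the in-memory audit trail are assumptions; in production the REST layer handles step 1 and the database enforces append-only.

```python
from datetime import datetime, timezone

# Assumed role names and tag naming scheme; the post does not prescribe these.
WRITE_ROLES = {"process_engineer", "line_supervisor"}
CRITICAL_TAG_PREFIXES = ("recipe.", "safety.")


class AuditTrail:
    """In-memory stand-in for the append-only audit table: callers can append
    and read, but nothing here edits or deletes history."""

    def __init__(self):
        self._entries = []

    def append(self, **fields):
        fields["ts"] = datetime.now(timezone.utc).isoformat()
        self._entries.append(fields)

    def entries(self):
        return tuple(self._entries)  # snapshot; callers cannot edit the log


class WriteGate:
    """Gate in front of the PLC write path of the MES bridge."""

    def __init__(self, user_roles):
        self.user_roles = user_roles  # user -> role; stands in for the IdP lookup
        self.audit = AuditTrail()

    def authorize_write(self, user, tag, value, approver=None):
        """Return True only if the write may be forwarded to the PLC.
        Every decision, allowed or denied, is appended to the audit trail."""
        role = self.user_roles.get(user)
        if role is None:
            reason = "denied:unauthenticated"
        elif role not in WRITE_ROLES:
            reason = "denied:role_not_permitted"
        elif tag.startswith(CRITICAL_TAG_PREFIXES) and (
            approver is None
            or approver == user  # no self-approval
            or self.user_roles.get(approver) not in WRITE_ROLES
        ):
            reason = "denied:second_approver_required"  # 4-eyes rule
        else:
            reason = "written"
        self.audit.append(user=user, approver=approver, tag=tag,
                          value=value, result=reason)
        return reason == "written"
```

Denied requests are logged as well as successful ones, so the trail shows who tried to change what, not only what changed.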
OPC UA > Modbus for new deployments
- OPC UA has cert-based auth + transport encryption
- Modbus TCP is plaintext — fine for legacy, but wrap it in a VPN/SSH tunnel
ISO 9001 + FDA traceability
Not just a PDF policy. Architecture must support:
- Append-only audit log (Postgres trigger preventing UPDATE/DELETE)
- Watermarked dashboards (Grafana panel auto-stamping user + timestamp)
- Per-batch traceability from raw material → ship date
Lessons from a real incident
Last year a plant got ransomware in the IT zone. PLCs in the OT zone were not affected because the L3 firewall blocked it — production continued at 100% while IT recovered.
Cost of L3 firewall + 2 days of setup ≈ $3,000. Cost of 1 day of stopped production ≈ $30,000+.