CASE
STUDY
ZERO UNPLANNED DOWNTIME:
MIGRATING A LEGACY FLAT NETWORK TO A SECURE OT ARCHITECTURE
How a large food and beverage manufacturer eliminated the ransomware and unauthorized access risk created by a flat, mixed IT/OT network, migrated critical automation assets into a secure segmented environment, and achieved ISA/IEC 62443 alignment without disrupting a single production shift.
| Challenge | Solution | Result |
|---|---|---|
| Critical OT assets including PLCs, HMIs, and SCADA exposed on flat, IT-managed network zones | Engineering-led network design with VLANs, firewall policies, and ISA/IEC 62443-aligned segmentation | All migrations completed with zero unplanned production downtime |
| High and increasing risk of ransomware propagation and lateral movement to control systems | Phased migration plan with backups, rollback procedures, and production team coordination | OT cyberattack surface significantly reduced by removing control assets from corporate IT exposure |
| Potential for cyber incidents to impact food-safety processes and production continuity | Controlled field cutover with post-migration validation of all SCADA, batching, and safety interlocks | ISA/IEC 62443 and food-safety audit alignment (BRC, SQF) achieved |
Project Background
A large food and beverage manufacturer operated a diverse automation environment including PLCs, HMIs, variable speed drives, OEM production skids, refrigeration control systems, and packaging automation across multiple production areas. The entire OT environment shared a flat, undifferentiated network with corporate IT systems, a legacy architecture that had grown incrementally without security design. As the threat landscape evolved and ransomware incidents in food manufacturing became more frequent, leadership recognized that the existing network configuration posed unacceptable risk to production continuity, food-safety process integrity, and the organization's cyber insurance position. The requirement was clear: migrate OT assets into a secure, segmented network without disrupting production.
Control Systems Exposed on a Flat Network, with No Tolerance for Production Disruption
The manufacturing environment's OT assets resided in IT-managed network zones with no meaningful segmentation between corporate systems and production control infrastructure. PLCs managing batching, conveying, and refrigeration systems sat on the same network as enterprise applications, email systems, and file servers. A ransomware infection reaching the corporate network had a direct propagation path to every production control system in the facility.
The risks were not theoretical. Lateral movement across the flat network could reach PLC and HMI systems directly. Unauthorized access to control systems was possible without traversing any security boundary. A successful ransomware deployment affecting the OT environment would not only halt production but could also compromise the automated controls that maintained food-safety process parameters, creating a regulatory and liability exposure beyond the immediate operational impact.
The engineering challenge was compounding the security challenge: the production environment operated continuously, with strict availability requirements and complex interdependencies between SCADA systems, historians, batching controllers, refrigeration automation, and packaging lines. Any migration approach that could not guarantee production continuity would not be acceptable to the operations team, regardless of the security benefit. The project required engineering precision alongside cybersecurity expertise.
Engineering-Led Planning and Controlled Field Cutovers with Production Team Coordination
Arista Cyber led a two-phase engagement, separating the engineering and planning work from field implementation to ensure that every cutover was fully designed, validated, and rehearsed before any production system was touched.
In the Engineering and Planning phase, the existing network was thoroughly documented: network diagrams, IP schemas, device configurations, communication dependencies, and vendor documentation were all reviewed and reconciled. OT assets requiring migration were identified and mapped to their communication dependencies, including connections to SCADA systems, historians, batching applications, and remote monitoring platforms. A target segmented OT network architecture was designed, incorporating VLANs, routing configuration, firewall policies, and a DMZ structure aligned to ISA/IEC 62443 zone and conduit principles. Migration plans were developed for each asset group, including configuration backups, rollback procedures, and change windows coordinated with production scheduling.
In the Field Implementation phase, switch and firewall configurations were prepared and validated in a controlled environment before deployment. Cutovers were executed in a sequence that respected production interdependencies: IP changes, gateway updates, and firewall rule activations were coordinated to minimize the window between disconnecting assets from the old network and confirming connectivity on the new segmented architecture. Communication testing covered all dependent systems, including SCADA, historians, batching controllers, packaging automation, and refrigeration systems. Post-migration validation confirmed alarm and interlock functionality, and as-built documentation was updated to reflect the final network configuration.
Ransomware Risk Removed, Production Continuity Maintained, Audit Alignment Achieved
Every migration was completed with zero unplanned production downtime. The controlled cutover approach, combined with pre-validated configurations and rollback procedures, ensured that each asset group transitioned to the new segmented network without impacting the production lines that depended on it.
The cyberattack surface was significantly reduced. By removing OT assets from corporate IT network exposure and establishing clear security boundaries between production control systems and enterprise infrastructure, the organization eliminated the direct ransomware propagation path that had represented its most significant operational cyber risk. PLC, HMI, refrigeration control, and packaging automation systems now sit behind firewall-enforced segmentation, with access controlled by policy rather than by the absence of boundaries.
The new architecture achieved alignment with ISA/IEC 62443 zone and conduit design principles, and the improved network documentation and segmentation structure supported the organization's food-safety audit obligations under BRC and SQF standards. The engagement also positioned the organization for the next phase of its OT security programme, including OT network monitoring, intrusion detection, and lifecycle cybersecurity governance that the previous flat network architecture could not have supported.
Who Should Engage Arista Cyber?
IT and OT Leaders in industrial & critical infrastructure operations who want assurance, resilience, and measurable security outcomes.
What's The Next Step?
- Schedule a Cyber Risk Assessment
- Conduct an Executive Workshop
- Start OT Security Roadmap Planning
Operating a legacy flat IT/OT network? Contact Arista Cyber to assess your exposure and plan a secure migration that keeps production running.