Manufacturing

Securing a Manufacturing Network

From Consumer Hardware to Enterprise Infrastructure

45-55 users · Ireland

The Company

A regulated manufacturing company in Ireland with approximately 50 users across production, engineering, and administration. The organisation operates under industry-specific quality and compliance certifications, and its customers increasingly require evidence of security controls and infrastructure maturity as part of their audit processes.

The Trigger

A cybersecurity audit identified the network as a critical exposure. The company’s leadership had known the infrastructure was not optimal, but when you’re running a business, expediency often trumps correctness. The audit made the risk concrete: a flat, unsegmented network where a compromise on any device could reach every system in the building, including the specialist manufacturing equipment that kept the business running.

What We Found

The network survey revealed an environment that had grown entirely by accretion, with no architecture behind it.

A single flat IP space. Every device in the building (corporate laptops, manufacturing systems, CCTV cameras, IP phones, printers, wifi access points) sat on the same network segment. There was no separation between the office and the factory floor, between guest wifi and production systems, between CCTV and email.

Consumer-grade hardware throughout. The firewall was a consumer router. Switches were unmanaged. In the stores area, we found daisy-chained 4-port hubs — one plugged into the next into the next — because someone had needed a network connection and there was no infrastructure to provide one properly.

Unknown third-party infrastructure. The survey uncovered switches and access points that no one in the organisation knew were there. CCTV systems, IP phone infrastructure, and factory signalling wifi had been installed by various contractors over the years, each bringing their own hardware and plugging it into the flat network. None of it was documented. None of it was managed. All of it had access to everything.

Legacy manufacturing systems. The most sensitive challenge was the specialist manufacturing equipment. These systems were driven by embedded or older compute platforms — some running Windows 7 or equivalent — that were perfectly functional for their purpose but could not be upgraded, patched, or locked down in the way a modern endpoint can. They sat on the same network as corporate email, file shares, and internet-connected workstations.

What We Did

The “herd immunity” approach to legacy systems

We could not upgrade the manufacturing systems. We could not install modern endpoint protection on them in the way we would a Windows 11 workstation. But we could isolate them.

Borrowing a principle from disease control, we treated the legacy manufacturing systems as the population that could not be vaccinated — and focused on protecting everything around them. We deployed our SOC agent where feasible, removed any unnecessary productivity software that had found its way onto them over the years, and then built the network architecture around the principle that these systems would occupy their own isolated segment, with every other device segregated away from them.

If a corporate laptop was compromised by phishing, the attacker would find no route to the manufacturing systems. If a manufacturing system was somehow compromised, it could not reach the office network. The isolation was the control.

Weekend cutover: rip and replace

The core infrastructure replacement (consumer firewall and switches out, next-generation firewall and managed switching in) was accomplished over a single weekend. The manufacturing segment retained its existing IP structure (the only segment with fixed IPs), maintaining all connections to production equipment without disruption. By Monday morning, the company had a single-pane-of-glass view of the entire network fabric for the first time.

Network segmentation

With the new infrastructure in place, we designed and deployed dedicated segments:

  • Manufacturing: isolated segment for production systems and specialist equipment, maintained on its original IP scheme
  • Server: on-premises servers separated from user traffic
  • Office: corporate endpoints, managed and monitored
  • Wifi: enterprise wireless with separate SSIDs for corporate and guest access
  • Guest: internet-only, no access to any internal segment
  • CCTV: isolated, no access to corporate or manufacturing networks
  • IP Phones: voice traffic separated from data

Each segment is bridged by the next-generation firewall with appropriate access control lists and intrusion detection and prevention rules. Networks such as Guest, CCTV, and Phones have zero access to the rest of the infrastructure. Traffic between segments is controlled, logged, and monitored.
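The isolation goals above (and the herd-immunity argument earlier: no route from Office to Manufacturing in either direction, Guest internet-only, CCTV and Phones with zero access) can be written down as a policy model and checked in two ways: a rule review that flags any allow rule contradicting the goals, and a log audit that flags flows the firewall recorded as allowed but the intended policy would deny. This is an added illustration, not Tarbh Tech's tooling; the segment names come from the case study, while the permitted flows, the "Internet" zone and the log line format are assumptions.

```python
import re

# Segments named in the case study plus "Internet" as the firewall's outside zone (assumption).
SEGMENTS = {"Manufacturing", "Server", "Office", "Wifi", "Guest", "CCTV", "Phones", "Internet"}

# Inter-segment flows the firewall permits, as (source, destination). Anything not listed is
# denied (default deny). The allowed set is assumed; the page only states the isolation goals.
ALLOW = {
    ("Office", "Server"), ("Office", "Internet"),
    ("Wifi", "Server"), ("Wifi", "Internet"),
    ("Server", "Internet"),
    ("Guest", "Internet"),
}

# Isolation goals stated in the case study.
ZERO_ACCESS = {"Manufacturing", "CCTV", "Phones"}   # no inter-segment access either way
INTERNET_ONLY = {"Guest"}                            # may reach nothing but Internet


def permitted(src, dst, allow=ALLOW):
    """Policy decision for a flow; intra-segment traffic never crosses the firewall."""
    return src == dst or (src, dst) in allow


def rule_violations(allow=ALLOW):
    """Config review: allow rules that contradict the stated isolation goals."""
    bad = []
    for src, dst in allow:
        if src in ZERO_ACCESS or dst in ZERO_ACCESS:
            bad.append((src, dst, "zero-access segment"))
        elif (src in INTERNET_ONLY and dst != "Internet") or dst in INTERNET_ONLY:
            bad.append((src, dst, "guest is internet-only"))
    return bad


# Assumed, simplified log format; real NGFW logs carry far more fields.
LOG_RE = re.compile(r"src=(\w+) dst=(\w+) action=(allow|deny)")

# Constructed sample lines: the second one is a misconfiguration the audit should catch.
SAMPLE_LOG = [
    "src=Office dst=Server action=allow",
    "src=Office dst=Manufacturing action=allow",
    "src=Guest dst=Server action=deny",
]


def audit_log(lines, allow=ALLOW):
    """Detection: flows the firewall allowed but the intended policy would deny."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than guess at the fields
        src, dst, action = m.groups()
        if action == "allow" and not permitted(src, dst, allow):
            findings.append((src, dst))
    return findings
```

Running `rule_violations()` against a proposed rule change before it is applied, and `audit_log()` over exported firewall logs afterwards, gives both a preventive and a detective check on the same isolation goals.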

Migration

With the core in place, corporate endpoints, wifi access points, printers, and other devices were identified and migrated to their correct segments. The unknown third-party switches were documented, assessed, and either replaced, properly integrated, or isolated. The daisy-chained hubs in stores were replaced with properly deployed managed switch ports.

The Results

Full network segregation. Manufacturing systems are isolated from corporate IT. A compromise in one zone cannot reach another. The flat network that had existed since the company’s founding is gone.

Single-pane-of-glass visibility. For the first time, the company can see every device on every segment, monitor traffic patterns, and identify anomalies. The unknown switches and access points are now documented and managed, or removed.

24/7 monitoring. XDR services via SOC provide network-level threat detection, anomaly alerting, and triage around the clock. The SOC agent is deployed on every system that can support it, including, where feasible, the legacy manufacturing platforms.

Audit-ready documentation. Network topology diagrams, segment definitions, firewall rule sets, and access control policies are documented and available for customer audits. The audit requirement that triggered the engagement can now be met with evidence.

Operational stability. The reliability improvements have been significant. The consumer hardware that had been failing intermittently is gone. The daisy-chained hubs are gone. The network simply works in a way it hadn’t before.

A change in thinking. Perhaps the most significant outcome is behavioural. Senior management have embedded the basics of network security in their thinking when evaluating any new system or technology. Rather than deploying first and dealing with the network consequences later, Tarbh Tech is engaged early to ensure new systems map correctly to the segmented network environment. The conversation has shifted from “can we plug this in?” to “where does this belong?”

Ongoing Management

This is an active, managed engagement, not a project with a handover. Tarbh Tech manages the network infrastructure on an ongoing basis:

  • Firewall rule management: new rules, modifications, and periodic reviews
  • Switch configuration and port management
  • Firmware and software updates across the network fabric
  • Wifi optimisation and coverage adjustments
  • XDR/SOC monitoring with alerting and triage
  • Quarterly network health reviews
  • Support for new system deployments and network changes

When the company needs a network change (a new production line, a new office area, a new CCTV zone) Tarbh Tech designs the integration, deploys it to the correct segment, and updates the documentation. The network grows with the business, not despite it.

"Before the network project, we knew things weren't ideal, but the business was running and there was always something more urgent. The audit made the risk real. Everything on one flat network, manufacturing systems next to email, switches no one knew were there. Tarbh Tech replaced the lot over a weekend without touching production, and now we have proper segmentation, proper monitoring, and proper confidence."