
Network Segmentation for a Growing Manufacturer – From Consumer Hardware to Fortinet Security Fabric

Jonathan Bourke
Tags: network segmentation, manufacturing, Fortinet, OT security, cybersecurity

A high-tech manufacturer came to us during a period of rapid expansion. They were adding new production lines, bringing in new machines, and scaling operations — but their network and security infrastructure had not kept pace. What started as a conversation about “some IT improvements” turned into a full network redesign built around proper segmentation.

This is the story of how we took a manufacturing environment running on consumer-grade hardware with no segmentation, and rebuilt it on Fortinet Security Fabric with properly isolated network zones, managed switching, and centralised security visibility.

The challenge: Industry 4.0 meets consumer IT

Modern manufacturing sits at an uncomfortable intersection. Factory floor equipment increasingly runs on networked systems — computerised production lines, programmable logic controllers, SCADA interfaces, quality control stations. This is the promise of Industry 4.0: connected, data-driven manufacturing.

The cybersecurity reality is less comfortable. Many of these systems run embedded operating systems or older Windows versions that cannot be patched. You cannot install endpoint protection on a CNC machine. You cannot upgrade the OS on a production controller that the equipment vendor certified for a specific version five years ago. And you cannot simply disconnect these systems from the network because they need connectivity to function.

The manufacturer we worked with was experiencing all of these tensions. Their environment had grown organically as the business expanded, and the IT infrastructure reflected that organic growth — functional but fragile, with no deliberate security architecture.

What the audit found

We conducted a thorough assessment of the existing environment. The findings were significant, but not unusual for a manufacturing SME that had grown faster than its IT:

No acceptable use training. Staff had no formal guidance on IT security practices — password management, phishing awareness, or acceptable use of company systems.

No lifecycle planning for factory floor technology changes. Equipment additions were handled reactively. There was no process for evaluating the network and security implications of new machines before they were connected.

Ad-hoc change management. Network changes, new devices, and configuration updates happened informally. No documentation, no approval process, no rollback plan.

Consumer-grade networking hardware. The factory floor was running on consumer hubs and switches — hardware designed for a home or small office, not for an industrial environment. These caused intermittent stability issues and offered no management, monitoring, or security capabilities.

Consumer-grade firewall with no advanced features. The perimeter firewall was a consumer device with no web filtering, no intrusion prevention system (IPS), no gateway antimalware, and no VPN capability beyond basic remote access.

No email security despite using Microsoft 365. The organisation was on Microsoft 365 but had not configured any of the built-in email security features — no anti-phishing policies, no Safe Links or Safe Attachments, no DMARC/DKIM/SPF.

No dedicated IT staff. IT was handled part-time by someone whose primary role was in operations. There was no capacity for proactive security management, monitoring, or incident response.

The solution: Fortinet Security Fabric with network segmentation

The core of the solution was network segmentation — dividing the flat, everything-on-one-network topology into isolated zones where different types of traffic are separated and controlled. The goal was straightforward: production equipment on the factory floor should not be on the same network segment as office workstations, and neither should share a segment with servers or management systems.

We selected the Fortinet Security Fabric as the platform. The Fabric is not a single product — it is an integrated ecosystem of network and security devices that share a common management plane. For a manufacturing environment without dedicated IT staff, the single-pane-of-glass management was as important as the security features.

Fortinet components deployed

FortiGate firewall — the core of the deployment. The FortiGate replaced the consumer firewall and provides next-generation firewall capabilities: application-aware traffic inspection, intrusion prevention (IPS), gateway antimalware, web filtering, SSL VPN for remote access, and inter-zone traffic control. Every packet moving between network segments passes through the FortiGate and is inspected against security policies.

FortiSwitches — managed switches deployed on the factory floor and in the server room. These replaced the consumer hubs and switches, providing proper VLAN support (critical for segmentation), Power over Ethernet for devices that need it, and centralised management through the FortiGate. The FortiSwitches connect back to the FortiGate via fibre, giving the backbone the bandwidth headroom that a growing manufacturing operation needs.

FortiClient EMS (Endpoint Management Server) — centralised endpoint protection for workstations and laptops that support it. FortiClient provides antimalware, web filtering, and VPN connectivity, all managed from a central console. This covered the office endpoints that could run an agent — the factory floor equipment that could not was protected by network segmentation instead.

FortiAnalyzer — centralised logging and analytics. Every FortiGate policy hit, every IPS event, every web filter action is logged and available for analysis. This gives the organisation visibility it never had before — they can see what is happening on their network, identify anomalies, and investigate incidents.

The segmentation design

The network was divided into distinct zones, each with its own subnet and VLAN:

  • Production zone — factory floor equipment, production controllers, and OT systems. Traffic from this zone is restricted to the specific services these systems need (database access, quality reporting) and nothing else. These devices cannot reach the internet directly, cannot access email, and cannot browse the web.
  • Office zone — workstations, laptops, and office peripherals. Standard business traffic with web filtering and endpoint protection.
  • Server zone — Active Directory domain controllers, file servers, and business applications. Access controlled by firewall policy — only authorised traffic from authorised zones.
  • Management zone — network infrastructure management interfaces, FortiAnalyzer, and administrative access. Isolated from user traffic.
  • Guest/visitor zone — internet-only access for visitors, with no visibility into internal networks.

Working with hard-coded addressing

One of the practical challenges in manufacturing environments is that many systems have hard-coded IP addresses. Production controllers, SCADA interfaces, and embedded systems often cannot use DHCP — their IP addresses are configured statically during installation and referenced by other systems.

We worked around this by designing the new subnet ranges to accommodate the existing static addresses where possible, and coordinating with the equipment vendors for systems that needed re-addressing. The transition was planned in stages to avoid production downtime: new subnets and DHCP scopes were configured, printers and WiFi access points were re-addressed, and office endpoints migrated to the new network segments before the factory floor systems were cut over.
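To make the addressing exercise concrete, here is a small Python check, written as an added example for this article (not tooling from the project; every subnet and device address in it is constructed). It tests a proposed per-zone subnet plan for overlaps, flags which statically addressed devices already fit their target zone and which will need vendor re-addressing, and computes the smallest prefix that would cover a set of existing static addresses, which is the starting point when you are trying to fit a new zone around addresses you cannot change.

```python
"""Sanity checks for a zone addressing plan built around hard-coded device
addresses.  Example code for this article; all values below are constructed."""
import ipaddress

# Proposed per-zone subnets (constructed).  Production keeps the range the
# existing controllers already live in so most of them need no change.
ZONE_SUBNETS = {
    "production": ipaddress.ip_network("192.168.1.0/24"),
    "office": ipaddress.ip_network("10.20.10.0/24"),
    "servers": ipaddress.ip_network("10.20.20.0/24"),
    "management": ipaddress.ip_network("10.20.99.0/24"),
    "guest": ipaddress.ip_network("10.20.200.0/24"),
}

# Statically addressed devices recorded during the audit (constructed), with
# the zone each one is meant to land in after segmentation.
STATIC_DEVICES = [
    ("line1-plc", "192.168.1.21", "production"),
    ("line2-plc", "192.168.1.22", "production"),
    ("scada-hmi", "192.168.1.50", "production"),
    ("legacy-qc-station", "192.168.0.77", "production"),  # outside the new range
    ("printer-office", "192.168.1.200", "office"),         # still on the old flat range
]


def overlapping_zones(subnets):
    """Pairs of zone names whose subnets overlap.  Must be empty, or firewall
    policy between the two zones cannot be written unambiguously."""
    names = sorted(subnets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if subnets[a].overlaps(subnets[b])]


def readdress_plan(devices, subnets):
    """'keep' if a device's static address already sits inside its target zone
    subnet, otherwise 'readdress' (needs a vendor-coordinated change)."""
    return {name: ("keep" if ipaddress.ip_address(addr) in subnets[zone] else "readdress")
            for name, addr, zone in devices}


def smallest_covering_subnet(addresses):
    """Smallest prefix that contains every given address: widen each /32 one
    bit at a time until all of them collapse onto the same network."""
    if not addresses:
        raise ValueError("need at least one address")
    nets = [ipaddress.ip_network(a) for a in addresses]
    while len(set(nets)) > 1:
        nets = [n.supernet() for n in nets]
    return nets[0]


if __name__ == "__main__":
    print("overlapping zones:", overlapping_zones(ZONE_SUBNETS))
    for dev, action in readdress_plan(STATIC_DEVICES, ZONE_SUBNETS).items():
        print(f"{dev:20} {action}")
    prod = [a for _, a, z in STATIC_DEVICES if z == "production"]
    print("prefix covering existing production addresses:", smallest_covering_subnet(prod))
```

Run as-is it reports no overlaps, marks the three controllers as `keep`, and flags the legacy QC station and the office printer for re-addressing; the covering-prefix helper shows that keeping the QC station where it is would force the production zone out to a /23, which is the kind of trade-off that drives the vendor conversation.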

Replacing ad-hoc remote access

The existing environment used remote access software to allow equipment vendors to connect for maintenance and troubleshooting. This is common in manufacturing but creates significant security risk — third-party software with persistent access to production systems, often with shared credentials.

We replaced this with SSL VPN through the FortiGate. Each vendor gets their own VPN credentials with access restricted to only the specific systems they need to reach. Access is logged, time-limited, and can be revoked instantly. The vendors get the remote access they need; the manufacturer gets visibility and control over who is accessing their production network.
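The zone design from the segmentation section and the per-vendor VPN rules above both end up as FortiGate firewall policies, and the design intent behind them can be checked mechanically rather than by reading the policy table by eye. The following Python script is an added example written for this article, not Fortinet's tooling or the project's real configuration: it parses a constructed `config firewall policy` block in FortiOS CLI syntax (the zone names such as `production` and `guest`, the `ssl.root` SSL VPN interface, address objects such as `line1-controller`, the user group `vendor-acme` and the schedule `vendor-maintenance-window` are all assumed names) and reports any accept policy that breaks the segmentation rules, the log-everything rule, or the vendor-access rule of a named host, a user group and a time window, never `all`.

```python
"""Parse a FortiOS-style 'config firewall policy' block and verify it against
the segmentation intent described in this article.  Example code, not Fortinet's."""
import shlex

# Constructed sample in FortiOS CLI syntax.  Policy 4 deliberately breaks the
# design (production reaching the internet) and policy 3 under-logs, so the
# checker has something to catch.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "prod-to-db"
        set srcintf "production"
        set dstintf "servers"
        set srcaddr "production-net"
        set dstaddr "db-server"
        set service "MS-SQL"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ips-sensor "default"
    next
    edit 2
        set name "vendor-acme-to-line1"
        set srcintf "ssl.root"
        set dstintf "production"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "line1-controller"
        set groups "vendor-acme"
        set service "RDP"
        set action accept
        set schedule "vendor-maintenance-window"
        set logtraffic all
    next
    edit 3
        set name "guest-to-internet"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "guest-net"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic utm
    next
    edit 4
        set name "prod-to-internet-MISTAKE"
        set srcintf "production"
        set dstintf "wan1"
        set srcaddr "production-net"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
"""

INTERNAL_ZONES = {"production", "office", "servers", "management"}
# Zone pairs the design forbids: production has no internet path and guests see
# nothing internal.  FortiOS denies anything not explicitly accepted, so only
# accept policies can weaken the design and only those are examined.
FORBIDDEN_PAIRS = {("production", "wan1")} | {("guest", z) for z in INTERNAL_ZONES}


def parse_policies(text):
    """One dict per 'edit' block: 'id' plus every 'set' key.  Values are lists
    because settings such as service may carry several quoted tokens."""
    policies, current = [], None
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "edit" and current is None:
            current = {"id": int(tokens[1])}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def check_segmentation(policies):
    """Human-readable violations of the zone design, logging rule and vendor VPN rule."""
    violations = []
    for p in policies:
        if p.get("action") != ["accept"]:
            continue
        src, dst = p["srcintf"][0], p["dstintf"][0]
        label = f"policy {p['id']} ({p.get('name', ['?'])[0]})"
        if (src, dst) in FORBIDDEN_PAIRS:
            violations.append(f"{label}: {src} -> {dst} is forbidden by the design")
        if p.get("logtraffic") != ["all"]:
            violations.append(f"{label}: logtraffic must be 'all' so FortiAnalyzer sees every hit")
        if src == "ssl.root" and ("all" in p.get("dstaddr", []) or "groups" not in p
                                  or p.get("schedule") == ["always"]):
            violations.append(f"{label}: vendor VPN must be pinned to a host, a group and a window")
    return violations


if __name__ == "__main__":
    for v in check_segmentation(parse_policies(SAMPLE_CONFIG)):
        print("VIOLATION:", v)
```

Pointing this at the real policy table (for instance the output of `show firewall policy` saved to a file) gives a repeatable check to run after every change window, which matters most in an environment where changes had previously been made informally and without review.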

The result

The project delivered measurable improvements across both security and operational performance.

Network capacity doubled. The fibre backbone and managed switching infrastructure provided significantly more capacity than the consumer hardware it replaced. Network stability issues that had been a recurring frustration disappeared.

Security architecture where there was none. The environment went from a flat network with no segmentation, no IPS, no web filtering, and no visibility to a properly zoned architecture with policy-controlled traffic flows, centralised monitoring, and managed endpoints.

Performance improvement alongside security. This is worth highlighting because it contradicts the common assumption that security degrades performance. The managed switching and proper network design actually improved throughput and reliability. Security was additive, not restrictive.

Foundation for continued expansion. The segmented architecture scales cleanly. New production lines get their own switch ports in the production VLAN. New office staff get managed endpoints in the office zone. The security policies are already in place — adding capacity does not require redesigning the security model.

Confidence for the business. The manufacturer’s leadership gained confidence that their network could support continued growth without accumulating technical debt. They had visibility into what was happening on their network for the first time, and a clear framework for how new equipment and systems would be integrated.

Lessons from manufacturing network projects

Having worked on several manufacturing network projects, we have seen a few patterns stand out.

Network segmentation is the single most impactful control for OT environments. When you cannot patch, cannot install agents, and cannot upgrade operating systems, isolating those systems at the network level is the most effective protection available. It does not eliminate risk, but it dramatically reduces the blast radius of any compromise.

Consumer hardware in business environments is a false economy. The consumer switches and firewall in this environment were cheap to buy but expensive in lost productivity (stability issues), in security exposure (no visibility or control), and in the engineering time required to work around their limitations.

Single management plane matters. For organisations without dedicated IT staff, the ability to manage firewall, switching, endpoint protection, and logging from one interface is not a luxury — it is a practical necessity. The alternative is multiple consoles, multiple vendors, and multiple support contracts, which is unsustainable without a team to manage it.

Plan the transition carefully. Manufacturing environments cannot tolerate downtime during production hours. Every cutover was planned for maintenance windows, tested on non-critical systems first, and had a rollback plan. The phased approach added time to the project but protected production continuity.
