TL;DR: Manufacturing ransomware has driven $17 billion in downtime across 858 incidents since 2018, while mature microsegmentation is associated with 71.4% faster breach containment and network segmentation is one of 12 controls insurers evaluate, according to Infosecurity Magazine, the European Journal of Computer Science and Information Technology, and Marsh McLennan. The governance question is no longer whether to segment, but whether production can stay online when IT is compromised.
At a glance
What this is: The article argues that IT/OT network segmentation lets manufacturers contain ransomware in corporate IT without forcing a production shutdown.
Why it matters: That matters because identity-bound network boundaries, privileged remote access, and device authorization decisions now determine whether a ransomware event becomes an outage, a safety issue, or a recoverable IT incident.
By the numbers:
- $17 billion in downtime costs across 858 manufacturing ransomware incidents since 2018
- 71.4% faster mean time to contain breaches with mature microsegmentation
- Network segmentation is one of 12 key controls insurers evaluate during underwriting
👉 Read Elisity's analysis of IT/OT network segmentation for manufacturing ransomware containment
Context
Manufacturing ransomware exposes a governance problem, not just a malware problem: if corporate IT and production OT can talk freely, leaders often have no safe way to contain an incident without halting operations. The primary keyword here is IT/OT network segmentation, and the article’s core claim is that enforced boundaries let organisations isolate compromise while protecting production continuity.
That intersects with identity governance because the most practical segmentation models are not just network rules, they are access rules for devices, workstations, vendors, and maintenance sessions. When engineering workstations, SCADA systems, and third-party remote access are all identity-aware, segmentation becomes a control plane for trust rather than a static VLAN exercise.
Key questions
Q: What breaks when IT and OT networks are not segmented?
A: When IT and OT are not segmented, ransomware can move from business systems into production systems, and defenders often cannot prove where compromise stops. That uncertainty turns a containment problem into an outage decision. In manufacturing, the result can be a full shutdown, lost material, delayed shipments, and higher recovery cost than the initial intrusion.
Q: Why does IT/OT segmentation matter during ransomware events?
A: IT/OT segmentation matters because it creates an enforceable boundary that limits lateral movement and preserves a clean production zone even when corporate IT is compromised. Without that boundary, teams may have no option except to stop production while they investigate. With it, responders can isolate the IT side and keep essential operations running.
Q: How do security teams know whether segmentation is actually working?
A: Security teams should verify segmentation with live traffic evidence, not just diagrams or firewall intentions. If devices, vendors, or controllers are communicating outside approved paths, the control is not working as designed. Effective programs can show that cross-zone access is narrow, justified, and continuously enforced.
Q: Who should be accountable for IT/OT segmentation decisions?
A: Accountability should sit with both security and operations leadership because segmentation affects cyber risk and production continuity at the same time. The right owners are the people who understand the business process, the controllers, and the incident response trade-offs. If those groups are not aligned before an event, containment decisions will be made under pressure.
Technical breakdown
Why flat IT/OT networks turn ransomware into a shutdown decision
In a flat environment, corporate systems, SCADA servers, PLCs, and supporting services can all reach each other through broad firewall rules or legacy routing. Once ransomware lands on a user endpoint, operators often cannot prove that production systems are clean, so the safest response becomes total isolation. That is an availability problem created by architecture, not by the malware alone. Segmentation changes the blast radius by forcing traffic through explicit enforcement points and by reducing lateral movement paths between business IT and production control systems.
Practical implication: map every IT-to-OT communication path and remove any route that is not required for a named production function.
How identity-based microsegmentation enforces device-level trust
Identity-based microsegmentation ties access to what a device or session is allowed to do, rather than where it sits on the network. A PLC can be permitted to talk only to its historian and a specific engineering workstation, while third-party access can be confined to one serviced asset. This is the difference between perimeter segmentation and continuous enforcement. It aligns with zero trust ideas because trust is evaluated at each boundary crossing, not assumed after initial connectivity is granted.
Practical implication: bind segmentation policy to device identity and service role so authorized traffic remains narrow even when IP addresses change.
Why production-critical systems need different containment rules
Not every connected system can tolerate the same response during an incident. Corporate email, ERP, and file-sharing can often be quarantined aggressively, but production lines, environmental systems, and lab equipment may require selective containment to avoid physical or material loss. The article’s practical insight is that segmentation is also business continuity engineering. When policy distinguishes between zones of different criticality, security teams can stop cross-boundary spread without turning every incident into a plant-wide outage.
Practical implication: define containment tiers for production assets in advance so incident responders know which links to sever and which to preserve.
Threat narrative
Attacker objective: The attacker objective is to force operational disruption and increase leverage by making the victim choose between ransom payment and production outage.
- Entry begins when ransomware lands in corporate IT, often through email, remote access, or another user-facing system that sits outside the production zone.
- Escalation occurs when the malware can move laterally because IT and OT are insufficiently separated, leaving operators unable to verify that the production environment is still clean.
- Impact follows as leaders choose between uncontrolled spread and a full shutdown, which disrupts manufacturing output, destroys time-sensitive production, or both.
NHI Mgmt Group analysis
IT/OT segmentation has become an availability control, not just a security control. The article shows that the real risk is not only malware spread, but forced operational shutdown when leaders cannot prove what is and is not affected. That shifts the governance conversation from perimeter defense to containment design. For manufacturers, the deciding question is whether the network can preserve production while isolating compromise.
Identity-aware segmentation is where manufacturing security and identity governance overlap most directly. The article’s strongest insight is that access for engineering workstations, remote vendors, and production controllers has to be bounded by identity and task, not just IP location. That makes privileged remote access and device trust part of segmentation policy. Practitioners should treat boundary design as an identity problem with physical consequences.
Selective containment is the concept this article sharpens most clearly. Production networks cannot be governed with the same incident assumptions as corporate IT, because a blanket kill switch can destroy biological material, delay shipments, or create safety risk. The governance model has to recognise different criticality tiers and different response thresholds. The practical conclusion is that containment rules must be pre-agreed with operations before an incident starts.
Insurers are increasingly underwriting architecture, not policy statements. The article’s reference to segmentation in underwriting shows that network boundary maturity is now a financial control as well as a technical one. That forces boards to review whether segmentation exists only on paper or is actually enforceable. The practitioner takeaway is to treat segmentation evidence as part of cyber risk reporting and renewal preparation.
Manufacturing ransomware exposes a shared failure mode: the absence of an enforceable trust boundary between enterprise IT and production OT. That boundary gap is the named governance concept this article makes visible. When the boundary is unclear, incident response becomes guesswork and containment becomes a plant-wide decision. Teams should audit where they are still relying on informal separation instead of enforceable policy.
What this signals
Manufacturers should expect segmentation to be treated less like an architecture preference and more like an evidence-backed control during renewal, audit, and incident reviews. The practical signal is simple: if you cannot show enforceable boundaries, you cannot show resilient containment.
Containment debt: this is the accumulated gap between where production systems are connected today and where they need to be isolated to survive ransomware without shutdown. Organisations that leave this debt unpaid are effectively betting that attackers will never reach the wrong side of the boundary.
The next maturity step is to operationalise segmentation as part of incident response, not just network design. That means maintaining current traffic maps, approved cross-zone pathways, and escalation rules that preserve production while isolating compromised IT.
For practitioners
- Define and test the IT-to-OT boundary Document every permitted path between business IT and production OT, then remove any cross-zone communication that is not required for an explicit production process. Use the boundary to contain compromise, not to mirror the flat network in policy form.
- Assign identity to engineering access Require verified identity for engineering workstations and vendor maintenance sessions, and limit each one to the specific controllers or servers it needs. This stops remote access from becoming a lateral movement path across production zones.
- Prebuild containment tiers for critical assets Create different isolation rules for email, ERP, SCADA, lab systems, and life-critical production lines so responders know what to preserve during an incident. The goal is selective containment that protects output without giving ransomware free movement.
- Validate segmentation with live traffic maps Review actual east-west traffic, vendor connections, and device-to-device flows before an incident forces the issue. Real network maps often reveal forgotten trust paths that policy documents missed.
Key takeaways
- IT/OT segmentation changes ransomware response from a shutdown decision into a containment decision.
- The article’s strongest evidence is that flat network design creates the uncertainty that forces production stoppages.
- The practical control is an enforceable trust boundary with identity-aware access for every cross-zone connection.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Segmentation limits who and what can reach production assets. |
| NIST SP 800-53 Rev 5 | SC-7 | Boundary protection is central to the IT/OT separation model in this article. |
| CIS Controls v8 | CIS-12 , Network Infrastructure Management | Network infrastructure control supports segmented manufacturing environments. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | Ransomware spread and production disruption are the key threat stages here. |
| NIST Zero Trust (SP 800-207) | The article aligns with zero trust boundary enforcement and continuous verification. |
Map segmentation gaps to lateral movement and impact tactics, then remove unnecessary paths.
Key terms
- IT/OT Network Segmentation: The separation of corporate information technology networks from operational technology networks so compromise in one environment does not automatically spread to the other. In manufacturing, it protects controllers, SCADA systems, and production lines by limiting which devices can communicate across the boundary.
- Identity-Based Microsegmentation: A segmentation approach that grants network access based on device identity, role, and authorization rather than simple network location. It is useful where IP addresses change or where policy must follow the workload, engineering workstation, or vendor session across the environment.
- Selective Containment: An incident response approach that isolates only the affected portion of an environment while preserving safe business or production operations elsewhere. It is especially relevant in manufacturing, where an all-or-nothing shutdown can create more harm than the intrusion itself.
- Operational Technology: The hardware and software that monitor or control physical processes, such as PLCs, SCADA platforms, sensors, and production-line controllers. OT differs from business IT because availability, safety, and process integrity often matter as much as confidentiality.
What's in the full article
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- Policy examples for IT-to-OT boundary enforcement across corporate networks and production controllers
- How identity-based microsegmentation is implemented on existing switching infrastructure without production agents
- Insurance and underwriting considerations, including how segmentation evidence affects risk discussions
- Practical examples for isolating SCADA, lab, plasma line, vendor, and environmental systems
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management in the context of modern access control. It helps practitioners connect identity decisions to the broader security programmes that protect production, cloud, and enterprise environments.
Published by the NHIMG editorial team on 2026-04-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org