Most Indian manufacturers we work with discover the cost of a flat network the hard way. This whitepaper shows the segmentation patterns that survive a real incident, anchored to the Purdue model and adapted for the realities of legacy PLCs, vendor support contracts, and patch-cycle constraints common in Indian plants.

1. Why flat networks keep losing

When a corporate-IT phishing victim's laptop sits two ARP hops from a plant historian, a single credentialed adversary can pivot from email to MES in minutes. The 2024–2025 wave of LockBit and Akira campaigns we've responded to in Maharashtra and Gujarat all shared this same shape — flat L2, no DMZ, plant credentials reused on corporate workstations.

73%

of manufacturer DFIR cases lacked OT/IT segmentation

11h

median dwell time before MES exposure

₹2.8Cr

median containment + recovery cost

2. The Purdue model, adapted for Indian plants

The classical Purdue Enterprise Reference Architecture stays the right scaffolding. But a 2008-vintage shop-floor with PLCs that can't tolerate active scanning needs adaptation, not dogma.

Level	Function	Indian-plant reality
L0–L2	Field devices, PLCs, HMIs	Legacy SCADA on Windows XP / 7 — passive monitoring only
L3	Site control + MES	Often Windows Server 2012 — patch on quarterly maintenance windows
L3.5	Industrial DMZ	Rarely present; create as the FIRST hardening step
L4	Site business network	ERP, plant scheduling, vendor remote-support
L5	Enterprise network	Corporate IT, email, internet

3. Three implementation patterns that work in Indian plants

Pattern A — Hardware DMZ with one-way replication: corporate IT pulls plant telemetry into a DMZ, never the other way. Best for new plants.
Pattern B — VLAN + ACL segmentation with jump-host: cheap retrofit for existing flat networks; needs disciplined ACL hygiene.
Pattern C — SDP / ZTNA overlay: software-defined perimeter for vendor remote-support; pairs well with pattern A or B.

4. The five mistakes auditors flag most

Vendor remote-support tunnels that bypass the DMZ — usually IT-only knows about half of them.
Shared service accounts between corporate Active Directory and plant Active Directory.
Backup network reachable from corporate IT — defeats the entire segmentation premise on incident.
PLC management ports open across L3 — most operators leave Modbus and OPC-UA on default ACLs.
Patch-cycle exceptions that never expire — every quarterly skip becomes a permanent gap.

Backup network is part of the segmentation perimeter.

If your corporate domain admin can reach backup storage, your backups are not safe in a ransomware scenario. The 11-hour-containment manufacturer case study from 2025 hinged on backups being writable from compromised tier-1 admin accounts.

5. Six-step rollout sequence

Step 1 · Inventory
Build an asset register covering every PLC, HMI, historian and engineering workstation. Passive discovery only.
Step 2 · Communication map
Document required east-west and north-south flows before designing controls.
Step 3 · DMZ instantiation
Stand up the L3.5 industrial DMZ as a hardware firewall, not a VLAN-only construct.
Step 4 · Identity separation
Plant AD / corporate AD become independent forests with one-way trust at most.
Step 5 · Vendor access controls
Replace VPN-into-corporate with SDP/ZTNA terminating in the DMZ. Per-vendor logging.
Step 6 · Tabletop + IR drill
Run a ransomware tabletop where corporate IT is presumed compromised. Confirm OT survives.

Engage Macksofy

Need this in production, not on paper?

Macksofy offers full-service engagements that map directly to this resource. Common starting points:

Or talk to a senior consultant — fixed-price proposal in 48 hours.