Background
A discrete manufacturing facility operating four production lines with approximately 180 OT assets including PLCs from three vendors, HMIs, VFDs, managed switches, industrial firewalls, a historian, and an MES server had completed an OT cybersecurity assessment eight months earlier. The assessment identified 42 findings and scored the facility at Level 1 on a 4-level maturity scale. The 140-page report was thorough in its diagnosis but contained no implementation roadmap.
Eight months later, not one finding had been fixed. The operations team did not know where to start. Five departments (IT, operations, engineering, maintenance, and management) each believed the work required cross-departmental coordination that nobody was authorized to lead. The result was eight months of inaction.
The Plant Director asked a straightforward question: what could be done with the firewalls, switches, and equipment already on the floor? Beacon Security was engaged to answer that question and execute.
Note: All identifying details have been removed to protect client confidentiality.
The Challenge
42 Findings with No Execution Path
The findings were listed by severity without dependency mapping. Several medium findings were prerequisites for addressing critical ones. The team had tried to tackle the critical items first and stalled immediately because foundational work had not been done.
Four Firewalls Running Default Configurations
The facility had four industrial firewalls deployed at key network boundaries during a plant expansion two years earlier. Every one of them was running in effective allow-all mode. The default "permit any any" rule at the bottom of each policy meant nothing above it was enforced. The firewalls were installed but not doing their job.
23 Managed Switches Never Hardened
VLANs had been set up by physical location (Building A, Building B) rather than by security function. Fifteen switch ports were active with nothing connected. Port security was off. Default SNMP community strings were still in use. Any device plugged into an open port would get full network access.
No Baseline of Normal Traffic
Nobody could describe what normal network behavior looked like. Without that understanding, changing any firewall rule risked breaking production. At roughly $180,000 per hour of line stoppage, the operations team was unwilling to accept that risk.
Departmental Deadlock
IT could not change firewall rules without understanding production impact. Operations could not define what to restrict without IT implementing the changes. Engineering would not sign off on network changes without validating control system behavior. This cycle had run for eight months with zero output.
Our Approach
Beacon Security executed a 14-week engagement designed to deliver quick visible wins first, building the confidence and momentum needed for larger architectural changes.
Phase 1: Traffic Baseline and Roadmap (Weeks 1-3)
Passive monitoring taps were installed at all four firewall boundaries and three key switch aggregation points. Traffic was captured over a full two-week production cycle covering all product variants, shift patterns, and batch changeovers.
The baseline captured what no network diagram had shown:
- 312 unique device-to-device communication flows identified
- 94 of those flows crossed firewall boundaries (and were all being passed through by the allow-all rules)
- 23 flows flagged as unnecessary or anomalous
- 4 undocumented cross-zone connections discovered that were not in any architecture diagram
We then built a dependency graph of the 42 assessment findings and organized execution into four waves with specific milestones and owners. For the first time, the team had a concrete action plan.
Phase 2: Firewall and Switch Hardening (Weeks 4-6)
Each firewall was rebuilt from scratch based on the traffic baseline:
- Every one of the 94 cross-boundary flows was reviewed with operations, engineering, and integrators to confirm whether it was needed
- New rule sets were built on an explicit allow-list methodology: only confirmed traffic is permitted, and everything else is denied
- Combined rule count across all four firewalls went from 847 to 304, a 64% reduction with no loss of required communications
- The default "permit any any" was removed from every firewall and replaced with a deny-all rule with logging
All four firewalls were updated one at a time during live production, not during maintenance windows. A rollback plan was prepared for each cutover. No production impact occurred on any of the four.
All 23 managed switches received a hardening baseline:
- 15 unused ports disabled
- Port security enabled with MAC address limiting on all active ports
- Default SNMP community strings replaced
- Telnet disabled, SSH enabled for management
- Logging enabled, with syslog forwarded to spare capacity on the historian server
Phase 3: Architecture Redesign (Weeks 7-9)
The network was restructured into an IEC 62443 zone and conduit model using the existing infrastructure:
Production Zone: PLCs, drives, I/O modules, and line-dedicated HMIs. No inbound connections except from the Supervisory Zone through defined conduits.
Supervisory Zone: Operator workstations, historian, and MES. Read access to production data with controlled write paths.
Engineering Zone: Engineering workstations with per-session authenticated access to the Production Zone. All sessions logged.
Enterprise DMZ: The only connection between the plant network and corporate IT. Historian replication and ERP data exchanges routed exclusively through the DMZ.
12 controlled conduits were defined with protocol-specific allow-lists and logging on every conduit.
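The flow review behind Phases 1 to 3 (baseline flows checked against the zone and conduit model, then rendered as an explicit allow-list closed by a logged deny-all) as an added example; this is not the engagement's own tooling, and the device names, zone assignments, port numbers and sample flows are all constructed for illustration.

```python
# Added example (not the engagement's own tooling): checks a constructed
# traffic baseline against an IEC 62443 zone/conduit model. All device
# names, zones, ports and flows below are constructed for illustration.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed asset-to-zone assignment using the four zones from the page
ZONES = {"plc-line1": "Production", "hmi-line1": "Production",
         "historian": "Supervisory", "eng-ws1": "Engineering",
         "dmz-relay": "EnterpriseDMZ", "erp": "Enterprise"}

# Constructed conduits: (from_zone, to_zone) -> allowed (proto, dport).
# Port numbers are assumptions for the example, not the client's values.
CONDUITS = {("Supervisory", "Production"): {("tcp", 502), ("tcp", 44818)},
            ("Engineering", "Production"): {("tcp", 44818), ("tcp", 22)},
            ("Supervisory", "EnterpriseDMZ"): {("tcp", 5432)}}

def classify(flow, zones=ZONES, conduits=CONDUITS):
    # intra: no boundary crossed; permitted: matches a conduit allow-list;
    # undocumented: crosses zones with no conduit defined for it
    src_zone, dst_zone = zones[flow.src], zones[flow.dst]
    if src_zone == dst_zone:
        return "intra"
    allowed = conduits.get((src_zone, dst_zone), set())
    return "permitted" if (flow.proto, flow.dport) in allowed else "undocumented"

def review_baseline(flows, zones=ZONES, conduits=CONDUITS):
    # The 'undocumented' bucket is what goes to operations and engineering
    # for review before the deny-all rule is switched on
    buckets = {"intra": [], "permitted": [], "undocumented": []}
    for f in flows:
        buckets[classify(f, zones, conduits)].append(f)
    return buckets

def allow_list_rules(conduits=CONDUITS):
    # One explicit allow per conduit entry, closed by a logged deny-all
    # in place of the default 'permit any any'
    rules = [f"allow {proto}/{port} from {src} to {dst}"
             for (src, dst), allowed in sorted(conduits.items())
             for proto, port in sorted(allowed)]
    return rules + ["deny any any log"]

# Constructed two-week baseline sample
BASELINE = [Flow("hmi-line1", "plc-line1", "tcp", 502),    # intra-zone
            Flow("historian", "plc-line1", "tcp", 44818),  # via conduit
            Flow("eng-ws1", "plc-line1", "tcp", 22),       # via conduit
            Flow("historian", "dmz-relay", "tcp", 5432),   # via conduit
            Flow("erp", "plc-line1", "tcp", 502),          # corporate -> PLC
            Flow("eng-ws1", "historian", "tcp", 445)]      # no conduit
```

Calling `review_baseline(BASELINE)` puts the corporate-to-PLC and engineering-to-historian flows in the undocumented bucket, which is the list that has to be justified or removed before `allow_list_rules()` replaces the allow-all policy.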
Phase 4: Workforce and Process Development (Weeks 10-12)
Four incident response playbooks were built for the most likely scenarios: ransomware reaching production, an unauthorized device on the network, suspicious vendor activity, and anomalous traffic patterns.
During a tabletop exercise for the ransomware scenario, the team's initial reaction was to shut down the entire production network. That response would have cost approximately $540,000 for a three-hour stoppage. The playbook's targeted zone isolation approach reduced the projected impact to under $60,000.
A change management process was established for all OT network and configuration changes, covering risk assessment, an approval matrix, testing requirements, and rollback procedures.
Department responsibilities were formally assigned across all five departments, with each team briefed on its specific role. This broke the eight-month deadlock that had prevented any action.
Phase 5: Validation and Handover (Weeks 13-14)
- Traffic analysis confirmed that all 312 legitimate flows were operating correctly through the hardened configurations
- All 304 firewall rules verified against documented justifications
- Tabletop exercise completed with all five departments
- Change management process tested with a live controlled configuration change
- Full documentation package handed over
Outcome
The facility moved from 42 unaddressed findings to a hardened, segmented, and operationally managed production environment in 14 weeks. The original assessment firm conducted an independent reassessment six months later and scored the facility at Level 3, up from Level 1.
Deliverables Provided:
- Finding dependency map and sequenced execution roadmap
- Hardened configurations for 4 industrial firewalls and 23 managed switches
- IEC 62443 zone and conduit architecture with 4 zones and 12 conduits
- Four incident response playbooks validated through tabletop exercises
- Change management procedure with approval matrix
- Department-level responsibility assignments
Results:
- 31 of 42 findings fully remediated, 7 partially addressed, 4 deferred with documented risk acceptance
- Firewall rules reduced from 847 to 304 (64% reduction) with full documentation
- 4 undocumented cross-zone paths eliminated
- 15 open switch ports secured
- Maturity advanced from Level 1 to Level 3 within six months
- Zero production disruptions across the entire engagement
- Total spend on new security products: zero
The methodology was adopted as the standard approach for the company's five remaining manufacturing sites.
Beacon Security takes OT security from assessment findings to operational controls. Contact us to discuss your security improvement requirements.

