
Bowen Basin Mine — OT Network Segmentation & Secure Remote Access

OT network redesign on a Bowen Basin coal operation - flat network segmented into zones, DMZ established, and secure remote access implemented ahead of a principal contractor audit.

01 Challenge

A Bowen Basin coal mine was running a flat OT network with no segmentation between the corporate IT network and production control systems. An upcoming principal contractor OT security audit had identified this as a critical finding. The mine had 6 weeks to demonstrate remediation.

02 Solution

Network architecture redesign with production zone isolation, DMZ for historian and data exchange, firewall policy governing IT-OT traffic, and a jump-host solution for secure vendor and contractor remote access. All changes implemented without production downtime.

03 Outcome

OT security audit passed. Production control network is now isolated from corporate IT. Remote access for external vendors is logged and time-limited. The mine's IT team has visibility of OT network traffic without direct access to control systems.

The problem with flat OT networks

Many industrial OT networks were designed for reliability and performance, not security. On older mine sites in particular, the network that connects PLCs, SCADA servers, historian databases, and engineering workstations is often the same network — or directly connected to the same network — as the corporate IT infrastructure.

This matters because the threat landscape for industrial sites has changed significantly. Ransomware and other malware that enters through corporate IT can traverse a flat network into OT systems. The consequences of a compromised control system on a mining operation are significantly worse than a compromised office PC.

The remediation approach

The network redesign followed a zone-and-conduit model based on IEC 62443 principles:

  • Production zone: PLCs, SCADA clients, and engineering workstations — no direct access from IT network
  • DMZ: Historian server, data replication services, and any systems that need to exchange data between zones — controlled access from both sides via firewall policy
  • IT zone: Corporate network with no direct connectivity to production zone systems

The firewall policy was developed in collaboration with the mine’s IT team, documenting exactly which traffic flows were required and for what operational purpose. This documentation became part of the audit evidence package.

Remote access for external vendors was implemented via a jump host in the DMZ — vendors authenticate to the jump host, sessions are logged and time-limited, and no direct connectivity to production zone systems is required.
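The zone-and-conduit policy described above, with the audit check that no conduit links IT directly to production and the time-limited, logged vendor path through the DMZ jump host, as an added worked example in Python. This is not the site's Fortinet configuration or any code from the project: the zone addressing, ports, jump-host address and the vendor window are constructed assumptions for illustration.

```python
"""Zone-and-conduit firewall model with audit checks.

Added example, not the site's real configuration: the zone addressing,
ports, jump-host address and vendor window below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample addressing (assumption, not from the page).
ZONES = {
    "production": ip_network("10.10.0.0/24"),  # PLCs, SCADA clients, eng. workstations
    "dmz":        ip_network("10.20.0.0/24"),  # historian, replication, jump host
    "it":         ip_network("10.30.0.0/16"),  # corporate network
    "vendor_vpn": ip_network("10.40.0.0/24"),  # site VPN pool for external vendors
}
JUMP_HOST = ip_address("10.20.0.10")          # constructed address in the DMZ


@dataclass(frozen=True)
class Conduit:
    src: str       # source zone
    dst: str       # destination zone
    proto: str
    port: int
    purpose: str   # operational reason, kept with the rule as audit evidence


# Every permitted inter-zone flow is listed explicitly; anything else is denied.
CONDUITS = (
    Conduit("production", "dmz", "tcp", 4840, "SCADA to DMZ historian over OPC-UA"),
    Conduit("it", "dmz", "tcp", 1433, "Corporate reporting reads replicated historian"),
    Conduit("vendor_vpn", "dmz", "tcp", 3389, "Vendor RDP to the jump host only"),
    Conduit("dmz", "production", "tcp", 3389, "Jump host to engineering workstations"),
)


def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, port: int) -> Optional[Conduit]:
    """Default-deny lookup for inter-zone traffic: the matching conduit or None."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None or s == d:
        return None
    for c in CONDUITS:
        if (c.src, c.dst, c.proto, c.port) == (s, d, proto, port):
            return c
    return None


def audit_violations(conduits=CONDUITS) -> List[str]:
    """Checks to run over the rule set before the audit: no direct IT/production
    conduit, vendors reach only the DMZ, and every conduit has a documented purpose."""
    problems = []
    for c in conduits:
        if {c.src, c.dst} == {"it", "production"}:
            problems.append(f"direct IT/production conduit: {c.purpose}")
        if c.src == "vendor_vpn" and c.dst != "dmz":
            problems.append(f"vendor conduit bypasses the DMZ: {c.purpose}")
        if not c.purpose.strip():
            problems.append(f"undocumented conduit: {c.src}->{c.dst}:{c.port}")
    return problems


@dataclass(frozen=True)
class VendorWindow:
    vendor: str
    start: datetime
    end: datetime   # access expires automatically; no open-ended grants


def vendor_connect(window: VendorWindow, src: str, dst: str,
                   now: datetime, log: List[str]) -> bool:
    """Admit a vendor session only inside its approved window, only to the
    jump host, and only over a permitted conduit; log every decision."""
    allowed = (window.start <= now < window.end
               and ip_address(dst) == JUMP_HOST
               and evaluate(src, dst, "tcp", 3389) is not None)
    log.append(f"{now.isoformat()} vendor={window.vendor} src={src} dst={dst} "
               f"{'ALLOW' if allowed else 'DENY'}")
    return allowed


def run_vendor_demo() -> List[str]:
    """Three constructed connection attempts against a four-hour window."""
    start = datetime(2024, 3, 4, 8, 0)
    window = VendorWindow("drive-vendor", start, start + timedelta(hours=4))
    log: List[str] = []
    vendor_connect(window, "10.40.0.7", "10.20.0.10", start + timedelta(hours=1), log)  # in window, jump host
    vendor_connect(window, "10.40.0.7", "10.10.0.5", start + timedelta(hours=1), log)   # PLC directly: denied
    vendor_connect(window, "10.40.0.7", "10.20.0.10", start + timedelta(hours=5), log)  # window expired: denied
    return log


if __name__ == "__main__":
    print("audit:", audit_violations() or "no violations")
    print(*run_vendor_demo(), sep="\n")
```

The point of keeping `purpose` on every conduit is that the rule set doubles as the flow documentation the audit asks for; `audit_violations` is the check to re-run whenever a rule is added, so a convenience rule from IT straight into production cannot creep back in unnoticed.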

Delivered without downtime

All network changes were implemented live — no production downtime was required. The segmentation was introduced progressively: VLAN configurations first, firewall rules added and verified, then the physical network connections adjusted one zone at a time. At each stage the production control systems remained connected and operational.

Technologies used

Cisco Industrial Switches, Fortinet Firewall, Windows Jump Host, VLAN Segmentation, OPC-UA, Site VPN

Similar project on your site?

Get in touch to discuss what's involved. We work across mining, sugar, manufacturing and utilities in Central Queensland.