Chapter 10

Nick Chopper Segments the Yellow Brick Plant Floor

Nick Chopper, OT Engineer at Yellow Brick Manufacturing, has finally been given budget and executive backing to fix the plant's industrial cybersecurity posture. The site runs six aluminum extrusion lines, four of them anchored by 1998-era Allen-Bradley ControlLogix PLCs driving 800°C presses. Today, those lines sit on the same flat network as the corporate file servers, payroll, and a forgotten internet-exposed remote-access PC that a vendor used during the pandemic and never disconnected.

The CISO has been clear: production cannot stop, no PLC can be replaced this year, and safety regulators must sign off on any change that touches a control loop. Within those constraints, Nick must produce a defensible IT/OT segmentation plan, harden the legacy industrial PCs that cannot be patched, and bring the wireless infrastructure used by warehouse handhelds and building HVAC under proper control. He also needs a compensating-control playbook for the third-party vendors who insist on retaining remote-support access under their service contracts.

Complete Nick's plan by selecting the correct option for each blank.

Nick begins by mapping the existing environment without touching anything that could disturb production. Because actively probing a 1998 PLC has a real chance of crashing it, his asset-inventory tool uses ____ rather than active scanning, listening at SPAN ports for thirty days before any change is made.

The core of the plan is a layered architecture aligned to the ____, with an industrial DMZ inserted between the corporate IT network and the OT environment. All north-south traffic between IT and OT must traverse this DMZ — no direct connections are permitted. Inside the OT zone, each assembly line becomes its own segment per the zone-and-conduit logic of the international standard ____.

The top priority of the design is not confidentiality but ____, because a mis-issued control command on the extrusion press has produced operator injuries in the plant's history and could do so again. This inverted priority order is what differentiates OT security architecture from IT.

For the Windows XP industrial PCs that cannot be upgraded without recertifying the entire line, Nick deploys ____ so that only the small fixed set of approved engineering applications can execute. He also strips writeable USB capability except by formal exception — recognizing that USB has been the canonical vector for compromising air-gapped OT systems ever since ____ in 2010.

Vendor remote support cannot be eliminated under existing service contracts, so Nick replaces the forgotten internet-facing PC with a properly engineered ____ that enforces multi-factor authentication, time-boxes each session to the scheduled change window, and records full keystroke and screen video of every vendor connection for later audit.

For the warehouse handhelds and the building HVAC controllers that connect over wireless, Nick rolls out a segmented WLAN. The corporate-employee SSID uses ____ for mutual certificate-based authentication with forward secrecy, while the building-systems SSID is mapped to its own ____ with egress-only firewall rules to the vendor cloud and client isolation enforced at the wireless controller.

Finally, for the eight specific PLCs that the vendor will never patch again because the product line was retired in 2009, Nick documents the architectural protections as formal ____ — network isolation, protocol-aware OT firewalls, passive monitoring, jump-host-only administrative access — and pairs each one with a tracked entry on the multi-year ____ so that the executive committee has continuous visibility into how long this technical debt is expected to remain.
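As an added example that is not part of the original exercise, the Python below encodes the plan's conduit rules (DMZ-only IT/OT traffic, one segment per line, egress-only building WLAN, jump-host-only PLC administration) as a policy check that can be run over a proposed firewall rule set before anything is pushed to the plant. Zone names such as `vendor_jump_host` and `building_systems_wlan`, the `purpose` labels, and the default-deny between extrusion lines are assumptions, not values from the page.

```python
"""Conduit-policy checker for the Yellow Brick segmentation plan (added example)."""
from dataclasses import dataclass

# Zone names are assumed for this example; six extrusion lines, one segment each.
OT_LINES = {f"ot_line_{n}" for n in range(1, 7)}
CORP_IT = "corporate_it"
DMZ = "industrial_dmz"
JUMP_HOST = "vendor_jump_host"          # assumed name for the vendor remote-access path
BUILDING_WLAN = "building_systems_wlan" # assumed name for the HVAC/handheld SSID segment
VENDOR_CLOUD = "hvac_vendor_cloud"      # assumed external destination for HVAC telemetry


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    purpose: str = ""   # free text; "admin" marks an administrative session


def is_ot(zone: str) -> bool:
    return zone in OT_LINES


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one proposed conduit between zones."""
    s, d = flow.src, flow.dst
    # Rule 1: no direct IT<->OT path; every north-south conduit terminates in the DMZ.
    if CORP_IT in (s, d) and (is_ot(s) or is_ot(d)):
        return False, "IT/OT traffic must traverse the industrial DMZ"
    # Rule 2 (assumed default-deny): a compromised line must not reach another line.
    if is_ot(s) and is_ot(d):
        return False, "each extrusion line is its own segment"
    # Rule 3: building-systems WLAN is egress-only to the vendor cloud; nothing enters it.
    if d == BUILDING_WLAN:
        return False, "building-systems WLAN accepts no inbound conduits (client isolation)"
    if s == BUILDING_WLAN:
        return d == VENDOR_CLOUD, "building-systems WLAN egress is limited to the vendor cloud"
    # Rule 4: administrative access to a PLC segment only from the jump host.
    if is_ot(d) and flow.purpose == "admin":
        return s == JUMP_HOST, "administrative access to PLC segments is jump-host-only"
    # Rule 5: conduits that terminate in the DMZ, or jump host into a line, are permitted.
    if DMZ in (s, d) or (s == JUMP_HOST and is_ot(d)):
        return True, "conduit terminates in the DMZ or jump host"
    return False, "default deny"


def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every proposed flow the plan would reject, with the violated rule."""
    return [(f, why) for f in flows for ok, why in [evaluate(f)] if not ok]


# Constructed sample rule set; three of these violate the plan.
PROPOSED_RULES = [
    Flow(CORP_IT, DMZ, "data export"),
    Flow(DMZ, "ot_line_3", "data collector"),
    Flow(CORP_IT, "ot_line_1", "legacy engineering share"),   # bypasses the DMZ
    Flow("ot_line_2", "ot_line_5", "shared HMI"),             # crosses line segments
    Flow(JUMP_HOST, "ot_line_4", "admin"),
    Flow(BUILDING_WLAN, VENDOR_CLOUD, "HVAC telemetry"),
    Flow(CORP_IT, BUILDING_WLAN, "admin"),                    # inbound to isolated WLAN
]

if __name__ == "__main__":
    for flow, why in audit(PROPOSED_RULES):
        print(f"REJECT {flow.src} -> {flow.dst} ({flow.purpose}): {why}")
```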