Network Security Implementation – Full Story

When I was working for a manufacturing company, in-office, I quickly noticed that the company had a completely flat network everywhere: every device, from the storefront point-of-sale systems to production machinery to office computers, sat on the same network segment.

When I raised concerns about this with leadership, I was told that an “experienced” vendor consultant had assured them 3 months prior to my arrival that there were no security risks with this configuration. This was despite the fact that retail point-of-sale systems handling customer payment data were on the same network as CNC machines and manufacturing equipment worth hundreds of thousands of dollars.

I had already recently set up a comprehensive monitoring system using Zabbix with anomaly detection capabilities. This gave us insight into network traffic patterns and helped identify suspicious activity like port scanning or reconnaissance attempts. Although we had no active threats, I was still able to use this data to show exactly how things were connected, how they could be exploited, and how implementing VLANs could greatly reduce our attack surface.

Then I began the work of logically separating the network into multiple VLANs – guest networks isolated from production systems, retail point-of-sale systems separated from corporate networks, and manufacturing equipment protected from general office traffic.
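As an added illustration (not code from the original post), here is a small default-deny inter-VLAN policy check in Python, run over constructed flows to show which traffic the flat network allowed that the segmented design blocks. The VLAN address ranges, the single permitted office-to-manufacturing flow, and the sample flows are all assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed VLAN plan mirroring the segmentation described above (address ranges are assumed).
VLANS = {
    "guest": ip_network("10.40.0.0/24"),
    "office": ip_network("10.10.0.0/24"),
    "pos": ip_network("10.20.0.0/24"),
    "manufacturing": ip_network("10.30.0.0/24"),
}

# Explicit inter-VLAN allow list as (src_vlan, dst_vlan, dst_port); everything else is denied.
# Assumed example: office workstations may reach one job server in manufacturing on one port,
# and nothing outside the POS VLAN may reach the POS systems at all.
ALLOW = {
    ("office", "manufacturing", 8080),
}


def vlan_of(ip):
    """Map an address to its VLAN name, or None if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Evaluate one flow against the inter-VLAN policy (default deny)."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address: deny
    if src == dst:
        return True  # intra-VLAN traffic is not filtered by this policy
    return (src, dst, dst_port) in ALLOW


def audit(flows):
    """Split a batch of (src_ip, dst_ip, dst_port) flows into allowed and blocked lists."""
    allowed, blocked = [], []
    for flow in flows:
        (allowed if is_allowed(*flow) else blocked).append(flow)
    return allowed, blocked


# Constructed flows representing what the flat network used to permit freely.
SAMPLE_FLOWS = [
    ("10.40.0.15", "10.30.0.5", 502),   # guest -> CNC controller: blocked
    ("10.10.0.7", "10.20.0.3", 445),    # office -> POS file sharing: blocked
    ("10.10.0.7", "10.30.0.9", 8080),   # office -> manufacturing job server: allowed
    ("10.20.0.3", "10.20.0.4", 443),    # POS -> POS (intra-VLAN): allowed
    ("10.40.0.15", "10.10.0.7", 3389),  # guest -> office remote desktop: blocked
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS)[1]:
        print("BLOCKED", flow)
```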

I had laid the groundwork for future stability – the monitoring infrastructure was in place, the initial VLAN structure was defined, and leadership now understood why network segmentation mattered for security.