Enhancing OT Network Security with a Comprehensive Systems Upgrade
- GPA

- Oct 6
A major paper mill faced growing concerns about the security of its flat, minimally segmented Operational Technology (OT) network. Though stability issues were minor, the mill prioritized strengthening cybersecurity to protect critical infrastructure.
The Challenge
The mill’s existing OT environment consisted of a flat network architecture* with no VLAN segmentation, leaving the system vulnerable to potential cyber threats. The lack of network segmentation risked lateral movement by attackers and complicated efforts to enforce strict access control. The site needed a robust network overhaul designed with industrial cybersecurity best practices to improve both security and operational reliability.

GPA's Solution
GPA collaborated closely with the site to design and execute a complete OT network upgrade compliant with the NIST SP 800** industrial networking standards. These guidelines emphasize segmentation, access control, continuous monitoring, and risk management to reduce vulnerabilities and safeguard operational environments from cyber threats.
The key elements of the solution included:
- Installation of a pair of firewalls configured in high availability (HA) failover mode to separate the OT network from the corporate IT network, ensuring continuous security even during device failure.
- Design and implementation of a fully VLAN-based logical network segmentation strategy, with each segment assigned a distinct IP address space to isolate and protect specific OT functions.
- Development of precise firewall rules to restrict communication between VLANs, allowing only essential traffic required for critical business operations while minimizing attack surface.
- A detailed re-addressing effort to update IP schemes across the majority of OT devices and systems to align with the new segmented network infrastructure.
- Reconfiguration of OT network switching to support the new logical VLAN infrastructure. Removal of unmanaged switching and replacement with managed switching for segmentation and extended network visibility.
- Comprehensive testing of firewall deployment and inter-segment communication before going live during the mill’s planned annual outage to minimize operational disruption.
- Creation of thorough network documentation and updated drawings reflecting the new segmentation, IP schema, firewall configurations, and network topology to support ongoing management and future upgrades.
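A pre-cutover check of the kind of segmentation plan and rule set listed above, as an added example that is not GPA's or the mill's configuration: it confirms the segments use distinct address space and runs a flow test matrix against a default-deny inter-VLAN allowlist. All segment names, subnets, ports and test flows are constructed assumptions.

```python
import ipaddress

# Constructed plan: segment names and subnets are assumptions, not from the case study.
SEGMENTS = {
    "corp_it":      ipaddress.ip_network("10.10.0.0/16"),
    "ot_control":   ipaddress.ip_network("172.16.10.0/24"),
    "ot_hmi":       ipaddress.ip_network("172.16.20.0/24"),
    "ot_historian": ipaddress.ip_network("172.16.30.0/24"),
}
# Inter-segment allowlist (src, dst, protocol, dst port); anything not listed is denied.
ALLOW = {
    ("ot_hmi", "ot_control", "tcp", 502),         # Modbus/TCP, HMI to controller
    ("ot_control", "ot_historian", "tcp", 4840),  # OPC UA, controller to historian
    ("corp_it", "ot_historian", "tcp", 443),      # read-only reporting from IT
}

def overlapping_segments(segments):
    """Return pairs of segments whose address space overlaps (should be empty)."""
    names = sorted(segments)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if segments[a].overlaps(segments[b])]

def segment_of(ip, segments=SEGMENTS):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in segments.items() if addr in net), None)

def decide(src_ip, dst_ip, proto, port):
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny"            # address outside the plan, e.g. a device not yet re-addressed
    if src == dst:
        return "intra-segment"   # assumed to stay on the VLAN and not cross the firewall
    return "allow" if (src, dst, proto, port) in ALLOW else "deny"

# Constructed test matrix: (src, dst, protocol, port, expected decision).
TEST_MATRIX = [
    ("172.16.20.15", "172.16.10.5", "tcp", 502, "allow"),
    ("172.16.10.5", "172.16.20.15", "tcp", 502, "deny"),   # reverse direction not listed
    ("10.10.4.20", "172.16.10.5", "tcp", 502, "deny"),     # IT must not reach controllers
    ("10.10.4.20", "172.16.30.8", "tcp", 443, "allow"),
    ("192.168.1.50", "172.16.10.5", "tcp", 502, "deny"),   # leftover flat-network address
]

def failed_cases(matrix=TEST_MATRIX):
    """Return (case, actual decision) for every flow that does not match its expectation."""
    return [(c, decide(*c[:4])) for c in matrix if decide(*c[:4]) != c[4]]

if __name__ == "__main__":
    print("overlaps:", overlapping_segments(SEGMENTS))
    print("failed cases:", failed_cases())
```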
Deployment and Results
The deployment involved installing the firewall devices, configuring VLANs and routing, and executing the IP address overhaul per the segmentation design. This process strengthened network security by creating robust boundaries between OT systems and corporate IT, limiting unauthorized access and increasing threat containment capabilities.
Key benefits realized included:
- A strong, NIST-backed security architecture reducing vulnerability to cyber-attacks.
- Improved network stability with clearly defined, manageable segmentation.
- Enhanced control over inter-device communication through firewall governance.
- Seamless migration coordinated with the mill’s maintenance schedule, avoiding downtime.
- A future-proofed OT network infrastructure ready to support ongoing security and operational needs.
Conclusion

This comprehensive OT network systems upgrade project exemplifies how adopting industry cybersecurity frameworks such as NIST SP 800 and implementing logical segmentation can transform a flat, minimally secure network into a resilient, segmented, and highly secure operational environment. GPA’s expertise ensured a smooth transition that met the mill’s security and reliability goals with minimal disruption.

*A flat network can be described as an outdated network design in which all devices reside on the same subnet, with no internal segmentation or security controls such as firewalls or VLANs.
**The NIST SP 800 standards provide a comprehensive framework to help organizations protect their critical systems by defining how to securely design, monitor, and manage network infrastructure.




