The Challenge: A Flat Network Crippling Production
This Nashville-area precision manufacturer runs three CNC production lines, two robotic welding cells, and a climate-controlled quality lab - all dependent on network connectivity. With 120 employees and $40K+ in daily shipments, reliable infrastructure isn't a convenience; it's what keeps the operation running. When we first walked the facility, the problems were immediately visible.
Weekly Outages from Network Conflicts
The plant was losing an average of four hours of production every week to network-related outages. A single unmanaged switch daisy-chained to a consumer-grade router served the entire facility. IP conflicts between office workstations and CNC controllers caused cascading failures. When the network dropped, CNC machines mid-cycle would fault out, scrapping parts and requiring lengthy recalibration. The maintenance team had resorted to keeping a handwritten log of "bad ports" on the switch - ports that seemed to cause more problems than others.
No Segmentation Between Office and Production Floor
The most critical issue was the complete lack of network segmentation. Office IT traffic - email, web browsing, file downloads - shared the same flat network as production floor OT systems. CNC controllers, PLCs, and the robotic welding cells all sat on the same subnet as employee laptops, so any laptop, and anything running on it, had direct layer-2 reach to every controller. A single employee plugging in a personal device could saturate the network and halt production. There was no firewall between office and production, no traffic prioritization, and no visibility into what was happening on the network.
Customer Security Audit Requirement Looming
The manufacturer's largest customer - a defense subcontractor accounting for 35% of annual revenue - notified them that a cybersecurity audit would be required for contract renewal. The customer mandated network segmentation, endpoint protection, an incident response plan, and documented access controls. Without these, the contract would not be renewed. The manufacturer had no internal IT staff to address it.
The Transformation: Network Redesign with OT/IT Segmentation
We designed a four-phase engagement to address production reliability while building toward the security posture required to pass the customer audit. Every phase was planned around production schedules - no changes during active shifts, no disruption to shipment deadlines.
Phase 1 - Assessment and Network Mapping
Before touching a single cable, we spent two weeks documenting the existing environment. We mapped every device on the network - 47 office endpoints, 12 CNC controllers, 8 PLCs, 2 robotic welding systems, 14 IP cameras, and a handful of rogue personal devices that had no business on a manufacturing network. This assessment revealed the root causes: broadcast storms from the flat topology, IP address exhaustion from a poorly sized subnet, and zero network monitoring. We delivered a detailed findings report and remediation roadmap before moving forward.
Phase 2 - Ubiquiti Infrastructure Deployment
We replaced the entire network backbone with enterprise-grade Ubiquiti UniFi equipment. A UDM Pro SE serves as the gateway, firewall, and central management controller. Two USW-Pro-48-PoE switches handle the production floor, with a USW-Pro-24-PoE dedicated to the office. Six U6 Pro access points provide full wireless coverage across the 45,000-square-foot facility - including the warehouse and loading dock where Wi-Fi previously didn't reach. All equipment was installed during a planned weekend maintenance window with zero production impact. The new networking infrastructure delivered immediate improvements: gigabit connectivity to every endpoint, redundant uplinks, and centralized management.
Phase 3 - VLAN Segmentation
This was the core of the engagement. We designed and implemented four distinct VLANs with strict firewall rules between them:
- Production OT (VLAN 10): CNC controllers, PLCs, robotic welding cells, and quality lab instruments. Completely isolated from internet access. Only permitted to open connections to the on-premises CAM server and the SCADA monitoring system; because the gateway firewall is stateful, replies to those connections are the only traffic that flows back in. No inbound connections from any other VLAN.
- Office IT (VLAN 20): Employee workstations, printers, and the ERP system. Standard internet access with content filtering. Permitted read-only access to production monitoring dashboards but no direct communication with OT devices.
- Guest (VLAN 30): Customer visitors and vendor technicians. Internet-only access with bandwidth throttling. Completely isolated from all internal resources. Captive portal with terms of use.
- Management (VLAN 99): Network infrastructure devices, security cameras, and monitoring systems. Accessible only from designated admin workstations with MFA. All management traffic encrypted.
Firewall rules enforce strict inter-VLAN policies: traffic between VLANs is denied unless a documented rule permits it. Production OT cannot reach the internet, office users cannot access production equipment, and guest devices are fully sandboxed. On UniFi gateways this has to be built explicitly, since inter-VLAN routing is allowed out of the box, and the deny rules must sit ahead of any broad allow in the rule list or the isolation silently fails. Every rule was documented for the upcoming security audit.
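The four VLAN descriptions above are, in effect, a policy specification, and the audit wanted proof that the rule list implements it. The following is an added example (not the engagement's configuration or anything exported from the UDM) that models the policy as an ordered, first-match rule list and checks it against the flows the descriptions promise. The subnets, the placement of the CAM server and SCADA host on the management VLAN, the admin workstation range, and the ports are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed subnets for the four VLANs (the page gives VLAN IDs, not addressing).
VLANS = {
    10: ip_network("10.10.0.0/24"),  # Production OT
    20: ip_network("10.20.0.0/24"),  # Office IT
    30: ip_network("10.30.0.0/24"),  # Guest
    99: ip_network("10.99.0.0/24"),  # Management
}
ANY = ip_network("0.0.0.0/0")
# Assumed placement: CAM server and SCADA host live on the management VLAN,
# and the designated admin workstations occupy a small office-VLAN range.
CAM_SERVER = ip_network("10.99.0.10/32")
SCADA = ip_network("10.99.0.11/32")
ADMIN_WORKSTATIONS = ip_network("10.20.0.248/29")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches every destination port
    note: str = ""


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def flow(src: str, dst: str, dport: int) -> Flow:
    return Flow(ip_address(src), ip_address(dst), dport)


# Ordered like a gateway rule list: first match wins. Rules apply to new
# connections; a stateful firewall lets the replies back without extra rules.
POLICY: List[Rule] = [
    Rule("allow", VLANS[10], CAM_SERVER, note="OT -> CAM server"),
    Rule("allow", VLANS[10], SCADA, note="OT -> SCADA"),
    Rule("deny", VLANS[10], ANY, note="OT -> nothing else, internet included"),
    Rule("allow", VLANS[20], SCADA, 443, note="office -> monitoring dashboard"),
    Rule("allow", ADMIN_WORKSTATIONS, VLANS[99], note="admin workstations -> management"),
    Rule("deny", VLANS[20], VLANS[10], note="office -> OT"),
    Rule("deny", VLANS[20], VLANS[99], note="office -> management"),
    Rule("allow", VLANS[20], ANY, note="office -> internet"),
    *[Rule("deny", VLANS[30], net, note=f"guest -> VLAN {vid}") for vid, net in VLANS.items()],
    Rule("allow", VLANS[30], ANY, note="guest -> internet"),
    Rule("deny", ANY, ANY, note="explicit default deny"),
]


def evaluate(rules: List[Rule], f: Flow, default: str = "allow") -> str:
    """First-match evaluation. The default mirrors a UniFi gateway, which routes
    between VLANs unless a rule says otherwise, so the final deny-all matters."""
    for r in rules:
        if f.src in r.src and f.dst in r.dst and (r.dport is None or r.dport == f.dport):
            return r.action
    return default


# The behaviour the four VLAN descriptions promise, written as testable flows.
EXPECTED: List[Tuple[str, Flow, str]] = [
    ("OT -> CAM server", flow("10.10.0.21", "10.99.0.10", 445), "allow"),
    ("OT -> SCADA", flow("10.10.0.21", "10.99.0.11", 443), "allow"),
    ("OT -> internet", flow("10.10.0.21", "198.51.100.7", 443), "deny"),
    ("office -> dashboard", flow("10.20.0.55", "10.99.0.11", 443), "allow"),
    ("office -> PLC", flow("10.20.0.55", "10.10.0.21", 502), "deny"),
    ("office -> switch mgmt", flow("10.20.0.55", "10.99.0.2", 22), "deny"),
    ("admin -> switch mgmt", flow("10.20.0.250", "10.99.0.2", 22), "allow"),
    ("office -> internet", flow("10.20.0.55", "198.51.100.7", 443), "allow"),
    ("guest -> internet", flow("10.30.0.9", "198.51.100.7", 443), "allow"),
    ("guest -> CAM server", flow("10.30.0.9", "10.99.0.10", 445), "deny"),
    ("guest -> office printer", flow("10.30.0.9", "10.20.0.30", 9100), "deny"),
    ("camera -> office", flow("10.99.0.50", "10.20.0.55", 445), "deny"),
]


def audit(rules: List[Rule], default: str = "allow") -> List[Tuple[str, str, str]]:
    """Return (flow, expected, actual) for every expectation the rule set violates."""
    return [(name, want, got) for name, f, want in EXPECTED
            if (got := evaluate(rules, f, default)) != want]


def move_to_front(rules: List[Rule], note: str) -> List[Rule]:
    """Simulate the common mistake of placing a broad allow above the specific denies."""
    picked = next(r for r in rules if r.note == note)
    return [picked] + [r for r in rules if r is not picked]


if __name__ == "__main__":
    print("documented order:", audit(POLICY) or "all expectations hold")
    print("broad allow first:", audit(move_to_front(POLICY, "office -> internet")))
    print("final deny removed:", audit(POLICY[:-1]))
```

Two failure modes are worth running deliberately: moving the "office -> internet" allow above the office denies lets office hosts reach PLCs and switch management, and dropping the final deny-all leaves the management VLAN free to initiate connections into the office because the gateway's own default is allow. A table like EXPECTED, kept next to the rule export, is also a compact way to show an auditor that each documented control was tested rather than just configured.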
Phase 4 - Monitoring and Incident Response
With the network architecture in place, we deployed comprehensive monitoring and security tooling. Wazuh serves as the SIEM, collecting logs from every network device, endpoint, and server. Microsoft Defender for Endpoint was rolled out to all office workstations, with alerts feeding into Wazuh for centralized correlation. Network traffic monitoring through the UDM Pro provides real-time visibility into bandwidth utilization, device connectivity, and anomalous traffic patterns.
We wrote a formal incident response plan tailored to the manufacturing environment - covering scenarios from ransomware to a production network breach. The plan defines roles, escalation paths, containment procedures, and communication protocols. We conducted a tabletop exercise with plant leadership to walk through the plan before finalizing it. As part of our managed IT services engagement, our team monitors the network 24/7 with automated alerting and a guaranteed 15-minute response time for critical production issues.
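The rogue-device alerting described for this engagement rests on the Phase 1 inventory: a device is only "unauthorized" relative to a list of what is supposed to be on each segment. The following is an added example, not the engagement's tooling or a Wazuh rule, that compares a snapshot of connected clients against such an inventory. It flags unknown hardware, known hardware that shows up on the wrong VLAN (a PLC patched into the office switch is treated as critical), and separately labels randomized Wi-Fi MACs, which phones and laptops present by default and which never match a hardware inventory. The inventory, MAC addresses, and record layout are constructed for the example and are not UniFi's export format.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

OT, OFFICE, GUEST, MGMT = 10, 20, 30, 99

# Approved inventory from the device map: MAC -> (description, VLAN it belongs on).
# Constructed entries; the MACs are made up.
INVENTORY: Dict[str, Tuple[str, int]] = {
    "00:1a:2b:10:00:01": ("CNC controller 1", OT),
    "00:1a:2b:10:00:02": ("PLC, weld cell A", OT),
    "3c:4d:5e:20:00:10": ("office workstation 10", OFFICE),
    "3c:4d:5e:20:00:11": ("office printer", OFFICE),
    "b4:fb:e4:99:00:05": ("IP camera, loading dock", MGMT),
}


@dataclass(frozen=True)
class Observed:
    """One client as seen by the controller (this script's own shape, not a UniFi export)."""
    mac: str
    ip: str
    vlan: int
    location: str  # switch port or access point


@dataclass(frozen=True)
class Alert:
    severity: str
    mac: str
    reason: str


def is_randomized_mac(mac: str) -> bool:
    """Locally administered bit (0x02 in the first octet) set: a private Wi-Fi
    address from a phone or laptop, which will never match a hardware inventory."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def check_clients(observed: List[Observed],
                  inventory: Dict[str, Tuple[str, int]] = INVENTORY) -> List[Alert]:
    alerts: List[Alert] = []
    for c in observed:
        mac = c.mac.lower()
        if mac in inventory:
            desc, allowed_vlan = inventory[mac]
            if c.vlan != allowed_vlan:
                # Known device on the wrong segment: a mis-patched port, or equipment
                # moved across the OT boundary. Anything touching OT is critical.
                sev = "critical" if OT in (c.vlan, allowed_vlan) else "high"
                alerts.append(Alert(sev, mac,
                    f"{desc} seen on VLAN {c.vlan}, approved for VLAN {allowed_vlan} ({c.location})"))
            continue
        if c.vlan == GUEST:
            continue  # the guest VLAN exists to hold unknown devices
        sev = "critical" if c.vlan in (OT, MGMT) else "medium"
        kind = "randomized-MAC client" if is_randomized_mac(mac) else "unknown device"
        alerts.append(Alert(sev, mac, f"{kind} on VLAN {c.vlan} ({c.location})"))
    return alerts


# Constructed snapshot of connected clients.
SAMPLE: List[Observed] = [
    Observed("00:1A:2B:10:00:01", "10.10.0.21", OT, "sw-floor-1 port 3"),      # as inventoried
    Observed("3c:4d:5e:20:00:10", "10.20.0.55", OFFICE, "sw-office port 7"),   # as inventoried
    Observed("00:1a:2b:10:00:02", "10.20.0.77", OFFICE, "sw-office port 12"),  # PLC patched into the office switch
    Observed("e8:9f:6d:33:44:55", "10.10.0.88", OT, "sw-floor-2 port 40"),     # unknown hardware on the OT segment
    Observed("06:7a:11:22:33:44", "10.20.0.90", OFFICE, "ap-warehouse"),       # personal phone on office Wi-Fi
    Observed("a2:bb:cc:dd:ee:ff", "10.30.0.9", GUEST, "ap-lobby"),             # visitor, expected
]

if __name__ == "__main__":
    for a in check_clients(SAMPLE):
        print(f"[{a.severity}] {a.mac}: {a.reason}")
```

Run against the constructed snapshot this produces two critical alerts (the relocated PLC and the unknown device on the OT segment) and one medium alert for the randomized-MAC phone on the office Wi-Fi, while the visitor on the guest VLAN is ignored. Emitting the alerts as one JSON object per line is the simplest way to hand them to a SIEM such as Wazuh, which can ingest JSON log files and apply its own rules on the severity field.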
The Results
The transformation delivered measurable improvements across every metric that matters to a manufacturing operation:
- Unplanned downtime: Zero hours per month since go-live, down from 16 hours per month
- Network uptime: 99.98% over the first six months of operation
- Production efficiency: 12% gain from eliminated stoppages and faster CAM-to-CNC data transfer
- Security audit: Passed the defense subcontractor's audit on the first attempt, securing 35% of annual revenue
- Mean time to resolve: Issues that took hours are now identified and resolved in minutes
- Rogue device detection: Automated alerts for any unauthorized device on any segment
The combination of eliminated downtime and efficiency gains pays for the entire investment within 14 months. The retained defense contract alone justified the cost on day one.
Technology Stack
Network Infrastructure: Ubiquiti UDM Pro SE, USW-Pro-48-PoE Switches, USW-Pro-24-PoE Switch, U6 Pro Access Points, VLAN Segmentation with Inter-VLAN Firewall Rules
Security & Monitoring: Wazuh SIEM, Microsoft Defender for Endpoint, 24/7 Network Monitoring, Automated Anomaly Detection, Incident Response Plan
Operations: Centralized UniFi Management Dashboard, Production OT Isolation, Guest Captive Portal, Encrypted Management Access with MFA
Timeline: 4-Month Engagement
Weeks 1-2 - Discovery: Full network assessment and device inventory. Traffic analysis and root cause documentation. Findings report and remediation roadmap delivered to stakeholders.
Weeks 3-5 - Infrastructure: Ubiquiti hardware procurement and staging. Weekend installation of all switching, routing, and wireless equipment. Zero-downtime cutover from legacy infrastructure.
Weeks 6-10 - Segmentation & Security: VLAN design and implementation. Firewall rule configuration and testing. Wazuh SIEM deployment. Microsoft Defender rollout. Endpoint hardening across all office workstations.
Weeks 11-14 - Monitoring & Audit Prep: 24/7 monitoring activation. Incident response plan development and tabletop exercise. Security documentation package assembled. Customer security audit completed - passed on first attempt.
Ongoing - Managed IT Services: Proactive network monitoring, quarterly security reviews, firmware management, and dedicated support with 15-minute critical response SLA.
