Vertical · Industrial · Manufacturing · Logistics · Energy

The plant floor is not the same as the office.

Industrial networks survive heat, vibration, dust, and a protocol mix most IT teams never see. Ruggedized switching, Purdue Model segmentation between OT and IT, and cellular where fiber can't go. Netcom builds it to the IEC 62443 reference — not whatever the IT team happened to have in the closet.

Level 0–5: Purdue Model reference with explicit enforcement at the DMZ boundary
-40/+75°C: temperature-rated fanless switching for unconditioned plant environments
IEC 62443: zones & conduits mapped to your operational safety requirements
Industrial · Mid-Market Reference
Industrial reference architecture: full Purdue Enterprise Reference Architecture stack from Level 0 (physical process) through Level 5 (enterprise), with Level 3.5 IT/OT DMZ on FortiGate 600F HA enforcing deny-by-default between OT VRF and CORP VRF
Industrial-specific pain

Most plants are one flat L2 disaster away from production stopping.

The most common industrial networking failure mode: OT equipment and corporate IT on the same broadcast domain. A misconfigured workstation sends a broadcast storm and a paper mill's control loop goes unresponsive for six minutes. Or a ransomware infection on an accounting laptop reaches the plant-floor HMI because there's no segmentation between Levels 3 and 4.

The Purdue Enterprise Reference Architecture solves this on paper. In practice, most plants never finished the retrofit — the DMZ exists as a diagram but the firewall rule base passes everything, the engineering workstation dual-homes to both sides, and the control-system VLAN spans the whole facility.

Netcom does Purdue the boring way. Real zones. Real conduits. Real firewalls at the IT/OT boundary with deny-by-default rules. Ruggedized Catalyst IE or FortiSwitch Rugged at Levels 1 and 2 so the hardware doesn't die in the summer heat. Cradlepoint or Peplink cellular backhaul for remote buildings where fiber trenching costs more than the entire electrical budget. And documentation that your control engineer, your auditor, and your insurance carrier all accept.

The frameworks your OT engineers and insurers already cite.

IEC 62443 zones & conduits
NIST CSF 2.0 Industrial profile
Purdue Enterprise Reference Architecture
NERC CIP (for energy / utility)
TSA Pipeline Security Directives
CMMC 2.0 (for defense suppliers)

Zones and conduits — as the spec actually reads.

Sized for a mid-sized industrial facility. Scales down for single-site shops and up for multi-plant enterprises with a shared IT/OT DMZ.

Purdue Model Levels 0-5 with IEC 62443 zones & conduits: Catalyst IE-9320 at Levels 1-2 (ruggedized, fanless, -40 to +75°C), FortiGate 600F at Level 3.5 DMZ with Modbus/DNP3/EtherNet-IP protocol-aware inspection, and Cradlepoint E3000 cellular backhaul for remote outbuildings
Industrial · single-plant or multi-building campus · 100–3,000 OT endpoints

Catalyst IE-9320 on the floor · FortiGate 600F at the IT/OT DMZ

Plant floor (Levels 0–2) runs on Catalyst IE-9320 or FortiSwitch Rugged in DIN-rail installations, fanless, rated for -40 to +75°C. Control systems (Level 2) and supervisory systems (Level 3) are separated by VLANs with strict ACLs. The Level 3.5 DMZ sits on a FortiGate 600F HA pair that terminates all IT-to-OT traffic, inspects Modbus/DNP3/EtherNet/IP for protocol compliance, and denies everything not explicitly allowed. Remote buildings backhaul via Cradlepoint E3000 5G with SpeedFusion bonding where criticality warrants.

| Purdue level | Role | Vendor & Model | Notes |
|---|---|---|---|
| Level 1–2 (control) | Industrial access | Cisco Catalyst IE-9320-26S2C | DIN-rail · fanless · Modbus/EtherNet-IP deep inspection |
| Level 1–2 alt | Industrial access (Fortinet-estate) | FortiSwitch Rugged 424F-POE | Managed via FortiGate · FortiLink |
| Level 2–3 | OT distribution | Catalyst 9300-48P + StackPower | PoE for HMIs + cameras · L3 routing inside OT |
| Level 3.5 (DMZ) | IT/OT firewall (HA) | Fortinet FortiGate 600F · active-passive | Deny-by-default · protocol-aware inspection · SSL-offload |
| Level 4–5 (IT) | Corporate core | Catalyst 9500 StackWise Virtual | Standard IT architecture · VRF-separated from OT VRF |
| Remote building / pump station | Cellular backhaul | Cradlepoint E3000 · SpeedFusion option | Dual-carrier SIM · SCADA tunneled · GPS telemetry |
| Harsh-environment Wi-Fi | Outdoor AP | Cisco Catalyst IW9167E / Aruba AP-387 | IP67 · industrial temperature · point-to-point option |
| Monitoring | OT-aware SIEM | Claroty CTD · Nozomi Networks (via partner) | Asset discovery · anomaly detection · protocol decode |
| Management | Central orchestration | Cisco DNA Center · FortiManager | Segregated OT and IT management planes |
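
An added example, not Netcom's tooling: a small audit for the three retrofit gaps named earlier (a rule base that passes everything, a dual-homed engineering workstation, a control VLAN that spans the facility), plus direct IT-to-OT rules that skip the Level 3.5 DMZ. The rule, host and VLAN records are constructed sample data, and the function names are hypothetical.

```python
# Added example: every rule, host and VLAN below is constructed sample data.
OT_MAX, DMZ = 3.0, 3.5   # Purdue levels: <= 3 is OT, 3.5 is the DMZ, above is IT

RULES = [  # ordered (src_level, dst_level, service, action); None means "any"
    (4.0, 3.5, "tcp/443", "allow"),    # IT -> DMZ
    (3.5, 3.0, "tcp/3389", "allow"),   # DMZ jump host -> OT supervisory
    (4.0, 2.0, "tcp/502", "allow"),    # IT straight to Modbus, skipping the DMZ
    (None, None, None, "allow"),       # rule base "passes everything"
]
HOSTS = {"eng-ws-01": [2.0, 4.0], "hmi-07": [2.0], "erp-db": [4.0]}
VLANS = {110: [1.0, 2.0], 200: [1.0, 2.0, 3.0, 4.0]}  # levels each VLAN reaches


def side(level):
    """Classify a Purdue level as 'ot', 'dmz' or 'it'."""
    return "ot" if level <= OT_MAX else "dmz" if level == DMZ else "it"


def audit_rules(rules):
    """Return (index, finding) pairs for allow rules that defeat the DMZ."""
    findings = []
    for i, (src, dst, svc, action) in enumerate(rules):
        if action != "allow":
            continue
        if src is None or dst is None or svc is None:
            findings.append((i, "wildcard allow"))
        elif {side(src), side(dst)} == {"ot", "it"}:
            findings.append((i, "IT/OT flow bypasses DMZ"))
    # Assumption: the list is the complete policy, so deny-by-default must
    # appear as an explicit final rule rather than an implicit one.
    if not rules or rules[-1] != (None, None, None, "deny"):
        findings.append((len(rules), "no explicit deny-all at end"))
    return findings


def dual_homed(hosts):
    """Hosts with interfaces on both the OT and the IT side of the boundary."""
    return sorted(h for h, lv in hosts.items()
                  if {"ot", "it"} <= {side(x) for x in lv})


def spanning_vlans(vlans):
    """VLANs whose ports sit on more than one side of the boundary."""
    return sorted(v for v, lv in vlans.items() if len({side(x) for x in lv}) > 1)


if __name__ == "__main__":
    for idx, msg in audit_rules(RULES):
        print(f"rule {idx}: {msg}")
    print("dual-homed:", dual_homed(HOSTS))
    print("spanning VLANs:", spanning_vlans(VLANS))
```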

Composite examples from industrial engagements.

Illustrative customers drawn from real deployment patterns. Names are fictional; scope, vendors, and outcomes reflect actual Netcom work.

Metal Fabrication · single plant

Cascade Metalworks · OT/IT segmentation retrofit

Flat L2 plant: corporate ERP, CNC controllers, and HMIs all on one broadcast domain. Cyber insurance renewal required Purdue-aligned segmentation. Netcom designed Level 3.5 DMZ with FortiGate 600F HA and re-VLANed the floor onto Catalyst IE-9320. The cultural obstacle: the plant's senior controls engineer had dual-homed his laptop to both OT and IT for a decade. Removing the dual-home extended the schedule by three weeks, required deploying a dedicated RDP jump host, and involved two meetings with the plant manager before the engineer accepted the workflow change. Technical work finished on time; the political work was the long pole.

IEC 62443 zones & conduits documented, audit-clean

Agricultural Cooperative · 8 facilities

Prairie Grain Cooperative · multi-facility standardization

Cooperative with 8 grain elevators across three states, networking built organically over 20 years. No consistent firmware, no central visibility, rural sites on consumer DSL. Netcom standardized on FortiGate 80F + FortiSwitch + Cradlepoint S700 5G primary where fiber wasn't economical. What broke the first plan: two elevators had metal silos directly between the 5G router and every nearby cell tower, killing signal inside the office. Had to run exterior antennas up 40-foot poles with lightning arrestors; added $6K per site and 4 weeks of coordination with the local electrician. Eight sites live on uniform standard with quarterly firmware cadence.

8 facilities on uniform standard + single pane

Aggregate Mining · 5 quarries

Lone Pine Aggregates · SCADA backhaul + microwave

Quarry operations needed SCADA telemetry from scales, belt conveyors, and pump stations across 5 remote sites with no carrier service on-premise. Netcom engineered dual-path: licensed microwave from each quarry to the nearest tower, Cradlepoint E3000 with panoramic MIMO as cellular fallback, FortiGate termination at corporate. The surprise: one quarry's microwave path was line-of-sight on paper but failed under summer heat haze from the rock surface — atmospheric refraction we hadn't accounted for. Raised the microwave dish on that site by 12 feet on a new mast and the link stabilized. SCADA uptime cleared 99.9% after the retrofit.

99.9% SCADA uplink uptime across 5 remote sites

Ready to segment OT from IT for real?

Send us your plant layout, your control-system inventory, and your cyber-insurance renewal deadline. Within 10 business days you'll get a Purdue-aligned design, a ruggedized BOM, and a cutover plan sequenced around production windows.