Dragos explains why companies with industrial control systems—like small- to mid-sized manufacturers—should keep their IT networks, DMZ, and OT systems separate. Doing this helps reduce the chance that a threat in one area can spread to the rest.

First, they say it's vital to get buy‑in from leadership. Before you disconnect networks, executives must understand the risks and benefits—ideally through tabletop exercises. This ensures that if something goes wrong, decision-makers can act quickly and confidently.

Next, back up all critical data before making changes. If something breaks during the separation process, clean backups make recovery much easier .

Then, plan exactly how you'll isolate systems. This might mean physically unplugging cable runs, disabling wireless network interfaces, or using network-based segmentation tools.

Before making any permanent changes, test the approach. Simulate scenarios to catch issues—but be careful not to disrupt production operations .

Once you've disconnected the networks, keep a close eye on everything for signs of trouble—it's not a one-and-done task.

Finally, document every step you take. Include what you did, why it mattered, what worked (or didn’t), and what lessons you learned. This record is helpful for future audits and improvements.

The post acknowledges this all requires effort—but it's worth it. Ransomware and other cyber threats targeting manufacturing are on the rise. Having a strong disconnect plan can drastically reduce both downtime and financial or reputational damage if something goes wrong.

‍

Source: https://www.dragos.com/blog/ot-cybersecurity-best-practices-for-smbs-how-to-disconnect-your-it-dmz-and-ot-from-each-other-what-to-consider/