The manufacturing company from near Warsaw came to us not after an incident, but after a letter from a large partner. The client announced a supplier security audit and asked it to fill in an extensive questionnaire. In the process it turned out that the manufacturer, as a link important to its buyers, itself falls within the group of entities subject to the obligations arising from NIS2. It had to move from intuition to specifics.
The starting situation
The whole company worked on one flat network. In the same segment sat the accounting computers, the sales team’s laptops, printers, cameras, as well as the controllers and engineering workstations driving the machines on the hall. There was no risk analysis and no asset inventory, so nobody could say clearly which devices were critical and what communicated with what. Monitoring was practically non existent: the IT team learned about a failure from an operator who raised a hand because a machine had stopped.
Why it was urgent
A flat network means that one infected device can see all the others. Ransomware that entered through an attachment in accounting could reach the production control systems unimpeded. In a plant where downtime is counted in thousands of losses per hour, this is not a theoretical risk. On top of that came pressure from two sides at once: supply chain audits run by partners and the requirement to formally meet the NIS2 directive. Putting the topic off risked losing contracts.
How we ran the project
We started with a risk analysis and NIS2 requirements rollout, because without an asset map segmentation would be guesswork. We listed the devices, grouped them by function and defined trust zones.
The next step was network segmentation. We broke the flat structure into six VLAN segments: production, engineering workstations, office, guests, peripheral devices and the management network. Traffic between zones passes through a firewall with explicit rules. The machine network was cut off from the internet and from the office, and engineers’ access to the controllers happens only through a controlled path. As a result, the blast radius of a possible infection narrows to a single segment.
We carried out the segmentation in stages, outside peak production hours, so as not to halt the hall. We tested each rule on real traffic before cutting off what was unnecessary.
On the network organised this way we launched monitoring. We covered all critical assets, collected logs in one place and set alerts on events that had previously stayed invisible: unusual logins, network scanning or a machine attempting to communicate outward.
What changed
Today an infection or failure in the office part no longer reaches the production line, because the firewall stops it at the segment boundary. The IT team gets an alert and sees the event within a dozen or so minutes, instead of waiting until someone on the hall notices the problem. The plant has the full set of documents it previously lacked: a risk analysis, an asset register, a security policy and an incident response procedure with a clear division of roles.
The manufacturer passed the partner’s audit with no red flags, and the status of an entity covered by NIS2 stopped being an abstraction. Instead of reacting under the pressure of questionnaires, the company now has an organised foundation that is easy to maintain and develop. Regular infrastructure monitoring keeps this state from slipping back.