Two Audiences, One Problem
The CISO already knows OT network segmentation is necessary. The technical case is settled — see our walkthrough of flat network vs segmented network trade-offs for the architecture-level argument. Compliance frameworks mandate segmentation, and every major OT breach in the last five years exploited lateral movement across unsegmented networks.
The CFO knows none of this. The CFO wants three things: what does it cost, what does it prevent, and what is the return. This post gives you the numbers and the framework to answer those questions.
Quantifying the Risk
The Cost of Manufacturing Downtime
Unplanned downtime in manufacturing costs an average of $260,000 per hour, according to Siemens data. For automotive and semiconductor manufacturing, that number exceeds $500,000/hour. A ransomware attack that halts production for even 8 hours costs $2M+ before you account for recovery, investigation, or ransom payments.
Ransomware in Manufacturing: The Numbers
- Average ransomware payment in manufacturing: $1.5M+ (Sophos State of Ransomware 2025)
- Average total recovery cost (including downtime, remediation, lost business): $4.7M
- Percentage of manufacturers who paid the ransom: 58%
- Percentage who recovered all data after paying: 32%
Recovery Time: Segmented vs. Flat Networks
This is the number that matters most for the business case:
| Metric | Flat Network | Segmented Network |
|---|---|---|
| Time to contain incident | 72+ hours | 2-4 hours |
| Systems affected | Entire OT network | Single zone |
| Production recovery time | 14-21 days | 2-3 days |
| Data loss scope | All connected systems | Isolated segment |
| Forensic complexity | High (no boundaries) | Low (clear zone logs) |
On an unsegmented network, ransomware spreads from the initial entry point to every reachable device in minutes. There are no boundaries to contain it. Recovery means rebuilding the entire network.
On a segmented network, the blast radius is limited to the compromised zone. Other zones continue operating. Recovery is scoped to one segment, not the entire facility.
The difference between 21 days and 3 days of downtime at $260K/hour is $112M in avoided losses. Even at a more conservative estimate — say a mid-size manufacturer with $50K/hour downtime costs — the difference is $21.6M.
The Compliance Driver
Segmentation is not optional under current regulatory frameworks. It is a stated requirement:
- CMMC 2.0 — Practice SC.L2-3.13.1 requires boundary protection. Practice SC.L2-3.13.6 requires network segmentation. Without segmentation, you cannot achieve Level 2 certification, which means you cannot bid on DoD contracts involving CUI.
- NIS2 Directive — Article 21 requires "network segmentation" as a risk management measure. Non-compliance penalties reach 2% of global annual turnover or EUR 10M, whichever is higher.
- IEC 62443 — The entire zone-and-conduit model (Part 3-2) is built on segmentation. Security levels are assigned per zone. Without zones, there are no security levels.
For defense suppliers, the math is simple: no segmentation = no CMMC = no contracts. For EU manufacturers, no segmentation = NIS2 non-compliance = fines up to 2% of revenue.
Operational Benefits Beyond Security
Segmentation pays dividends that have nothing to do with cybersecurity:
- Reduced broadcast storms. Single-broadcast-domain OT networks with hundreds of devices generate significant broadcast traffic. Segmentation at Layer 3 contains broadcast domains, reducing unnecessary traffic by 40-60%.
- Better network performance. Smaller collision and broadcast domains mean lower latency for time-sensitive OT protocols. SCADA polling becomes more reliable. HMI response times improve.
- Easier troubleshooting. When a network issue occurs in a segmented environment, you know which zone is affected. On a network where everything can talk to everything, you're searching the entire topology.
- Controlled change management. Firmware updates, configuration changes, and new device provisioning can be isolated to a single zone without risk of impacting the rest of the network.
- Cleaner audit trails. Zone-level logging gives auditors exactly what they need — who accessed what zone, when, and what traffic crossed zone boundaries.
Sample ROI Model
This model compares the cost of deploying OT network segmentation against the cost of a ransomware incident on an unsegmented network. The deployment cost is fixed; the incident cost varies widely depending on severity.
Deployment Cost
| Line Item | Cost |
|---|---|
| Access Gate appliance (2 units) | $30,000 |
| Annual license (2 units) | $24,000 |
| Deployment services | $10,000 |
| Internal labor (40 hours @ $100/hr) | $4,000 |
| Staff training | $3,000 |
| Total deployment cost | $71,000 |
Incident Cost: Three Scenarios
Not every ransomware incident looks the same. Some encrypt a single subnet and production resumes within days. Others shut down an entire facility for weeks. The ROI depends on which scenario you model — so we model three.
The downtime cost of $50K/hour used below reflects a mid-size manufacturer. Per industry research (Aberdeen/Siemens), the cross-industry average for unplanned manufacturing downtime is $260K/hour. We use the lower figure to keep this conservative.
| Cost Component | Conservative | Moderate | Severe |
|---|---|---|---|
| Scenario | 3 days partial downtime (50% capacity) | 7 days full downtime | 14 days full downtime |
| Production downtime | $960,000 | $5,600,000 | $11,200,000 |
| (calculation) | 3 days x 8 hrs effective loss x $40K/hr | 7 days x 16 hrs x $50K/hr | 14 days x 16 hrs x $50K/hr |
| Incident response & forensics | $150,000 | $350,000 | $500,000 |
| System rebuilds & recovery | $100,000 | $300,000 | $500,000 |
| Ransom payment (if paid) | — | $750,000 | $1,500,000 |
| Regulatory fines / contract loss | $50,000 | $250,000 | $500,000 |
| Customer & reputation impact | $100,000 | $500,000 | $1,000,000 |
| Total incident cost | $1,360,000 | $7,750,000 | $15,200,000 |
| ROI vs. $71K deployment | 19x | 109x | 214x |
The conservative case is the one to lead with. Even a contained, 3-day partial-downtime incident costs nearly $1.4M — a 19x return on a $71K deployment. The moderate and severe cases make the math more dramatic, but the business case holds without them.
A few caveats worth noting: these figures assume a single site. Multi-site incidents multiply the numbers. They also do not account for cyber insurance premium changes post-incident, which can add $50K-200K/year in increased premiums for 3-5 years.
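The model above, carried through in Python as an added example (not code from the original post). The scenario figures are the table's own; the `sites` multiplier and the `premium_increase` helper encode the two caveats just mentioned, and rounding the ROI multiple down to a whole number is an assumption chosen to match the table's 19x/109x/214x.

```python
from dataclasses import dataclass

# Deployment line items from the table above (USD): appliances, licenses,
# services, internal labor, training.
DEPLOYMENT_COST = 30_000 + 24_000 + 10_000 + 4_000 + 3_000  # 71,000


@dataclass(frozen=True)
class Scenario:
    """One incident scenario; all fields are USD except the day/hour counts."""
    name: str
    days: int
    lost_hours_per_day: int   # effective production hours lost per day
    rate_per_hour: int        # downtime cost in $/hour
    ir_forensics: int
    rebuild: int
    ransom: int               # 0 when no ransom is paid
    fines_or_contract_loss: int
    reputation: int

    def downtime_cost(self) -> int:
        return self.days * self.lost_hours_per_day * self.rate_per_hour

    def total(self, sites: int = 1) -> int:
        # Caveat from the post: multi-site incidents multiply the numbers.
        per_site = (self.downtime_cost() + self.ir_forensics + self.rebuild
                    + self.ransom + self.fines_or_contract_loss + self.reputation)
        return per_site * sites


def roi_multiple(incident_cost: int, deployment_cost: int = DEPLOYMENT_COST) -> int:
    """Incident cost avoided per dollar deployed, rounded down (assumption)."""
    return incident_cost // deployment_cost


def premium_increase(annual_delta: int, years: int) -> int:
    """Post-incident cyber-insurance premium uplift, which the table omits."""
    return annual_delta * years


def avoided_downtime_loss(flat_days: int, segmented_days: int, rate_per_hour: int) -> int:
    """Recovery-time difference from the flat-vs-segmented table, at 24 h/day."""
    return (flat_days - segmented_days) * 24 * rate_per_hour


# The three scenarios exactly as the post models them.
SCENARIOS = [
    Scenario("Conservative", 3, 8, 40_000, 150_000, 100_000, 0, 50_000, 100_000),
    Scenario("Moderate", 7, 16, 50_000, 350_000, 300_000, 750_000, 250_000, 500_000),
    Scenario("Severe", 14, 16, 50_000, 500_000, 500_000, 1_500_000, 500_000, 1_000_000),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:<12} ${s.total():>12,}  {roi_multiple(s.total())}x")
```

Swap in your own hourly rate, day counts and site count to reproduce the table for your facility; `avoided_downtime_loss(21, 3, 260_000)` reproduces the $112M figure from the recovery-time section.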
What Segmentation Actually Prevents
Segmentation does not prevent the initial compromise. It limits what happens next. On a flat network, ransomware that compromises one engineering workstation can reach every PLC, HMI, and historian on the network within minutes. On a segmented network, the blast radius is contained to the compromised zone. The difference shows up in the recovery time column of the table above — not in whether an attack occurs, but in how much damage it does.
How to Present This to the CFO
Structure your business case around four points:
- The risk is real and quantified. Manufacturing is the #1 targeted industry for ransomware — with a 49% year-over-year increase in ransomware groups targeting the sector. Average incident cost exceeds $4M (Sophos, 2025). You are not asking for security investment based on hypotheticals.
- Compliance requires it. Name the specific framework (CMMC, NIS2, IEC 62443) and the specific control that mandates segmentation. Attach the consequences of non-compliance: lost contracts, fines, or both.
- The ROI holds even in conservative scenarios. A $71K deployment against a contained 3-day incident still returns 19x. Against a severe incident, the return exceeds 200x. Present the range, not just the best case.
- Operational benefits reduce other costs. Better network performance, easier troubleshooting, and cleaner audits reduce ongoing IT/OT operations costs independent of any security incident.
Do not frame this as "we need security." Frame it as "we need to protect $X million in annual production capacity, maintain $Y in contract eligibility, and avoid $Z in regulatory exposure." Attach numbers to every claim. CFOs respond to numbers, not threat briefings.
For the technical implementation, our comparison of overlay networking vs VLANs covers how to deploy segmentation without production downtime. The business case for OT segmentation is not about whether to invest — it is about how quickly you can deploy.