Recipe · 5 min · Beginner

Find and fix a segmentation gap

When the reference design opens, it is already flagging a workstation on the wrong network. This is the loop Synapse is built for: follow a finding to its cause, fix it, and watch the check clear. Five minutes, start to finish.

Segmentation is the heart of IEC 62443: assets live in zones, traffic between zones passes through controlled conduits, and nothing flat connects what should be kept apart. A flat network, where a device sits in one zone but shares another zone’s broadcast domain, quietly defeats all of that. It’s one of the most common findings on real sites, and the wind-farm reference ships with one planted on purpose so you can practise closing it.

01 Start from the finding

On the right, the Check tab is already showing what the design got wrong. Find the one titled Subnet/VLAN spans multiple zones. It’s marked high severity, and the explanation tells you why: a subnet is shared across a zone boundary, so the segmentation between those zones isn’t real.

Click the finding. Synapse highlights the offending asset on the canvas and draws its problem flows in red, so you’re never hunting for what a finding refers to.

02 Follow it to the cause

The asset it lands on is the Local Eng. Workstation. It sits inside the Site SCADA zone, where it belongs physically, but its network card was left on the DMZ segment: address 172.16.110.50 on VLAN 110, the OT DMZ. So even though the diagram puts it in SCADA, on the wire it’s sharing a broadcast domain with the DMZ. That’s the flat network.

03 Fix it: the fast way

The fix is to put the workstation onto its own zone’s network. Synapse can do that for you. On the finding, click the Realign to zone subnet button (the wand icon). It re-homes the workstation’s card onto the Site SCADA segment, 172.16.120.0/24 on VLAN 120, keeping its host number, so it becomes 172.16.120.50 with the right gateway.

The same one-click fix is available in the Segmentation view, listed next to the finding, if you’d rather work from there.

04 Fix it: by hand

It’s worth doing this once manually, so you can see there’s no magic. Click the Local Eng. Workstation on the canvas to select it, and the right panel opens on its properties. Open the Network tab to see its addressing.

Change the card from the DMZ network to the Site SCADA network: subnet 172.16.120.0/24, VLAN 120. The moment you do, the check re-runs and the finding clears. Same result as the button, just by your own hand.

05 Confirm it’s closed

Look back at the Check tab. The flat-network finding is gone, the red flows on the canvas have returned to normal, and the coverage for network segmentation (IEC 62443-3-3 SR 5.1) has moved up. Nothing else was disturbed: the fix changed one card, re-checked the whole design, and only what should have changed did.
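The whole loop above, as an added example that is not Synapse’s own code: a small model of the wind-farm addressing, the Subnet/VLAN spans multiple zones check run over it, and the realign fix that re-homes a card onto its zone’s segment while keeping the host number. Zone names, subnets, VLANs and the workstation address come from the page; the gateway addresses (first host of each segment), the extra assets, and all function names are assumptions made for the example.

```python
"""Model of the 'Subnet/VLAN spans multiple zones' check and the realign fix.

Added illustration; not Synapse code. Gateways, the Historian and SCADA
Server assets, and every function name are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, replace

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Zone:
    name: str
    subnet: Net      # segment the design assigns to this zone
    vlan: int
    gateway: IPv4    # assumed: first host of the segment


@dataclass(frozen=True)
class Nic:
    ip: IPv4
    vlan: int
    gateway: IPv4


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str        # zone the diagram places the asset in
    nic: Nic         # where the asset actually sits on the wire


@dataclass(frozen=True)
class Finding:
    subnet: Net
    vlan: int
    zones: tuple     # zones whose assets share this segment
    offending: tuple # assets whose card is outside their own zone's segment


def _zone(name, cidr, vlan):
    net = ipaddress.ip_network(cidr)
    return Zone(name, net, vlan, net.network_address + 1)


# Zones from the page; gateways are constructed (.1 of each segment).
ZONES = {z.name: z for z in (
    _zone("OT DMZ", "172.16.110.0/24", 110),
    _zone("Site SCADA", "172.16.120.0/24", 120),
)}

# Constructed sample design: two assets are correctly homed, the workstation
# is the planted gap (diagrammed in Site SCADA, addressed on the DMZ segment).
ASSETS = [
    Asset("Historian", "OT DMZ",
          Nic(ipaddress.ip_address("172.16.110.20"), 110, ZONES["OT DMZ"].gateway)),
    Asset("SCADA Server", "Site SCADA",
          Nic(ipaddress.ip_address("172.16.120.10"), 120, ZONES["Site SCADA"].gateway)),
    Asset("Local Eng. Workstation", "Site SCADA",
          Nic(ipaddress.ip_address("172.16.110.50"), 110, ZONES["OT DMZ"].gateway)),
]


def segment_containing(zones, ip):
    """Return the zone whose planned segment contains ip, or None if unplanned."""
    return next((z for z in zones.values() if ip in z.subnet), None)


def check_subnet_spans_zones(assets, zones):
    """Flag every segment whose members are drawn from more than one zone."""
    members = {}  # (subnet, vlan) -> set of zone names seen on it
    for a in assets:
        home = segment_containing(zones, a.nic.ip)
        if home is None:
            continue  # unplanned addressing is a different finding, not this one
        members.setdefault((home.subnet, a.nic.vlan), set()).add(a.zone)
    findings = []
    for (subnet, vlan), zone_names in sorted(members.items(), key=lambda kv: str(kv[0][0])):
        if len(zone_names) < 2:
            continue
        offending = tuple(a.name for a in assets
                          if a.nic.ip in subnet and a.nic.vlan == vlan
                          and zones[a.zone].subnet != subnet)
        findings.append(Finding(subnet, vlan, tuple(sorted(zone_names)), offending))
    return findings


def realign_to_zone_subnet(asset, zones):
    """Re-home the card onto its own zone's segment, keeping the host number."""
    target = zones[asset.zone]
    current = segment_containing(zones, asset.nic.ip)
    if current is None:
        raise ValueError(f"{asset.name}: {asset.nic.ip} is on no planned segment")
    host = int(asset.nic.ip) - int(current.subnet.network_address)
    new_ip = target.subnet.network_address + host
    # Guard the edge case where the host number does not fit the target segment.
    if new_ip not in target.subnet or new_ip in (
            target.subnet.network_address, target.subnet.broadcast_address, target.gateway):
        raise ValueError(f"{asset.name}: host {host} has no usable address in {target.subnet}")
    return replace(asset, nic=Nic(new_ip, target.vlan, target.gateway))


def fix_design(assets, zones):
    """Apply the realign fix to every offending asset and return the re-checked design."""
    offending = {n for f in check_subnet_spans_zones(assets, zones) for n in f.offending}
    return [realign_to_zone_subnet(a, zones) if a.name in offending else a for a in assets]


if __name__ == "__main__":
    for f in check_subnet_spans_zones(ASSETS, ZONES):
        print(f"HIGH  {f.subnet} VLAN {f.vlan} spans {f.zones}; offending: {f.offending}")
    fixed = fix_design(ASSETS, ZONES)
    print("after fix:", check_subnet_spans_zones(fixed, ZONES) or "no findings")
```

Running the block reports one high finding on 172.16.110.0/24 / VLAN 110 shared by OT DMZ and Site SCADA, then re-checks the design after the realign and reports none; the workstation ends up at 172.16.120.50 on VLAN 120, and the two correctly homed assets are untouched, which is the "only what should have changed did" property the step describes.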

Why this is the gap that matters

Flat networks are the failure that looks fine on a diagram. Everything appears zoned, the boxes are in the right places, and yet a compromised device in one zone can reach another with no conduit, no firewall, and no record. It’s the kind of thing a walkdown misses and an incident finds. Catching it at design time, before a single cable is pulled, is the whole argument for checking the addressing and not just the picture.

Recap

  • Findings point at things: click one and Synapse shows you the exact asset and flows on the canvas.
  • Fix two ways: one-click realign, or edit the card yourself in the Network tab — same outcome.
  • The check is live: every fix re-runs the whole design, so a closed finding stays closed and coverage updates instantly.

Next, see how Synapse handles a problem it deliberately won’t auto-fix, in The vendor-VPN stress test.

Close the gap yourself

Load the wind-farm template and follow along. The finding is waiting for you, and the fix is one click.
