📊 CYCLE · Case Study

How does a 90-person production operator pass M&A cyber diligence on OT/IT segmentation in 75 days?

How a 90-person Canadian production operator deployed minimum-viable OT/IT segmentation in 75 days, documented the architecture, and passed M&A diligence on cyber without remediation pricing pressure.

For: Operators (60-150 people)

Seventy-five days of minimum-viable segmentation.

Composite case study - This is a composite case study drawn from multiple actual Vencer Group engagements with Canadian oil and gas operators of similar profile. Names, specific identifying details, and exact metrics have been altered or generalized to protect client confidentiality. The patterns described, the work delivered, and the outcomes documented are representative of what Vencer has built across 19 years and 30+ M&A transactions in the Canadian energy mid-market.

FOR: Operators · 60–150 people · M&A diligence-bound

Quick answer

A 90-person Canadian production operator needed to pass M&A cyber diligence on OT/IT segmentation - and didn't have 18 months to deploy a full Purdue-model implementation. Vencer ran the 75-day minimum-viable segmentation: network segmentation, documented architecture, the controls the diligence team actually checks. The deal cleared without remediation pricing pressure.

Operator type: Operators
Scale: 90 people
Operational reality: Pre-LOI divestiture
Engagement: Co-Managed + IT-and-the-Cycle

01

Strong cyber. One catastrophic gap.

90 people. Multi-well shallow gas plus heavy oil. Strategic buyer interest from a consolidator.

The CFO and CEO had walked through the pre-LOI readiness work with Vencer six months earlier. Most of the cyber posture was in good shape - named-product EDR, immutable backups, identity infrastructure, twelve-controls scoring at 39 out of 60. The single largest exposure was OT/IT segmentation.

Architecture documentation: nonexistent. The OT network was running on shared VLANs with corporate. Field tablets were domain-joined to the corporate identity provider with no jump host architecture. Remote vendor access to SCADA went over the corporate VPN, routable directly into the historian and the SCADA workstations.

From a buyer’s diligence perspective, this would price as a $200-300K remediation cost coming off the offer. Cumulatively with other operational findings, it could be a full multiple turn. The fix was a 75-day project. The pricing exposure was many multiples of the fix cost.

02

Four diligence-critical gaps. Sixty days to LOI.

The IT-and-the-Cycle Assessment walked the production environment over two days, mapped the actual network topology, and documented every IT-to-OT crossing. The findings:

  • Shared VLAN structure. Three of the four production sites had OT and corporate traffic on the same VLAN. Pings from corporate workstations reached the SCADA HMI directly. A corporate ransomware event would have had routable access to production systems.
  • Identity infrastructure not separated. Field tablets and HMI workstations were joined to Microsoft Entra alongside corporate accounts. A compromise of a corporate user account with appropriate group membership would have auto-granted OT system access.
  • Remote vendor access uncontrolled. Three OT vendors (SCADA, historian, automation) had ongoing remote access via corporate VPN. No jump host. No session recording. No time-limited credentials. Standing VPN credentials, used periodically, never rotated.
  • Monitoring blind spots. Corporate EDR (SentinelOne) was deployed across IT endpoints but had no visibility into OT-side hosts. No OT-specific monitoring tool deployed. If an OT-side incident occurred, detection would depend on operational alarms, not cyber telemetry.

None of these gaps were unusual at mid-market scale. Most 50-150 person Canadian energy operators have substantially the same gaps in 2026. The difference for this operator was the impending transaction - gaps that would normally be deferred became items that needed remediation before going to market.

The framing for the CEO
$95K over 75 days vs. $200-300K in diligence pricing pressure.

Focused work executed before LOI materially de-risks a diligence finding that would otherwise produce $200-300K of remediation pricing plus a 0.25-0.5 multiple turn risk premium. The economics were unambiguous. The discipline was sticking to a 75-day window.

03

Four phases. Each one a distinct technical implementation.

Days 1-25 · Phase 1: Network segmentation

Three sites required physical network reconfiguration to separate OT switches onto isolated VLANs. The fourth site (newer build) already had basic separation. Site visits were coordinated with operational schedules to minimize disruption. Each site’s OT VLAN now has no route to corporate except through controlled gateways. This was the most expensive part of the project, both in cost and operational coordination.

Days 26-45 · Phase 2: Jump host architecture

Deployed a virtualized jump host environment in each region. Corporate IT staff and OT vendors now access OT systems exclusively through the jump host with session recording, multi-factor authentication, and time-limited credentials. Standing VPN credentials were revoked. Vendor remote access workflows were rebuilt around the jump host model.

Days 46-60 · Phase 3: Identity separation

Field tablet and HMI workstation accounts were moved off Microsoft Entra into a separate identity provider scoped specifically to OT. Federation between the two identity systems is controlled and audited. A corporate identity compromise no longer auto-grants OT access.

Days 61-75 · Phase 4: Monitoring + documentation

Deployed Claroty for OT-specific monitoring (lightweight tier, scoped to the production environment). Generated full architecture documentation: Zone A (corporate IT), Zone B (operational systems), Zone C (OT/field), with explicit boundaries, controlled crossings, and operational procedures. This is what the buyer’s diligence team would actually examine.
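
One way to test observed traffic against the documented Zone A/B/C boundaries and controlled crossings described above. This is an added example, not Vencer's tooling or part of the original case study; the subnets, the jump host and relay addresses, the ports and the flow records are all constructed assumptions.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Assumed addressing: the page names the zones, not their subnets.
ZONES = {"A": net("10.10.0.0/16"),   # corporate IT
         "B": net("10.20.0.0/16"),   # operational systems
         "C": net("10.30.0.0/16")}   # OT/field

# Assumed controlled crossings as (source network, destination network, port).
# 10.20.0.10 is a hypothetical jump host, 10.20.0.20 a hypothetical data relay.
CONDUITS = [
    (ZONES["A"], net("10.20.0.10/32"), 3389),  # corporate -> jump host
    (net("10.20.0.10/32"), ZONES["C"], 3389),  # jump host -> OT hosts
    (ZONES["C"], net("10.20.0.20/32"), 443),   # OT -> Zone B data relay
]

def zone_of(ip):
    return next((name for name, n in ZONES.items() if ip in n), None)

def audit(flows):
    """Return (src, dst, port, reason) for each flow the documentation does not allow."""
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        zs, zd = zone_of(s), zone_of(d)
        if zs is None or zd is None:
            findings.append((src, dst, port, "address outside documented zones"))
        elif zs != zd and not any(
                s in cs and d in cd and port == cp for cs, cd, cp in CONDUITS):
            findings.append((src, dst, port, f"undocumented {zs}->{zd} crossing"))
    return findings

# Constructed flow records (src, dst, dst_port), e.g. from a firewall or NetFlow export.
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.0.10", 3389),  # corporate -> jump host (allowed)
    ("10.20.0.10", "10.30.1.5", 3389),   # jump host -> HMI (allowed)
    ("10.10.4.21", "10.30.1.5", 3389),   # corporate -> HMI directly
    ("10.30.1.7", "10.20.0.20", 443),    # OT -> data relay (allowed)
    ("10.30.1.7", "10.10.9.9", 445),     # OT -> corporate file share
    ("192.168.50.4", "10.30.1.5", 502),  # source not in any documented zone
    ("10.30.1.5", "10.30.1.7", 502),     # intra-zone traffic
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

Run against real flow exports, an empty result is evidence that the documented crossings match what the network actually carries; any finding is either a segmentation gap or a documentation gap.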
04

"No follow-up questions on OT separation."

Deployment cost: $95K
Total project cost across the 75-day project. Compared to $200-300K typical diligence-pricing exposure on a comparable un-remediated operator.

Architecture coverage: 4 sites, 3 zones
All four production sites with documented OT/IT segmentation. Zone A/B/C architecture documented and operational.

Diligence outcome: Pass
Buyer’s cyber diligence team flagged no segmentation findings. Estimated pricing differential vs. comparable un-remediated operator: approximately one multiple turn.

The diligence experience.

The buyer’s diligence team arrived four months after the segmentation work completed. The cyber portion of diligence ran three days. The architecture documentation was the first artifact requested. The diligence lead’s feedback (paraphrased): “This is more documented than most 200-person operations we see. We have no follow-up questions on OT separation.”

The cyber portion of the offer included no remediation pricing pressure related to OT/IT segmentation. The estimated pricing differential between this operator’s offer and a comparable un-remediated operator was approximately one multiple turn.

The honest reflections.

What we’d flag honestly: the project disrupted operations modestly at two of the four sites. Field crews needed retraining on the new jump host workflows. One OT vendor required significant relationship work to migrate them off direct VPN access (they were used to the old approach and resisted). None of these were dealbreakers, but they took longer than the technical timeline suggested.

The decision-quality factor: the CEO and CFO had committed to executing the work whether or not the LOI materialized. The transaction context accelerated the timeline, but the OT/IT segmentation gap was an operational risk worth fixing regardless. The diligence outcome was a benefit, not the primary justification.

What this generalizes to
OT/IT segmentation has shifted from "good practice" to "required" in 2026-2027.

Across cyber insurance underwriting and M&A diligence, this is now a check-the-box item. The mid-market adaptation is bounded and executable. Operators who deploy minimum-viable segmentation before going to market capture material pricing improvement. Operators who don’t will pay for the gap one way or another - through diligence pricing, premium increases, or actual cyber incidents.

Next step

Does this story sound familiar?

The pattern in this case study has played out across dozens of Canadian oil and gas operators in the mid-market range. If you recognize parts of it in your own operation - or you suspect you might - the next step is a structured conversation with a Vencer engineer.

The IT-and-the-Cycle Assessment is a 3 to 5 day structured review of your specific operational situation. We pressure-test where your IT stands today, where it needs to be for what you intend to become, and what one bad day looks like at current state. You leave with a written report, a 90-day plan, and named owners. No hype. No vendor pitch. Just the truth about where you are and what to do next.

For a faster diagnostic, three free tools at vencergroup.com cover the same territory in less time: the Hidden IT Cost Calculator, the Cyber Risk Self-Score, and the IT Myth-Buster sheet.

Vencer operates from Calgary headquarters with delivery teams across four continents. For Canadian-headquartered operators with international exposure, the cross-border operational capability is built in, not bolted on.

In Business: 19 years
Through two oil and gas cycle turns. Calgary-headquartered. Built for the Canadian energy mid-market.

M&A Transactions: 30+ deals
IT integration delivered on 30+ acquisitions representing over $12B CAD in transaction value.

Managed Security: Zero breaches
Across 11 years of managed security operations. Four continents of delivery.

Office
700 4 Ave SW #1680
Calgary, AB T2P 3J4
Phone · Email
+1 (888) 271-6230
insights@vencergroup.com
Web
vencergroup.com
Their story. Not yours.

One operator's outcome. Your situation has different variables. These numbers are real; the applicability to your operation requires conversation. The 30-min review is where that starts.
