Manufacturing Cybersecurity: Protecting OT and IT in Modern Factories
Posted: December 31, 1969 to Cybersecurity.
Manufacturing has become the most targeted industry for cyberattacks. Not healthcare, not financial services, not government. Manufacturing. IBM's X-Force Threat Intelligence Index has ranked manufacturing as the number one attacked industry for several consecutive years, and the trend is accelerating. The reason is straightforward: manufacturers sit at the intersection of valuable intellectual property, critical supply chains, and operational technology systems where downtime translates directly into lost revenue, missed shipments, and broken contracts.
Yet many manufacturers still treat cybersecurity as an IT department concern that has little to do with the production floor. This disconnection between information technology and operational technology creates the exact gaps that attackers exploit. Securing a modern manufacturing environment requires understanding both worlds and building a security architecture that bridges them without disrupting the production processes that keep the business running.
The IT/OT Convergence Problem
For decades, manufacturing IT and OT operated as completely separate domains. The corporate network handled email, ERP systems, file storage, and internet access. The production network ran SCADA systems, PLCs, HMIs, and the sensors and actuators that controlled physical processes. These networks were physically isolated from each other and from the internet. Security through air gaps.
That separation has eroded dramatically. Business demands for real-time production data, remote monitoring, predictive maintenance, and supply chain integration have driven connections between IT and OT networks. Cloud-based manufacturing execution systems need data from production floor sensors. Remote engineers need to monitor and adjust PLC configurations from their laptops. Quality systems need to correlate production data with enterprise resource planning data.
Each of these connections is operationally valuable. Each one also creates a potential path for an attacker who compromises the corporate network to reach production systems, or vice versa. The Colonial Pipeline attack in 2021, where ransomware on the IT side forced a shutdown of OT operations even though the OT systems were not directly compromised, demonstrated how interconnected these environments have become and how an incident on one side can paralyze the other.
The Purdue Model: A Framework for Segmentation
The Purdue Enterprise Reference Architecture, commonly called the Purdue Model, provides a framework for organizing and segmenting industrial network architecture into hierarchical levels:
- Level 0 - Physical Process: the physical equipment itself (sensors, actuators, motors, valves). These devices interact directly with the manufacturing process.
- Level 1 - Basic Control: PLCs, RTUs, and dedicated controllers that directly control Level 0 devices. These operate on deterministic protocols with strict timing requirements.
- Level 2 - Area Supervisory: HMI systems, engineering workstations, and SCADA servers that monitor and control Level 1 devices within a specific production area.
- Level 3 - Site Operations: manufacturing execution systems, historians, batch management systems, and site-wide operational management. This is where production scheduling, quality management, and operational reporting happen.
- Level 3.5 - Demilitarized Zone (DMZ): a critical security boundary between OT and IT networks. All data flows between the production environment and the enterprise network must pass through this zone. Jump servers, data diodes, and application proxies live here.
- Levels 4 and 5 - Enterprise: standard IT infrastructure including ERP systems, email, file servers, internet access, and cloud connectivity.
The key principle is that no communication should bypass levels. A system at Level 4 should never communicate directly with a PLC at Level 1. All cross-level traffic must traverse the intermediate levels and the DMZ, where it can be inspected, filtered, and controlled. Implementing this model requires significant investment in network architecture, but it provides the most effective defense against attacks that attempt to cross the IT/OT boundary.
Common Threats Targeting Manufacturing
Understanding the threat landscape helps prioritize defenses. These are the attack types that manufacturing organizations encounter most frequently:
Ransomware Targeting Production
Ransomware operators have learned that manufacturing companies are more likely to pay ransoms than organizations in other industries because every hour of production downtime has a quantifiable cost. When a ransomware attack encrypts production management systems, recipe databases, or quality control records, the manufacturer faces a choice between paying the ransom and enduring days or weeks of manual operations while systems are rebuilt. Attackers know this math and set their demands accordingly.
The Norsk Hydro attack in 2019 cost the aluminum manufacturer over $70 million. The JBS Foods attack in 2021 shut down meat processing facilities across the United States and Australia. The Toyota supply chain attack in 2022 halted production across 14 Japanese factories. These are not theoretical risks. They are documented events at well-resourced companies with dedicated security teams.
Intellectual Property Theft
Manufacturing companies possess valuable intellectual property: product designs, manufacturing processes, formulations, tooling specifications, and quality procedures. Nation-state actors and industrial competitors actively target this information. APT groups, particularly those linked to state-sponsored programs, have been documented infiltrating manufacturing networks to steal proprietary data that would cost billions to develop independently.
Supply Chain Compromise
Manufacturers are embedded in complex supply chains where a compromise at one link can cascade across the entire chain. A compromised vendor's remote access portal, a tainted software update for a CNC machine, or a manipulated component specification can introduce vulnerabilities that are extremely difficult to detect. The SolarWinds attack demonstrated how supply chain compromise can affect thousands of organizations through a single trusted vendor.
ICS/SCADA Specific Attacks
Attacks directly targeting industrial control systems are less common than ransomware but potentially more dangerous. Triton malware, discovered in 2017 targeting safety instrumented systems at a petrochemical facility, was designed to disable the safety systems that prevent catastrophic equipment failure. While such attacks require significant expertise and resources, they represent the most severe end of the manufacturing threat spectrum.
Building a Manufacturing Security Program
An effective manufacturing cybersecurity program must address both IT and OT environments while respecting the operational constraints that make industrial environments fundamentally different from enterprise networks.
Asset Discovery and Inventory
You cannot protect what you cannot see. Manufacturing environments often contain equipment that has been in service for decades, connected by integrators who left years ago, running protocols that IT staff have never encountered. A comprehensive asset inventory covering every device on both the IT and OT networks, including firmware versions, communication protocols, network connections, and known vulnerabilities, is the essential first step.
Passive network monitoring tools designed for industrial environments can discover OT assets without disrupting operations. Active scanning, which is standard practice in IT environments, can cause malfunctions in sensitive OT devices and should be used with extreme caution on production networks.
Network Segmentation Based on the Purdue Model
Implement the hierarchical segmentation described earlier. At minimum, establish a DMZ between your IT and OT networks with strict firewall rules governing what traffic can cross that boundary. Within the OT environment, segment by production zone so that a compromise in one area cannot spread to the entire production floor.
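As an added example (not code from the original post), the following script audits observed network flows against the Purdue layering rules described in the model section above and in this segmentation step: cross-level traffic may only step one level at a time, and any IT-to-OT traffic must terminate in the Level 3.5 DMZ. The host names, inventory and flow records are constructed for illustration; in practice the inventory would come from the asset discovery step and the flows from a firewall export or passive OT monitor.

```python
# Added example: check flows against Purdue Model layering. Inventory, host
# names and flow records are constructed, not taken from any real site.
DMZ = 3.5                      # Level 3.5, the IT/OT demilitarized zone
OT_LEVELS = {0, 1, 2, 3}
IT_LEVELS = {4, 5}

# Constructed asset inventory: host -> Purdue level
INVENTORY = {
    "erp-app-01": 4, "mes-01": 3, "historian-01": 3, "dmz-proxy-01": DMZ,
    "hmi-lineA": 2, "eng-ws-02": 2, "plc-lineA-07": 1, "vfd-lineA-03": 0,
}

def classify_flow(src, dst):
    """Return None if src->dst respects Purdue layering, else a reason string."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        return "unknown asset; add to inventory before allowing"
    if s == d:
        return None                                  # traffic inside one level
    lo, hi = sorted((s, d))
    if lo in OT_LEVELS and hi in IT_LEVELS:
        return "IT/OT crossing that does not terminate in the Level 3.5 DMZ"
    if DMZ in (lo, hi):
        # the DMZ may only peer with the levels on either side of it (3 and 4)
        return None if (lo, hi) in {(3, DMZ), (DMZ, 4)} else "DMZ peering with a non-adjacent level"
    if hi - lo > 1:
        return f"skips Level {lo + 1} between Level {lo} and Level {hi}"
    return None

def audit(flows):
    """flows: iterable of (src, dst, dst_port). Returns a list of (flow, reason)."""
    findings = []
    for src, dst, port in flows:
        reason = classify_flow(src, dst)
        if reason:
            findings.append(((src, dst, port), reason))
    return findings

# Constructed flow records, as a firewall or passive OT monitor might export them
SAMPLE_FLOWS = [
    ("erp-app-01", "dmz-proxy-01", 443),       # Level 4 -> DMZ: allowed
    ("dmz-proxy-01", "historian-01", 443),     # DMZ -> Level 3: allowed
    ("hmi-lineA", "plc-lineA-07", 502),        # Level 2 -> Level 1 (Modbus): allowed
    ("erp-app-01", "plc-lineA-07", 502),       # Level 4 -> Level 1: bypasses the DMZ
    ("mes-01", "plc-lineA-07", 44818),         # Level 3 -> Level 1: skips Level 2
    ("laptop-unknown", "plc-lineA-07", 502),   # not in the asset inventory
]
```

Running `audit(SAMPLE_FLOWS)` returns the last three flows with their reasons; the first three pass.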
Access Control and Authentication
Limit who and what can access OT systems. Implement role-based access control, enforce multi-factor authentication for remote access to production systems, and eliminate shared credentials on HMI workstations and engineering stations. Remote access for vendors and integrators should use dedicated, monitored jump servers in the DMZ, not direct VPN connections into the production network.
Vulnerability Management
OT vulnerability management differs fundamentally from IT patching. Production systems often cannot be taken offline for updates, patches may not be available for legacy equipment, and applying updates without vendor approval can void warranties or create safety risks. Develop a vulnerability management program that assesses risk based on both the severity of the vulnerability and the operational impact of remediation. Where patching is not feasible, implement compensating controls such as network segmentation, monitoring, and application whitelisting.
Monitoring and Detection
Deploy monitoring capabilities that provide visibility into both IT and OT network traffic. Industrial-grade intrusion detection systems can identify anomalous command-and-control traffic, unauthorized modifications to PLC programs, and reconnaissance activity targeting industrial protocols. Correlate OT security events with IT security events in a unified SIEM to detect attacks that cross the IT/OT boundary.
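As an added example (not code from the original post), the following script shows the kind of IT/OT correlation a SIEM rule would perform: a high-impact OT event such as a PLC program download is paired with IT-side precursor events (VPN login, new local admin) on the same host within a time window. The log format, host names and events are constructed for illustration; a real deployment would map the vendor's field names onto the same idea.

```python
# Added example: correlate IT precursor events with high-impact OT events on the
# same host. The "ts source key=value ..." log format and all events are constructed.
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T09:58:02Z it host=eng-ws-02 event=vpn_login user=vendor-svc src_ip=203.0.113.7
2024-05-01T10:01:15Z it host=eng-ws-02 event=new_local_admin user=vendor-svc
2024-05-01T10:14:40Z ot host=eng-ws-02 dst=plc-lineA-07 event=program_download proto=cip
2024-05-01T11:30:05Z ot host=hmi-lineA dst=plc-lineA-07 event=read_tags proto=cip
2024-05-01T13:02:22Z ot host=eng-ws-01 dst=plc-lineB-02 event=program_download proto=cip
"""

IT_PRECURSORS = {"vpn_login", "new_local_admin", "credential_dump"}
OT_HIGH_IMPACT = {"program_download", "firmware_update", "mode_change"}
WINDOW = timedelta(minutes=30)

def parse(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields["source"] = source
        events.append(fields)
    return events

def correlate(events, window=WINDOW):
    """Alert on each high-impact OT event preceded (within `window`) by an IT
    precursor on the same host. Returns a list of alert dicts."""
    it_events = [e for e in events
                 if e["source"] == "it" and e["event"] in IT_PRECURSORS]
    alerts = []
    for ot in events:
        if ot["source"] != "ot" or ot["event"] not in OT_HIGH_IMPACT:
            continue
        precursors = [e for e in it_events
                      if e["host"] == ot["host"]
                      and timedelta(0) <= ot["ts"] - e["ts"] <= window]
        if precursors:
            alerts.append({"host": ot["host"], "dst": ot["dst"],
                           "ot_event": ot["event"],
                           "precursors": [e["event"] for e in precursors]})
    return alerts
```

On the sample log, `correlate(parse(SAMPLE_LOG))` raises one alert for eng-ws-02 (VPN login and new local admin, then a program download to plc-lineA-07 thirteen minutes later); the eng-ws-01 download has no IT precursor and stays a routine engineering change for review.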
CMMC Requirements for Defense Manufacturers
Manufacturers in the defense industrial base face an additional layer of cybersecurity requirements through CMMC compliance. Any manufacturer that handles Controlled Unclassified Information as part of a DoD contract must achieve CMMC Level 2 certification, which requires implementation of all 110 NIST 800-171 security controls.
For manufacturers, the CUI boundary determination is particularly complex. If CUI such as technical drawings, specifications, or test data flows from enterprise systems into production systems, those production systems may fall within the CMMC assessment scope. This means industrial control systems, manufacturing execution systems, and the networks connecting them may all need to satisfy NIST 800-171 requirements.
This is where the Purdue Model segmentation becomes especially valuable. By architecturally separating systems that handle CUI from those that do not, manufacturers can limit their CMMC scope and reduce both the cost and complexity of compliance. A well-designed DMZ that sanitizes data before it enters the production environment can keep most OT assets out of the assessment boundary.
Incident Response for Manufacturing Environments
Manufacturing incident response must account for scenarios that enterprise IT incident response plans typically do not address. Isolating a compromised system on a corporate network might mean some employees cannot access email for a few hours. Isolating a compromised system on a production network might mean shutting down a production line that generates $50,000 per hour in revenue.
Manufacturing incident response plans should include:
- Production impact assessments: Pre-determined decision trees for balancing security response with production continuity based on the severity and scope of the incident.
- Manual operation procedures: Documented procedures for running production processes manually if control systems must be taken offline.
- OT-specific forensics: Capabilities for capturing PLC programs, HMI configurations, and industrial protocol traffic for forensic analysis.
- Safety system verification: Procedures for verifying the integrity of safety instrumented systems before resuming automated operations after an incident.
- Vendor coordination: Pre-established contacts with OT equipment vendors who can assist with system recovery and integrity verification.
Our Approach to Manufacturing Cybersecurity
At Petronella Technology Group, we work with manufacturers across the Raleigh-Durham area and the eastern seaboard who are navigating the dual challenge of protecting production operations while meeting compliance requirements. Our founder, Craig Petronella, has discussed these challenges extensively on the Encrypted Ambition podcast, where over 90 episodes have covered topics ranging from OT security architecture to CMMC preparation strategies for small and mid-size defense contractors.
We understand that manufacturing cybersecurity is not just a technology problem. It is an operational challenge that requires security solutions designed to coexist with production requirements rather than compete with them. Our managed IT services include continuous monitoring of both IT and OT environments, and our ComplianceArmor platform helps defense manufacturers generate the documentation required for CMMC certification without diverting engineering resources from production.
If your manufacturing organization needs to assess its cybersecurity posture, prepare for CMMC, or implement OT security controls that protect production without disrupting it, contact our team for a consultation. We have been doing this work for over 23 years, and we built our company from the ground up around the principle that security is not something you add later. It is something you build in from the start.