ICS Security for Discrete vs. Process Manufacturing: Key Differences Explained
Manufacturing covers a wider range of operational environments than any other industrial sector. An automotive assembly plant and a petrochemical refinery are both manufacturing operations - but the industrial control systems that run them, the security risks those systems face, and the controls that are appropriate to protect them are fundamentally different. Applying the same ICS security approach across both environments produces a program that fits neither adequately.
The core distinction is between discrete manufacturing - where production involves assembling or machining countable units - and process manufacturing - where production involves continuous or batch transformation of raw materials using chemical, physical, or biological processes. This distinction shapes everything from the control systems in use, to the consequence of a cyber incident, to the operational constraints on security implementation.
This post explains the ICS security implications of that distinction for manufacturing security leads who are responsible for environments that do not fit neatly into generic OT security guidance. It covers the technical differences between discrete and process manufacturing control systems, how those differences affect the threat landscape and risk profile, and what the security architecture must account for in each environment.
Manufacturing was the most targeted industry for cyberattacks in 2024 for the fourth consecutive year, with discrete manufacturing - particularly automotive, electronics, and aerospace - accounting for the largest share of incidents by volume. Process manufacturing - chemicals, food and beverage, pharmaceuticals - accounted for the highest average operational impact per incident, driven by the consequence of process disruption in continuous production environments. Source: IBM X-Force Threat Intelligence Index 2025
1. Understanding the Two Manufacturing Environments
1.1 Discrete Manufacturing
Discrete manufacturing produces distinct, countable units - vehicles, electronic components, aerospace parts, consumer goods. Production is organized around machining, assembly, and quality control operations that can be stopped, restarted, and partially completed without the catastrophic consequences that apply to continuous processes. A production line that stops unexpectedly loses the units in progress and the throughput for the downtime period. It does not create an uncontrolled chemical reaction or a pressure excursion.
The control systems in discrete manufacturing environments reflect this operational structure. Programmable Logic Controllers (PLCs) run machine-level automation - robotic welding cells, CNC machining centers, conveyor systems, pick-and-place assemblies. Supervisory control is typically provided by Manufacturing Execution Systems (MES) and SCADA platforms that coordinate multiple PLCs across a production line or facility. Human-Machine Interfaces (HMIs) provide operator visibility and manual override capability at the machine or line level.
1.2 Process Manufacturing
Process manufacturing transforms raw materials into products through continuous or batch processes - refining crude oil, producing pharmaceuticals, manufacturing chemicals, processing food and beverages. The production process involves reactions, separations, and transformations that cannot simply be paused: a reactor at operating temperature and pressure must be controlled continuously, or the process enters an unsafe state.
The control systems in process manufacturing reflect the requirement for continuous, real-time process control. Distributed Control Systems (DCS) - rather than PLC networks - are the standard control architecture for continuous process environments. A DCS is designed for the redundancy, determinism, and alarm management requirements of continuous process control. Safety Instrumented Systems (SIS) provide independent, automated emergency shutdown capability for high-consequence processes where a DCS failure or malfunction could result in physical harm.
| Characteristic | Discrete Manufacturing | Process Manufacturing |
|---|---|---|
| Production type | Countable units - vehicles, parts, assemblies | Continuous or batch transformation - chemicals, fuels, food, pharma |
| Primary control system | PLC networks with MES/SCADA supervisory layer | DCS for continuous control; SIS for safety-critical shutdowns |
| Process interruption consequence | Lost production units and throughput; restartable | Potential for unsafe process conditions; safety and environmental risk |
| Production cadence | Shift-based or continuous with defined changeover windows | True continuous (24/7 with no planned interruption) or campaign-based batch |
| Patching and maintenance windows | Planned downtime between shifts or production runs | Turnarounds every 2-5 years; minimal planned maintenance windows in between |
| Typical legacy equipment lifespan | 10-20 years for PLCs and controllers | 20-30+ years for DCS and SIS hardware in continuous process environments |
| Safety consequence of OT incident | Production loss; quality defects; equipment damage | Process safety incident; environmental release; personnel harm potential |
2. How the Control System Architecture Shapes the Security Approach
2.1 PLC Networks in Discrete Manufacturing: Security Implications
Discrete manufacturing environments typically operate large networks of PLCs - a modern automotive assembly plant may have hundreds or thousands of individual PLCs controlling robots, conveyors, presses, and testing stations. Each PLC is a potential attack target and a potential lateral movement pathway within the OT network.
The flat network problem in discrete manufacturing
PLC networks in discrete manufacturing facilities are frequently flat - all PLCs in a production area communicate on a shared network segment with minimal segmentation between production lines, engineering workstations, and in many cases the corporate IT network. This architecture evolved from operational convenience: PLCs need to communicate with each other for coordinated production sequences, and engineers need access to any PLC in the facility for programming and diagnostics.
A flat PLC network means that a compromise of any single point on the network - an engineering workstation, an HMI terminal, or an IT endpoint with OT network access - gives an adversary reachability to every PLC in the facility. In a facility with hundreds of PLCs across multiple production lines, the lateral movement potential from a single compromised endpoint is substantial, and the controllers themselves rarely authenticate the engineering protocols used to read or rewrite their logic.
Remote access to PLC programming environments
PLCs are programmed and maintained using vendor-specific engineering software - Siemens TIA Portal, Rockwell Studio 5000, Schneider EcoStruxure, and similar platforms. This software requires direct network access to the PLCs it manages. In many discrete manufacturing environments, engineering workstations running this software are connected to both the OT network and the IT network, creating dual-homed endpoints that bridge the two environments. Remote access for machine vendors and system integrators to these engineering environments - often a standing VPN that lands directly on the engineering workstation - is one of the most frequently exploited attack pathways in discrete manufacturing OT incidents.
2.2 DCS and SIS in Process Manufacturing: Security Implications
Process manufacturing control architecture is organized around different priorities than discrete manufacturing. DCS systems are designed for redundancy and reliability in continuous operation - they use proprietary hardware, specialized real-time operating systems, and communication protocols that are optimized for deterministic control rather than for IT network compatibility. This architecture creates both security advantages and security challenges.
The patching problem in continuous process environments
DCS platforms in continuous process manufacturing may operate for years without a planned maintenance window long enough to apply security patches. A petrochemical facility running a 24/7 continuous process may have a major planned turnaround every two to five years - and that turnaround is the only window in which DCS patching can be performed without production impact. Security patches released by the DCS vendor in the intervening years accumulate as unmitigated vulnerabilities until the next turnaround.
This is not a failure of security management - it is an operational reality of continuous process manufacturing. The security response must account for it through compensating controls: network monitoring that detects exploitation attempts, network segmentation that limits the reachability of unpatched DCS components, and vendor security assessments that prioritize which unpatched vulnerabilities represent the highest risk in the specific process environment.
Safety Instrumented System security as a process safety obligation
Process manufacturing environments with high-consequence processes - chemical reactors, high-pressure separation systems, explosive or toxic material handling - operate Safety Instrumented Systems as an independent layer of protection against process failures. The security of the SIS is not primarily an IT security concern. It is a process safety concern: a compromised SIS that fails to trigger an emergency shutdown when required, or that triggers a spurious shutdown at a critical moment, creates the conditions for a physical process incident.
The Triton/TRISIS malware, discovered in 2017 at a Middle Eastern petrochemical facility, targeted the Triconex safety controller specifically to disable its protective function. It reached the controller from a compromised SIS engineering workstation over the vendor's TriStation engineering protocol, and it was able to load new logic because the controller's physical key switch had been left in PROGRAM mode rather than RUN. The attack was designed not to cause an immediate incident, but to create conditions where a subsequent process attack would not be stopped by the SIS. Process manufacturers operating SIS-protected facilities must treat SIS security as a process safety obligation with the same priority as any other process safety system.
Key distinction: In discrete manufacturing, the consequence of an OT security incident is primarily operational and financial: production stops, orders are delayed, revenue is lost. In process manufacturing, the consequence can extend to safety and environmental harm. This difference in consequence does not mean process manufacturing needs more security investment in absolute terms - it means the security architecture must specifically protect the systems whose failure could create physical harm, and that the SIS must be treated as the highest-priority protection target in any process manufacturing OT security program.
3. Threat Landscape Differences Between Discrete and Process Manufacturing
3.1 Threats Most Active in Discrete Manufacturing
Ransomware targeting production line availability
Discrete manufacturing is the primary target sector for ransomware operators targeting industrial organizations. The combination of operational continuity pressure - just-in-time supply chains, customer delivery commitments, production schedule obligations - and the relative accessibility of flat PLC networks through IT/OT boundary weaknesses makes discrete manufacturing facilities attractive ransomware targets. The goal in most discrete manufacturing ransomware incidents is not manipulation of the production process but denial of SCADA and MES visibility, forcing a production halt.
IP theft targeting product designs and process parameters
Discrete manufacturers in high-value sectors - aerospace, defense, automotive, semiconductors - hold product design data, manufacturing process parameters, and quality control data that represent significant competitive and national security value. Nation-state threat actors with economic espionage objectives specifically target discrete manufacturers in these sectors to acquire this data. The attack vector is typically the engineering network - the systems that hold CAD/CAM files, PLC programs, and process documentation - rather than the production control systems themselves.
Supply chain attacks through machine vendor software
The concentration of engineering software vendors in discrete manufacturing - a large proportion of global automotive and electronics production relies on PLC and robotics platforms from a small number of suppliers - creates supply chain attack risk analogous to the SCADA software supply chain risk in oil and gas. A compromised update to a major PLC programming platform would affect the engineering environments of a large number of manufacturers simultaneously.
3.2 Threats Most Active in Process Manufacturing
Process manipulation targeting safety and environmental outcomes
The most consequential threat in process manufacturing is not ransomware - it is deliberate manipulation of process control parameters to create unsafe conditions. The Triton/TRISIS attack demonstrated that nation-state actors have developed malware specifically designed to target process safety systems in high-consequence manufacturing environments. The threat is not theoretical and is not limited to petrochemical applications: any process manufacturer with a SIS-protected facility is a potential target for this attack class.
Extended dwell time espionage in continuous process environments
Continuous process manufacturers - particularly in chemicals, specialty materials, and pharmaceuticals - hold proprietary process formulations, catalyst recipes, and production parameters that represent decades of research and development investment. Nation-state actors targeting this data operate with extended dwell times in process manufacturing OT environments, quietly exfiltrating process documentation and control system configurations without triggering production disruptions that would reveal their presence.
4. Security Architecture Requirements by Manufacturing Type
4.1 Security Controls Specific to Discrete Manufacturing
PLC network segmentation by production zone
The flat PLC network architecture common in discrete manufacturing is the primary security liability to address. Segmentation by production zone - isolating PLCs associated with one production line or area from those in adjacent areas - limits the lateral movement potential of a compromised endpoint. Zone boundaries should be enforced by firewalls with OT-aware rules, not just by VLAN configuration that a compromised device with appropriate access can potentially traverse.
Engineering workstation access governance
Engineering workstations with PLC programming software are the highest-risk dual-homed assets in discrete manufacturing environments. Controls required:
- Application whitelisting: Only approved engineering software and operating system processes can execute on OT-connected engineering workstations.
- Network segmentation enforcement: Engineering workstations should not have simultaneous active connectivity to both IT and OT networks. Network access control enforces that OT connectivity is exclusive when active.
- Session recording for remote vendor access: Every remote engineering session to PLC programming environments is recorded and retained for forensic purposes.
- Vendor access governance: Machine vendors and system integrators receive time-limited, asset-scoped access through a secure access gateway - not standing VPN connections.
MES and SCADA server protection
The MES and SCADA servers that provide supervisory control over discrete production lines are the highest-leverage targets for ransomware operators in this environment. These servers require offline backups with tested recovery procedures, network isolation from corporate IT, and OT-native monitoring that baselines normal communication patterns and alerts on deviations - particularly new connections from IT-side source addresses.
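The "baseline normal communication patterns and alert on deviations" control above, and the zone-boundary monitoring from the segmentation paragraph, are easier to reason about with a concrete implementation. The following is an added example, not code from the article or from any OT monitoring product. The address plan (10.0.0.0/16 as corporate IT, 10.50.x.x as the OT supervisory and controller networks) and every flow record are constructed for illustration. The logic learns the set of (source, destination, port, protocol) tuples seen during a known-clean window, then flags any later flow outside that set, escalating severity when the source is IT-side or the destination port belongs to a controller programming protocol.

```python
"""Baseline-and-deviate monitoring for MES/SCADA supervisory servers.

Added example; not code from the article. Address ranges and flow records
are constructed. A baseline of (src, dst, dport, proto) tuples is learned
from known-good traffic; later flows outside it raise alerts whose severity
rises for IT-side sources and controller-protocol destination ports.
"""
import ipaddress

# Assumed address plan for the example: corporate IT lives in 10.0.0.0/16.
IT_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

# Ports of common controller protocols. A new talker on one of these is a
# possible engineering/programming session, not just a stray connection.
ENGINEERING_PORTS = {
    102: "S7comm over ISO-TSAP (Siemens)",
    502: "Modbus/TCP",
    44818: "EtherNet/IP explicit messaging (Rockwell)",
}

# Constructed flow records: "timestamp src dst dport proto"; '#' starts a comment.
BASELINE_LINES = """
2025-03-01T08:00:01 10.50.10.5 10.50.20.11 44818 tcp   # SCADA poll of PLC
2025-03-01T08:00:03 10.50.10.5 10.50.20.12 44818 tcp
2025-03-01T08:00:07 10.50.30.2 10.50.10.5  1433  tcp   # HMI to MES database
2025-03-01T08:00:09 10.50.10.6 10.50.20.11 102   tcp   # SCADA poll of Siemens PLC
2025-03-01T08:00:15 10.0.5.20  10.50.10.6  443   tcp   # known IT reporting client
""".strip().splitlines()

OBSERVED_LINES = """
2025-03-02T02:10:01 10.50.10.5 10.50.20.11 44818 tcp   # known
2025-03-02T02:10:04 10.0.5.20  10.50.10.6  443   tcp   # known
2025-03-02T02:11:30 10.0.7.44  10.50.10.6  3389  tcp   # new IT source, RDP to SCADA
2025-03-02T02:12:02 10.0.7.44  10.50.20.11 44818 tcp   # new IT source straight to a PLC
2025-03-02T02:15:40 10.50.30.9 10.50.10.5  1433  tcp   # new OT source, database port
""".strip().splitlines()


def parse_flows(lines):
    """Parse records into (ts, src, dst, dport, proto); skips blanks and comments."""
    flows = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(dport), proto))
    return flows


def learn_baseline(lines):
    """Set of (src, dst, dport, proto) seen during a known-clean window."""
    return {(src, dst, dport, proto) for _, src, dst, dport, proto in parse_flows(lines)}


def is_it_side(addr):
    return any(addr in net for net in IT_NETWORKS)


def classify(flow, baseline):
    """None for a baselined flow, else an alert dict with escalating severity."""
    ts, src, dst, dport, proto = flow
    if (src, dst, dport, proto) in baseline:
        return None
    reasons, score = ["not in baseline"], 1
    if is_it_side(src):
        reasons.append("IT-side source address")
        score += 1
    if dport in ENGINEERING_PORTS:
        reasons.append(f"controller protocol port {dport} ({ENGINEERING_PORTS[dport]})")
        score += 1
    severity = {1: "medium", 2: "high", 3: "critical"}[score]
    return {"ts": ts, "src": str(src), "dst": str(dst), "dport": dport,
            "severity": severity, "reason": "; ".join(reasons)}


def detect(baseline_lines, observed_lines):
    """Alerts for every observed flow that deviates from the learned baseline."""
    baseline = learn_baseline(baseline_lines)
    return [a for a in (classify(f, baseline) for f in parse_flows(observed_lines)) if a]


if __name__ == "__main__":
    for alert in detect(BASELINE_LINES, OBSERVED_LINES):
        print(f"{alert['severity']:8} {alert['src']} -> {alert['dst']}:{alert['dport']}  {alert['reason']}")
```

Two practical caveats. The baseline window has to be long enough to contain every periodic legitimate flow (end-of-shift backups, monthly vendor checks) or those will alert on first recurrence, and it has to be taken from a period you are confident was clean, otherwise an intruder's existing sessions become "normal". A flow-level baseline also sees only who talked to whom on which port; distinguishing a Modbus read from a Modbus write, or a PLC status poll from a program download, needs protocol-aware inspection on top of this.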
4.2 Security Controls Specific to Process Manufacturing
DCS zone isolation and compensating controls for unpatched systems
DCS systems that cannot be patched on a timely basis require compensating controls that reduce the exploitability of known vulnerabilities without requiring system downtime. The primary compensating control is network segmentation: a DCS zone that is isolated from all other network segments except through defined, monitored conduits cannot be directly exploited by an adversary who has not first compromised a system with authorized DCS access. Secondary compensating controls include application-layer filtering on conduit firewalls that blocks exploitation traffic for known DCS vulnerabilities, and OT network monitoring that detects exploitation attempts in real time.
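The compensating-control argument here and in the patching paragraph earlier rests on a question that is easy to state and tedious to answer by hand: given the conduit rules actually in place, which unpatched components can an adversary starting on a corporate endpoint reach at all? The block below is an added example, not code from the article or any product, that answers it with a breadth-first search over a zone/conduit model. Every zone name, conduit rule, host and weakness is constructed for illustration (the "vendor-ctrl" and "vendor-eng" protocol labels are placeholders for whatever proprietary protocols a given DCS uses). It also shows one compensating control from the historian section later on the page: reversing the historian data flow so that nothing enters the supervisory zone from the DMZ.

```python
"""Attack-path reachability over a zone/conduit model (IEC 62443 style).

Added example; not code from the article. Zone names, conduit rules, hosts
and their unpatched weaknesses are constructed. The model is deliberately
pessimistic: traffic inside a zone is unfiltered, and any host with a
weakness reachable over a permitted protocol is treated as compromisable.
"""
from collections import deque

# Conduit policy: (from_zone, to_zone) -> protocols the conduit firewall
# permits in that direction. Missing key or empty set means denied.
CONDUITS = {
    ("enterprise", "idmz"): {"https"},
    ("idmz", "dcs_supervisory"): {"opc-ua"},         # DMZ historian pulls from DCS
    ("dcs_supervisory", "dcs_control"): {"vendor-ctrl"},
    ("dcs_engineering", "dcs_control"): {"vendor-eng"},
    ("dcs_engineering", "dcs_supervisory"): {"rdp"},
    ("sis", "dcs_supervisory"): {"sis-status"},      # SIS -> DCS status only
    ("dcs_control", "sis"): set(),                   # DCS -> SIS explicitly denied
}

# Hosts, their zone, and the protocol over which each can be compromised
# (None = no known remotely exploitable weakness). All hypothetical.
ASSETS = [
    {"name": "corp-laptop", "zone": "enterprise",      "weakness": None},
    {"name": "dmz-hist",    "zone": "idmz",            "weakness": "https"},
    {"name": "hist-01",     "zone": "dcs_supervisory", "weakness": "opc-ua"},
    {"name": "ctrl-07",     "zone": "dcs_control",     "weakness": "vendor-ctrl"},
    {"name": "eng-02",      "zone": "dcs_engineering", "weakness": "rdp"},
    {"name": "sis-01",      "zone": "sis",             "weakness": "tristation"},
]


def can_pivot(src, dst, conduits):
    """True if an attacker holding `src` can exploit `dst`: the target needs a
    weakness, and the traffic must be intra-zone or permitted by the conduit."""
    if dst["weakness"] is None:
        return False
    if src["zone"] == dst["zone"]:
        return True  # no filtering assumed inside a zone
    return dst["weakness"] in conduits.get((src["zone"], dst["zone"]), set())


def attack_paths(start_name, assets, conduits):
    """Breadth-first search from the initial foothold.
    Returns {host_name: [hosts on the shortest path to it]}."""
    by_name = {a["name"]: a for a in assets}
    paths = {start_name: [start_name]}
    queue = deque([start_name])
    while queue:
        cur = by_name[queue.popleft()]
        for nxt in assets:
            if nxt["name"] not in paths and can_pivot(cur, nxt, conduits):
                paths[nxt["name"]] = paths[cur["name"]] + [nxt["name"]]
                queue.append(nxt["name"])
    return paths


def exposed_unpatched(start_name, assets, conduits):
    """Hosts with a weakness that the attacker can actually reach, in BFS
    order. These are the patch-or-compensate priorities; the rest can wait."""
    return [n for n in attack_paths(start_name, assets, conduits) if n != start_name]


def reverse_historian_flow(conduits):
    """Compensating control: the DCS pushes data out to the DMZ historian
    instead of the DMZ pulling from the DCS, so no conduit enters the
    supervisory zone from the DMZ. Returns a modified copy."""
    new = {k: set(v) for k, v in conduits.items()}
    new.pop(("idmz", "dcs_supervisory"), None)
    new[("dcs_supervisory", "idmz")] = {"opc-ua"}
    return new


if __name__ == "__main__":
    for label, policy in (("as-built", CONDUITS),
                          ("historian flow reversed", reverse_historian_flow(CONDUITS))):
        print(label)
        for host, path in attack_paths("corp-laptop", ASSETS, policy).items():
            if host != "corp-laptop":
                print("  ", host, "via", " -> ".join(path))
```

In the as-built policy the unpatched historian and, through it, the unpatched controller are both reachable from the corporate laptop; after the historian flow is reversed only the DMZ host remains exposed, without either DCS component having been patched. That is the whole point of a compensating control, and the same search run against the real conduit rules is a defensible way to rank which unpatched DCS vulnerabilities actually matter before the next turnaround.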
SIS physical and logical isolation
Safety Instrumented Systems must be physically and logically separate from the process control network. The following architecture requirements apply to any SIS-protected facility:
- No bidirectional network connectivity between DCS and SIS: Data from the SIS to the DCS for monitoring purposes is permitted through a unidirectional gateway. Commands from the DCS to the SIS are not permitted through any network pathway; where the plant design requires an operator or the DCS to initiate a trip, that signal is hard-wired, not networked.
- SIS engineering workstation isolation: The workstation used to configure and maintain the SIS is not connected to any other network when SIS configuration access is active. Engineering access to the SIS requires physical presence at a dedicated workstation, not remote access.
- File integrity monitoring on SIS engineering workstations and servers: Any unauthorized modification to SIS project files, vendor tool binaries, or configuration is flagged immediately. This detects the host-side stage of Triton/TRISIS-class attacks - the malware and the altered project staged on the engineering workstation. A logic change that has already been pushed to the safety controller is only visible by monitoring the engineering protocol on the SIS conduit or by periodically comparing the controller's running program against the approved baseline.
- SIS vendor access prohibition during normal operations: SIS vendors do not have remote access to SIS equipment during normal operations. All vendor access is in-person, during planned maintenance windows, with operations supervision.
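The file integrity control in the list above is simple enough to build without a product. What follows is an added example, not the article's code and not any SIS vendor's tooling: it takes a hash-and-size baseline of a directory tree, then reports added, removed and modified files. The directory layout, file names and contents are constructed inside a temporary directory so the block runs offline; the paths are hypothetical stand-ins for a vendor's project and tool directories.

```python
"""File-integrity baseline for SIS project files and engineering tools.

Added example; not the article's code and not any SIS vendor's tooling.
The directory tree, file names and contents are constructed in a temporary
directory; the paths are hypothetical.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large project files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """{relative path: (sha256, size)} for every regular file under root.
    Modification times are deliberately not recorded: an intruder can restore
    a timestamp in one call, but cannot restore a content hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (sha256_of(p), p.stat().st_size)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Added, removed and modified relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Baseline a constructed SIS engineering tree, then simulate what an
    intruder staging new safety logic leaves behind: an altered project file,
    a dropped executable next to the vendor tools, and a deleted config."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "projects").mkdir()
        (root / "bin").mkdir()
        (root / "projects" / "unit1_esd.prj").write_bytes(b"constructed project, revision 1")
        (root / "bin" / "engtool.exe").write_bytes(b"constructed vendor binary")
        (root / "bin" / "engtool.cfg").write_bytes(b"constructed tool config")
        baseline = snapshot(root)

        # Simulated tampering. The overwrite keeps the file the same length on
        # purpose: a size-only check would miss it, the hash does not.
        (root / "projects" / "unit1_esd.prj").write_bytes(b"constructed project, revision X")
        (root / "bin" / "inject.exe").write_bytes(b"constructed dropped payload")
        (root / "bin" / "engtool.cfg").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Store the baseline somewhere the monitored host cannot write to (a read-only share or a separate monitoring server) and re-baseline only as part of an approved SIS change, with operations sign-off; a baseline the intruder can update is no baseline. As the list item notes, this covers the workstation and server side only: confirming that the controller is still running the approved logic requires the vendor's compare tooling or a monitored engineering conduit.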
Process historian security in continuous environments
Process historians in continuous manufacturing environments aggregate real-time process data from DCS systems - they contain the operational parameters, process trends, and production records that represent the accumulated operational knowledge of the facility. Historians are high-value targets for both ransomware (disrupting access to process data forces manual operation) and espionage (process parameter data reveals proprietary production methods). Historian servers require Industrial DMZ architecture that brokers all data flows between the historian and IT-side consumers without creating direct network connectivity between IT endpoints and DCS systems.
| Security Control | Priority in Discrete Manufacturing | Priority in Process Manufacturing |
|---|---|---|
| PLC network segmentation by zone | Highest - flat PLC networks are the primary lateral movement risk | Moderate - DCS architecture typically provides more inherent segmentation |
| Engineering workstation access governance | Highest - dual-homed workstations are the primary IT/OT bridge | High - DCS engineering workstations require equivalent controls |
| Safety Instrumented System isolation | Not applicable in most discrete environments | Highest - SIS security is a process safety obligation |
| Patching compensating controls | Moderate - maintenance windows exist; patch management is feasible | Highest - years between turnarounds require compensating controls for unpatched systems |
| OT network monitoring | High - needed for PLC network lateral movement detection | High - needed for DCS anomaly detection and SIS integrity monitoring |
| Remote vendor access governance | Highest - machine vendors are the most exploited entry point | High - DCS vendor access requires equivalent governance |
| Process historian DMZ architecture | Moderate - MES historians have similar requirements | Highest - historian contains proprietary process IP and is the primary IT/OT bridge |
5. Applying IEC 62443 Across Both Manufacturing Types
IEC 62443 Security Levels and the zones and conduits model apply to both discrete and process manufacturing environments, but the zone definitions and Security Level assignments differ based on the consequence analysis for each environment.
In discrete manufacturing, zones are typically defined by production line or functional area - robotic assembly zone, CNC machining zone, quality control zone, engineering workstation zone - with a target Security Level (SL-T) of 2 as the baseline for all production zones and SL-T 3 applied to zones with the highest production impact or IP sensitivity.
In process manufacturing, zones are defined by process unit and consequence level - reactor control zone, SIS zone, utility systems zone, historian zone - with SL-T 2 as the baseline for process control zones and SL-T 3 applied to high-consequence process units. The SIS zone requires special treatment: its physical and logical isolation requirements exceed what the Security Level definitions prescribe, because the consequence of SIS compromise is qualitatively different from the consequence of DCS compromise.
Bottom line: Discrete and process manufacturing are not variations on the same OT security problem. They have different control system architectures, different threat profiles, different operational constraints on security implementation, and different consequence profiles for OT security incidents. A security program designed for a discrete assembly plant will not adequately protect a continuous chemical process facility, and vice versa. The starting point for any manufacturing OT security program is an accurate characterization of the production environment - and a security architecture that accounts for what makes that environment operationally and technically distinct.
Frequently Asked Questions
Our facility has both discrete assembly and continuous batch process operations. How do we structure the security program?
Mixed manufacturing environments require a zone-based security architecture that treats each production area according to its own operational characteristics and consequence profile. The discrete assembly area and the continuous batch process area should be defined as separate security zones with separate security requirements - even if they share facility infrastructure. The highest-consequence zone sets the requirements for itself and for every conduit into it: if the batch process area includes a SIS-protected reactor, the SIS isolation requirements apply to that zone and its conduits regardless of what security controls are in place in the adjacent assembly area. A unified IEC 62443 zone and conduit assessment that maps the full facility - including the connections between the discrete and process sections - is the appropriate starting point.
Why is patching harder in process manufacturing than in discrete manufacturing?
Discrete manufacturing production lines can typically be stopped at shift changes or between production runs for maintenance activities including software updates - the production impact is a defined, planned downtime period. Continuous process manufacturing - chemical plants, refineries, pharmaceutical fermentation facilities - operates 24 hours a day with no planned interruption between major maintenance events called turnarounds. A turnaround for a large continuous process facility is a multi-week event that occurs every two to five years, involves thousands of maintenance tasks, and is planned years in advance. Applying a security patch to a DCS controller requires taking that controller out of service - which in a continuous process means either routing the process around it (if redundancy exists) or stopping the process. Neither is practical between turnarounds. The security response is not to force patching at operationally infeasible times - it is to implement compensating controls that reduce the exploitability of unpatched vulnerabilities for the years they remain in the environment.
Do discrete manufacturers need Safety Instrumented Systems?
Some discrete manufacturing processes involve energy, pressure, temperature, or chemical hazards that require SIS protection - large metal pressing operations, heat treatment furnaces, paint booth solvent environments, and laser processing systems may all trigger SIS requirements under process safety regulations. However, most discrete assembly and machining operations do not operate at the hazard levels that require SIS protection. The relevant determination is not the manufacturing type but the process hazard analysis: if the process involves stored energy, flammable or toxic materials, or pressure above safe handling thresholds, a SIS may be required regardless of whether the overall facility is classified as discrete or process manufacturing.
Which is more at risk from ransomware - discrete or process manufacturing?
By volume of incidents, discrete manufacturing is more frequently targeted by ransomware operators. The combination of accessible IT/OT boundaries, just-in-time supply chain pressure that creates payment urgency, and the relative familiarity of ransomware operators with IT-centric attack techniques applied to OT-adjacent systems makes discrete manufacturing a higher-frequency ransomware target. However, the operational impact of a ransomware incident in continuous process manufacturing is often more severe per incident: a discrete assembly plant that loses SCADA visibility can halt production lines and restore from backups within days. A continuous process facility that loses DCS visibility faces the choice between operating without normal monitoring capability or executing an emergency process shutdown - either of which has significant operational and financial consequences that exceed the impact on most discrete manufacturing operations.