Author: Denrich Sananda
Date: 10-02-2026
Categories: Cybersecurity, Manufacturing

6 Best Practices for Manufacturing OT Security

Securing manufacturing environments has become critical. Production networks now blend traditional OT (operational technology) systems – PLCs, SCADA, DCS, and factory automation – with IT, IIoT, and cloud services. High-profile incidents have underscored the stakes: in 2025, cyberattacks on Asahi Group and Jaguar Land Rover forced factory-wide shutdowns. Given that downtime in manufacturing can cost millions per day, strong OT security is non-negotiable. This article lays out six vendor-neutral best practices for manufacturing OT cybersecurity, grounded in NIST, CISA, and industry guidance. Implementing these steps will help you "secure the shop floor" – from network segmentation and device hardening to monitoring and compliance – while maintaining safe, reliable operations.

1. Perform Comprehensive OT Risk Assessments and Asset Management

The first step is understanding your OT environment. Inventory every control system asset – PLCs, RTUs, HMIs, servers, smart sensors, industrial PCs, network switches, etc. – and map how they connect and communicate. CISA and NIST stress that maintaining an up-to-date OT/ICS asset inventory is foundational. For example, CISA recommends: "Maintain an ICS asset inventory of all hardware, software, and supporting infrastructure". This lets you know exactly what is on the network and where security gaps may lie.

Next, conduct a thorough risk assessment of your OT systems. Consider threats specific to manufacturing: ransomware on production servers, malware on HMIs, or supply-chain attacks on PLC firmware. Use a risk-based approach to prioritize high-value or high-risk assets for tighter controls. NIST's Risk Management Framework (RMF) and Cybersecurity Framework (CSF) can guide these assessments in OT settings. In particular, NIST's upcoming SP 800-82 revision (OT Security guide) emphasizes aligning risk management with frameworks like the NIST CSF 2.0 and industry standards.

Practical actions:

  • Maintain a detailed inventory of OT assets (hardware and software) – automated tools can help.
  • Categorize each asset by criticality (e.g., life-safety PLCs vs. non-critical sensors).
  • Perform a gap analysis: compare current protections to references like NIST, ISA/IEC 62443, NERC CIP, etc., and identify missing controls.
  • Involve both OT and IT/security teams – risk decisions must balance operational continuity and cyber defense.

With a clear view of assets and risks, you can tailor the other best practices (segmentation, patching, monitoring, etc.) to the areas of greatest need.

2. Implement Defense-in-Depth with OT Network Segmentation

Manufacturing OT networks should not be flat. Segment and zone the network so that critical equipment is isolated from other systems. NIST calls network segmentation a "common architecture for supporting a defense-in-depth approach" in OT. In practice, this means using VLANs, industrial firewalls, or unidirectional gateways (data diodes) to separate corporate IT, DMZ, and plant floor networks. For example, safety systems and critical DCS segments often require separate switches or physical air gaps.

Proper segmentation enforces "deny-all, permit-by-exception" rules between zones. NIST specifically notes that "when properly configured, network segmentation helps enforce security policies" by allowing only authorized traffic. In other words, if an attacker gains a foothold in one segment, segmentation prevents easy lateral movement across the plant network.

Key techniques include:

  • Perimeter firewalls and OT DMZs: Isolate the OT zone from business IT and the internet. All traffic between segments goes through firewalls or data diodes. NIST recommends modern stateful firewalls with deep packet inspection for OT environments.
  • Use of Purdue model or IEC/ISA levels: Organize OT into layers (enterprise, DMZ, control, field). Each zone has its own controls. For example, treat Level 3 (SCADA/DCS level) differently from Level 2 (PLC/RIO level).
  • Remove unnecessary access: Disable unused ports and services on network devices and PLCs (avoid rogue connections).
  • Planned segmentation for IIoT: If devices join a wireless or cloud network, place them in separate zones with strict rules.

In short, assume breaches will happen and limit them by layering barriers. As NIST summarizes, a strong defense-in-depth makes it "easy to focus attention and defensive mechanisms on critical functions". Segmenting your manufacturing network is one of the most effective ways to do that.

3. Harden OT Devices and Maintain Patching

Many manufacturing attacks exploit poorly patched or misconfigured devices. Best practice is to harden every OT endpoint and update firmware/software regularly, as much as the environment safely allows. CISA explicitly lists "Update all software" and risk-based patch management as top ICS best practices. In a manufacturing context, that means patching SCADA servers, HMI workstations, PLC firmware, and even network switch OS with a priority on critical fixes. Always test patches in a safe environment first to avoid disruptions to the process.

Other hardening steps include:

  • Disable unused features: Turn off unnecessary protocols or ports on PLCs and HMIs (e.g., disable Telnet if it's not in use). This reduces the attack surface. CISA advises turning off unused ports/services after verifying operations.
  • Replace end-of-life (EoL) equipment: Legacy devices often lack updates and have known vulnerabilities. If possible, upgrade or segment them out of production networks.
  • Application allowlisting: Use allow-lists on engineering PCs and HMIs so only approved software can run.
  • Strong configuration standards: Apply vendor-recommended secure settings on devices. For example, secure PLC ladder logic with passwords, and secure SCADA with encrypted communications (OPC UA).
  • Backup and Recovery: Keep known-good backups of device configurations and critical OT data offline. This speeds recovery from ransomware or misconfiguration.

Remember, some OT assets have constraints (e.g., PLCs may require vendor firmware). But fundamental principles remain: patch frequently (when safe), minimize unnecessary services, and follow hardening guidance. These practices directly counter the "old" vulnerabilities that attackers still exploit.

4. Enforce Secure Access Controls and Zero Trust

Limiting who can access OT networks and how is crucial. Strict access control means requiring authentication (preferably multi-factor) for all remote connections and privileged accounts. CISA lists "enforce multi-factor authentication (MFA) for remote access" as an ICS best practice. In manufacturing, this applies to VPNs, remote support tools, jump servers, and any interface into OT. Don't allow generic or default accounts. Use strong, unique passwords and rotate them regularly.

Where possible, adopt Zero Trust principles: never implicitly trust any user or device, even inside the perimeter. NIST encourages considering Zero Trust Architecture (ZTA) for OT, noting that traditional perimeters no longer fully protect distributed, cloud-connected environments. In practice, this might mean continuously validating devices (certificates) and micro-segmenting access. For example, even after logging into an HMI, an operator shouldn't be able to freely command all PLCs – authorization rules should confine them to specific operations.

Steps to secure access:

  • MFA and Identity Management: Require MFA on VPNs and remote OT tools. Integrate with centralized identity systems if feasible.
  • Network Access Control (NAC): Use NAC to ensure only authorized (trusted) devices connect.
  • Least-privilege: Grant the minimum rights needed. An operator account should not have admin privileges on PLCs unless needed.
  • Vendor Remote Access: Do not allow vendor laptops to roam freely; use jump hosts or one-time access tokens. Monitor and log their activity.
  • Zero Trust roll-out: For example, place ZTA controls in higher OT zones (e.g., Level 3/DMZ). NIST suggests applying ZTA where tech supports it (e.g., servers, HMIs), even if field devices can't fully implement it.

In essence, treat every connection (even from IT) as untrusted by default. Requiring continuous authentication and explicit authorization for each session drastically reduces the risk that compromised credentials or a single breach will lead to a catastrophic intrusion.

5. Continuous Monitoring, Logging, and Incident Response

Even with the strongest controls in place, intrusions can still happen, so monitoring the OT network and preparing for incidents is just as important. CISA and the wider industry emphasize OT-specific monitoring and logging: for example, keeping logs of PLC, HMI, and network activity and centralizing their collection for the Security Operations Center (SOC). IDS/IPS and anomaly-detection tools help keep watch over the plant floor.

Key actions:

  • Centralized Logging: Collect and archive logs from all OT devices and network equipment. Analyze them to hunt for any signs of unauthorized access or malware. NIST says that strong logging of critical devices, such as HMIs and jump servers, is important.
  • OT-Specific IDS/IPS: Use an appliance that understands industrial protocols such as Modbus, DNP3, and OPC. Example: feed a network tap on the control VLAN into your monitoring appliance. Deploy such tools out of band (via a tap or SPAN port) so they cannot affect control traffic.
  • Behavioral Analytics: Look into OT security analytics, or even SIEMs specifically designed for ICS, that alert on anomalies (sudden PLC code changes, unusual command sequences, etc.).
  • Incident Response Plan: Maintain a written playbook for OT incident response. Given the implications for production, these plans should include safe shutdown procedures, system restoration, and communication with regulators. Practice with drills involving OT and IT responders.
  • Integration with IT Security: Share relevant OT alerts with corporate security and vice versa to enable cross-domain attack detection (IT→OT or OT→IT).

As NIST notes, monitoring and adapting defenses is part of an effective defense-in-depth strategy. In practice, this means not just setting up tools, but also having skilled staff or service providers to review alerts and act on them quickly.
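The following is an added example, not code from the original post or from Arista Cyber: a small Modbus/TCP allow-list monitor that applies the "deny-all, permit-by-exception" zone rules of section 2, confines each source host to specific operations as section 4 describes, and raises the kind of OT-aware alert section 5 calls for. The host addresses, policy entries and captured frames are constructed sample data.

```python
# Added example: Modbus/TCP allow-list monitor (constructed hosts, units and frames).
# Verdicts: ALLOW (listed exception), ALERT (listed pair, disallowed function), DENY (unknown pair).
import struct
from dataclasses import dataclass

WRITE_FUNCS = {5, 6, 15, 16}  # function codes that change PLC state

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    unit: int
    func: int

# Permit-by-exception policy: (source host, PLC) -> allowed function codes.
# Any pair or function not listed is denied (the deny-all default).
POLICY = {
    ("10.1.2.10", "10.1.3.20"): {3, 4, 6, 16},  # HMI: read + write holding registers
    ("10.1.2.11", "10.1.3.20"): {1, 2, 3, 4},   # historian: read-only
    ("10.1.2.10", "10.1.3.21"): {3, 4},         # HMI: read-only on the safety PLC
}

def parse_modbus_tcp(src, dst, payload):
    """Decode the MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("short Modbus/TCP frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("malformed MBAP header")
    return Frame(src, dst, unit, payload[7])

def evaluate(frame):
    """Return (verdict, reason) for one parsed frame against POLICY."""
    allowed = POLICY.get((frame.src, frame.dst))
    if allowed is None:
        return "DENY", "no policy entry for this source/destination pair"
    if frame.func not in allowed:
        kind = "write" if frame.func in WRITE_FUNCS else "read"
        return "ALERT", f"unauthorized {kind} (function {frame.func})"
    return "ALLOW", "permitted by exception"

# Constructed sample traffic as seen on an out-of-band tap: (src, dst, raw bytes)
SAMPLE = [
    ("10.1.2.10", "10.1.3.20", bytes.fromhex("0001000000060103000a0002")),  # HMI read (FC3)
    ("10.1.2.11", "10.1.3.20", bytes.fromhex("000200000006010600100001")),  # historian write (FC6)
    ("10.1.2.10", "10.1.3.21", bytes.fromhex("000300000006010600100001")),  # write to safety PLC
    ("10.9.9.9", "10.1.3.20", bytes.fromhex("0004000000060103000a0002")),   # unknown host
]

def run(samples=SAMPLE):
    """Evaluate each frame; returns a list of (src, dst, unit, func, verdict)."""
    results = []
    for src, dst, raw in samples:
        frame = parse_modbus_tcp(src, dst, raw)
        verdict, why = evaluate(frame)
        print(f"{verdict:5} {src} -> {dst} unit={frame.unit} func={frame.func}: {why}")
        results.append((src, dst, frame.unit, frame.func, verdict))
    return results

run()
```

A real deployment would feed frames from a tap or SPAN port and forward ALERT and DENY verdicts to the SOC; the policy table is the machine-readable form of the zone rules agreed between OT and IT.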

6. Align with Standards and Train Your Workforce

Manufacturing OT security does not happen in a vacuum. Adopting proven frameworks and training your people are essential supporting practices.

  • Standards and Frameworks: Leverage existing cybersecurity standards. ISA/IEC 62443 is the global benchmark for IACS (Industrial Automation and Control Systems) security, providing detailed zone-based requirements. For U.S. manufacturers in critical infrastructure, NERC CIP (for bulk power), or CISA's Critical Manufacturing guidelines (sector-specific) may apply. NIST's guidance explicitly recommends aligning OT security with standards such as the NIST Cybersecurity Framework, SP 800-53 controls, and IEC 62443 best practices. In other words, use these standards as a checklist: authentication controls, patch processes, physical security, etc. For example, a SOC 2 report can demonstrate that your overall control environment (including OT) meets industry benchmarks.
  • Policy and Governance: Establish OT security policies covering access control, change management, and maintenance. Ensure plant managers understand cyber-risk as part of operational risk. Incorporate OT cyber requirements into procurement and vendor contracts (e.g., require secure default settings on new PLCs or HMIs).
  • Training and Awareness: Technology alone isn't enough; your people need awareness. NIST advises that all personnel who interact with OT systems – operators, engineers, third parties – receive OT-specific cybersecurity training. This goes beyond generic "security awareness" and covers topics like recognizing phishing that could reach OT staff, or how to connect a new sensor safely. As one NIST guide puts it, train staff to support the security environment and reduce risky behaviors. Periodically test and refresh this training. If your organization treats OT as an "IT problem," gaps will remain – invest in educating control engineers and factory operators on basic cyber hygiene.

By tying your OT program to recognized standards and a trained workforce, you cement long-term security. Audits against ISA/IEC 62443, NIST CSF, or even ISO/IEC 27001 can provide external validation of your efforts. Furthermore, mature OT security (e.g., certified at the ISA 62443 "Secure by Design" level) can improve buyer confidence and insurance terms.

Summary of Key Takeaways

  • Know Your Assets: Keep an up-to-date OT asset inventory and perform risk assessments to prioritize controls.
  • Segment and Isolate: Use defense-in-depth by zoning the network and enforcing strict firewall/allow-list rules between OT layers.
  • Harden and Patch: Regularly update firmware/software on PLCs/SCADA systems, turn off unused ports, and apply ICS hardening guidelines to reduce vulnerabilities.
  • Control Access: Require MFA for any remote or privileged access, and adopt Zero Trust principles in OT where feasible.
  • Monitor Continuously: Centralize logging and deploy ICS-aware monitoring to detect anomalies. Have an incident response plan ready.
  • Leverage Standards and Train: Align with NIST, ISA/IEC 62443, or sector-specific guidelines, and train all OT staff on cyber risk.

Implementing these six best practices will significantly improve the security of manufacturing control networks. They reflect not only technical controls, but also processes and people – exactly what experts say is needed for resilient OT security. Remember that manufacturing OT security is a continuous journey. Keep abreast of new standards and threats, and routinely audit your defenses. By building on these fundamentals, you ensure that your factory remains safe, operational, and ready to produce – even in the face of evolving cyber threats.

Ready to reduce plant-floor cyber risk without disrupting production? Talk to Arista Cyber for an OT/ICS risk assessment and a practical remediation roadmap.

Link: https://aristacyber.io/contact-us


Frequently Asked Questions:

What is OT security in manufacturing, and why is it important?

OT (operational technology) security in manufacturing means protecting control systems (PLCs, SCADA, DCS, etc.) and their networks from cyberattacks. It's crucial because cyber incidents can halt production lines or damage equipment. For example, NIST notes that manufacturing control systems are "becoming more vulnerable to cybersecurity threats," leaving them susceptible to disruption. Real-world cases (e.g., factory shutdowns at Asahi and Jaguar Land Rover) demonstrate how a breach can halt production. Good OT security ensures safety, uptime, and data integrity in industrial processes.

How does network segmentation improve OT security in manufacturing?

Segmentation separates critical OT devices from other networks, so an incident in one segment cannot easily spread to others. NIST emphasizes that properly configured segmentation "helps enforce security policies" by isolating traffic between zones. In practice, this means placing PLC/SCADA networks behind firewalls or VLANs, only allowing explicitly authorized communication (a "deny-all, permit-by-exception" policy). This layered approach reduces the blast radius of an attack and is a core defense-in-depth strategy.

What are the biggest threats to manufacturing control systems (SCADA/PLC)?

Manufacturing control systems face threats such as malware (including ransomware), unauthorized access, and misconfiguration. NIST specifically calls out malware attacks on ICS as a key risk to operational data integrity. Likewise, news reports show ransomware and targeted attacks have forced factory stoppages. Other critical threats include insider errors (e.g., wrong commands or disabled defenses) and unpatched vulnerabilities in legacy OT gear. In sum, disruptive malware and human error rank highest, and the defense against them still rests largely on basic hygiene (inventory, patching, monitoring) as recommended by CISA.

How do I perform a cybersecurity risk assessment for a manufacturing plant?

A risk assessment starts with identifying all OT assets and their functions, then listing potential threats and vulnerabilities to those assets. Use a structured framework (like NIST's Cybersecurity Framework or ISA/IEC 62443) to assess likelihood and impact. NIST's ICS guide (SP 800-82) provides countermeasures mapped to common threats, which can guide your analysis. For each asset, rate the business impact of a compromise (e.g., downtime or safety risk) versus the likelihood of attack. Summarize this to prioritize controls. In other words, follow NIST SP 800-82 and related standards to map controls to risks and systematically identify gaps.

Which industry standards (e.g., ISA/IEC 62443, NIST) apply to OT security in manufacturing?

Key standards include ISA/IEC 62443 (a series of standards specifically for industrial control systems) and NIST guidance (e.g., SP 800-82 for ICS and the NIST Cybersecurity Framework). NIST is explicitly aligning its OT guidance with frameworks and standards: the draft of SP 800-82 Rev. 4 references alignment with NIST CSF 2.0 and "OT cybersecurity standards and practices". ISA/IEC 62443 provides zone-based requirements and security levels for manufacturers. In the U.S. critical manufacturing sector, other rules can apply (for example, NERC CIP if the plant supplies power). Together, these standards help define policies for OT asset management, access control, and secure configurations.

What are the best practices for securing PLCs and SCADA systems in manufacturing?

Follow OT-specific "fundamentals" for PLC/SCADA security. CISA's guidance highlights measures like maintaining an ICS asset inventory, regular risk-based patching, and allowing only approved applications on HMIs. It also calls for isolating SCADA networks from corporate/internet networks and turning off unused ports/services. In practice, apply strong passwords or keys on PLCs, harden the control system OS (disable Telnet, enable firewalls), and regularly back up configurations. Use antivirus and endpoint monitoring on servers/HMIs, and keep PLC firmware up to date. These controls align with NIST's ICS recommendations to mitigate common attack vectors.

How can a factory implement continuous monitoring of its OT network?

Continuous monitoring means collecting logs and using OT-aware detection tools. Implement centralized log collection from HMIs, PLCs, and switches, and use an OT-specific SIEM or IDS to spot anomalies in ICS traffic. CISA advises on "log collection and retention" and on leveraging specialized OT monitoring solutions to alert on malicious behavior. For example, deploy an IDS that understands Modbus/IEC protocols, and set up alerts for unusual PLC commands. Regularly review alarms and correlate with other data. Continuous monitoring closes the feedback loop of cyber defense, as NIST notes that monitoring and adaptation are key to a layered security strategy.