
OT cybersecurity for mid-market manufacturers

Why operational technology needs a cybersecurity program distinct from corporate IT, what the IEC 62443 framework expects and how a mid-market manufacturer should sequence the work.

Atticus Rowan

A mid-market manufacturer runs two computing environments that speak different languages. The corporate IT environment runs email, ERP, CAD and document management, the same software stack every mid-market company runs. The operational technology (OT) environment runs the shop floor: PLCs, HMIs, SCADA systems, industrial protocols, specialized historian databases and dedicated engineering workstations. For 40 years those two environments were separated by a simple air gap, and the air gap handled most of the cybersecurity conversation.

That air gap stopped existing years ago. Modern manufacturers connect OT to corporate IT for production dashboards, remote diagnostics, predictive maintenance, MES integration and cloud-based analytics. Every one of those connections is valuable. Every one of those connections is also a path by which corporate IT risk crosses into the shop floor.

Ransomware events across US manufacturing in the last 5 years have shown what happens when OT gets compromised by an attack that started on the corporate side. Plant shutdowns measured in weeks. Insurance recoveries measured in cents on the dollar. Customer commitments missed during recovery. OT cybersecurity is no longer an optional workstream for a mid-market manufacturer.

What follows is the practical framing we use when a manufacturer asks us how to approach OT cybersecurity without either underinvesting or buying enterprise tooling the operation does not need.

Why OT is not just “IT on the shop floor”

A cybersecurity program designed for the corporate IT environment will not work on the shop floor. The constraints are fundamentally different.

  • Uptime requirements are extreme. A patch that reboots a server is a minor inconvenience in corporate IT. A patch that reboots a PLC during production is an unplanned downtime event that can cost tens of thousands of dollars.
  • Equipment lifespans are measured in decades. PLCs deployed in 2005 still run production floors. They cannot always be patched, upgraded or replaced on the cadence corporate IT treats as normal.
  • Protocols are old and mostly unauthenticated. Modbus, EtherNet/IP, Profinet and the rest of the industrial protocol set were designed in an era that assumed the network itself was trustworthy. A host that can reach a controller on its protocol port can usually read and write its registers, and on some platforms stop or reprogram it, without presenting any credential. Reachability, not just exploitability, is the question that matters.
  • Safety matters. A PLC that misbehaves can injure a worker. Cybersecurity changes that affect control logic are safety decisions, not just IT decisions.
  • Vendors are narrow and specialized. The corporate IT environment has dozens of competing vendors at every layer. The OT environment often has one vendor per system, and that vendor’s practices define what is possible.

An OT cybersecurity program has to work inside those constraints rather than ignore them.

The framework most programs anchor on

IEC 62443 is the dominant framework for industrial cybersecurity. It is written specifically for the OT context, at a level of detail a mid-market manufacturer can actually apply.

Key concepts from IEC 62443 that shape practical programs:

  • Zones and conduits. The OT environment is divided into zones based on function and criticality, and the traffic between zones flows through defined conduits with documented security requirements.
  • Security levels. Each zone is assigned a target security level (SL 1 through SL 4) based on the capability of the adversary it needs to resist: means, resources, skills and motivation, from casual or coincidental misuse at SL 1 to a well-resourced attacker with IACS-specific skills at SL 4. Most mid-market manufacturing environments target SL 2 or SL 3.
  • Foundational requirements. Seven categories (identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, resource availability) against which each zone is assessed, with the zone's target security level setting how demanding the requirement is in each category.
  • Lifecycle orientation. The framework assumes OT cybersecurity is a lifecycle practice, not a one-time project.

Most mid-market manufacturers do not pursue formal IEC 62443 certification. What the framework provides, even without certification, is a vocabulary and a structure the program can use.

The practical sequence for a mid-market manufacturer

A program that works inside typical mid-market constraints usually sequences the work as follows.

Phase 1, asset inventory and network mapping

You cannot protect what you cannot see. The first phase establishes ground truth.

  • What OT devices exist, what their firmware versions are, what protocols they speak
  • How they are connected, both to each other and to the corporate IT environment
  • What conduits carry traffic between zones today
  • What undocumented connections exist (almost always at least some)

Passive monitoring tools (Nozomi, Dragos, Claroty, Armis) build this picture from a SPAN port or network TAP without generating traffic on the OT network, which matters because some OT devices hang or fault when probed actively. Two caveats: a passive sensor only sees devices that talk across the links it is attached to, so a device on an unmonitored switch or a serial drop stays invisible, and firmware versions are only captured when the device announces them, so part of the inventory still comes from walking the floor and reading nameplates.
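The mechanics of phase 1 are simple enough to show in code. What follows is an added example, not code from this post or from any of the vendors named above: it takes flow records in a simplified, constructed conn.log-style layout (the columns are ts, orig_h, orig_p, resp_h, resp_p, proto, as a SPAN/TAP sensor might export them), labels each host by the industrial services it answers or initiates, infers a rough role from traffic direction, and lists every flow that crosses the corporate/OT boundary. The address plan, port table and sample flows are all invented for the illustration.

```python
"""Passive OT asset inventory from flow records.

Added example, not code from the original post or from any of the vendors it
names. It assumes flow records in a simplified, constructed conn.log-style
layout (tab-separated: ts, orig_h, orig_p, resp_h, resp_p, proto) exported
from a SPAN/TAP sensor, and the address plan below, both invented here.
"""
import ipaddress
from collections import defaultdict

# Constructed address plan: which ranges are corporate IT and which are OT.
CORPORATE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.50.0/24"),
           ipaddress.ip_network("192.168.60.0/24")]

# Well-known industrial service ports, used to label what a device speaks.
OT_SERVICES = {
    (502, "tcp"): "modbus",
    (44818, "tcp"): "enip",      # EtherNet/IP explicit messaging (CIP)
    (2222, "udp"): "enip-io",    # EtherNet/IP implicit I/O
    (102, "tcp"): "s7comm",      # Siemens S7 over ISO-TSAP
    (4840, "tcp"): "opcua",
    (20000, "tcp"): "dnp3",
}

# Constructed sample: eight flows as a passive sensor would have recorded them.
SAMPLE_CONN_LOG = """\
1700000000.1\t192.168.50.10\t50123\t192.168.50.21\t502\ttcp
1700000000.2\t192.168.50.10\t50124\t192.168.50.22\t502\ttcp
1700000001.0\t192.168.50.10\t50125\t192.168.50.23\t44818\ttcp
1700000002.0\t192.168.50.30\t50200\t192.168.50.21\t502\ttcp
1700000003.0\t192.168.60.5\t50300\t192.168.60.8\t102\ttcp
1700000004.0\t10.10.4.77\t60001\t192.168.50.21\t502\ttcp
1700000005.0\t10.10.4.77\t60002\t192.168.50.30\t3389\ttcp
1700000006.0\t192.168.50.30\t50201\t10.10.2.9\t1433\ttcp
"""


def parse_conn_log(text):
    """Turn the tab-separated records into dicts; skip blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, oh, op, rh, rp, proto = line.split("\t")
        flows.append({"ts": float(ts), "orig_h": oh, "orig_p": int(op),
                      "resp_h": rh, "resp_p": int(rp), "proto": proto})
    return flows


def side_of(ip):
    """Which side of the (former) air gap an address belongs to."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in OT_NETS):
        return "ot"
    if any(addr in n for n in CORPORATE_NETS):
        return "corporate"
    return "other"


def build_inventory(flows):
    """Per-host record: side, OT services it answers, OT services it
    initiates, and every peer it was seen talking to."""
    inv = defaultdict(lambda: {"side": None, "serves": set(),
                               "client_of": set(), "peers": set()})
    for f in flows:
        svc = OT_SERVICES.get((f["resp_p"], f["proto"]))
        for host, peer in ((f["orig_h"], f["resp_h"]), (f["resp_h"], f["orig_h"])):
            inv[host]["side"] = side_of(host)
            inv[host]["peers"].add(peer)
        if svc:
            inv[f["resp_h"]]["serves"].add(svc)
            inv[f["orig_h"]]["client_of"].add(svc)
    return dict(inv)


def infer_role(entry):
    """Rough role from traffic direction only; confirm with plant engineering."""
    if entry["serves"] and not entry["client_of"]:
        return "controller"              # answers Modbus/S7/CIP, never initiates
    if entry["client_of"] and not entry["serves"]:
        return "hmi-or-engineering"      # polls controllers, never answers
    if entry["serves"] and entry["client_of"]:
        return "gateway-or-both"
    return "unknown"


def undocumented_connections(flows):
    """Flows crossing the corporate/OT boundary in either direction.
    Each one is either a documented conduit or a finding for phase 2."""
    return [f for f in flows
            if {side_of(f["orig_h"]), side_of(f["resp_h"])} == {"corporate", "ot"}]


if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    for host, e in sorted(build_inventory(flows).items()):
        print(f"{host:15} {e['side']:9} {infer_role(e):18} "
              f"serves={sorted(e['serves'])} peers={len(e['peers'])}")
    for f in undocumented_connections(flows):
        print(f"CROSSING {f['orig_h']} -> {f['resp_h']}:{f['resp_p']}/{f['proto']}")
```

On the sample data the corporate host 10.10.4.77 comes out as a Modbus client of a cell PLC and as an RDP peer of the HMI, and the HMI is pushing to a corporate SQL server: three boundary crossings, none of which the average mid-market plant has written down. That list, not the device table, is what phase 2 consumes.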

Phase 2, segmentation

Separate the OT environment from the corporate IT environment through controlled conduits, and segment within OT by function.

  • A documented industrial DMZ between corporate IT and OT
  • Firewall rules that allow only the specific traffic each conduit requires
  • Segmentation between production cells, utilities and safety systems where feasible
  • Remote-access paths routed through a single, controlled, monitored mechanism rather than direct VPN into the OT environment

Segmentation is the single highest-impact control in most OT programs. It is what makes the difference between a corporate IT compromise contained to corporate IT and a corporate IT compromise that takes down production.
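To make the zone-and-conduit idea from the framework section and the segmentation bullets above concrete, here is an added example (not code from this post, and not a product configuration) that models zones as address ranges with a tier, conduits as documented zone-to-zone allowances, and then does three things: rejects any conduit that would join corporate IT to an OT zone without terminating in the industrial DMZ, decides individual connections the way the conduit firewall would, and renders the allow-list as an nftables forward chain with a default drop. The zones, ranges, conduits and purposes are constructed for the illustration.

```python
"""Zone-and-conduit policy for the industrial DMZ boundary.

Added example, not code from the original post. The zones, address ranges,
conduits and host names below are constructed for illustration; the rule it
enforces is the one the post describes: nothing in corporate IT talks to an
OT zone directly, every cross-zone flow matches a documented conduit, and the
rendered firewall rules are allow-list only with a default drop.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    nets: tuple          # ip_network objects
    tier: str            # "enterprise", "idmz" or "ot"


@dataclass(frozen=True)
class Conduit:
    src: str             # zone name
    dst: str             # zone name
    proto: str
    dport: int
    purpose: str         # the documented reason the conduit exists


ZONES = (
    Zone("enterprise", (ipaddress.ip_network("10.10.0.0/16"),), "enterprise"),
    Zone("idmz",       (ipaddress.ip_network("10.250.0.0/24"),), "idmz"),
    Zone("cell-a",     (ipaddress.ip_network("192.168.50.0/24"),), "ot"),
    Zone("safety",     (ipaddress.ip_network("192.168.60.0/24"),), "ot"),
)

CONDUITS = (
    Conduit("cell-a", "idmz", "tcp", 5432, "historian pushes to the DMZ replica"),
    Conduit("enterprise", "idmz", "tcp", 443, "dashboards read the DMZ replica"),
    Conduit("enterprise", "idmz", "tcp", 22, "staff reach the DMZ jump host"),
    Conduit("idmz", "cell-a", "tcp", 3389, "jump host to engineering workstation"),
)

# A conduit someone will eventually ask for; validate_conduits rejects it.
BAD_CONDUIT = Conduit("enterprise", "cell-a", "tcp", 502, "ERP polls the PLC directly")


def zone_of(zones, ip):
    addr = ipaddress.ip_address(ip)
    for z in zones:
        if any(addr in n for n in z.nets):
            return z
    return None


def validate_conduits(zones, conduits):
    """Structural check: a conduit may never join enterprise to OT directly;
    traffic in both directions has to terminate in the industrial DMZ."""
    tier = {z.name: z.tier for z in zones}
    return [f"{c.src}->{c.dst} {c.proto}/{c.dport} bypasses the industrial DMZ"
            for c in conduits if {tier[c.src], tier[c.dst]} == {"enterprise", "ot"}]


def evaluate_flow(zones, conduits, src_ip, dst_ip, proto, dport):
    """Decide a single new connection the way the conduit firewall would."""
    sz, dz = zone_of(zones, src_ip), zone_of(zones, dst_ip)
    if sz is None or dz is None:
        return ("deny", "address outside every documented zone")
    if sz.name == dz.name:
        return ("allow", f"intra-zone traffic inside {sz.name}")
    for c in conduits:
        if (c.src, c.dst, c.proto, c.dport) == (sz.name, dz.name, proto, dport):
            return ("allow", c.purpose)
    return ("deny", f"no conduit {sz.name}->{dz.name} {proto}/{dport}")


def render_nft(zones, conduits):
    """Render the conduit list as an nftables forward chain: default drop,
    return traffic by state, one explicit accept per conduit and net pair."""
    nets = {z.name: z.nets for z in zones}
    lines = ["table inet idmz {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for c in conduits:
        for s in nets[c.src]:
            for d in nets[c.dst]:
                lines.append(f'    ip saddr {s} ip daddr {d} {c.proto} dport {c.dport} '
                             f'ct state new accept comment "{c.purpose}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(validate_conduits(ZONES, CONDUITS + (BAD_CONDUIT,)))
    print(evaluate_flow(ZONES, CONDUITS, "10.10.4.77", "192.168.50.21", "tcp", 502))
    print(render_nft(ZONES, CONDUITS))
```

The conduit table is the document the firewall rules are derived from, not the other way round: when a new integration is requested, it is added as a conduit with a purpose, the structural check runs, and only then does a rule exist. Keeping the purpose string in the rendered rule is what makes the rulebase auditable a year later.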

Phase 3, identity and access

OT identity management is historically weak: shared operator logins on HMIs, vendor remote-access tools with unclear access boundaries, and engineering workstations where every user has local admin by default.

  • Unique credentials for each operator, not shared accounts
  • Named vendor access with documented expiration and monitoring
  • Multi-factor authentication on any remote access into OT
  • Jump-host architecture for all remote engineering access
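The four bullets above become checkable once vendor access is recorded as named grants with an expiry and a ticket. The following is an added example, not code from this post: a small grant registry, a constructed session log (as the jump host and the OT firewall would produce it), and a check that flags an unregistered or shared account, an expired grant, a target outside the grant, a session that arrived from anywhere other than the jump host, and a session without MFA. The jump host address, accounts, vendor names and ticket references are invented.

```python
"""Named, expiring vendor access checked against a session log.

Added example, not code from the original post. The grant registry, the jump
host address and the session records are constructed for illustration; the
checks are the four bullets above: one named account per person, a documented
expiry, MFA on every remote session, and every session arriving via the jump
host rather than straight from a vendor VPN.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

JUMP_HOST = "10.250.0.20"     # constructed: the only permitted source of OT sessions


@dataclass(frozen=True)
class Grant:
    account: str              # per-person account, e.g. vendor-jsmith
    person: str
    vendor: str
    targets: frozenset        # OT hosts this grant covers
    expires: datetime
    ticket: str               # change record that documents the grant


@dataclass(frozen=True)
class Session:
    ts: datetime
    account: str
    src_ip: str
    target: str
    mfa: bool


def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


GRANTS = (
    Grant("vendor-jsmith", "J. Smith", "Acme Drives", frozenset({"eng-ws-1", "plc-a-1"}),
          utc("2024-03-15T17:00:00"), "CHG-1042"),
    Grant("vendor-rlee", "R. Lee", "Acme Drives", frozenset({"eng-ws-1"}),
          utc("2024-03-20T17:00:00"), "CHG-1043"),
)

# Constructed session log from the jump host and the OT firewall.
SESSIONS = (
    Session(utc("2024-03-14T09:00:00"), "vendor-jsmith", JUMP_HOST, "eng-ws-1", True),
    Session(utc("2024-03-16T09:00:00"), "vendor-jsmith", JUMP_HOST, "eng-ws-1", True),    # expired
    Session(utc("2024-03-14T10:00:00"), "vendor", JUMP_HOST, "eng-ws-1", True),           # shared account
    Session(utc("2024-03-14T11:00:00"), "vendor-jsmith", "203.0.113.5", "plc-a-1", True), # bypassed jump host
    Session(utc("2024-03-14T12:00:00"), "vendor-rlee", JUMP_HOST, "plc-a-1", True),       # outside grant
    Session(utc("2024-03-14T13:00:00"), "vendor-rlee", JUMP_HOST, "eng-ws-1", False),     # no MFA
)


def check_session(grants, session):
    """Return the list of policy violations for one session (empty = clean)."""
    findings = []
    grant = next((g for g in grants if g.account == session.account), None)
    if grant is None:
        findings.append("account not in grant registry (shared or unnamed account)")
    else:
        if session.ts > grant.expires:
            findings.append(f"grant {grant.ticket} expired {grant.expires.date()}")
        if session.target not in grant.targets:
            findings.append(f"target {session.target} not covered by {grant.ticket}")
    if session.src_ip != JUMP_HOST:
        findings.append(f"session from {session.src_ip} bypassed the jump host")
    if not session.mfa:
        findings.append("no MFA on remote OT session")
    return findings


def review_sessions(grants, sessions):
    """Map each session index to its findings, keeping only the problem ones."""
    out = {}
    for i, s in enumerate(sessions):
        f = check_session(grants, s)
        if f:
            out[i] = f
    return out


def grants_expiring(grants, now, within_days=7):
    """Grants that need renewal or removal in the coming review window."""
    horizon = now + timedelta(days=within_days)
    return [g for g in grants if now <= g.expires <= horizon]


if __name__ == "__main__":
    for i, f in review_sessions(GRANTS, SESSIONS).items():
        s = SESSIONS[i]
        print(f"{s.ts.isoformat()} {s.account:14} {s.src_ip:13} -> {s.target:9} {'; '.join(f)}")
    for g in grants_expiring(GRANTS, utc("2024-03-14T00:00:00")):
        print(f"expiring soon: {g.account} ({g.ticket}) on {g.expires.date()}")
```

The point of the registry is that "is this vendor session legitimate" becomes a lookup rather than a phone call to the plant manager, and the weekly expiring-grants list is what keeps a one-week remote diagnostic window from quietly becoming permanent access.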

Phase 4, monitoring and detection

Continuous monitoring of the OT environment for anomalous behavior, fed by passive sensors (SPAN or TAP) so that the monitoring itself puts no traffic on the control network.

  • Baseline behavior for each device
  • Alerts on deviations (new devices joining the network, protocol anomalies, control operations such as register writes, PLC mode changes or logic downloads coming from hosts that never issue them)
  • Integration with the corporate SOC or MDR service, with OT-appropriate triage
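Here is what the baseline-and-deviation logic looks like once a sensor has decoded the protocol layer. This is an added example, not code from this post or from any monitoring product: it learns the set of devices and the (source, destination, protocol, function) tuples seen during a learning window, then raises one alert per deviating record in a live window, escalating control operations (Modbus write function codes, S7 stop or block download) from hosts other than the engineering workstation and anything aimed at the safety segment. The address plan, the learning and live records, and the triage hints are constructed for the illustration.

```python
"""Baseline-and-deviation detection over OT protocol records.

Added example, not code from the original post or from any monitoring vendor.
It assumes per-message records a passive sensor has already decoded (source,
destination, protocol, function) and the constructed address plan below; the
learning window and the alerts are invented to show the mechanics, and the
triage hints are an opinion about what an OT-aware SOC would want attached.
"""
import ipaddress
from collections import namedtuple

Record = namedtuple("Record", "ts src dst proto func")

# Modbus function codes that change controller state (coils/registers).
MODBUS_WRITES = {5, 6, 15, 16, 22, 23}
# S7 operations that change controller state or running mode.
S7_CONTROL = {"plc_stop", "download_block"}

ENGINEERING_HOSTS = {"192.168.50.10"}                  # constructed: the engineering workstation
SAFETY_ZONE = ipaddress.ip_network("192.168.60.0/24")  # constructed: safety PLC segment


def is_control_op(proto, func):
    return (proto == "modbus" and func in MODBUS_WRITES) or (proto == "s7comm" and func in S7_CONTROL)


def build_baseline(records):
    """Learn which devices exist and which (src, dst, proto, func) tuples are normal."""
    devices = set()
    patterns = set()
    for r in records:
        devices.update((r.src, r.dst))
        patterns.add((r.src, r.dst, r.proto, r.func))
    return {"devices": frozenset(devices), "patterns": frozenset(patterns)}


def severity_for(dst, control):
    if ipaddress.ip_address(dst) in SAFETY_ZONE:
        return "critical"          # anything unusual toward safety systems
    return "high" if control else "medium"


def detect(baseline, records):
    """One alert per deviating record, with an OT-appropriate triage hint."""
    alerts = []
    for r in records:
        reasons = []
        control = is_control_op(r.proto, r.func)
        if r.src not in baseline["devices"] or r.dst not in baseline["devices"]:
            reasons.append("new device")
        if (r.src, r.dst, r.proto, r.func) not in baseline["patterns"]:
            reasons.append("new conversation or function")
        if control and r.src not in ENGINEERING_HOSTS:
            reasons.append(f"control operation {r.proto}/{r.func} from non-engineering host")
        if reasons:
            sev = severity_for(r.dst, control)
            hint = ("page the OT on-call and the safety lead; isolate the conduit, not the PLC"
                    if sev == "critical"
                    else "confirm with plant engineering before isolating; do not block a PLC conversation blind")
            alerts.append({"ts": r.ts, "src": r.src, "dst": r.dst, "proto": r.proto,
                           "func": r.func, "severity": sev, "reasons": reasons, "triage": hint})
    return alerts


# Constructed learning window: HMI polling, engineering workstation writing.
LEARNING = [
    Record(1.0, "192.168.50.30", "192.168.50.21", "modbus", 3),
    Record(2.0, "192.168.50.30", "192.168.50.22", "modbus", 3),
    Record(3.0, "192.168.50.10", "192.168.50.21", "modbus", 16),
    Record(4.0, "192.168.60.5", "192.168.60.8", "s7comm", "read_var"),
]

# Constructed live window.
LIVE = [
    Record(10.0, "192.168.50.30", "192.168.50.21", "modbus", 3),          # normal poll
    Record(11.0, "192.168.50.30", "192.168.50.21", "modbus", 16),         # HMI starts writing
    Record(12.0, "10.10.4.77", "192.168.50.22", "modbus", 3),             # unknown corporate host polls
    Record(13.0, "192.168.50.99", "192.168.60.8", "s7comm", "plc_stop"),  # new host stops safety PLC
]


if __name__ == "__main__":
    for a in detect(build_baseline(LEARNING), LIVE):
        print(a["severity"].upper(), a["src"], "->", a["dst"], a["proto"], a["func"],
              "|", "; ".join(a["reasons"]), "|", a["triage"])
```

The triage hint is the OT-appropriate part. A corporate SOC's reflex is to isolate the offending host; on the shop floor the host may be the HMI the operators are using, so the runbook says who to call and what to isolate (the conduit) before anyone touches the cell network.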

Phase 5, patching and vulnerability management

The slowest and most constrained phase. OT patching happens during planned maintenance windows, not on corporate IT’s monthly cadence.

  • A documented vulnerability management process that distinguishes “patch now” from “mitigate through other means” from “accept and document”
  • Coordinated patching during planned production downtime
  • Compensating controls (segmentation, monitoring) for vulnerabilities that cannot be patched

Phase 6, incident response

An OT-specific incident response plan that coordinates with the corporate incident response plan.

  • Documented roles for operations, engineering, IT and safety
  • Decision frameworks for isolating OT zones during an incident
  • Runbooks for restoring production systems from known-good backups
  • Tabletop exercises that involve both the OT and corporate sides of the business

What a realistic first year looks like

For a mid-market manufacturer starting from a typical baseline (partial air gap, some undocumented connections, shared credentials on the shop floor, no active OT monitoring):

  • Months 1 to 3. Asset inventory, network mapping, initial risk assessment
  • Months 3 to 6. Industrial DMZ design and deployment, initial segmentation, remote-access consolidation
  • Months 6 to 9. Identity cleanup on OT, MFA on remote access, passive OT monitoring deployment
  • Months 9 to 12. First OT-involving incident response tabletop, initial vulnerability management process, cyber insurance renewal with improved OT posture

A realistic first-year investment at a 200 to 500-employee manufacturer typically runs $150,000 to $400,000, depending on the scale of the OT environment and the starting posture. The spend compares favorably against the claim history of manufacturers that had to rebuild after a ransomware event crossed from corporate IT into the shop floor.

Where we fit

Atticus Rowan supports manufacturing clients where the OT cybersecurity workstream is distinct from the corporate IT workstream. The practical engagement model treats OT as a specialized environment with its own risk profile, its own vendor relationships and its own change-control discipline. We coordinate with the plant engineering teams, the operations leadership, the OT equipment vendors and the cyber insurance broker rather than operating solely inside the IT conversation.

Our manufacturing practice concentrates on the $10 million to $500 million revenue band, where the plant is large enough that OT cybersecurity matters, and small enough that the corporate security team is not going to stand up a dedicated OT program from scratch. The working model is a hybrid program, anchored on IEC 62443 vocabulary, sequenced to fit real production constraints.

If your manufacturing operation has an OT environment that has outgrown its air-gap era and you want to understand what a credible OT cybersecurity program looks like without enterprise overhead, schedule a discovery call. We can walk through the current state and scope the practical first year.