As manufacturers navigate the complexities of digital transformation, the integration of IT systems with operational technology (OT) has become increasingly prevalent. However, this interconnectivity brings with it a surge in cyber threats, including ransomware attacks, supply chain breaches, and targeted assaults from nation-state actors. These adversaries often exploit outdated systems and intricate hybrid environments, necessitating a robust approach to cyber resilience—the capacity to anticipate, endure, recover from, and adapt to cyberattacks.
Keeping IT incidents from becoming OT disasters
A pivotal strategy for enhancing resilience lies in the segmentation of IT and OT networks. Traditionally, OT environments operated in isolation, but the modern landscape demands seamless data flow between production systems and enterprise networks. Without adequate boundaries, a breach on the IT side can lead to catastrophic consequences for critical systems.
Effective segmentation requires positioning OT systems behind firewalls or within demilitarized zones, restricting protocols, and employing unidirectional gateways wherever feasible. This approach is not solely about isolation; it’s about establishing controlled and auditable pathways between environments.
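One way to make those pathways auditable, as an added example that is not from the article or from Axians: a conduit allowlist between zones, checked against flow records. The zone address ranges, the historian port and the flow records are all constructed for the example.

```python
import ipaddress

# Constructed zone layout; the address ranges are assumed, not from the article.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("192.168.100.0/24"),
}
# Permitted conduits as (source zone, destination zone, destination port).
# There is deliberately no enterprise -> ot entry: every path into OT is mediated
# by the DMZ, and OT only pushes data outward (unidirectional by policy).
ALLOWED = {
    ("enterprise", "dmz", 443),  # engineers reach the DMZ jump host / historian
    ("ot", "dmz", 5450),         # assumed port: historian replication out of OT
    ("dmz", "ot", 502),          # Modbus/TCP to PLCs from the DMZ jump host only
}

def zone_of(ip):
    """Map an address to its zone; unlabelled ranges surface as 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flow_lines):
    """Check 'src dst dport' flow records against the conduit allowlist."""
    results = []
    for line in flow_lines:
        src, dst, port = line.split()
        key = (zone_of(src), zone_of(dst), int(port))
        verdict = "allowed" if key in ALLOWED else f"VIOLATION {key[0]}->{key[1]}:{port}"
        results.append((src, dst, int(port), verdict))
    return results

FLOWS = [  # constructed flow records, one 'src dst dport' per entry
    "10.10.5.23 10.20.0.10 443",
    "10.10.5.23 192.168.100.15 502",   # enterprise host straight to a PLC
    "192.168.100.15 10.20.0.10 5450",
    "192.168.100.15 10.10.5.23 445",   # OT initiating SMB into enterprise
    "10.20.0.5 192.168.100.15 502",
]
```

Any address outside the declared zones reports as "unknown", which is itself a finding worth chasing under the asset-visibility point that follows.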
You can’t protect what you don’t know
Many manufacturing plants are burdened with aging and undocumented devices, complicating efforts to secure and monitor them. Asset visibility tools tailored for OT can passively map all connected devices without disrupting operations. These tools lay the groundwork for inventory management, risk assessment, and anomaly detection.
With a comprehensive and real-time inventory, manufacturers can pinpoint unauthorized or unknown devices, track vulnerabilities, and prioritize defenses around their most critical assets.
Countering living-off-the-land techniques
Contemporary attackers frequently employ “living-off-the-land” (LotL) techniques, utilizing existing system tools such as PowerShell, WMI, or PsExec to navigate networks without detection. These methods are particularly effective in industrial settings where activities may not be rigorously monitored.
To combat these tactics, defenses must extend beyond traditional signature-based detection. Implementing behavioral analytics can establish a baseline for normal administrative tool usage, allowing for the identification of anomalies. Additionally, application whitelisting and context-aware endpoint security are essential for thwarting these stealthy maneuvers before they escalate.
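One way to implement the behavioural baseline described above, as an added example that is not from the article or from Axians: it learns which accounts run which administrative tools on which hosts, and at what hours, from a constructed set of process-creation log lines, then flags later events that deviate from that baseline. The host names, accounts and log format are assumptions for the example.

```python
import re
from collections import defaultdict
# Administrative tools the article names as living-off-the-land favourites.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "psexec.exe"}
# Constructed sample events (not real data): "<ISO time> host=<h> user=<u> proc=<image>"
BASELINE_LOG = """\
2024-05-06T09:12:00 host=ENG-WS01 user=OT\\jsmith proc=powershell.exe
2024-05-06T10:40:00 host=ENG-WS01 user=OT\\jsmith proc=wmic.exe
2024-05-07T14:30:00 host=HIST-01 user=OT\\svc_hist proc=powershell.exe
"""
NEW_LOG = """\
2024-05-13T09:20:00 host=ENG-WS01 user=OT\\jsmith proc=powershell.exe
2024-05-13T02:15:00 host=ENG-WS01 user=OT\\jsmith proc=powershell.exe
2024-05-13T11:00:00 host=ENG-WS01 user=OT\\svc_hist proc=psexec.exe
2024-05-13T11:05:00 host=HMI-03 user=OT\\operator proc=wmic.exe
2024-05-13T11:06:00 host=HMI-03 user=OT\\operator proc=notepad.exe
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) proc=(\S+)$")

def parse(log):
    """Yield (hour, host, user, tool) for admin-tool executions; ignore the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, proc = m.groups()
        if proc.lower() in ADMIN_TOOLS:
            yield int(ts[11:13]), host, user, proc.lower()

def build_baseline(log):
    """Per host: which (user, tool) pairs are routine and at which hours."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for hour, host, user, tool in parse(log):
        baseline[host]["pairs"].add((user, tool))
        baseline[host]["hours"].add(hour)
    return baseline

def detect(baseline, log):
    """Flag admin-tool use that deviates from the host's learned baseline."""
    findings = []
    for hour, host, user, tool in parse(log):
        b = baseline.get(host)
        if b is None:
            findings.append((host, user, tool, "admin tool on host with no admin history"))
        elif (user, tool) not in b["pairs"]:
            findings.append((host, user, tool, "user/tool pair never seen on this host"))
        elif hour not in b["hours"]:
            findings.append((host, user, tool, f"unusual hour ({hour:02d}:00)"))
    return findings
```

Each finding is a candidate for review rather than a verdict; in a real deployment the baseline window would span weeks of telemetry and the "unusual hour" test would need to tolerate scheduled maintenance windows.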
Planning for recovery: response that keeps the line running
No defense mechanism is infallible, which underscores the necessity for incident response plans specifically designed for OT environments. Interrupting production or disconnecting devices during an incident can lead to significant safety and financial repercussions; thus, these plans must be precise and rigorously tested.
Response playbooks should encompass scenarios such as ransomware attacks on the Manufacturing Execution System (MES) or unauthorized changes to Programmable Logic Controllers (PLCs). Conducting tabletop exercises and maintaining backups—not only of data but also of control logic and device configurations—are crucial for ensuring swift and safe recovery.
Dealing with legacy systems: when you can’t patch
Many industrial assets are either too outdated to update without incurring downtime or lack vendor support altogether. In such cases, isolation and monitoring become imperative. Virtual patching, where intrusion prevention systems block known exploits at the network level, can offer protection when software updates are not an option.
Maintaining a risk register for unpatchable systems, along with documented compensating controls, is vital for long-term resilience and adherence to regulatory standards.
Access control and monitoring: securing the human element
Weak or shared credentials continue to pose a significant vulnerability in manufacturing environments. To mitigate this risk, role-based access control and multi-factor authentication (MFA) should be mandated for all sensitive systems, particularly for remote and administrative access. Privileged Access Management (PAM) tools can effectively monitor and restrict high-risk accounts.
Security monitoring through Security Information and Event Management (SIEM) or Extended Detection and Response (XDR) platforms should consolidate data from both IT and OT environments. Alerts generated by these tools, enhanced with industry-specific threat intelligence, provide early warnings of potential attacks. For high-risk sites, employing deception tools such as honeypots can add an additional layer of detection.
Cyber resilience in the manufacturing sector is not about eradicating all risks but rather about minimizing their impact and facilitating recovery without crippling operations. By implementing strategies such as segmentation, visibility, behavioral defense, and tailored response planning, manufacturers can safeguard their systems while maintaining the speed and precision that modern production demands.
Marc Wren, OT cyber security manager at Axians UK