
Cyber Security for Manufacturing and OT Environments

Manufacturing has become one of the most targeted sectors for cyber attacks in the United Kingdom. As factories and production facilities embrace digital transformation — connecting programmable logic controllers, SCADA systems, and industrial robots to corporate networks — the attack surface expands dramatically. Unlike traditional IT environments, operational technology (OT) systems in manufacturing were never designed with cyber security in mind. They were built for reliability, safety, and uptime — often decades before the internet existed.

The convergence of IT and OT networks creates a uniquely dangerous landscape. A single vulnerability in an internet-facing system can provide attackers with a pathway into the heart of a production line, potentially causing physical damage to equipment, endangering worker safety, and halting operations that cost thousands of pounds per minute in lost output. For UK manufacturers, this is not a theoretical risk — it is an immediate and growing threat that demands a fundamentally different approach to cyber security.

This guide explores the specific cyber security challenges facing manufacturing and OT environments, from SCADA vulnerabilities and network segmentation to NIS Regulations compliance and incident response planning. Whether you operate a small production facility or a large-scale industrial operation, understanding these risks — and the strategies to mitigate them — is essential for protecting your operations, your workforce, and your bottom line.

  • 65% of UK manufacturers experienced a cyber incident in the past 12 months
  • £4.3M average cost of a cyber breach in UK manufacturing
  • 21 days average production downtime following an OT-targeted attack
  • 72% of OT environments run at least one end-of-life operating system

Understanding OT vs IT Security: A Fundamental Divide

The first and most critical concept for any manufacturer to grasp is that operational technology security is fundamentally different from traditional IT security. The priorities, methodologies, and constraints that govern each domain are often in direct conflict, and applying IT security practices directly to OT environments can be just as dangerous as leaving them unprotected.

In IT environments, the priority hierarchy follows the CIA triad — confidentiality first, then integrity, then availability. Data protection and access control take precedence. If a server needs to be taken offline for an emergency patch, the inconvenience is manageable. In OT environments, the priority is completely reversed. Availability is paramount — a production line that stops unexpectedly can cause physical damage to equipment, spoil materials in process, and create safety hazards. Integrity comes second, ensuring that sensor readings and control commands are accurate. Confidentiality, while important, ranks third.

This difference in priorities has profound implications for how security is implemented. In IT, you might deploy an intrusion prevention system (IPS) that actively blocks suspicious traffic. In OT, an IPS that incorrectly blocks a legitimate control command could cause a furnace to overheat, a chemical process to destabilise, or a robotic arm to malfunction — with potentially catastrophic consequences.

Lifecycle and Legacy Challenges

IT systems typically operate on three-to-five-year refresh cycles. Servers are replaced, operating systems are upgraded, and legacy software is retired. OT systems, by contrast, are designed to run for 15 to 25 years — sometimes longer. It is not uncommon to find manufacturing environments running Windows XP, Windows Server 2003, or even proprietary real-time operating systems from the 1990s. These systems cannot simply be “upgraded” without potentially disrupting the industrial processes they control.

Many OT devices use proprietary protocols — Modbus, DNP3, BACnet, PROFINET — that were designed for reliability and deterministic communication, not security. These protocols transmit data in cleartext, lack authentication mechanisms, and have no built-in encryption. An attacker who gains access to the OT network can often read and inject commands without needing any credentials whatsoever.

IT Security Approach

Traditional enterprise environments:

  • Priority: Confidentiality first
  • Patch cycles: Weekly to monthly
  • System lifecycle: 3–5 years
  • Downtime tolerance: Scheduled maintenance windows
  • Protocols: TCP/IP, HTTPS, SSH
  • Anti-malware: Standard endpoint agents
  • Authentication: Active Directory, MFA
  • Updates: Automatic deployment

OT Security Approach

Manufacturing and industrial environments:

  • Priority: Availability and safety first
  • Patch cycles: Quarterly to annual (if at all)
  • System lifecycle: 15–25+ years
  • Downtime tolerance: Near zero — planned shutdowns only
  • Protocols: Modbus, DNP3, PROFINET, BACnet
  • Anti-malware: Often incompatible with real-time systems
  • Authentication: Frequently shared credentials or none
  • Updates: Manual, vendor-approved only

SCADA and ICS Vulnerabilities in Modern Manufacturing

Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) form the backbone of manufacturing automation. These systems monitor and control physical processes — temperature, pressure, flow rates, motor speeds, robotic movements — in real time. When these systems are compromised, the consequences extend far beyond data theft.

Common SCADA and ICS Attack Vectors

The most prevalent vulnerabilities in manufacturing OT environments stem from their historical isolation. When these systems were first deployed, they operated on dedicated, air-gapped networks with no connection to the corporate IT infrastructure or the internet. Security was physical — locked cabinets, restricted access to control rooms, and trusted personnel. That model has been progressively eroded as manufacturers connect OT systems to enterprise networks for remote monitoring, predictive maintenance, and data analytics.

  • Default and hardcoded credentials — many PLCs and HMIs ship with well-known default passwords that are never changed, and some devices have hardcoded credentials that cannot be modified
  • Unencrypted communications — Modbus TCP, a protocol used by millions of industrial devices, transmits all commands and data in plaintext with no authentication
  • Insecure remote access — VPN concentrators, remote desktop solutions, and vendor maintenance ports often provide direct access into OT networks with minimal access controls
  • Vulnerable HMI software — Human-Machine Interface applications frequently contain buffer overflow vulnerabilities, SQL injection flaws, and cross-site scripting weaknesses
  • Unpatched firmware — PLCs and RTUs running outdated firmware with known CVEs that vendors have not issued patches for, or that cannot be patched without a production shutdown
  • USB-borne malware — removable media used by maintenance engineers to transfer configuration files can introduce malware into air-gapped or semi-isolated OT networks

Critical OT Risk

Unlike IT attacks, a successful breach of OT systems can cause physical harm. Manipulated sensor readings can cause equipment to operate outside safe parameters. Altered control commands can damage machinery, contaminate products, or create explosion and fire risks. In 2024, the NCSC reported a 47% increase in attacks targeting UK industrial control systems — and 23% of those incidents resulted in physical equipment damage or safety system activation.

Notable Manufacturing Cyber Incidents

The threat is not theoretical. Major manufacturers worldwide have suffered devastating attacks. The 2017 Triton/TRISIS malware specifically targeted safety instrumented systems (SIS) — the last line of defence against catastrophic industrial accidents. The 2020 Honda attack forced the shutdown of production facilities across multiple countries. In the UK, manufacturing firms have faced targeted ransomware campaigns that encrypted both IT and OT systems simultaneously, with attackers specifically seeking to maximise operational disruption to increase ransom payments.

The Purdue Model for Industrial Network Architecture

The Purdue Enterprise Reference Architecture (PERA), also known as the Purdue Model, provides the foundational framework for segmenting industrial networks. Originally developed at Purdue University in the 1990s, this model defines a hierarchical structure of network zones that separates enterprise IT systems from the shop floor, with controlled data flows between each level.

Understanding the Purdue Levels

The Purdue Model defines six distinct levels, grouped into three zones:

Enterprise Zone (Levels 4–5)

  • Level 5 — Enterprise Network: Corporate IT infrastructure, email servers, ERP systems, internet access, and business applications
  • Level 4 — Site Business Planning: Site-specific IT systems including production scheduling, materials management, and local business applications

Industrial Demilitarised Zone (IDMZ)

  • Level 3.5 — IDMZ: The critical buffer zone between IT and OT. Contains data diodes, firewalls, jump servers, and data historians that allow controlled, one-directional data flow from OT to IT. No direct traffic should ever flow from the enterprise zone into the manufacturing zone without passing through the IDMZ

Manufacturing Zone (Levels 0–3)

  • Level 3 — Site Operations: SCADA servers, engineering workstations, patch management servers, and domain controllers specific to OT
  • Level 2 — Area Supervisory Control: HMIs, operator workstations, and local supervisory systems
  • Level 1 — Basic Control: PLCs, RTUs, DCS controllers, and safety instrumented systems
  • Level 0 — Physical Process: Sensors, actuators, motors, valves, and the physical equipment being controlled

Implementing the Purdue Model in Practice

For many UK manufacturers, implementing a full Purdue Model architecture from scratch is impractical — their networks have evolved organically over decades. The pragmatic approach is to work towards Purdue alignment incrementally, starting with the most critical control: establishing the IDMZ between the enterprise and manufacturing zones.

A properly configured IDMZ should contain:

  • Industrial firewalls with deep packet inspection capable of understanding OT protocols (Modbus, EtherNet/IP, OPC UA)
  • Data diodes for truly unidirectional data flow where OT data is pushed to IT historians without any return path
  • Jump servers for controlled remote access into the manufacturing zone, with full session recording and multi-factor authentication
  • Replica data historians that mirror OT data for business intelligence consumption without exposing the live OT historian

Network Segmentation Strategies for OT Environments

Beyond the Purdue Model, effective OT security requires micro-segmentation within the manufacturing zone itself. A flat OT network — where all PLCs, HMIs, and engineering workstations share the same subnet — means that an attacker who compromises a single device can reach every other device on the network.

Zone and Conduit Model

The IEC 62443 standard introduces the concept of zones and conduits. A zone is a grouping of assets that share common security requirements — for example, all devices associated with a specific production line. A conduit is the controlled communication path between zones, with defined rules about what traffic is permitted.

Practical segmentation strategies for UK manufacturers include:

  1. VLAN-based segmentation — separate OT devices into VLANs based on production line, cell, or function, with inter-VLAN routing controlled by industrial firewalls
  2. Cell-level isolation — each manufacturing cell (a discrete group of machines performing a specific function) operates on its own network segment, limiting the blast radius of any compromise
  3. Safety system isolation — safety instrumented systems (SIS) should always be on a dedicated, isolated network segment with no direct connectivity to standard OT or IT networks
  4. Vendor access segmentation — third-party maintenance connections should land in a dedicated segment with strict access controls, time-limited sessions, and full audit logging
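The Purdue levels, the IDMZ rule (no enterprise traffic reaching the manufacturing zone without passing through Level 3.5) and the IEC 62443 zone-and-conduit idea described above can be turned into a simple policy check that runs over exported firewall or flow logs. The script below is an added example written for this article; it is not Cloudswitched's code or any vendor's product. The zone names, address blocks, conduit ports and sample flows are all constructed for illustration (the addresses are private ranges, not real sites), and the dedicated safety-system zone deliberately has no conduit at all, matching the "safety system isolation" strategy above.

```python
"""Zone-and-conduit flow check in the spirit of IEC 62443 and the Purdue Model.

Added example, not code from the original article or from Cloudswitched.
Zones, conduits and sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones keyed by name, each with its Purdue level and address block (constructed).
ZONES = {
    "enterprise":  {"level": 4.0, "net": ip_network("10.10.0.0/16")},
    "idmz":        {"level": 3.5, "net": ip_network("10.20.0.0/24")},
    "site_ops":    {"level": 3.0, "net": ip_network("10.30.0.0/24")},
    "line_a_cell": {"level": 1.0, "net": ip_network("10.31.1.0/24")},
    "line_a_sis":  {"level": 1.0, "net": ip_network("10.31.9.0/24")},  # safety instrumented system
}

# Conduits: (source zone, destination zone) -> permitted destination ports.
# Anything not listed is denied. There is deliberately no conduit from the
# enterprise zone into any manufacturing zone, and none into the SIS zone.
CONDUITS = {
    ("enterprise", "idmz"): {443},              # BI tools read the replica historian
    ("idmz", "site_ops"): {3389, 4840},         # jump-server RDP, OPC UA collection
    ("site_ops", "line_a_cell"): {502, 44818},  # SCADA/EWS to PLCs (Modbus, EtherNet/IP)
    ("line_a_cell", "site_ops"): {4840},        # PLC data up to the site historian
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def zone_of(addr):
    """Map an address to its zone, or None if it is in no known zone."""
    a = ip_address(addr)
    for name, zone in ZONES.items():
        if a in zone["net"]:
            return name
    return None


def evaluate_flow(flow):
    """Return (verdict, reason) for one observed flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return ("deny", "unknown asset: not in any zone (inventory gap)")
    if src_zone == dst_zone:
        return ("allow", f"intra-zone traffic within {src_zone}")
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        # Call out the most serious class: enterprise reaching below the IDMZ.
        if ZONES[src_zone]["level"] >= 4 and ZONES[dst_zone]["level"] < 3.5:
            return ("deny", f"no conduit {src_zone}->{dst_zone}: bypasses IDMZ")
        return ("deny", f"no conduit {src_zone}->{dst_zone}")
    if flow.port not in allowed:
        return ("deny", f"port {flow.port} not permitted on conduit {src_zone}->{dst_zone}")
    return ("allow", f"conduit {src_zone}->{dst_zone} port {flow.port}")


def audit(flows):
    """Evaluate a list of flows and return the denied ones with reasons."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate_flow(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed sample flows, in the shape a firewall log export might take.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.0.10", 443),    # BI to replica historian: allowed
    Flow("10.20.0.5", "10.30.0.12", 3389),    # jump server to EWS: allowed
    Flow("10.30.0.12", "10.31.1.7", 502),     # EWS to PLC over Modbus: allowed
    Flow("10.10.5.20", "10.31.1.7", 502),     # office PC straight to PLC: bypasses IDMZ
    Flow("10.30.0.12", "10.31.9.3", 502),     # EWS to safety PLC: no conduit to SIS
    Flow("10.30.0.12", "10.31.1.7", 80),      # HTTP to PLC web UI: port not permitted
    Flow("192.168.77.4", "10.31.1.7", 502),   # device not in inventory
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port}  ({reason})")
```

Running it over real flow exports is a quick way to find the "organic" connections mentioned above (office hosts talking directly to PLCs, unknown devices on the cell network) before committing to firewall changes; every deny carries the reason so OT engineers can confirm whether a flow is genuinely needed and should become a documented conduit.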

UK Manufacturing Cyber Threat Landscape

The United Kingdom’s manufacturing sector faces a unique combination of threat actors and attack methodologies. According to the NCSC’s 2025 Annual Review and Make UK’s Cyber Security Report, the sector is experiencing a sustained escalation in both the volume and sophistication of attacks.

Threat Actor Categories

UK manufacturers face threats from multiple categories of adversary:

  • Ransomware groups — organised criminal gangs such as LockBit, BlackCat, and Cl0p specifically target manufacturers because operational downtime creates immense pressure to pay ransoms quickly. Average ransomware demands against UK manufacturers now exceed £2.1 million
  • Nation-state actors — Chinese, Russian, and North Korean state-sponsored groups target UK defence manufacturers, aerospace suppliers, and advanced materials firms for intellectual property theft and pre-positioning for potential future conflict
  • Supply chain attackers — compromising a small supplier’s network to pivot into a larger manufacturer’s OT environment. The interconnected nature of UK manufacturing supply chains makes this particularly effective
  • Insider threats — disgruntled employees, negligent workers, and compromised contractor accounts represent a significant risk in environments where physical and digital access are closely intertwined

Attack types by share of incidents:

  • Ransomware: 34%
  • Phishing / social engineering: 23%
  • Supply chain compromise: 17%
  • Insider threat / credential misuse: 13%
  • Unpatched vulnerabilities: 9%
  • USB / physical media: 4%

NIS Regulations Compliance for UK Manufacturers

The Network and Information Systems (NIS) Regulations 2018, as amended and updated post-Brexit, impose specific cyber security obligations on operators of essential services (OES) in the UK. Many manufacturers — particularly those in energy, water, transport, and digital infrastructure supply chains — fall within scope of these regulations.

Key NIS Requirements

The NIS Regulations require operators of essential services to take “appropriate and proportionate” technical and organisational measures to manage risks to their network and information systems. The NCSC’s Cyber Assessment Framework (CAF) provides the guidance structure, organised around four objectives:

  1. Objective A — Managing Security Risk: Establishing governance structures, risk management processes, and asset management for both IT and OT systems
  2. Objective B — Protecting Against Cyber Attack: Implementing access controls, data security, system security, and resilient network architecture
  3. Objective C — Detecting Cyber Security Events: Deploying monitoring capabilities, security event detection, and anomaly identification across IT and OT environments
  4. Objective D — Minimising the Impact of Incidents: Incident response planning, recovery procedures, and lessons learned processes

Non-compliance can result in enforcement action from the relevant competent authority, with potential fines of up to £17 million for the most serious failures. Beyond regulatory penalties, demonstrating NIS compliance is increasingly a prerequisite for winning contracts in regulated supply chains.

OT Security Framework Comparison

Several frameworks address OT and industrial cyber security. Understanding their differences helps manufacturers choose the right approach for their specific requirements and regulatory obligations.

Framework comparison (for each framework: focus area; applicability; key strength; UK relevance):

  • NCSC CAF: essential services cyber resilience; UK operators of essential services; aligned with NIS Regulations; primary framework for NIS compliance
  • IEC 62443: industrial automation security; all industrial environments; zone and conduit segmentation model; gold standard for OT-specific controls
  • NIST CSF 2.0: enterprise cyber security; all organisations; comprehensive risk-based approach; widely adopted by UK multinationals
  • ISO 27001: information security management; all organisations; certifiable management system; common in UK supply chain requirements
  • Cyber Essentials Plus: baseline cyber hygiene; UK organisations; government-backed certification; mandatory for some UK government contracts
  • MITRE ATT&CK for ICS: OT threat intelligence; security operations teams; adversary behaviour mapping; essential for OT SOC operations

Monitoring OT Networks: Visibility Without Disruption

One of the greatest challenges in OT security is achieving network visibility without introducing risk to the production environment. Traditional IT security monitoring tools — vulnerability scanners, active network discovery, endpoint agents — can destabilise OT systems. A vulnerability scan that sends unexpected packets to a legacy PLC can cause it to crash, halting the production process it controls.

Passive Network Monitoring

The gold standard for OT network monitoring is passive monitoring using network TAPs (Test Access Points) or SPAN (Switched Port Analyser) ports. These capture a copy of network traffic without injecting any packets into the OT network. Specialised OT monitoring platforms — such as Claroty, Nozomi Networks, Dragos, and Microsoft Defender for IoT — analyse this traffic to provide:

  • Asset discovery — automatically identifying every device on the OT network, including make, model, firmware version, and communication patterns
  • Vulnerability assessment — mapping discovered assets against known CVE databases without actively probing devices
  • Anomaly detection — establishing a baseline of normal network behaviour and alerting on deviations that could indicate compromise
  • Protocol-aware analysis — understanding OT-specific protocols to detect malicious commands, such as unauthorised write operations to PLCs or changes to safety system parameters
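The earlier point that Modbus TCP carries commands in plaintext with no authentication is exactly what makes passive, protocol-aware monitoring workable: a TAP or SPAN copy of the traffic is enough to see which host is issuing which function code to which PLC. The script below is an added example written for this article, not code from Cloudswitched or from any of the monitoring platforms named above. It parses Modbus/TCP frames from their MBAP header, learns a baseline of (source, destination, unit, function) tuples from a learning window, and then raises an alert for any write function code from a host outside a constructed engineering-workstation allowlist, and for any conversation that never appeared in the baseline. All addresses, the allowlist and the frames themselves are constructed; nothing is sent on the wire.

```python
"""Passive Modbus/TCP inspection: parse frames, baseline who talks to which
PLC with which function codes, and alert on unauthorised writes or novel
traffic. Added example, not from the article or from any OT monitoring
vendor; the addresses, allowlist and frames below are constructed.
"""
import struct

# Modbus function codes that change PLC state (per the Modbus application protocol).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Constructed allowlist: only the engineering workstation is expected to write to PLCs.
WRITE_ALLOWED_SOURCES = {"10.30.0.12"}


def parse_modbus_tcp(payload):
    """Parse the 7-byte MBAP header plus function code from a TCP payload.
    Returns a dict, or None if the bytes are not a plausible Modbus/TCP frame."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                  # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:  # length field counts unit id + PDU
        return None
    function = payload[7]
    return {"tid": tid, "unit": unit,
            "function": function & 0x7F,          # strip the exception bit
            "exception": bool(function & 0x80),
            "data": payload[8:]}


def build_baseline(frames):
    """Learning phase: record every (src, dst, unit, function) tuple seen."""
    baseline = set()
    for src, dst, payload in frames:
        m = parse_modbus_tcp(payload)
        if m:
            baseline.add((src, dst, m["unit"], m["function"]))
    return baseline


def inspect(frames, baseline):
    """Detection phase: alert on writes from unexpected hosts and on tuples
    never seen during learning. Non-Modbus payloads are ignored."""
    alerts = []
    for src, dst, payload in frames:
        m = parse_modbus_tcp(payload)
        if m is None:
            continue
        key = (src, dst, m["unit"], m["function"])
        if m["function"] in WRITE_FUNCTIONS and src not in WRITE_ALLOWED_SOURCES:
            alerts.append(("UNAUTHORISED_WRITE", src, dst, WRITE_FUNCTIONS[m["function"]]))
        elif key not in baseline:
            alerts.append(("NEW_CONVERSATION", src, dst, f"function {m['function']}"))
    return alerts


def frame(tid, unit, function, data):
    """Build a constructed Modbus/TCP request frame (MBAP header + PDU)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


EWS, HMI, PLC, ROGUE = "10.30.0.12", "10.31.1.20", "10.31.1.7", "10.31.1.99"

# Constructed learning traffic: the HMI polls holding registers, the EWS sets a setpoint.
LEARNING = [
    (HMI, PLC, frame(1, 1, 3, b"\x00\x00\x00\x0a")),   # read 10 holding registers
    (HMI, PLC, frame(2, 1, 3, b"\x00\x00\x00\x0a")),
    (EWS, PLC, frame(3, 1, 6, b"\x00\x10\x01\x2c")),   # write register 16 = 300
]

# Constructed live traffic: a normal poll, an unexpected host forcing a coil,
# the HMI suddenly addressing a second unit id, and one non-Modbus payload.
LIVE = [
    (HMI, PLC, frame(4, 1, 3, b"\x00\x00\x00\x0a")),
    (ROGUE, PLC, frame(5, 1, 5, b"\x00\x01\xff\x00")),  # coil write from unknown host
    (HMI, PLC, frame(6, 2, 3, b"\x00\x00\x00\x05")),    # unit 2 never seen in baseline
    (HMI, PLC, b"\x00\x07\x00\x01\x00\x02\x01\x03"),    # protocol id 1: ignored
]

if __name__ == "__main__":
    base = build_baseline(LEARNING)
    for alert in inspect(LIVE, base):
        print(alert)
```

The two alert classes map onto the bullets above: the write check is protocol-aware analysis (it keys on the function code, not just the port), while the unseen-tuple check is the simplest form of behavioural baselining. In a real deployment the learning window would be days rather than three frames, and the allowlist would come from the asset inventory rather than a constant.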

OT Security Operations Centre (SOC)

Larger manufacturers are establishing dedicated OT SOC capabilities, either in-house or through managed security service providers (MSSPs). An effective OT SOC requires analysts with specialist knowledge of industrial protocols, manufacturing processes, and the specific behaviour patterns of OT devices — skills that are in extremely short supply in the UK market. The cost of establishing an in-house OT SOC typically starts at £350,000 per year for a mid-sized manufacturer, making managed OT security services an attractive alternative at £5,000–£15,000 per month.

Patching Legacy Industrial Systems: A Pragmatic Approach

Patching is one of the most contentious topics in OT security. In IT environments, regular patching is a fundamental security control. In OT environments, applying a patch to a production system carries genuine risk: the patch could introduce instability, break compatibility with other components, or require a system reboot that disrupts operations.

The OT Patching Dilemma

Consider a PLC running firmware from 2012, controlling a critical production line that operates 24/7. The vendor has released a firmware update that addresses a known vulnerability. However:

  • Applying the update requires a production shutdown, costing £50,000 per hour in lost output
  • The update has not been tested with the specific configuration and programme running on this PLC
  • If the update causes issues, rolling back may not be straightforward
  • The maintenance window available is limited to the annual shutdown period, six months away

This is the reality of OT patching. The solution is not to ignore patches, but to implement a risk-based patching strategy that accounts for the unique constraints of the manufacturing environment.

Compensating Controls for Unpatchable Systems

When patching is not immediately feasible, manufacturers must deploy compensating controls to reduce the risk:

  1. Network isolation — place vulnerable devices on dedicated, tightly controlled network segments with strict firewall rules
  2. Application whitelisting — on Windows-based OT systems (HMIs, engineering workstations), deploy application whitelisting solutions that prevent unauthorised executables from running
  3. Enhanced monitoring — increase monitoring intensity around unpatchable assets, with specific alerting rules for known exploitation techniques
  4. Access restriction — limit network access to vulnerable devices to only the specific IP addresses and ports required for their function
  5. Virtual patching — deploy IPS rules at the network boundary that block known exploit traffic targeting specific vulnerabilities

OT Security Quick Wins

You do not need a massive budget to significantly improve your OT security posture. Start with these high-impact, low-cost actions:

  1. Conduct a complete OT asset inventory — you cannot protect what you do not know exists
  2. Change all default passwords on every accessible OT device
  3. Disable unused network ports and services on PLCs and HMIs
  4. Implement network segmentation between the IT and OT environments; even a basic firewall is better than a flat network
  5. Establish a secure, audited process for USB media usage in the OT environment

These five steps alone can reduce your OT attack surface by an estimated 60–70%.

IT/OT Convergence Security: Managing the Collision

The convergence of IT and OT is not optional — it is driven by compelling business requirements. Industry 4.0 initiatives, predictive maintenance, digital twins, real-time supply chain visibility, and AI-powered quality control all require data to flow between the shop floor and enterprise systems. The challenge is enabling this convergence securely.

Common Convergence Risk Scenarios

The most dangerous scenarios arise when IT and OT systems are connected without adequate security controls:

  • Flat network merging — connecting OT devices directly to the corporate LAN, exposing them to every threat on the enterprise network
  • Shared credentials — using the same Active Directory for both IT and OT authentication, meaning a compromised office workstation could provide credentials valid in the OT environment
  • Uncontrolled cloud connectivity — connecting OT devices directly to cloud platforms for IoT analytics without passing through a secure gateway
  • Shadow OT — engineers deploying unauthorised wireless access points, consumer IoT devices, or personal laptops on the OT network for convenience

Secure Convergence Architecture

A secure IT/OT convergence architecture should incorporate the following principles:

  • IDMZ enforcement — all data flowing between IT and OT must traverse the Industrial Demilitarised Zone, with no exceptions
  • Separate identity systems — OT environments should have their own authentication infrastructure, with dedicated accounts that are not synchronised with the corporate directory
  • API-based integration — use well-defined, monitored APIs in the IDMZ for data exchange rather than direct database connections or file shares
  • Edge computing — process and aggregate OT data at the network edge before sending summarised, non-sensitive information to cloud or enterprise systems
  • Unified governance — establish a converged IT/OT security governance structure with representation from IT security, OT engineering, and production operations

The Cost of Getting Convergence Wrong

For UK manufacturers, the financial impact of a poorly managed IT/OT convergence is severe. According to a 2025 Make UK survey, the average cost of a significant OT security incident — including production downtime, incident response, regulatory penalties, and customer impact — is £4.3 million. For manufacturers in automotive, aerospace, and food and beverage sectors, the costs can be substantially higher due to contractual penalties and supply chain disruption.

Incident Response for Manufacturing Environments

Incident response (IR) in manufacturing and OT environments requires a fundamentally different approach from standard IT incident response. The primary objective shifts from “contain and eradicate” to “maintain safe operations while containing the threat.” Disconnecting a compromised OT system from the network could be more dangerous than leaving it connected if that system is controlling a critical safety function.

Manufacturing-Specific IR Principles

  1. Safety first, always — no incident response action should create a safety hazard. Before disconnecting, isolating, or shutting down any OT system, assess the potential impact on physical processes and worker safety
  2. Controlled shutdown over abrupt disconnection — if a production system must be taken offline, follow the standard operational shutdown procedure rather than pulling network cables or cutting power
  3. Preserve forensic evidence without disrupting operations — use network captures and log collection rather than disk imaging of live OT systems wherever possible
  4. Involve OT engineers in every decision — IT security analysts may not understand the physical consequences of their containment actions. Every IR decision affecting OT systems should involve the engineers who operate them
  5. Pre-defined isolation procedures — document and rehearse specific isolation procedures for each critical OT zone, including which network connections can be safely severed and which must remain active

Building a Manufacturing IR Plan

An effective manufacturing IR plan should include the following elements, specific to the OT environment:

  • OT-specific playbooks — documented response procedures for scenarios such as ransomware affecting HMIs, unauthorised PLC programme changes, compromised vendor remote access, and safety system anomalies
  • Manual operations procedures — for each critical production process, document how to operate manually if automated control systems must be taken offline. Ensure operators are trained on these manual procedures
  • Communication protocols — define escalation paths that include production managers, safety officers, OT engineers, and IT security. Establish out-of-band communication channels that do not depend on the compromised network
  • Regulatory notification timelines — under NIS Regulations, operators of essential services must notify the relevant competent authority of significant incidents. Understand your notification obligations and prepare template notifications in advance
  • Supply chain notification — if your manufacturing operations are part of a larger supply chain, define when and how you will notify customers and partners of incidents that may affect delivery timelines

Tabletop Exercises

Regular tabletop exercises are essential for testing your manufacturing IR plan. These should involve participants from IT security, OT engineering, production operations, health and safety, legal, and senior management. Realistic scenarios — based on actual attacks against manufacturers in your sector — help identify gaps in your plan before a real incident exposes them. We recommend conducting these exercises at least twice per year, with one exercise specifically focused on an OT-targeted scenario.

Building a Resilient Manufacturing Cyber Security Programme

Securing manufacturing and OT environments is not a one-time project — it is an ongoing programme that must evolve as threats change and as your operations grow. The most resilient manufacturers treat cyber security as a production-critical function, on par with quality control and health and safety.

Key Programme Elements

  • Executive sponsorship — OT security must have board-level visibility and dedicated budget, separate from IT security spending
  • Cross-functional team — establish an OT security working group that includes IT security, OT engineering, production operations, procurement, and facilities management
  • Risk-based prioritisation — focus resources on the assets and processes where a compromise would have the greatest impact on safety, production, and revenue
  • Continuous asset management — maintain a live, accurate inventory of every OT asset, including firmware versions, network connections, and known vulnerabilities
  • Vendor management — include cyber security requirements in all OT procurement contracts, including vulnerability disclosure processes, patch availability commitments, and secure remote access standards
  • Workforce development — invest in training for both OT engineers (security awareness) and IT security staff (OT technology and protocols)

For UK manufacturers seeking to build or strengthen their OT security programme, partnering with a specialist who understands both the cyber security landscape and the operational realities of manufacturing is invaluable. At Cloudswitched, we combine deep cyber security expertise with practical manufacturing knowledge to deliver OT security programmes that protect your operations without impeding production.

Secure Your Manufacturing Operations

Whether you need an OT security assessment, network segmentation design, NIS Regulations compliance support, or a fully managed OT monitoring service, Cloudswitched can help. Our specialists understand the unique challenges of manufacturing environments and deliver practical, proportionate security solutions that protect your production without disrupting it.
