6 May 2026

Manufacturing Under Attack: OT vs IT Security

Manufacturing businesses have always understood physical risk. Fire suppression systems, health and safety protocols, and contingency planning for equipment failure are second nature. But the risks now arriving through network cables and remote access connections are proving far harder to prepare for.

As IT and OT environments become increasingly connected, the boundary that once separated a corporate network from a factory floor has all but disappeared. Understanding OT vs IT security is no longer a question for specialists alone. For manufacturers, it is a business survival issue, and manufacturing cybersecurity has never mattered more.


What Is the Difference Between OT and IT Security?

Information Technology (IT) covers the systems most businesses are familiar with, from email servers and databases to laptops, ERP platforms, and cloud applications. The priorities in IT security are confidentiality, integrity, and availability, in that order.

Operational Technology (OT) is different. OT refers to the hardware and software that monitors and controls physical processes, such as SCADA systems, Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), and broader Industrial Control System environments.

In these settings, the priority order is reversed. Availability comes first. A factory that cannot run is losing money by the minute, which makes OT vs IT security a fundamentally different problem. SCADA security, for instance, must account for the fact that taking a system offline to apply a patch may be operationally impossible. Operational technology security requires a different discipline, different tools, and a different mindset.

Why Manufacturers Are Being Targeted by Cyber Criminals

Ransomware groups are not selecting their targets at random. Manufacturing businesses are attractive for a straightforward reason: production downtime is immediately and visibly costly. Every hour a line is stopped, orders are missed, contracts are at risk, and the pressure to restore operations grows. That pressure is precisely what attackers rely on.

According to Dragos's Q2 2025 industrial ransomware analysis, manufacturing accounted for 65% of all ransomware incidents recorded across industrial sectors in that period [1]. The concentration is not coincidental. Manufacturing businesses often hold sensitive supply chain data, operate on tight margins that make downtime financially devastating and, critically, many have not invested in manufacturing cybersecurity at the same pace as sectors such as financial services.

Attackers know this, and they continue to exploit it.


Understanding the Risks of IT and OT Convergence

For much of the history of industrial computing, factory systems were isolated. They operated on dedicated networks, used proprietary protocols, and had no meaningful connection to corporate IT infrastructure. That separation provided a natural layer of protection.

IT and OT convergence has changed that picture entirely. Manufacturers have connected production systems to enterprise networks to enable real-time monitoring, remote diagnostics, and data-driven decision-making. Smart factory initiatives, cloud integration, and remote access tools have introduced genuine operational benefits, but they have also created pathways that did not previously exist. When an attacker gains a foothold in the corporate IT environment through a phishing email or a compromised VPN credential, lateral movement into the OT network becomes a realistic next step.

Industrial cybersecurity must now account for threats that were once stopped by simple physical separation. ICS security planning must assume that the boundary between office and factory floor is no longer reliable.

Common Vulnerabilities in Industrial Control Systems

ICS environments carry vulnerabilities that most IT teams would not encounter in a standard office network. These OT cybersecurity risks are well-documented, and Industrial Control System cyberattacks exploit them with increasing regularity.

The most common weaknesses include:

  • Legacy Operating Systems: PLCs and HMIs often run unsupported software, leaving known vulnerabilities permanently unpatched.
  • Default Credentials: Many industrial devices ship with factory-default passwords that are never changed, making unauthorised access straightforward.
  • Poor Network Segmentation: Without clear OT zone boundaries, attackers move laterally with limited resistance.
  • Incompatible Endpoint Protection: Most OT devices cannot run conventional security software.
  • Third-Party Vendor Access: Supplier remote sessions are frequently undermonitored. SCADA security is particularly exposed here.

Protecting Production Lines from Cyberattacks

Reducing the risk of a production line cyberattack requires a deliberate approach built around the realities of industrial cybersecurity and operational technology security.

Network segmentation is the most important foundational step: separating OT systems into clearly defined zones limits how far an intrusion can spread. Access control and least-privilege principles restrict what users and systems can reach. Continuous monitoring, using tools designed for industrial protocols, surfaces suspicious behaviour before it escalates. Finally, backup and recovery planning must account for OT specifically.

Standard IT processes do not cover PLC and SCADA configurations, and knowing what needs to be restored before an incident occurs can be the difference between hours of downtime and weeks.

Air-Gapping and Network Segmentation Explained

Air-gapping means physically isolating a system from all external networks so that no data can pass in or out without a physical medium. In theory, air-gapping OT systems makes them unreachable to most attackers. In practice, very few modern manufacturing environments are fully isolated.

The IT and OT convergence that drives efficiency, from remote monitoring and supplier access to cloud-connected SCADA, introduces connection points that break true isolation, and each one is a potential attack surface. For most manufacturers, a layered approach is more realistic, with rigorous network segmentation, strict boundary controls, and continuous traffic monitoring between zones. Critical infrastructure security depends on depth, not a single line of defence.


The Challenges of Securing Legacy OT Systems

OT patch management is one of the most difficult problems in industrial cybersecurity, and it rarely has a straightforward resolution. Unlike a standard IT environment, manufacturing systems are often deeply integrated into live processes, run on software that has not received vendor support for years, and cannot be taken offline without disrupting production schedules.

Where direct patching is not possible, legacy OT systems security depends on compensating controls: segmenting the vulnerable system from the broader network, restricting access to authorised personnel, and monitoring for unusual behaviour. Underpinning all of this is a thorough asset inventory, because security teams cannot make informed risk decisions about systems they have not documented.
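
One way to turn this into a repeatable check is to reconcile the documented inventory against what monitoring actually sees, then list unsupported assets that lack any of the three compensating controls. This is an added example, not part of the original article; the field names, asset records and observed addresses are hypothetical and constructed for illustration.

```python
# Constructed inventory (assumption): field names are hypothetical, not a vendor schema.
INVENTORY = [
    {"id": "PLC-01", "ip": "10.30.1.10", "vendor_supported": False,
     "segmented": True, "access_restricted": True, "monitored": True},
    {"id": "HMI-03", "ip": "10.30.1.20", "vendor_supported": False,
     "segmented": True, "access_restricted": False, "monitored": False},
    {"id": "HIST-01", "ip": "10.20.0.5", "vendor_supported": True,
     "segmented": False, "access_restricted": True, "monitored": True},
]

# Constructed list of addresses seen by passive network monitoring.
OBSERVED_IPS = ["10.30.1.10", "10.30.1.20", "10.30.1.77", "10.20.0.5"]

# The three compensating controls named in the paragraph above.
CONTROLS = ("segmented", "access_restricted", "monitored")

def audit_inventory(inventory, observed_ips):
    """Find undocumented devices and unpatchable assets missing compensating controls."""
    documented = {asset["ip"] for asset in inventory}
    # Devices on the wire that nobody has documented cannot be risk-assessed at all.
    undocumented = sorted(set(observed_ips) - documented)
    gaps = {}
    for asset in inventory:
        if asset["vendor_supported"]:
            continue  # still patchable through the normal process
        missing = [c for c in CONTROLS if not asset[c]]
        if missing:
            gaps[asset["id"]] = missing
    return {"undocumented": undocumented, "control_gaps": gaps}

if __name__ == "__main__":
    report = audit_inventory(INVENTORY, OBSERVED_IPS)
    print("Undocumented devices:", report["undocumented"])
    for asset_id, missing in report["control_gaps"].items():
        print(f"{asset_id}: unsupported and missing {', '.join(missing)}")
```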

Manufacturing Threat Actors and Ransomware Risks

The groups behind manufacturing ransomware are organised, well-resourced, and familiar with industrial environments. RansomHub and PLAY are among the most active, and their methods are worth understanding.

Their common attack methods include:

  • Phishing and Credential Theft: Initial access is typically gained through phishing campaigns targeting employees with access to IT and OT systems, or via credentials from previous breaches.
  • VPN and Remote Access Exploitation: Attackers exploit weak credentials and unpatched vulnerabilities in remote access tools to establish a foothold.
  • Lateral Movement into OT: Once inside the IT network, poor IT and OT convergence controls allow attackers to reach production infrastructure.
  • Delayed Detonation: Sophisticated groups establish persistence and exfiltrate data before triggering encryption, with OT patch management gaps extending the window available to them.

How Solace Cyber Helps Manufacturers Improve Cyber Resilience

Manufacturing organisations face a challenge that most standard IT security providers are not equipped to address. The combination of legacy systems, production pressures, and the convergence of IT and OT environments requires a partner that understands both the technical and operational realities of industrial cybersecurity.

Solace Cyber works with manufacturers to assess and improve their security posture across both IT and OT environments without disrupting production. Our incident response capability is OT-aware: when a manufacturing ransomware attack occurs, our team arrives on-site the same day, works through a proven six-step recovery process, and handles digital forensics in a way that preserves evidence for insurance claims and legal proceedings.

We have close working relationships with the police, Regional Organised Crime Units, and Action Fraud, which matters when the attackers are organised criminal groups. Beyond incident response, we support manufacturers with ICS security assessments, network segmentation strategy, business email compromise (BEC), and ongoing threat monitoring. Our 24/7/365 response capability means that manufacturing cybersecurity support is available whenever it is needed, not just during business hours.

Why Specialist Support Makes All the Difference

OT vs IT security is not a distinction that most general cybersecurity providers are built to handle. For manufacturers, the stakes of getting it wrong extend far beyond a data breach: production lines stop, supply chains fracture, and the financial consequences accumulate by the hour. Traditional IT security alone is not sufficient in an environment where industrial control systems, legacy infrastructure, and converged networks are the reality.

If your business is ready to assess its OT and IT security posture, Solace Cyber's specialist team is available to help. Call us on 01202 308818 or contact us through our contact form to discuss how we can help.


References

[1] Dragos, Q2 2025 industrial ransomware analysis: https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q2-2025


Solace Cyber helps companies across the UK recover from ransomware attacks and data breaches.


SOLACE CYBER LTD is registered in England & Wales no. 14028838


Solace Cyber

Twin Sails House,
W Quay Rd,
Poole, BH15 1JF
United Kingdom
