Securing IoT and OT Devices in Manufacturing: Lessons from the Front Lines

The manufacturing sector is undergoing a rapid digital transformation, with IoT (Internet of Things) and OT (Operational Technology) devices now central to operations. However, this increased connectivity brings new risks and challenges. In a recent webinar, Asimily and GuidePoint Security experts shared actionable insights on how manufacturers can reduce OT and IoT risk, build comprehensive risk mitigation plans, and foster cross-team collaboration for stronger security.

The Visibility Challenge: What’s Really on Your Network?

One of the most persistent issues in manufacturing is the lack of comprehensive visibility across OT environments. Many organizations don’t have a clear inventory of devices connected to their networks, often underestimating the complexity and interconnection between IT and OT assets. Traditional IT tools frequently fall short in correctly identifying and classifying OT devices, leaving significant blind spots.

Organizational silos compound this lack of visibility. OT asset owners, third-party system integrators, and IT security teams often operate independently, making it difficult to share crucial information about device ownership and network architecture. As one expert noted, “Everybody has to work well together” to achieve true visibility and reduce risk.

Legacy Equipment: The Security Achilles’ Heel

Manufacturers rely heavily on long-lived equipment that often runs on outdated or unsupported operating systems like Windows 98 or XP. Unlike IT environments, where upgrading is routine, OT systems prioritize availability and safety. Shutting down or replacing a legacy HMI (Human-Machine Interface) or PLC (Programmable Logic Controller) can disrupt production, so these devices remain in service—sometimes for decades—without critical security updates.

This creates a significant challenge: How do you secure devices with known vulnerabilities that can’t be patched? The answer lies in compensating controls, such as network segmentation, strict access controls, and disabling unneeded services.

Skills Gap: Bridging IT and OT Security Expertise

There’s also a pronounced shortage of OT cybersecurity skills. IT security professionals may be adept at protecting enterprise networks but are often unfamiliar with the unique requirements of OT environments. For example, scanning an OT network with traditional vulnerability tools can inadvertently disrupt operations or even bring down entire production lines—a lesson some manufacturers have learned the hard way.

Organizations must invest in cross-training and leverage external expertise to bridge this gap. As the experts highlighted, “OT cybersecurity skills are gold right now in the industry,” and both IT and OT teams need to understand each other’s priorities and constraints.

Scaling Security: The M&A Factor

Manufacturers frequently scale operations up or down, whether through expanding facilities or mergers and acquisitions. Each new acquisition introduces unknown risks, as legacy OT environments from acquired companies may lack even basic security controls or inventories. Deploying tools like Asimily during due diligence can help assess and mitigate these risks before integration.

The Stakes: Why It Matters

System intrusions in manufacturing are at an all-time high, with ransomware and data breaches posing existential threats to production and intellectual property. Statistics show that manufacturing is disproportionately targeted, accounting for up to 26% of all successful cyberattacks and between 60% and 80% of successful OT attacks.

A Practical Roadmap: The Five Critical ICS Controls

To address these challenges, GuidePoint Security recommends starting with the SANS Five Critical Controls for Industrial Control Systems (ICS):

  1. Asset Inventory
    Maintain a complete, up-to-date inventory of all OT hardware and software across sites. Most organizations lack this foundational visibility, making it impossible to manage risk effectively.
  2. Defensible Architecture & Secure Remote Access
    Implement segmentation between IT and OT networks, enforce secure remote access, and ensure only authorized communication paths exist. This helps prevent lateral movement and enforces “air gaps” where feasible.
  3. Incident Response Planning
    Develop OT-specific incident response plans and playbooks. These should clearly define roles, responsibilities, and procedures for responding to attacks on critical OT assets.
  4. Vulnerability Management
    Prioritize vulnerabilities and patches differently in OT than in IT. Focus on risk-based approaches, considering the operational impact of remediation activities.
  5. Organizational Ownership
    Clearly define ownership of OT security processes. Success depends on collaboration between IT, OT, and business leadership, with someone accountable for driving the program forward.
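
Controls 1 and 2 can be started passively, from traffic already on the wire, which avoids the active scanning that can disrupt OT equipment. The sketch below is an added example, not code from the webinar or from either vendor's tooling; the address ranges, jump host and flow records are constructed assumptions.

```python
import ipaddress

# Default TCP ports of common industrial protocols.
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
            20000: "DNP3", 44818: "EtherNet/IP"}

# Assumed address plan (hypothetical): one OT range, one approved jump host.
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
JUMP_HOSTS = {"10.10.5.10"}

# Constructed flow records (src, dst, dst_port) from a SPAN port or flow
# collector; each is assumed to be an established session.
SAMPLE_FLOWS = [
    ("10.20.1.50", "10.20.1.10", 502),    # HMI polling a PLC over Modbus
    ("10.20.1.50", "10.20.1.11", 44818),  # HMI to a second PLC
    ("10.20.2.7", "10.20.1.10", 502),     # another OT client
    ("10.10.5.10", "10.20.1.50", 3389),   # jump host RDP to the HMI
    ("10.1.4.23", "10.20.1.10", 502),     # office workstation straight to a PLC
    ("10.1.4.23", "10.1.0.5", 443),       # IT-only traffic, ignored
]

def in_ot(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETS)

def build_inventory(flows):
    """Map each OT-range host seen on the wire to the OT protocols it serves.
    An empty list means the host still needs an owner and a classification."""
    inventory = {}
    for src, dst, port in flows:
        if in_ot(src):
            inventory.setdefault(src, set())
        if in_ot(dst):
            served = inventory.setdefault(dst, set())
            if port in OT_PORTS:
                served.add(OT_PORTS[port])
    return {ip: sorted(protos) for ip, protos in inventory.items()}

def segmentation_violations(flows):
    """Flows entering the OT range from outside it without using a jump host."""
    return [f for f in flows
            if in_ot(f[1]) and not in_ot(f[0]) and f[0] not in JUMP_HOSTS]

if __name__ == "__main__":
    for ip, protos in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(ip, protos or "unclassified")
    for src, dst, port in segmentation_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {src} -> {dst}:{port}")
```

Hosts that come back with an empty protocol list are the ones to take to the OT asset owners, and each violation is a communication path to either authorize through the jump host or block at the IT/OT boundary.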

Start Small, Build Momentum

The experts from Asimily and GuidePoint Security emphasized the importance of starting small and scaling gradually. Overwhelming teams with massive assessment reports or trying to implement every framework at once can stall progress. Instead, focus on achievable milestones, build cross-functional relationships, and celebrate quick wins to generate momentum.

Securing IoT and OT devices in manufacturing is a complex, ongoing journey. It requires visibility, collaboration, specialized skills, and a pragmatic, risk-based approach. By following proven frameworks like the SANS Five Critical Controls and leveraging solutions designed for OT environments, manufacturers can protect their operations, safeguard intellectual property, and ensure business continuity in an increasingly connected world.

To watch the full webinar, view the on-demand recording here.