Bringing IT Cybersecurity Policies to the Plant Floor

By Staff

As OT systems become more connected both across the plant floor and with enterprise systems, manufacturing assets such as PLCs, HMIs, and industrial servers are increasingly vulnerable to sophisticated cybersecurity threats. 

As a result, many manufacturers need to harden these assets to protect themselves from cybersecurity threats. While it may seem like extending existing corporate IT cybersecurity policies to the plant floor is the most efficient approach, this is rarely a straightforward effort. OT environments generally have different operating requirements, technical constraints, and risk profiles versus the IT systems corporate policies were designed to protect.

Why IT Policies Don’t Translate to OT

Since many corporate IT cybersecurity policies were built for systems that are frequently patched, regularly replaced, and centrally managed, the standard tools and methods developed to implement such policies cannot always be directly applied to OT environments. OT assets often have long lifecycles with many systems using legacy equipment that’s difficult or impossible to patch, require high availability that makes downtime for maintenance or upgrades difficult, use proprietary platforms, and have user roles that don’t fit neatly into traditional IT access control models. 

Most critically, the technology component of OT has simply not received the same attention as the IT systems supporting business-critical applications.

As a result, even relatively modern OT systems may not be able to support modern IT practices. For example, many manufacturers encounter challenges when trying to apply IT-standard identity and access management (IAM) frameworks in OT environments. 

While corporate policy may call for integration with modern IAM systems that rely on authentication and authorization protocols like SAML or OAuth, these are often not supported by industrial software applications. Some systems may not even have been created with network connectivity capable of supporting an integrated access control scheme. In such cases, organizations must implement workarounds such as building a layered access control system using existing IT tools like Active Directory while placing compensating controls around legacy equipment.

When deciding how to implement IT cybersecurity policies on the plant floor, you need to determine how to prioritize your efforts. To do this, start by performing a comprehensive gap analysis of your industrial automation and control system (IACS) assets. This structured assessment can be used to identify the weaknesses of your OT assets by comparing your current security posture against your defined cybersecurity standards and policies. 

The results will highlight any vulnerabilities and compliance gaps, helping your organization prioritize remediation and minimize operational disruption. 

To perform a gap assessment effectively, it is best to have an internal or third-party expert or team with deep knowledge of both the IT and OT domains lead the effort. Additionally, the person or team leading this effort should be familiar with multiple frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the IEC 62443 series.

This knowledge ensures that full value is derived from the assessment regardless of how far you have progressed in bridging IT policies to the shop floor. These frameworks can also provide valuable guidance for mapping out a risk-based approach to implementing OT cybersecurity best practices for segmentation, access control, and change management.

Applied Control Engineering (ACE) cybersecurity experts recently helped one American supplier of special bar quality (SBQ) steel products perform a gap assessment where they evaluated more than 1,500 IACS assets and determined that around 75 percent of the devices were either safety critical or operationally critical assets. 

ACE also used this assessment to identify where uncoordinated protection efforts were already in place and needed to be documented, as well as areas where new processes needed to be developed and implemented, and conveyed its findings in a NIST CSF-based report.
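As an added illustration (not code from the article or from ACE), the gap assessment described above can be expressed as a simple policy-versus-asset comparison: each asset in a constructed inventory is checked against the patching, access-control (SAML/OAuth) and segmentation expectations discussed earlier, a compensating control is suggested where the asset cannot meet the policy, and findings are weighted by safety or operational criticality to produce a remediation order. The inventory values, field names and weights are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    kind: str                  # e.g. "PLC", "HMI", "server"
    criticality: str           # "safety", "operational" or "non-critical"
    patchable: bool            # vendor still ships fixes and downtime can be scheduled
    supports_modern_iam: bool  # can federate with SAML/OAuth
    networked: bool            # reachable over the plant network at all
    segmented: bool            # already sits in its own IEC 62443 zone

# Weight each open gap by how much the asset matters to safety and production (assumed weights).
CRIT_WEIGHT = {"safety": 3, "operational": 2, "non-critical": 1}

def gap_findings(a):
    # Compare one asset against the corporate policy; return (control, compensating measure) pairs.
    findings = []
    if not a.patchable:
        findings.append(("patching", "legacy device: isolate, monitor, and track vendor end-of-life"))
    if not a.supports_modern_iam and a.networked:
        findings.append(("access-control", "no SAML/OAuth: broker access through an AD-backed jump host"))
    elif not a.supports_modern_iam:
        findings.append(("access-control", "offline device: local account hygiene plus physical access control"))
    if a.networked and not a.segmented:
        findings.append(("segmentation", "move into a dedicated zone behind a monitored conduit"))
    return findings

def risk_score(a):  # higher score = remediate first
    return CRIT_WEIGHT[a.criticality] * len(gap_findings(a))

def prioritize(assets):  # highest score first, name as a stable tiebreak for the report
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))

def critical_share(assets):  # fraction of assets that are safety or operationally critical
    crit = sum(1 for a in assets if a.criticality != "non-critical")
    return crit / len(assets) if assets else 0.0

# Constructed inventory for a hypothetical mill; values are illustrative only.
INVENTORY = [
    Asset("PLC-CASTER-1", "PLC", "safety", False, False, True, False),
    Asset("HMI-ROLLING-2", "HMI", "operational", True, False, True, True),
    Asset("SRV-HISTORIAN-3", "server", "non-critical", True, True, True, True),
    Asset("PLC-FURNACE-4", "PLC", "operational", False, False, False, False),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(a.name, risk_score(a), gap_findings(a))
```

In a real assessment the inventory comes from the asset discovery step and the policy checks are extended to whatever controls your corporate standard actually defines.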

Developing a Strategic Implementation Plan

Once cybersecurity gaps are known and risks are prioritized, select solutions that make as much use of existing tools as possible. Where you can, integrate new security controls with existing IT governance systems so that tools and policies do not have to be reinvented.

Once your desired solutions are selected, you can then develop a strategic implementation plan that allows for phased deployment of remediation efforts. As part of this plan, performing testing in a simulated production environment, especially when legacy systems or vendor-supported equipment is involved, is essential to ensure changes are validated without introducing risk to operations.

Aligning IT and OT Teams

For many organizations, one of the biggest hurdles to successful cybersecurity implementation is organizational, not technical. This is because IT and OT teams often operate in silos, using different tools, speaking different languages, and fulfilling different needs in the organization. 

To foster alignment, you need to start with creating shared objectives and accountability, which may involve steps such as:

  • Defining clear roles and responsibilities for cybersecurity ownership at both the corporate and local levels.
  • Appointing a cross-functional liaison or working group that includes both IT security and plant operations.
  • Conducting joint workshops or tabletop exercises to evaluate risk scenarios and response strategies.
  • Agreeing on using a standard such as the NIST CSF to help structure discussions around shared goals and mutual constraints.

A current trend for fostering IT/OT alignment is to create a dedicated OT team within the IT organization. This team is tasked with helping manage concerns such as cybersecurity and the adoption of modern infrastructure practices, while supporting traditional OT engineering's maintenance of the process. ACE has helped many organizations starting such teams to bridge the gap between these groups, so that instead of perceiving a top-down mandate there is buy-in through practical, plant-specific solutions.

One of the most compelling arguments for aligning IT and OT cybersecurity is the reduction of risk, not just from cyberattacks but also from events that directly affect your bottom line. These may include regulatory penalties, increased insurance premiums, and operational losses.

For example, insurers and regulators increasingly expect manufacturers to demonstrate strong cybersecurity practices, and those who can do so often see tangible benefits such as:

  • Lower premiums.
  • Fewer audits.
  • Faster recovery times if an incident does occur.
  • Higher operational resilience.

Bringing IT cybersecurity policies to the plant floor should not be all about enforcing compliance. Instead, to effectively protect your OT assets, the focus must be on adapting strong security principles to unique industrial environments. With the right approach, manufacturers can extend corporate cybersecurity protections to their OT assets without compromising operational performance. 

The result? A more resilient, secure, and agile organization that is ready to face the challenges of an increasingly connected manufacturing landscape.
