OT/IT Convergence in Manufacturing: How to Secure Your Factory Floor in 2026

As manufacturers connect operational technology to corporate networks, cyber threats are moving from the server room to the shop floor. Here's how to close the gap.

May 19, 2026 | Layer27
Manufacturing, Cybersecurity, IT Strategy, Compliance

The factory floor has changed dramatically over the past decade. Industrial robots talk to enterprise resource planning (ERP) systems. Programmable logic controllers (PLCs) pull data from cloud dashboards. Sensors on conveyor belts feed real-time analytics to executives hundreds of miles away. The promise of the connected factory — lower costs, faster production cycles, better quality control — has largely delivered.

But there's a serious problem that most manufacturers are either unaware of or actively avoiding: the same connectivity that makes modern manufacturing powerful has made it dangerously vulnerable.

The convergence of Operational Technology (OT) — the hardware and software that controls physical industrial processes — with traditional Information Technology (IT) has created an attack surface that most security strategies weren't designed to cover. And attackers have noticed.

According to Dragos's 2025 OT Cybersecurity Year in Review, ransomware attacks targeting industrial organizations increased by 87% over a two-year period, with manufacturing remaining the most targeted sector for the third consecutive year. The FBI's Internet Crime Complaint Center reported that manufacturing sector cyber incidents resulted in average losses exceeding $4.2 million per event when downtime, remediation, and reputational damage were factored in.

This isn't a distant threat. If your facility runs SCADA systems, industrial control systems (ICS), or any internet-connected equipment — and in 2026, almost every facility does — this post is for you.


Understanding the OT/IT Divide (and Why It's Disappearing)

For most of industrial history, OT and IT existed in completely separate worlds. IT handled business systems: email, accounting, HR, customer databases. OT handled physical operations: machinery, sensors, actuators, and the specialized software that controls them.

These two environments had entirely different design philosophies. IT systems were built with confidentiality and integrity as top priorities. OT systems were engineered for availability and safety above all else — if a blast furnace or pharmaceutical filling line goes down, the consequences are immediate and potentially catastrophic.

For decades, OT security relied on "air gaps" — physical separation from any network accessible by the outside world. If attackers couldn't reach the network, the thinking went, they couldn't compromise the machinery.

The Death of the Air Gap

The Industry 4.0 movement — the integration of smart manufacturing, IoT devices, digital twins, and cloud analytics — has made true air gaps nearly impossible to maintain. Modern manufacturers need:

  • Remote monitoring and diagnostics from equipment vendors
  • Real-time production data flowing to enterprise systems and cloud analytics platforms
  • Supply chain integration with customers and suppliers
  • Predictive maintenance systems that rely on continuous sensor data

Each of these use cases punches holes in the air gap. And each hole is a potential entry point for attackers.

The Purdue Model, a traditional framework for organizing industrial network architecture into hierarchical zones, was designed for an era when those zones were physically isolated. Today, data flows laterally across what used to be hard boundaries, and legacy OT systems that were never designed to be network-connected suddenly find themselves reachable from the internet.


Why Manufacturing Is a Prime Target

Manufacturers make attractive targets for several interconnected reasons.

Production Downtime Is Catastrophic

In most industries, a cyberattack is a serious problem. In manufacturing, it can be existential. A single day of unplanned downtime at an automotive assembly plant can cost between $1.3 million and $3 million according to industry estimates. For food and beverage manufacturers with perishable inventory, the calculus is even worse. Ransomware actors understand this, and they price their demands accordingly.

Legacy Systems Are Everywhere

Manufacturing environments are littered with OT equipment running operating systems that predate modern security practices. It's not unusual to find PLCs running Windows XP Embedded, or SCADA systems that haven't received a security patch since 2013 — not because IT teams are negligent, but because updating these systems requires taking production offline, revalidating processes, and often re-certifying equipment with regulatory agencies. The operational and financial cost of patching can be prohibitive.

Supply Chain Complexity

Large manufacturers often have hundreds of suppliers, contract manufacturers, logistics partners, and equipment vendors with varying levels of remote access into their environments. Each of these third parties represents a potential entry point. The 2021 Colonial Pipeline attack — which caused fuel shortages across the Eastern United States — began with a compromised VPN account belonging to a contractor.

Regulatory Pressure Is Increasing

Manufacturers operating in defense, aerospace, food safety, and pharmaceutical sectors face growing regulatory scrutiny. CMMC 2.0 requirements for defense contractors (covered separately on this blog) are just one example. The FDA's updated cybersecurity requirements for medical device manufacturers, the EU's NIS2 Directive affecting European operations, and CISA's cross-sector cybersecurity performance goals all impose new obligations on manufacturing organizations.


The Most Dangerous Threats Facing Manufacturers Right Now

Ransomware With OT-Awareness

Early ransomware simply encrypted files. Modern ransomware groups — including LockBit successors, ALPHV/BlackCat variants, and emerging RaaS operators — have developed OT-aware capabilities. Some variants are designed to identify and interact with industrial protocols like Modbus, DNP3, and OPC-UA, allowing attackers to manipulate or disable physical processes before deploying encryption. The goal is to maximize leverage and extract higher ransoms.

Living-Off-the-Land Attacks

Rather than deploying malware that might be detected by endpoint tools, sophisticated attackers increasingly use legitimate administrative tools already present in the environment — PowerShell, WMI, RDP, and legitimate vendor remote access software — to move laterally and maintain persistence. In OT environments, this is especially problematic because many security tools aren't deployed on industrial endpoints at all.

Supply Chain and Third-Party Vendor Compromise

Attackers who can't penetrate a hardened manufacturer directly will target their suppliers. Equipment vendors with legitimate remote access to a facility's OT network are particularly high-value targets. Once a vendor's credentials or systems are compromised, attackers can pivot directly into the operational environment.

Insider Threats

The manufacturing sector has one of the highest rates of insider threat incidents, driven by workforce turnover, contractor access, and the prevalence of legacy access management practices. Disgruntled former employees with retained credentials represent a persistent and underappreciated risk.


Building a Security Strategy for Converged OT/IT Environments

Securing a manufacturing environment requires a fundamentally different approach than securing a corporate IT network. Here's a practical framework for getting started.

Step 1: Know What You Have

You can't protect what you don't know exists. This sounds obvious, but manufacturing environments routinely have undocumented devices — legacy PLCs, rogue engineering workstations, sensors added informally during a production line modification — that have never appeared on any asset inventory.

Conduct a thorough OT asset discovery using tools designed specifically for industrial environments (Claroty, Dragos, and Nozomi Networks offer purpose-built OT asset visibility platforms). Your inventory should capture every device, its operating system, firmware version, communication protocols, and network connections.

This discovery exercise typically surfaces surprises — equipment communicating to unexpected external IP addresses, devices with default credentials, or connections between network segments that were supposed to be isolated.

Step 2: Segment Your Networks — For Real

Network segmentation is one of the most impactful security controls in a converged OT/IT environment, and one of the most commonly done poorly. The goal is to create defensible zones that limit an attacker's ability to move laterally between IT and OT systems.

At minimum, industrial environments should implement a Demilitarized Zone (DMZ) between IT and OT networks through which all traffic must pass and be inspected. This DMZ should contain data historians, remote access jump servers, and other systems that legitimately need to communicate with both sides of the environment.
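As an added example (not Layer27's code or tooling), the Python below checks flow records against the zone plan described above and flags any conversation that crosses between IT and OT, or leaves OT for an external address, without terminating in the DMZ. The subnets, the allowed-pairs policy and the sample flows are constructed assumptions; in practice the flows would come from firewall logs or NetFlow exports.

```python
import ipaddress

# Constructed zone plan: these subnets are illustrative assumptions.
ZONES = {
    "IT": ["10.10.0.0/16"],
    "DMZ": ["10.50.0.0/24"],   # data historians, remote access jump servers
    "OT": ["10.100.0.0/16"],
}
NETS = {z: [ipaddress.ip_network(c) for c in cidrs] for z, cidrs in ZONES.items()}

# Directed zone pairs that may talk directly. IT<->OT and OT->EXTERNAL are
# deliberately absent: that traffic must terminate in the DMZ.
ALLOWED = {("IT", "DMZ"), ("DMZ", "IT"), ("DMZ", "OT"), ("OT", "DMZ"),
           ("IT", "EXTERNAL")}

def zone_of(ip):
    """Map an address to its zone; anything outside the plan is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in NETS.items():
        if any(addr in net for net in nets):
            return zone
    return "EXTERNAL"

def audit_flows(flows):
    """Return every flow whose zone-to-zone path is not explicitly allowed."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz) in ALLOWED:
            continue
        findings.append({"src": src, "dst": dst, "port": port,
                         "path": f"{sz}->{dz}"})
    return findings

# Constructed sample flows: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.20", "10.50.0.10", 443),     # IT user to historian in the DMZ
    ("10.50.0.10", "10.100.3.5", 502),     # historian polling a PLC
    ("10.10.4.77", "10.100.3.5", 502),     # IT workstation straight to a PLC
    ("10.100.7.9", "203.0.113.40", 443),   # OT device calling out to the internet
    ("10.100.3.5", "10.100.3.6", 44818),   # OT to OT, same zone
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['path']}: {f['src']} -> {f['dst']}:{f['port']}")
```

Findings of this kind are the "connections between network segments that were supposed to be isolated" that asset discovery in Step 1 tends to surface.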

Layer27's Infrastructure Pro service helps manufacturers design and implement network architectures that enforce proper segmentation without disrupting production workflows — including firewall policies, VLAN configurations, and the monitoring infrastructure needed to detect boundary violations.

Step 3: Get Visibility Into OT Traffic

Traditional security monitoring tools — SIEMs, endpoint detection agents, network behavior analytics — weren't designed to parse industrial protocols. Deploying standard agents on OT equipment is often impossible due to vendor restrictions and validation requirements.

The answer is passive network monitoring at the OT network level. OT-aware monitoring solutions tap into industrial network traffic without touching the devices themselves, parse industrial protocols, establish behavioral baselines, and alert on anomalies. This is a core capability in a mature OT security program.
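The following added example (not Layer27's or any vendor's implementation) shows the parse, baseline and alert steps for one protocol, Modbus/TCP: it decodes the MBAP header, learns which hosts send which function codes to which devices, and alerts on malformed frames and on anything outside that baseline. It assumes each record is one complete Modbus/TCP frame already extracted from mirrored traffic; the addresses and frames are constructed.

```python
import struct

WRITE_FCS = {5, 6, 15, 16}  # write single/multiple coils and registers

def parse_modbus_tcp(payload):
    """Return unit id and function code, or None if not valid Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7]}

def learn_baseline(records):
    """Collect the (src, dst, unit, function code) tuples seen in normal operation."""
    baseline = set()
    for src, dst, payload in records:
        msg = parse_modbus_tcp(payload)
        if msg:
            baseline.add((src, dst, msg["unit"], msg["fc"]))
    return baseline

def detect(records, baseline):
    """Alert on malformed frames and on any tuple missing from the baseline."""
    alerts = []
    for src, dst, payload in records:
        msg = parse_modbus_tcp(payload)
        if msg is None:
            alerts.append((src, dst, None, "malformed"))
        elif (src, dst, msg["unit"], msg["fc"]) not in baseline:
            kind = "new-write" if msg["fc"] in WRITE_FCS else "new-other"
            alerts.append((src, dst, msg["fc"], kind))
    return alerts

# Constructed sample data: addresses and frames are illustrative assumptions.
HMI, PLC, UNKNOWN_HOST = "10.100.1.10", "10.100.3.5", "10.100.9.44"
READ_HOLDING = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)      # fc 3, 10 registers
WRITE_REGISTER = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 16, 500)  # fc 6, one register
BASELINE_CAPTURE = [(HMI, PLC, READ_HOLDING)]
OBSERVED = [
    (HMI, PLC, READ_HOLDING),             # matches the baseline, no alert
    (UNKNOWN_HOST, PLC, WRITE_REGISTER),  # new host issuing a write
    (HMI, PLC, READ_HOLDING[:9]),         # truncated frame
]

if __name__ == "__main__":
    for alert in detect(OBSERVED, learn_baseline(BASELINE_CAPTURE)):
        print(alert)
```

Because the check only reads copied traffic, nothing is installed on or sent to the PLC, which is what makes this approach workable where endpoint agents are not.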

Layer27's Managed Detection & Response (MDR) and 24x7 SOC capabilities can extend to cover OT environments when paired with the right passive monitoring infrastructure. Having human analysts reviewing OT alerts around the clock — not just during business hours — is increasingly critical as attackers have learned to time their actions for nights and weekends.

Step 4: Harden Remote Access

Remote access is the most common initial access vector in manufacturing attacks. Vendor remote access, in particular, is frequently managed poorly — with shared credentials, no multi-factor authentication, and persistent connections that are never terminated.

Implement a privileged access management (PAM) solution for all remote access to OT environments. Require MFA for every session. Use session recording so you have forensic evidence of what was done during any remote access event. Enforce least-privilege principles — an HVAC vendor's technician should only have access to the building management system, not the entire OT network.

Step 5: Build a Patch and Vulnerability Management Program for OT

Given the constraints of industrial environments, traditional patch management approaches don't work. You can't just push patches to a PLC on Tuesday night. But "we can never patch" isn't an acceptable answer either.

Develop a formal OT vulnerability management program that:

  • Maintains an inventory of known vulnerabilities for every device (ICS-CERT advisories are a good starting point)
  • Prioritizes vulnerabilities based on exploitability, network exposure, and potential physical impact
  • Identifies compensating controls (network segmentation, access restrictions, increased monitoring) for vulnerabilities that can't be patched immediately
  • Establishes a planned maintenance window cycle for updates that can be applied

Step 6: Prepare for Incidents Before They Happen

When a ransomware attack hits an industrial environment, the time to figure out your response plan is not during the incident. Manufacturing organizations need OT-specific incident response playbooks that address scenarios like:

  • Ransomware spreading from IT into OT networks
  • Unauthorized commands sent to PLCs or other field devices
  • Loss of visibility into the OT environment (e.g., historian or SCADA system down)
  • Physical safety incidents triggered by a cyber event

Layer27's Safe Start program helps manufacturers establish foundational security controls and documented incident response procedures. Combined with Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) for critical engineering workstations, HMIs, and historian servers, manufacturers can dramatically reduce recovery time when incidents do occur.


Compliance Considerations for Manufacturers

Depending on your sector and customer base, you may face specific regulatory cybersecurity requirements.

  • Defense contractors and subcontractors must comply with CMMC 2.0, which has real implications for OT environments that touch controlled unclassified information.
  • Food and beverage manufacturers fall under FDA and USDA oversight, with increasing attention to cybersecurity of process control systems.
  • Pharmaceutical and medical device manufacturers face FDA cybersecurity guidance that now explicitly addresses OT and ICS security.
  • Chemical sector companies are subject to CISA's Chemical Facility Anti-Terrorism Standards (CFATS), which include cybersecurity components.
  • Energy sector manufacturers with grid-connected facilities may fall under NERC CIP requirements.

Layer27's Compliance services help manufacturers navigate this patchwork of requirements, identify gaps between current controls and regulatory expectations, and build documentation that demonstrates compliance to auditors and customers alike.


The Role of Cloud in OT Security

Manufacturers are increasingly leveraging cloud infrastructure for data historians, analytics platforms, digital twin simulations, and remote management capabilities. This creates new attack surface, but it also opens new defensive opportunities.

Cloud-based security analytics can process far larger volumes of OT telemetry than on-premises systems, enabling better anomaly detection and threat intelligence integration. Secure cloud architectures — whether Private Cloud, Public Cloud, or Hybrid Cloud deployments — can provide the scalability and resilience that on-premises OT environments often lack.

For manufacturers just beginning their OT security journey, Layer27's CloudStart can help establish a secure, well-architected cloud foundation that supports industrial use cases without creating new vulnerabilities.

For organizations that need to extend their existing IT team's capabilities into OT security without building an entirely new internal practice, Co-Managed IT offers a collaborative model where Layer27's specialists work alongside your team — bringing OT security expertise that most internal teams simply haven't had time to develop.


Practical First Steps for Manufacturing Leaders

If you're a plant manager, VP of Operations, or CIO reading this and feeling overwhelmed, here's where to start:

  1. Conduct an OT/IT asset discovery. You need to know what's connected before you can protect it.
  2. Evaluate your network architecture. Are IT and OT truly segmented? Who has remote access and how is it controlled?
  3. Audit third-party vendor access. Revoke access that isn't actively needed. Require MFA for everything that remains.
  4. Assess your backup posture. If ransomware encrypted your historian and engineering workstations today, how long would recovery take?
  5. Train your workforce. Social engineering attacks targeting manufacturing employees — including phishing emails that appear to come from equipment vendors — are increasingly common. Layer27's Security Awareness Training helps your team recognize and report suspicious activity before it becomes an incident.
  6. Engage a security partner with OT experience. Generic IT security expertise isn't sufficient for industrial environments. The protocols, the constraints, and the risk calculus are different.

The Bottom Line

OT/IT convergence is not a future trend — it's the present reality of modern manufacturing. The efficiency and competitive advantages it enables are real and significant. But so are the risks, and the manufacturing sector's track record of treating cybersecurity as an IT-only problem has left thousands of facilities operating with dangerous blind spots.

The good news is that this is a solvable problem. Manufacturers who invest in OT visibility, network segmentation, access controls, and incident preparedness now will be dramatically better positioned than those who wait for a costly incident to force the issue.

The factory floor has always been a place where skilled professionals take safety seriously. In 2026, cybersecurity is part of that safety equation.


Ready to Assess Your Manufacturing Cybersecurity Posture?

Layer27 works with manufacturing organizations across the United States to assess OT/IT environments, identify gaps, and implement security programs that work within the operational realities of industrial production. Whether you're starting from scratch or looking to mature an existing program, we can help.

Contact Layer27 today to schedule an OT/IT security assessment.
