
By John Allen, Strategic OT Security Director at Harpoon Consulting
John has an esteemed reputation in the OT space having been the key figure in delivering the OT Security transformation for a global pharmaceutical leader. John now spends his time consulting for organisations
I’ve worked in the technology industry for over 30 years, lately as a strategic consultant in OT Security. Off the back of a large-scale OT security transformation with a global pharmaceutical company, I’ve been connecting with manufacturers of all sizes and coaching leaders on their journey to strengthening their OT cyber security risk posture.
Throughout my years leading security transformations, I’ve seen that manufacturers face unique challenges in implementing a successful OT cybersecurity programme. So, I wanted to share my thoughts on why this is so and what can be done about it. My goal is to help not only the engineers and IT/OT teams involved in the actual security regime but also the business leaders who are increasingly accountable for operational resilience.
OT security in manufacturing has become a critical challenge as factories face increasing cyber threats. From ransomware halting production lines to regulatory pressures like NIS2, manufacturers must strengthen their OT security posture to stay resilient.
Positioning Cybersecurity in Manufacturing
Cybersecurity in manufacturing is usually not defined in a business context, but it should be. I approach OT security as a business continuity risk that, if realised, can have dire consequences such as:
- Theft or corruption of sensitive designs, IP, or production data
- Ransomware halting production lines
- Destruction or malfunction of plant equipment
- Serious safety events that may physically harm workers or impact processes
In manufacturing, the consequences are magnified: a single day of downtime can cost millions and disrupt customer supply chains. A cyber incident can also damage hard-won customer trust, put contracts at risk, and in highly regulated industries (like automotive, food & beverage, or pharmaceuticals), lead to regulatory penalties or even product recalls.
Common Challenges Manufacturers Face
In speaking with manufacturers, I see four recurring situations that hold back OT security efforts:
- Companies that don’t know where to even begin and are unaware of the problem
- Companies that know what they want to do, but can’t get sponsorship or funding
- Companies that have funding but don’t know how to start effectively
- Companies that have started but cannot get traction within their factories or plants
Here are my recommendations to help manufacturers overcome these roadblocks and implement effective OT security programmes.
1. Justification – Framing in Business Terms
In manufacturing, OT security initiatives are often seen as a cost centre rather than a driver of business resilience. Leaders will only engage when the conversation shifts from technical risks to operational and financial impact.
For example, framing security investment as “protecting OEE (Overall Equipment Effectiveness), supply chain continuity, and customer trust” resonates far more than talking about vulnerabilities or firewalls.
When plant managers and business leaders see OT security as directly tied to production uptime, safety, and quality, the discussion changes – and so does funding.
2. Accountability, Ownership, and Governance
Even with strong justification, the ownership question becomes tricky. Who is really responsible for OT security – the central IT team, plant managers, or corporate leadership?
In many manufacturers, central teams understand cyber risk but don’t own P&L, while business units own operations but don’t always understand cyber. This divide stalls progress.
The solution I’ve found effective is a joint venture approach between corporate teams and local plants. This creates a common language and mutual understanding of:
- What OT systems are critical to production
- What risks exist, and their true business impact
- How safety, quality, and OEE align with security priorities
Once this baseline is established, both sides can build a joint strategy that prioritises the most impactful steps first. Corporate acts as an enabler, while plants retain ownership of implementation.
3. Embedding and Sustaining Value
Cybersecurity is not a one-off project. Manufacturers must build an ongoing OT Cybersecurity Operating Model that considers:
- Who is responsible for day-to-day security in the plants
- How system lifecycle management and patching will work for legacy equipment that cannot easily be upgraded
- Integration with maintenance schedules and change management processes
- Business Continuity (BCP) and Disaster Recovery (DR) planning
- What skills are needed – and where to source them in a tight talent market
- Whether to build in-house capability or rely on trusted partners for services like monitoring and incident response
4. Slowly but Surely – Start Small, Prove Value
Manufacturers often look at peers who have invested millions in full-scale OT programmes and feel overwhelmed. But trying to do everything at once is a recipe for failure.
Instead, I advise starting small, proving value, and scaling steadily. For example:
- Begin with a high-level risk/security gap assessment to understand where you stand
- Make sure you have an up-to-date asset inventory – you can’t protect what you can’t see
- Deliver a quick win like staff training or a network segmentation pilot
- Bring in experienced partners for the heavy lifting, e.g. assessments, technology implementation, security monitoring, or incident response readiness
This approach builds momentum and demonstrates measurable business value early, which makes it easier to unlock funding for the next phase.
Why Manufacturers Must Act Now
There’s no doubt that the journey to effective OT security is a challenging one. Many manufacturers are still living in the world of “It won’t happen to me” or “Margins are already tight, we can’t afford this.”
But cyberattacks are already happening across the manufacturing sector – ransomware attacks that shut down plants, supply chain breaches that ripple across entire industries, and safety incidents triggered by insecure legacy equipment. Just take a look at JLR over the past month or two.
Also, with NIS2 coming into effect in October 2024, the stakes are higher than ever. Non-compliance will not only bring financial penalties but could also impact your ability to continue operating as a trusted supplier in critical industries.
The reality is simple: manufacturers must act now. Start small, prove value, and build a sustainable security programme that protects operations, customers, and your bottom line.
If you want to benefit directly from John’s expertise, why not book a consultation with him or one of our team? It’s completely free, and you’ll be under no obligation to take things further. Book a call here!

