Industrial Cybersecurity & OT Security: Complete Guide for PLC and SCADA Engineers

By Mehtab Ahmed. December 2, 2025. Updated: March 19, 2026.

Why Industrial Cybersecurity Is the Most Urgent Problem in Manufacturing Today

In 2021, an attacker accessed a water treatment facility in Oldsmar, Florida and attempted to increase sodium hydroxide levels to dangerous concentrations — all through a remote access connection to a SCADA system. The operator caught it in time. Most attacks aren’t caught that quickly. The Colonial Pipeline ransomware attack the same year shut down 5,500 miles of fuel pipeline along the U.S. East Coast, triggering fuel shortages across multiple states. Both incidents shared a common thread: operational technology (OT) systems that were connected to networks without adequate security controls.

If you work with PLCs, SCADA systems, DCS, or any industrial control system (ICS), cybersecurity is no longer something you can delegate to the IT department. It’s now a core engineering responsibility. This guide covers what industrial cybersecurity means in practice, the frameworks that govern it, and the specific steps you can take today to reduce risk in your facility.


IT vs OT Cybersecurity — Why They Are Fundamentally Different

Most cybersecurity training is built around IT systems — servers, workstations, databases, and enterprise networks. The principles are broadly correct, but applying them directly to OT environments without modification can actually make things worse. Here’s why.

In IT, the security priority order is Confidentiality → Integrity → Availability (the CIA triad). A server going offline for patching is an acceptable temporary disruption. In OT, the priority is flipped: Availability → Integrity → Confidentiality. A PLC controlling a chemical dosing pump cannot be taken offline for an unplanned reboot without risk of a process upset, a safety incident, or an environmental violation. This fundamental difference shapes every security decision in industrial environments.

OT systems also have lifecycles that IT systems don’t. A Windows 10 laptop gets replaced every 3–5 years. A DCS controller or PLC installed in a refinery might run for 20–30 years without a hardware refresh. Many industrial devices run firmware that cannot be patched because the vendor no longer supports it, or because any firmware change requires a full re-validation of the control system. Security by patching — the default IT approach — simply doesn’t work in these environments.

Real-time requirements are another critical difference. A SCADA system polling field devices every 100 milliseconds cannot tolerate the latency introduced by an active network security scan. Many IT security tools that run aggressive scans will crash older industrial devices speaking protocols like Modbus, DNP3, or EtherNet/IP simply by sending packets those devices were never designed to handle. I’ve seen a facility lose communications to an entire PLC network because a well-meaning IT engineer ran a vulnerability scanner on the OT subnet.


The IEC 62443 Standard — The Foundation of Industrial Cybersecurity

IEC 62443 is the primary international standard for industrial automation and control system (IACS) cybersecurity. Published by the International Electrotechnical Commission, it provides a comprehensive framework specifically designed for OT environments. Unlike generic cybersecurity frameworks, IEC 62443 was developed with input from industrial automation vendors, system integrators, and end users who understood the unique constraints of production environments.

The standard is organized into four series. Series 1 covers general concepts and terminology. Series 2 addresses policies and procedures for asset owners — the companies that operate industrial facilities. Series 3 covers system-level requirements, including the zone and conduit model for network segmentation. Series 4 addresses component-level requirements for vendors building industrial devices.

One of the most important concepts introduced by IEC 62443 is the Security Level (SL) framework. Security levels range from SL 1 (basic protection against unintentional or accidental violations) through SL 4 (protection against sophisticated nation-state level attacks). For most manufacturing facilities, SL 2 is the practical target — protection against intentional violation using simple means. Critical infrastructure like power generation, water treatment, and oil pipelines should target SL 3.

The zone and conduit model is particularly useful for PLC and SCADA engineers. A zone is a grouping of assets with similar security requirements — for example, all PLCs on a single production line. A conduit is any communication path between zones. By mapping your facility into zones and conduits, you can apply appropriate security controls at each boundary rather than trying to secure every device individually.


NIST Cybersecurity Framework Applied to Industrial Control Systems

The NIST Cybersecurity Framework (CSF) provides a five-function model that translates well to industrial environments when combined with IEC 62443. The five functions are Identify, Protect, Detect, Respond, and Recover. For OT engineers, here is what each function means in practice.

Identify means building a complete asset inventory of every PLC, HMI, engineering workstation, historian, SCADA server, and network device in your OT environment. You cannot protect what you don’t know exists. Many facilities are surprised to discover industrial devices connected to their networks that were never officially commissioned — old test systems, vendor laptops left connected, or modems installed by field service technicians years ago.

Protect covers all the preventive controls: network segmentation, access control, secure remote access, hardening of device configurations, and management of removable media like USB drives. For PLC environments, protection also means disabling unused communication ports on controllers, removing default passwords, and establishing change management procedures for any modification to the control system.

Detect is where many OT environments fall short. Industrial networks often have no monitoring at all — no logging, no anomaly detection, no baseline of normal behavior. Establishing detection capability means deploying passive network monitoring tools that can identify unexpected communication patterns without disrupting real-time control traffic. Vendors like Claroty, Dragos, and Nozomi Networks build OT-specific detection platforms designed for this purpose.
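The Detect function described above, as an added example that is not from the article or from any vendor product: a passive baseline is learned from constructed flow records (source, destination, port, Modbus function code), and live records are then checked against it to flag new talkers, first-time writes from a host that previously only read, and function codes never seen on that host pair. Addresses, timestamps and traffic are all constructed placeholders.

```python
"""Passive baseline / anomaly check over constructed OT flow records.

Learns which (src, dst) pairs talk and which Modbus function codes they use
during a baseline window, then flags deviations in later records. No packets
are sent to any device; this only reads records a passive sensor would produce.
"""
from collections import defaultdict

# Subset of real Modbus function codes, used only to label alerts.
MODBUS_FC = {3: "read holding registers", 4: "read input registers",
             6: "write single register", 16: "write multiple registers"}
WRITE_FCS = {6, 16}

# Constructed baseline: an HMI (192.168.1.20) reads and occasionally writes to
# two PLCs; the DMZ historian (10.1.0.5) only reads input registers.
BASELINE_LINES = """\
2025-12-01T08:00:00,192.168.1.20,192.168.1.10,502,3
2025-12-01T08:00:01,192.168.1.20,192.168.1.11,502,3
2025-12-01T08:00:02,10.1.0.5,192.168.1.10,502,4
2025-12-01T08:00:03,192.168.1.20,192.168.1.10,502,6
"""

# Constructed live traffic at 2 AM with several deviations from the baseline.
LIVE_LINES = """\
2025-12-02T02:13:00,192.168.1.20,192.168.1.10,502,3
2025-12-02T02:13:05,10.1.0.5,192.168.1.10,502,16
2025-12-02T02:13:09,192.168.1.77,192.168.1.11,502,3
2025-12-02T02:13:12,192.168.1.20,192.168.1.11,502,16
2025-12-02T02:13:15,192.168.1.20,192.168.1.10,502,4
"""

def parse(lines):
    """Yield (timestamp, src, dst, dst_port, function_code) per record line."""
    for line in lines.strip().splitlines():
        ts, src, dst, port, fc = line.split(",")
        yield ts, src, dst, int(port), int(fc)

def learn_baseline(lines):
    """Map (src, dst) -> set of function codes observed in the baseline window."""
    base = defaultdict(set)
    for _, src, dst, _, fc in parse(lines):
        base[(src, dst)].add(fc)
    return dict(base)

def detect(baseline, lines):
    """Return (timestamp, reason, src, dst, fc) for each record outside the baseline."""
    alerts = []
    for ts, src, dst, _, fc in parse(lines):
        seen = baseline.get((src, dst))
        if seen is None:
            alerts.append((ts, "new talker", src, dst, fc))
        elif fc not in seen:
            reason = "first write from this host" if fc in WRITE_FCS else "new function code"
            alerts.append((ts, reason, src, dst, fc))
    return alerts

if __name__ == "__main__":
    for ts, reason, src, dst, fc in detect(learn_baseline(BASELINE_LINES), LIVE_LINES):
        print(f"{ts} {reason}: {src} -> {dst} fc={fc} ({MODBUS_FC.get(fc, '?')})")
```

A real deployment would also baseline per port and protocol and key writes on the destination register range, but the shape of the check is the same: learn what is normal, then alert on anything outside it.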

Respond and Recover require documented incident response plans specific to OT. Who do you call at 2 AM when your SCADA server shows signs of ransomware? Do operators know how to run the plant in manual mode while the control system is compromised? Is there a tested backup of every PLC program and HMI configuration stored offline where it cannot be encrypted by malware?


Network Segmentation for PLC and SCADA Systems

Network segmentation is the single most effective control you can implement in an OT environment. The Purdue Enterprise Reference Architecture (PERA) model, also known as the Purdue Model, divides industrial networks into levels from Level 0 (field devices) through Level 5 (enterprise). Security controls at each level boundary limit how far an attacker can move if they compromise one part of the network.

At a minimum, your OT network should be separated from your corporate IT network by a firewall or demilitarized zone (DMZ). The firewall rules should be explicit and restrictive — only the specific traffic needed for business operations (such as production data flowing to an ERP system) should be permitted. Everything else should be denied by default. Bidirectional access between IT and OT networks is a major risk factor. Data historians sitting in a DMZ can pull data from OT and push it to IT without opening direct connections between the two networks.

Within the OT network itself, further segmentation by production area, safety system, or criticality level reduces the blast radius of any single compromised device. A malware infection that reaches a PLC on Line 1 should not automatically have network access to the PLCs on Lines 2 through 10. Managed switches with VLAN configuration, combined with firewall rules between VLANs, can achieve this segmentation without requiring a full network rebuild.
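The zone-and-conduit model from the IEC 62443 section and the IT/DMZ/OT split described here, as one added example that is not from the article: a small Python policy check in which every cross-zone flow must match an explicitly listed conduit and everything else is denied by default. The zone address ranges, the historian's position in the DMZ, and the port numbers are constructed assumptions.

```python
"""Zone-and-conduit policy check (constructed example).

Every flow between zones must match an allowed conduit; unlisted flows are
denied. This is the rule set a boundary firewall would enforce, written as a
function so proposed flows can be audited before they are opened.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones: enterprise IT, a DMZ holding the historian, and two OT
# production lines that must not reach each other.
ZONES = {
    "IT": ip_network("10.0.0.0/16"),
    "DMZ": ip_network("10.1.0.0/24"),
    "OT_LINE1": ip_network("192.168.1.0/24"),
    "OT_LINE2": ip_network("192.168.2.0/24"),
}

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"

# The explicit allow list. The DMZ historian polls each line over Modbus/TCP
# (502) and publishes to IT over HTTPS (443). IT never reaches OT directly,
# and no line-to-line conduit exists.
CONDUITS = {
    Conduit("DMZ", "OT_LINE1", 502),
    Conduit("DMZ", "OT_LINE2", 502),
    Conduit("DMZ", "IT", 443),
}

def zone_of(addr: str) -> Optional[str]:
    """Return the zone containing addr, or None if it is in no known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def flow_allowed(src: str, dst: str, dst_port: int, proto: str = "tcp") -> bool:
    """Default deny: a cross-zone flow is allowed only if it matches a conduit."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False          # address outside every zone: deny
    if s == d:
        return True           # intra-zone traffic is governed inside the zone
    return Conduit(s, d, dst_port, proto) in CONDUITS

def audit(flows):
    """Return the proposed flows (src, dst, port[, proto]) the policy would drop."""
    return [f for f in flows if not flow_allowed(*f)]

if __name__ == "__main__":
    proposed = [("10.1.0.5", "192.168.1.10", 502),   # historian -> Line 1 PLC
                ("10.0.5.5", "192.168.1.10", 502),   # IT workstation -> PLC
                ("192.168.1.10", "192.168.2.10", 502)]  # Line 1 -> Line 2
    for f in audit(proposed):
        print("DENY", f)
```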


Securing Remote Access to PLC and SCADA Systems

Remote access is the most common attack vector against industrial control systems. COVID-19 dramatically accelerated OT remote access deployments as facilities needed vendors and engineers to troubleshoot systems without traveling on-site. Many of those remote access connections were set up quickly without proper security controls and never reviewed afterward.

Secure remote access for OT environments requires several layers. First, all remote access should go through a dedicated jump server or secure remote access platform — never directly to a PLC or HMI from the internet. The jump server sits in a DMZ and enforces authentication before allowing any connection into the OT network. Second, multi-factor authentication (MFA) should be required for all remote access sessions, including vendor access. A username and password alone is not sufficient given the prevalence of credential theft attacks. Third, every remote session should be logged with full session recording so you have a complete record of what was done and when.

Vendor remote access deserves special attention. Many industrial facilities grant broad, always-on remote access to equipment vendors for maintenance purposes. This creates significant risk because you have limited visibility into the security posture of the vendor’s network. Best practice is to use just-in-time access — the vendor requests access, an operator approves it for a specific time window, and the connection is automatically terminated when the window closes. Tools like Claroty SRA and Tosibox are purpose-built for this use case.


PLC and HMI Hardening Best Practices

Hardening refers to reducing the attack surface of individual devices by removing unnecessary services, changing default credentials, and applying secure configurations. For PLCs and HMIs specifically, hardening means the following actions.

Change all default passwords immediately on commissioning. Many PLCs ship with default usernames and passwords that are publicly documented in vendor manuals. Leaving these in place is equivalent to leaving your front door unlocked. PLC password policies should require a minimum length, and the passwords themselves should be stored in a secure password vault, not on a sticky note attached to the panel door.

Disable all unused communication ports and protocols. If your PLC uses EtherNet/IP for control but has an unused Modbus TCP port enabled, disable it. Each open port is a potential entry point. Many PLCs also have built-in web servers for diagnostics — if you don’t need the web interface, disable it.

Enable write protection or run mode locks where available. Many PLC platforms allow you to lock the processor into run mode so that program downloads are blocked without a physical key switch or explicit operator authorization. This prevents an attacker who gains network access from pushing malicious logic to the controller.

Maintain offline backups of all PLC programs, HMI configurations, and historian tag databases. Store these backups in a location that cannot be reached from the network — ideally on physical media stored in a secure location. A ransomware attack that encrypts your SCADA server is recoverable if you have a clean backup. Without a backup, recovery requires reprogramming every PLC from scratch, which can take weeks or months.


Common Attack Vectors Targeting Industrial Control Systems

Understanding how attackers target OT systems helps you prioritize your defenses. The most common attack vectors in industrial environments are phishing and spear-phishing, supply chain attacks, removable media, and exploitation of remote access vulnerabilities.

Phishing remains the most common initial access method. An employee on the corporate IT network clicks a malicious link, the attacker establishes a foothold on the corporate network, and then pivots laterally into the OT network through any inadequately secured connection between the two. This is exactly how the Colonial Pipeline attack began. Separating IT and OT networks limits how far this lateral movement can go.

Supply chain attacks target the software and firmware used by industrial vendors. The 2020 SolarWinds attack compromised network management software used by thousands of organizations. In OT environments, engineering software like Siemens TIA Portal, Rockwell Studio 5000, or Wonderware InTouch represents a similar supply chain risk. Any software update from a vendor should be validated before deployment to production systems.

Removable media — USB drives in particular — are a persistent threat in air-gapped or semi-isolated OT environments. The Stuxnet worm, which damaged uranium enrichment centrifuges in Iran, spread through USB drives precisely because the target systems were not connected to the internet. USB ports on HMI workstations should be disabled at the hardware level or managed through endpoint controls that prevent unauthorized devices from executing code.


Building an OT Cybersecurity Program: Where to Start

If your facility has no formal OT cybersecurity program, the task can feel overwhelming. The most practical approach is to start with risk-based prioritization rather than trying to implement every control simultaneously.

Begin with asset inventory and network mapping. You need to know what’s on your network before you can protect it. Passive network discovery tools like Nozomi Networks Guardian or Dragos Platform can identify OT assets without sending active probes that might disrupt sensitive devices. A complete, accurate asset inventory is the foundation of every subsequent security decision.

Next, perform a risk assessment aligned to IEC 62443. Identify which systems have the highest consequence of failure — safety systems, environmental controls, and critical production equipment should be at the top of the list. Concentrate your first wave of security improvements on protecting those high-consequence systems.

Then implement the three highest-impact controls: network segmentation between IT and OT, multi-factor authentication for all remote access, and offline backups of all control system configurations. These three measures address the majority of real-world attack scenarios at relatively low cost and operational disruption.

From there, build a continuous improvement program with regular vulnerability assessments, security awareness training for operators and engineers, and incident response exercises that specifically test OT scenarios. Cybersecurity in industrial environments is not a project with a completion date — it’s an ongoing operational discipline that must evolve as threats and technology change.


Summary

Industrial cybersecurity for PLC and SCADA systems requires a fundamentally different approach from IT security. The priorities are availability first, the constraints are real-time operation and long equipment lifecycles, and the consequences of failure include physical damage, safety incidents, and environmental harm — not just data breaches. IEC 62443 provides the right framework for OT environments. Network segmentation, secure remote access, device hardening, and offline backups form the practical foundation that every industrial facility should have in place before tackling more advanced controls.

What is the difference between IT and OT cybersecurity?

IT cybersecurity prioritizes confidentiality first. OT cybersecurity prioritizes availability first because shutting down a production system for patching can cause safety incidents and production losses. OT devices also have much longer lifecycles and often cannot be patched using standard IT methods.

What is IEC 62443 and why does it matter for PLC engineers?

IEC 62443 is the international standard for industrial automation and control system cybersecurity. It provides a zone and conduit model for network segmentation and a Security Level framework that helps engineers prioritize controls based on the risk profile of each system.

How can I secure remote access to my SCADA system?

Use a dedicated jump server or OT-specific remote access platform in a DMZ. Require multi-factor authentication for all sessions. Log and record all remote sessions. Use just-in-time access for vendor connections so access is granted only for specific time windows.

What is the Purdue Model in industrial cybersecurity?

The Purdue Model divides industrial networks into levels from Level 0 (field devices like sensors and actuators) through Level 5 (enterprise IT). Security controls at each level boundary prevent attackers from moving freely between levels. It is the foundational architecture model for OT network segmentation.

What should I back up in my PLC and SCADA environment?

Back up all PLC programs, HMI screen configurations, historian tag databases, SCADA project files, and network device configurations. Store backups offline on physical media in a secure location that cannot be reached from the network. Test restores regularly to verify backup integrity.

Can I use standard IT security scanners on my OT network?

Generally no. Standard active vulnerability scanners can crash older industrial devices and disrupt real-time communications. Use passive network monitoring tools specifically designed for OT environments such as Dragos, Nozomi Networks, or Claroty.

Mehtab Ahmed

Mehtab Ahmed is an electrical engineer with 15 years of hands-on experience in industrial automation and control systems. He specializes in PLC programming (Siemens, Allen-Bradley, Schneider), SCADA/HMI systems, DCS integration, and NEC-compliant electrical design. Throughout his career, Mehtab has worked on projects across manufacturing, oil & gas, utilities, and power plants. He has commissioned automated production lines, troubleshot complex control systems during plant emergencies, and designed electrical panels for industrial facilities. Through Industrial Control Academy, Mehtab shares practical knowledge gained from 15 years of real-world project experience. His articles focus on solving actual problems that engineers and technicians face on the plant floor, from PLC troubleshooting to cable sizing to NEC code compliance. When he's not programming PLCs or designing control systems, Mehtab creates free engineering calculators and guides to help engineers worldwide tackle common electrical and automation challenges.
