By Charles Swihart, Founder & CEO, Preactive IT Solutions
Ask most manufacturing executives what their cybersecurity posture looks like, and they will describe their business network: firewalls, endpoint protection, email filtering, maybe multi-factor authentication on their ERP. What they usually cannot describe with the same confidence is the security posture of their production floor — the PLCs, SCADA platforms, HMIs, and industrial control systems that actually run the equipment.
That gap is not an oversight. It is the predictable result of applying an IT security mental model to an OT environment that was never designed to accommodate it, and it is the single biggest reason manufacturers keep showing up at the top of ransomware target lists.
WHY INDUSTRIAL CONTROL SYSTEMS ARE DIFFERENT
IT systems are built around an assumption of regular patching, flexible configuration, and periodic maintenance windows. OT systems are built around the opposite assumption: continuous, deterministic operation with minimal interruption. Many PLCs and SCADA platforms run on operating systems that are years, sometimes over a decade, out of vendor support, because the control logic running on top of them has been validated against that exact software version and revalidating it is expensive and disruptive.
That is a legitimate engineering constraint, not negligence. But it means the traditional security answer — “patch it” — is frequently not available. Security for OT has to be built around compensating controls: network segmentation, access control, and monitoring, rather than patch management alone.
THE FLAT NETWORK PROBLEM
The most common vulnerability I encounter in manufacturing environments is not a missing patch. It is a flat network — one where a compromised office workstation can reach production controllers because nothing was ever built to stop it. That architecture was typically not a deliberate decision. It accumulated: a switch added here, a remote access pathway opened for a vendor there, a new server dropped onto existing infrastructure without redesigning the network around it.
The consequence is that a routine phishing email opened on an accounting workstation can become a production-halting event because there is no boundary between where that workstation lives and where the equipment controllers live. Ransomware groups that specialize in manufacturing know this pattern well, and they design their lateral-movement tooling around finding exactly that kind of unsegmented path.
WHAT EFFECTIVE ICS SECURITY ACTUALLY LOOKS LIKE
- Network segmentation that creates real boundaries between IT and OT — not a VLAN in name only, but enforced, monitored communication paths between the two.
- Asset visibility — an accurate, current inventory of every device on the production network, since you cannot secure what you do not know exists.
- Access control on remote connections — vendor and integrator remote access is one of the most common entry points, and it needs to be time-limited, monitored, and revocable, not a standing VPN credential nobody remembers granting.
- Monitoring built for OT traffic patterns, not repurposed IT tooling that generates false positives on legitimate industrial protocols like Modbus or OPC-UA and gets ignored as a result.
- An incident response plan that accounts for production continuity — because “isolate and rebuild” looks very different when the asset in question is a controller running a physical process.
THE COMPLIANCE OVERLAY
Frameworks like NIST CSF 2.0 and, for manufacturers in the defense supply chain, NIST 800-171 and CMMC, increasingly formalize these expectations. That is useful because it gives manufacturers a structured way to prioritize the work rather than trying to secure everything at once. But I would caution against treating compliance as the goal. A manufacturer can pass an audit and still have a flat network, because audits sample controls, they do not test the entire attack surface. Compliance should be the byproduct of good architecture, not a substitute for it.
WHERE TO START
If your organization has not yet done so, the starting point is a genuine asset inventory and network map of the production environment — not the network diagram from five years ago, but what is actually connected today. Almost every serious security gap I have found in a manufacturing environment was visible the moment that map was built honestly. The technology to close those gaps is well understood. The harder part is usually just being willing to look.

About the Author
Charles Swihart is the Founder and CEO of Preactive IT Solutions, a process-driven Managed IT Services provider founded in 2003 and specializing in manufacturing, engineering, and construction organizations across Houston, Austin, Beaumont, and San Antonio, Texas. He is the author of On Thin Ice, an Amazon best-selling book on cybersecurity, and was named MSP Titan of the Industry in 2024.

