Industrial IoT (IIoT) security requires: complete asset inventory of all connected equipment, network segmentation separating IIoT devices from IT systems, passive monitoring to detect anomalous behavior without disrupting device operation, firmware management processes coordinated with equipment vendors, and strict vendor remote access controls. IIoT devices should never communicate directly with the internet — all external connectivity should go through a DMZ with controlled access.
What Counts as Industrial IoT in a Manufacturing Environment
The definition is broader than most manufacturers realize. Industrial IoT includes:
- CNC machines and machining centers with Ethernet connectivity
- Injection molding machines with remote monitoring capabilities
- Industrial robots with networked controllers
- Environmental monitoring sensors (temperature, humidity, air quality)
- Energy monitoring systems
- Conveyor systems and automated guided vehicles (AGVs) with wireless connectivity
- Vision inspection systems
- Barcode readers and RFID scanners
- Label printers networked to ERP systems
- Building management systems (HVAC, access control, fire suppression)
Many of these devices were connected without formal IT involvement — an equipment vendor ran a cable to the office switch, or someone added a wireless access point near a production line. The result is an undocumented attack surface.
The Three Primary IIoT Attack Scenarios
- Network pivot: Attackers compromise a weakly secured IIoT device and use it as a staging point to reach other systems — ERP servers, domain controllers, business workstations. The IIoT device isn't the target; it's the door.
- Direct production disruption: Ransomware or targeted attacks that reach production control systems and halt manufacturing. Colonial Pipeline is the high-profile example, but manufacturing-specific attacks (LockerGoga ransomware at Norsk Hydro in 2019, causing $71M in damages) demonstrate the direct OT risk.
- Intellectual property theft: Production recipes, CNC programs, quality specifications, and process parameters are valuable IP. Attackers accessing IIoT systems can potentially extract this data.
Step 1: Complete Asset Inventory
You can't secure what you don't know about. Asset discovery in manufacturing environments requires different tools than standard IT discovery, because:
- Many IIoT devices use industrial protocols (Modbus, EtherNet/IP, PROFINET, OPC-UA) that standard IT scanners don't recognize
- Some IIoT devices crash or behave unpredictably when probed by active scanning tools
- Devices may connect intermittently (a CNC machine only on the network when running a program)
Passive network monitoring tools (Claroty, Dragos, Nozomi Networks, or Armis for mixed IT/OT environments) listen to network traffic without sending probes — safe for OT environments and able to identify industrial protocols. In most facilities, passive discovery reveals 20–40% more devices than the manual inventory.
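The passive inventory idea in a small worked form: the script below (an added example, not code from the original article or from any of the vendors named) aggregates constructed flow records, as a sensor on a mirror port would see them, into one record per device, labels industrial protocols by their well-known ports, tracks first/last seen so intermittent devices stand out, and reports the devices a hand-kept list never knew about. All IP addresses and timestamps are constructed; the port-to-protocol table uses real port assignments.

```python
from datetime import datetime

# Well-known ports of common industrial protocols (real IANA/vendor assignments).
INDUSTRIAL_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 44818): "EtherNet/IP (explicit messaging)",
    ("udp", 2222): "EtherNet/IP (implicit I/O)",
    ("tcp", 4840): "OPC UA",
    ("udp", 34964): "PROFINET (context manager)",
}

# Constructed flow records, as a passive sensor on a SPAN/mirror port would see them:
# (timestamp, src_ip, dst_ip, transport, dst_port). Not captured from a real plant.
FLOWS = [
    ("2024-03-01T06:02:10", "10.20.1.15", "10.20.0.5", "tcp", 502),
    ("2024-03-01T06:02:11", "10.20.1.15", "10.20.0.5", "tcp", 502),
    ("2024-03-01T06:05:00", "10.20.1.22", "10.20.0.5", "tcp", 44818),
    ("2024-03-01T09:30:00", "10.20.1.40", "10.20.0.7", "tcp", 4840),
    ("2024-03-01T11:15:00", "10.20.1.22", "10.20.0.5", "tcp", 44818),
    ("2024-03-02T14:00:00", "10.20.1.55", "10.20.0.5", "udp", 2222),
    ("2024-03-02T14:00:30", "10.20.1.55", "10.20.9.9", "tcp", 8080),
]

def build_inventory(flows):
    """One record per talking device (source IP): protocols, peers, first/last seen."""
    inventory = {}
    for ts, src, dst, transport, port in flows:
        seen = datetime.fromisoformat(ts)
        rec = inventory.setdefault(src, {"protocols": set(), "talks_to": set(),
                                         "first_seen": seen, "last_seen": seen, "flows": 0})
        # Label the protocol when the port is a known industrial one; otherwise keep the raw port.
        rec["protocols"].add(INDUSTRIAL_PORTS.get((transport, port), f"{transport}/{port}"))
        rec["talks_to"].add(dst)
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)
        rec["flows"] += 1
    return inventory

def undocumented_devices(inventory, manual_list):
    """Devices seen on the wire that the hand-kept spreadsheet does not list."""
    return sorted(set(inventory) - set(manual_list))

def not_observed(inventory, manual_list):
    """Listed devices never seen during the capture: possibly intermittent, so capture longer."""
    return sorted(set(manual_list) - set(inventory))
```

A CNC that only joins the network while running a program shows up in `not_observed` until the capture window is long enough to cover a production run.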
Step 2: Firmware and Patch Management
IIoT firmware management is fundamentally different from IT patch management:
- Firmware updates for production equipment must be tested against the specific machine configuration — applying a generic update can change machine behavior or void calibration
- Updates may require production downtime and coordination with maintenance — you can't patch a running machine
- Some older equipment no longer receives firmware updates from vendors — document these as known risks and compensate with additional network controls
Process for IIoT firmware management:
- Inventory current firmware versions for all connected equipment
- Subscribe to vendor security advisories for each equipment type
- When updates are available, request the release notes and security fixes from the vendor
- Schedule test updates on non-production equipment first
- Coordinate production maintenance windows for updates
- Document the update in your asset inventory
Step 3: Network Segmentation for IIoT
IIoT devices should live on isolated VLANs with strict firewall rules. The key principles:
- IIoT devices should only communicate with the systems they legitimately need to reach — typically a data historian, MES system, or specific server
- IIoT devices should not have direct internet access — vendor remote access should go through a DMZ jump server
- Group devices by function and risk level — a wireless barcode scanner is less risky than a CNC machine controller, and they don't need to be on the same network segment
See our detailed guide on OT/IT network segmentation for the full architecture.
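To see whether the Step 3 principles actually hold, the same allowlist can be checked against what the boundary firewall permitted. The following is an added example (not code from the original article or any firewall vendor): a constructed per-group allowlist (historian and MES only, no direct internet), applied to constructed `key=value` firewall log lines, reporting permitted flows that the segmentation should have prevented. It also serves as the simplest form of the firewall-log monitoring discussed in the next section. Group names, addresses and the log format are all assumptions made for the example.

```python
import ipaddress

# Internal address space used by the plant (the RFC 1918 ranges). Anything outside it
# counts as "the internet" for policy purposes; IIoT devices may only reach it via the DMZ.
PLANT_PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allowlist following the Step 3 principle: each device group may reach
# only the systems it legitimately needs. Addresses are made up for the example.
HISTORIAN, MES = "10.20.0.5", "10.20.0.7"
GROUPS = {
    "cnc_controller": {"members": {"10.20.1.15", "10.20.1.16"}, "allowed": {HISTORIAN, MES}},
    "barcode_scanner": {"members": {"10.30.1.80"}, "allowed": {MES}},
}

def device_group(ip):
    return next((name for name, g in GROUPS.items() if ip in g["members"]), None)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PLANT_PRIVATE)

def check_flow(src, dst):
    """Classify one IIoT flow against the segmentation policy; None means compliant."""
    group = device_group(src)
    if group is None:
        return ("unknown_device", src, dst)    # talking on the IIoT VLAN but never inventoried
    if not is_internal(dst):
        return ("direct_internet", src, dst)   # should be impossible if the DMZ-only rule holds
    if dst not in GROUPS[group]["allowed"]:
        return ("not_in_allowlist", src, dst)  # lateral reach beyond what the group needs
    return None

def audit(log_lines):
    """Report permitted flows that violate policy, from 'key=value' firewall log lines."""
    findings = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("action") != "allow":
            continue  # denied traffic was stopped; we want what the rules let through
        finding = check_flow(fields["src"], fields["dst"])
        if finding:
            findings.append(finding)
    return findings

# Constructed sample log lines (not from a real firewall).
SAMPLE_LOG = [
    "src=10.20.1.15 dst=10.20.0.5 action=allow",    # CNC -> historian: expected
    "src=10.20.1.15 dst=203.0.113.9 action=allow",  # CNC -> internet: rule gap
    "src=10.20.1.16 dst=10.10.5.20 action=allow",   # CNC -> office host: rule gap
    "src=10.30.1.80 dst=10.20.0.7 action=allow",    # scanner -> MES: expected
    "src=10.20.1.99 dst=10.20.0.5 action=allow",    # never inventoried
    "src=10.20.1.15 dst=198.51.100.4 action=deny",  # blocked as intended, skipped
]
```

Each finding maps to a concrete fix: a missing deny rule, a device to add to the inventory and a group, or an allowlist entry that is genuinely needed and should be documented.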
Monitoring IIoT Devices Without Disrupting Operations
Traditional endpoint security (antivirus, EDR agents) cannot run on most IIoT devices. The alternatives:
- Network behavior monitoring: Passive tools that watch what devices communicate — alerting when a CNC machine suddenly starts communicating with an external IP or a new internal system
- Protocol analysis: Industrial protocol-aware monitoring that can identify malformed commands or out-of-range values in Modbus or EtherNet/IP traffic
- Firewall logging: Even without purpose-built OT monitoring tools, logging all traffic through your OT/IT boundary firewall provides visibility into unusual communication patterns
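What "protocol analysis" means at the packet level, as an added example that is not from the original article or from any OT monitoring product: a minimal Modbus/TCP request checker that parses the MBAP header and function code, flags malformed frames (wrong protocol identifier, length mismatch), and flags writes to registers outside a per-machine policy or with out-of-range values. The register map, allowed function codes and value range are constructed for the example; the frame layout is standard Modbus/TCP.

```python
import struct

# Constructed policy for one machine: reads are allowed; the only permitted write is to
# register 40 (a setpoint) within a safe range. Not a real device's register map.
ALLOWED_READ_FUNCS = {1, 2, 3, 4}
WRITE_POLICY = {40: (0, 1500)}   # register -> (min, max) allowed value

def parse_modbus_tcp(frame: bytes):
    """Parse MBAP header + function code of a Modbus/TCP request; ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:   # length covers unit id + PDU
        raise ValueError(f"length field {length} != actual {len(frame) - 6}")
    return {"tid": tid, "unit": unit, "func": frame[7], "data": frame[8:]}

def inspect(frame: bytes):
    """Return a finding string, or None when the request is within policy."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as e:
        return f"malformed: {e}"
    if req["func"] in ALLOWED_READ_FUNCS:
        return None
    if req["func"] == 6:  # Write Single Register: 2-byte address, 2-byte value
        if len(req["data"]) != 4:
            return "malformed: write single register needs 4 data bytes"
        reg, val = struct.unpack(">HH", req["data"])
        if reg not in WRITE_POLICY:
            return f"write to unexpected register {reg}"
        lo, hi = WRITE_POLICY[reg]
        if not lo <= val <= hi:
            return f"out-of-range value {val} for register {reg} (allowed {lo}-{hi})"
        return None
    return f"unexpected function code {req['func']}"

def build(func: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Construct a well-formed sample request frame (used only to exercise the checker)."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([func]) + data
```

A passive sensor would run `inspect` over requests reassembled from a mirror port; the device itself is never touched, which is what makes this safe next to production equipment.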
Frequently Asked Questions
Do I need OT-specific security tools, or can standard IT security tools work?
For passive monitoring of OT/IIoT environments, purpose-built OT tools (Claroty, Dragos, Nozomi) provide better protocol support and risk scoring for industrial devices. For firewalls and network segmentation, enterprise IT firewalls (Palo Alto, Fortinet) work well in OT environments if properly configured. Standard endpoint security agents don't run on most IIoT devices.
How do I handle equipment that is 10+ years old and never receives firmware updates?
Legacy equipment that can't be patched must be compensated with network controls: strict VLAN isolation, firewall rules limiting communication to only what's required, enhanced monitoring for anomalous behavior, and documented risk acceptance reviewed annually. Include these devices in your cybersecurity risk assessment as known gaps.
Should my IT team or my maintenance team be responsible for IIoT security?
Both, with clear ownership boundaries. IT is responsible for network infrastructure, segmentation, and monitoring. Maintenance/engineering owns the equipment and its firmware, coordinating with vendors. Cybersecurity decisions about IIoT require collaboration between both teams — pure IT decisions about OT equipment create operational risk, and pure OT decisions about connectivity create security risk.