Security 8 min read May 14, 2026

OT/IT Network Security for Manufacturers: The Plain-English Guide

Applying standard IT security to a factory floor will either leave your shop floor exposed or accidentally take down a production line. Here's how OT security actually works — and what your IT provider needs to understand.

Most IT providers are good at securing offices. Manufacturers don't just have offices; they have production floors, where the computers run machines that can cause physical damage, worker injuries, or multi-million-dollar production shutdowns if configured incorrectly.

This guide explains OT/IT security in terms that both IT professionals and plant managers can use together. Because in manufacturing, if IT and operations aren't aligned on security, neither function can do its job safely.

Why You Can't Apply Standard IT Security to the Shop Floor

Standard IT security is built on three principles, usually prioritized in this order:

  1. Confidentiality: Only authorized people see the data
  2. Integrity: Data is accurate and hasn't been tampered with
  3. Availability: Systems are up when people need them

OT security flips this entirely:

  1. Safety: Physical processes must not harm people or equipment
  2. Availability: Production must continue
  3. Integrity: Control logic must be accurate
  4. Confidentiality: Least priority for most OT systems

A standard IT patch management approach says: apply security patches within 30 days, reboot as needed. Applied to a PLC controlling a hydraulic press, this could cause an unexpected mid-cycle shutdown that damages the tooling, the workpiece, or — in a worst case — the operator. This is why the IT team cannot own OT security decisions unilaterally. And it's why OT can't be left completely unmanaged from a security perspective either.

The Purdue Model: Your Network Architecture Blueprint

The Purdue Reference Model (the architecture that ISA/IEC 62443 builds on in its modern zone-and-conduit form) is the standard framework for structuring OT/IT networks. Think of it as a layered model where each layer only communicates with the layers directly adjacent to it, never jumping layers.

Level 4–5: Enterprise Network (IT)

Your standard business network. Email, ERP (Sage, SAP, Epicor), Microsoft 365, file servers, HR systems. Standard IT security practices apply here: patch regularly, enforce MFA, use EDR, log everything.

Industrial DMZ (The Critical Boundary)

A demilitarized zone between your IT network and your OT network. This is where data is transferred between the two worlds in a controlled, monitored way. Components typically include:

  • Industrial firewalls (Fortinet FortiGate, Palo Alto, Cisco IE series)
  • Historian servers that collect OT data and make it available to IT without allowing direct IT-to-OT connections
  • Data diodes (hardware that allows data to flow only one direction — from OT to IT) for the most security-sensitive environments
  • Jump servers for authorized engineering access to OT systems

The DMZ design principle: no direct connections from IT to OT or from OT to IT. All data exchange happens through controlled intermediaries.
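One way to turn the adjacency rule and the DMZ principle into a check you can run against your own firewall logs, written as an added example for this guide (not code from the article or any vendor). It assumes flow records have already been tagged with a source and destination zone; the zone names, IP addresses and ports in the sample are constructed for the example.

```python
"""Purdue-model conduit audit over constructed flow records.

Added example, not code from the original article. It assumes firewall
flow records have already been tagged with a source and destination zone
(the zone names below are this example's own) and flags any flow that
skips a layer or crosses the industrial DMZ boundary directly.
"""
from dataclasses import dataclass
from typing import Optional

# Layers from the physical process up to the enterprise network. Two zones
# are "adjacent" when their indexes differ by exactly 1. Because the
# industrial DMZ is its own layer, ENTERPRISE is adjacent only to IDMZ, so
# any IT-to-OT or OT-to-IT flow that bypasses the DMZ is non-adjacent.
PURDUE_ORDER = ["PROCESS", "CONTROL", "SCADA", "MES", "IDMZ", "ENTERPRISE"]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    src_ip: str = ""
    dst_ip: str = ""


def violation(flow: Flow) -> Optional[str]:
    """Return the reason a flow breaks the layered model, or None if it is allowed."""
    src, dst = flow.src_zone, flow.dst_zone
    if src not in PURDUE_ORDER or dst not in PURDUE_ORDER:
        return f"unknown zone {src!r} -> {dst!r}; tag the address before trusting the flow"
    if src == dst:
        return None  # traffic inside one layer is outside this check
    lo, hi = sorted((PURDUE_ORDER.index(src), PURDUE_ORDER.index(dst)))
    if hi - lo == 1:
        return None
    skipped = PURDUE_ORDER[lo + 1:hi]
    return f"{src} -> {dst} skips {', '.join(skipped)}; route it through the intermediate layer"


def audit(flows) -> list[dict]:
    """Collect one finding per violating flow, shaped for a ticket or SIEM alert."""
    findings = []
    for f in flows:
        reason = violation(f)
        if reason:
            findings.append({"src": f.src_ip or f.src_zone, "dst": f.dst_ip or f.dst_zone,
                             "port": f.dst_port, "reason": reason})
    return findings


# Constructed sample: a zone-tagged export of one day's firewall flows.
SAMPLE_FLOWS = [
    Flow("ENTERPRISE", "IDMZ", 443, "10.1.20.15", "10.9.0.10"),     # ERP reads the DMZ historian: allowed
    Flow("IDMZ", "MES", 1433, "10.9.0.10", "10.3.0.5"),             # DMZ historian pulls from MES: allowed
    Flow("ENTERPRISE", "CONTROL", 502, "10.1.20.15", "10.0.1.7"),   # office host talking Modbus/TCP to a PLC: skips three layers
    Flow("SCADA", "ENTERPRISE", 443, "10.2.0.3", "10.1.50.1"),      # HMI reaching an enterprise proxy: bypasses MES and the DMZ
    Flow("MES", "IDMZ", 8443, "10.3.0.5", "10.9.0.20"),             # MES posts to the DMZ: allowed
    Flow("ENTERPRISE", "SCADA", 3389, "10.1.20.44", "10.2.0.3"),    # RDP from IT straight to an HMI: skips MES and the DMZ
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"{finding['src']} -> {finding['dst']}:{finding['port']}  {finding['reason']}")
```

In practice the zone tag comes from your IP address plan (one subnet per layer makes the mapping trivial), and the three findings the sample produces are exactly the conversations an industrial DMZ exists to prevent: an office machine speaking Modbus to a PLC, an HMI reaching the enterprise network, and RDP from IT into the supervisory layer.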

Level 3: Manufacturing Operations (MES)

Manufacturing Execution Systems, production scheduling, batch management, quality management. This layer bridges IT and OT: it receives production orders from the ERP above and sends execution data down to control systems below. MES requires careful access control: engineering and operations can configure production parameters; shop floor workers interact with it but shouldn't be able to modify configuration.

Level 2: Supervisory Control (SCADA/HMI)

SCADA systems, HMI workstations, historian servers at the OT level. These are the "eyes" of the production floor — operators see process status and can intervene. Patching is complex here because vendor-supplied SCADA software may have OS dependencies that can't be changed without revalidation. Security relies more on network isolation and application whitelisting than on patching.

Level 1: Control Systems (PLCs, DCS)

The devices that actually control physical processes. PLCs, DCS controllers, motion controllers. These run proprietary firmware and often run for years without change. Security comes almost entirely from network isolation: they should have no direct network exposure to IT or the internet.

Level 0: Physical Process

Sensors, actuators, drives, robots, CNCs. Physical layer — IT has no role here, but OT network connectivity affects these devices' behavior.

The Engineering Workstation: Your Biggest Risk

Engineering workstations are where attacks pivot from IT to OT. They're used to program PLCs, configure SCADA, update HMI logic — and they also run Windows, receive email, and connect to engineering vendor portals.

A phishing email that installs malware on an engineering workstation gives an attacker a foothold in both the IT world and the OT world simultaneously. From there, they can:

  • Observe production processes and identify sabotage opportunities
  • Modify PLC logic to cause equipment malfunction
  • Exfiltrate proprietary production recipes, tooling parameters, and process data
  • Install ransomware payloads that execute simultaneously on IT and OT systems

Hardening Engineering Workstations

  • Application whitelisting: Only approved applications can run — no ad-hoc software installation. Windows AppLocker or a commercial tool like Carbon Black enforces this.
  • USB port restriction: USB drives are a common OT attack vector (the original Stuxnet used USB). Engineering workstations should require IT authorization for any USB device.
  • No general internet browsing: Engineering workstations should not be used for general web browsing or personal email. Provide a separate "browsing" machine if internet access is needed.
  • Separate authentication: Engineering workstation credentials should be separate from standard domain credentials. If the IT domain is compromised, attackers shouldn't automatically have access to engineering workstations.
  • Network segmentation: Engineering workstations should be on a dedicated VLAN with firewall rules that restrict their connections to only required OT systems and vendor support portals.

Remote Access to OT Systems

OT vendors (Rockwell, Siemens, Beckhoff, Mitsubishi) often require remote access for support. This is a significant risk surface. Best practices:

  • No persistent VPN connections: Remote vendor access should be activated on-demand, monitored in real time, and terminated when the session ends
  • Jump server architecture: Vendors connect to a jump server in the DMZ, not directly to OT devices
  • Session recording: All vendor remote sessions recorded and retained
  • MFA for vendor access: Even if the vendor complains, MFA on remote access is non-negotiable
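The four practices above can be checked against the access records your jump server and remote-access gateway already produce. The script below is an added example written for this guide (not the article's or any vendor's code): it audits a list of vendor sessions for entry via the DMZ jump server, MFA, recording, an approval reference, and an on-demand window that was actually closed. The jump host name, the ticket format, the four-hour window and the session records themselves are all this example's own assumptions.

```python
"""Vendor remote-access session audit over constructed session records.

Added example, not code from the original article. It checks each vendor
session for entry via the DMZ jump server, MFA, recording, and an
on-demand window that was approved and closed. The hostname, ticket
format and 4-hour window are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

JUMP_HOSTS = {"jump-idmz-01"}        # assumed name of the DMZ jump server
MAX_SESSION = timedelta(hours=4)      # assumed on-demand window per approval


@dataclass(frozen=True)
class VendorSession:
    vendor: str
    entry_host: str                 # host the vendor's connection terminated on
    target: str                     # OT asset reached from there
    mfa: bool
    recorded: bool
    opened_at: datetime
    closed_at: Optional[datetime]   # None means the session is still open
    approval: Optional[str]         # change/ticket reference; None means nobody authorized it


def findings(s: VendorSession, now: datetime) -> list[str]:
    """Return every practice the session violates (empty list = compliant)."""
    out = []
    if s.entry_host not in JUMP_HOSTS:
        out.append(f"terminated on {s.entry_host}, not on the DMZ jump server")
    if not s.mfa:
        out.append("vendor login had no MFA")
    if not s.recorded:
        out.append("session was not recorded")
    if s.approval is None:
        out.append("no on-demand approval reference")
    # A session that never closed is measured up to the audit time, so a
    # persistent VPN shows up as one enormous overrun.
    duration = (s.closed_at or now) - s.opened_at
    if duration > MAX_SESSION:
        state = "still open" if s.closed_at is None else "closed late"
        out.append(f"ran {duration} against a {MAX_SESSION} window ({state})")
    return out


def audit(sessions, now: datetime) -> dict:
    """Map each vendor/target pair to its list of findings."""
    return {f"{s.vendor}->{s.target}": findings(s, now) for s in sessions}


NOW = datetime(2026, 5, 14, 12, 0)  # constructed audit time

# Constructed sample sessions.
SAMPLE_SESSIONS = [
    # Compliant: via the jump server, MFA, recorded, approved, closed inside the window.
    VendorSession("drive-vendor", "jump-idmz-01", "vfd-line2", True, True,
                  datetime(2026, 5, 14, 9, 0), datetime(2026, 5, 14, 10, 30), "CHG-0418"),
    # The persistent-VPN anti-pattern: straight to the PLC, no MFA, unrecorded, open for two weeks.
    VendorSession("press-oem", "plc-press-07", "plc-press-07", False, False,
                  datetime(2026, 5, 1, 0, 0), None, None),
    # Partly right: jump server and MFA, but not recorded and overran its window.
    VendorSession("scada-integrator", "jump-idmz-01", "hmi-packaging", True, False,
                  datetime(2026, 5, 14, 6, 0), datetime(2026, 5, 14, 11, 30), "CHG-0421"),
]

if __name__ == "__main__":
    for session, problems in audit(SAMPLE_SESSIONS, NOW).items():
        print(session, "OK" if not problems else "; ".join(problems))
```

Run daily, the output doubles as the evidence an auditor will ask for: the persistent session to the press PLC fails every check at once, while the integrator's session shows the more common real-world gap of a correctly routed connection that nobody recorded or closed on time.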

What to Ask Your IT Provider

These questions separate providers who understand OT from those who will figure it out at your expense:

  • "Can you describe our OT network architecture and what your recommendations would be for segmentation?"
  • "How do you handle patching for OT systems running on legacy operating systems?"
  • "What industrial firewalls have you deployed? Have you configured an industrial DMZ before?"
  • "How would you handle a ransomware incident that started in the IT network — what's your protocol to prevent it reaching OT?"
  • "Have you worked with a machine builder or OT vendor on network integration? Who do you call when an IT change affects OT?"

If they can't answer these specifically, they haven't done OT security. Manufacturing requires an IT provider who has. Find out more about what manufacturing IT support looks like and what qualifications to look for in a provider who has actually worked on shop floors.
