Tags: OT Security, Manufacturing Cybersecurity, Network Segmentation, ICS, Industrial Control Systems

OT Security: Bridging the IT/OT Gap in Modern Manufacturing

April 21, 2026 | By George Makaye, CISSP

Operational technology and information technology were built for different worlds. IT is built around data, users, and applications — confidentiality and integrity of information are the priorities. OT is built around physical processes — machines, valves, motors, sensors — and the priority is availability. A server going offline is an inconvenience. A PLC going offline can shut down a production line and, in some environments, create safety hazards.

For decades those two worlds were physically separate. IT ran on corporate networks. OT ran on isolated control networks, often air-gapped, with proprietary protocols nobody outside the plant understood. That separation was itself a security model.

That model is gone. Modern manufacturing runs on OT and IT that are converged, connected, and increasingly indistinguishable. The attack surface has expanded dramatically, but most manufacturers are still defending their shop floors with the assumptions of an air-gapped past. This post breaks down what the IT/OT gap actually looks like today, why it matters, and how manufacturers close it without disrupting production.

What “OT” Actually Means on a Modern Shop Floor

OT — operational technology — is the broad category of hardware and software that monitors or controls physical equipment and processes. On a modern manufacturing floor, OT typically includes:

  • PLCs (programmable logic controllers) — the small, deterministic computers that drive machinery
  • SCADA systems (supervisory control and data acquisition) — the dashboards and historians that monitor production lines
  • DCS (distributed control systems) — coordinated controllers managing continuous processes
  • HMIs (human-machine interfaces) — the panels operators use to interact with equipment
  • Industrial IoT sensors — temperature, pressure, vibration, flow monitoring
  • Safety instrumented systems — emergency shutdown logic, interlocks

Twenty years ago these devices spoke proprietary protocols over serial cables, lived on isolated subnets, and rarely interacted with anything outside the plant. Today they speak Modbus TCP, OPC UA, EtherNet/IP, and MQTT over the same copper and fiber as the corporate network. Their data flows into cloud analytics platforms. Firmware updates come down through vendor portals. Remote maintenance contracts mean third parties have VPN access to equipment that was never designed with authentication in mind.

This is IT/OT convergence. It has delivered real operational gains — predictive maintenance, real-time visibility, tighter ERP integration — but it has also exposed equipment that was designed to run in isolation to the same threat environment as a corporate laptop.

Why the IT Playbook Doesn’t Work on OT

The first instinct for many manufacturers is to treat OT security like IT security. Install endpoint protection on the SCADA servers. Push patches on a monthly cycle. Enforce the same password policies. Scan the network with the same vulnerability tools.

That instinct is dangerous. OT systems have constraints that IT playbooks violate.

Availability is paramount. A workstation that reboots unexpectedly inconveniences a user. A PLC that reboots unexpectedly can halt a process, damage product-in-progress, or trigger a safety incident. Patches that require downtime cannot be applied on the IT schedule — they have to wait for planned production breaks, which in some plants come once a year.

Legacy equipment is the norm, not the exception. Industrial equipment is designed for 15–30 year service lives. A PLC running Windows XP Embedded on a controller installed in 2011 is still doing its job reliably. Pulling it out because “XP is unsupported” is not an option. Neither is patching it — the vendor stopped releasing patches a decade ago.

Scanning breaks things. Standard network vulnerability scanners send traffic patterns that OT devices weren’t designed to handle. A Nessus scan against an industrial protocol stack can freeze the controller. The first time a plant IT team runs a scan on the OT network, they often take the production line down.

Authentication was an afterthought. Many industrial protocols have no meaningful authentication. Modbus, in particular, was designed to be simple and fast — any device on the network can send commands, and the receiving controller will execute them. Retrofitting authentication is often technically impossible without replacing the equipment.

Safety is a hard constraint. Some OT systems are safety-critical. Changing their configuration, adding monitoring agents, or inserting network taps can affect safety logic in ways that regulatory frameworks (OSHA, IEC 61511, ISA-84) take seriously. Security changes require hazard analysis.

The result is that OT security requires its own playbook. The goal isn’t to lock down OT with IT controls — it’s to protect OT given its constraints.

The IT/OT Gap in Practice

When we assess Texas manufacturers, the IT/OT gap shows up as a predictable set of failure patterns.

Flat networks. The corporate and production networks share VLANs, routing, and firewall zones. A laptop that gets a phishing-borne malware infection in finance can discover and talk to a PLC on the shop floor. This is the single most common finding and the most dangerous.

Default credentials on industrial devices. HMIs, PLCs, SCADA servers — many shipped with default admin passwords that nobody changed because “nobody can reach them anyway.” Now that they’re reachable, the defaults matter.

Remote access without controls. Vendors often have VPN credentials for remote troubleshooting. Those credentials are shared among the vendor’s technicians, never rotated, and sometimes sitting in an email from five years ago. Every vendor is a potential entry point.

No visibility into OT traffic. Security teams monitor the corporate network with SIEM, EDR, and NDR tools. The OT network is dark. Anomalous communication between a workstation and a PLC goes unseen because nobody is looking.

Unmanaged devices sneaking in. Contractors bring laptops onto the plant floor and plug into the production network to configure equipment. Those laptops may or may not be managed. They may have visited unsavory corners of the internet. Now they’re on the same subnet as the MES server.

Backups that don’t cover OT. Corporate file shares are backed up. The SCADA historian, PLC logic archives, and HMI project files often aren’t — because “the OT vendor handles that.” When a ransomware incident hits, the recovery timeline is measured in days not because the malware is clever, but because rebuilding the HMI from memory takes that long.

Each of these is fixable. The question is how to fix them without doing more damage than the threats they’re intended to address.

Closing the Gap: What Actually Works

The practical playbook for bridging IT and OT security rests on five moves. None of them require ripping out legacy equipment.

1. Segment Aggressively

The highest-leverage control is network segmentation. The goal is to ensure that a compromise on the corporate IT network cannot propagate to the OT network, and that OT devices can only talk to what they need to talk to.

The reference model is the Purdue Enterprise Reference Architecture, which organizes industrial networks into layers (Level 0 through Level 5) with defined trust boundaries. In practice, most manufacturers don’t need the full Purdue treatment — they need three things:

  • A demilitarized zone (DMZ) between the corporate network and the OT network, with strictly controlled data flows in both directions
  • Micro-segmentation within the OT network so that a compromise of one cell doesn’t cascade to another
  • Explicit deny rules on OT-to-corporate traffic that don’t serve a documented business purpose

Segmentation gives you the equivalent of the air gap that used to exist, with the connectivity modern operations require.
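The three requirements above can be written down as a policy and checked before anyone touches a firewall. The following is an added example, not GXA's tooling or any firewall vendor's configuration: it models Purdue-style zones as subnets, an explicit allow list in which every rule carries a documented business purpose, and default deny for everything else, then evaluates candidate flows and lints the rule set for the mistakes that quietly recreate a flat network (corporate reaching a cell directly, cell-to-cell flows, OT traffic terminating outside the DMZ). Zone names, subnets, ports and the rules themselves are constructed assumptions.

```python
"""Zone policy check for a segmented plant network (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map; in a real plant this mirrors the VLAN/firewall design.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),  # Purdue L4/L5: corporate IT
    "idmz":       ipaddress.ip_network("10.20.0.0/24"),  # industrial DMZ between IT and OT
    "site_ops":   ipaddress.ip_network("10.30.0.0/24"),  # L3: historian, engineering workstations
    "cell_a":     ipaddress.ip_network("10.31.1.0/24"),  # L1/L2: line A PLCs and HMIs
    "cell_b":     ipaddress.ip_network("10.31.2.0/24"),  # L1/L2: line B PLCs and HMIs
}
CELLS = {"cell_a", "cell_b"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    purpose: str  # a rule with no documented purpose should not exist


# Explicit allow list (assumed flows). Anything not matched is denied in both directions.
ALLOW = [
    Rule("site_ops", "idmz", "tcp", 443, "historian pushes to the DMZ mirror used by ERP/analytics"),
    Rule("enterprise", "idmz", "tcp", 443, "corporate analytics read the DMZ mirror"),
    Rule("idmz", "site_ops", "tcp", 3389, "vendor jump host in the DMZ to the engineering workstation"),
    Rule("site_ops", "cell_a", "tcp", 502, "engineering workstation programs line A PLCs (Modbus/TCP)"),
    Rule("site_ops", "cell_b", "tcp", 502, "engineering workstation programs line B PLCs (Modbus/TCP)"),
    Rule("cell_a", "site_ops", "tcp", 4840, "line A OPC UA telemetry to the historian"),
    Rule("cell_b", "site_ops", "tcp", 4840, "line B OPC UA telemetry to the historian"),
]


def zone_of(ip):
    """Name of the zone containing ip, or None if it is outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, dport):
    """Return ("allow", purpose) or ("deny", reason) for a candidate flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside every defined zone"
    if src == dst:
        return "allow", f"intra-zone traffic inside {src}"
    for rule in ALLOW:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (src, dst, proto, dport):
            return "allow", rule.purpose
    return "deny", f"no documented flow from {src} to {dst} on {proto}/{dport}"


def lint_rules(rules):
    """Flag rules that would undermine the segmentation model itself."""
    problems = []
    for r in rules:
        if not r.purpose.strip():
            problems.append(f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.dport}: no documented business purpose")
        if r.src_zone == "enterprise" and r.dst_zone in CELLS:
            problems.append(f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.dport}: corporate network reaching a cell bypasses the DMZ")
        if r.src_zone in CELLS and r.dst_zone in CELLS:
            problems.append(f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.dport}: cell-to-cell flow defeats micro-segmentation")
        if r.src_zone in CELLS and r.dst_zone == "enterprise":
            problems.append(f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.dport}: OT-to-corporate flow must terminate in the DMZ")
    return problems


if __name__ == "__main__":
    # The "flat network" finding: a finance laptop trying to reach a line A PLC.
    print(evaluate("10.10.5.77", "10.31.1.10", "tcp", 502))
    print(evaluate("10.30.0.20", "10.31.1.10", "tcp", 502))
    print(lint_rules(ALLOW))
```

Running the policy against the flows observed on the real network (from the passive monitoring described in the next section, or from firewall logs) turns "we think we are segmented" into a list of specific flows that either have a documented purpose or need to be blocked.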

2. Monitor OT Traffic Passively

Because active scanning breaks OT, the right monitoring tools use passive techniques. A network tap feeds industrial traffic to a dedicated OT-aware analyzer — Claroty, Nozomi, Dragos, Tenable OT Security, and similar platforms understand Modbus, DNP3, OPC UA, and other industrial protocols. They build a map of devices, baseline normal behavior, and alert when something changes.

Passive monitoring gives you visibility without risk. It doesn’t stop attacks, but it tells you when something anomalous happens — a new device on the OT network, an HMI suddenly sending configuration commands to an unusual PLC, a workstation initiating traffic it has never initiated before.
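The two points above, that Modbus executes whatever it is sent (section "Authentication was an afterthought") and that passive monitoring works by baselining who talks to whom and how, can be shown in a few dozen lines. This is an added example and not code from the post or from any of the vendors it names: it parses the Modbus/TCP MBAP header and function code from captured payloads, learns which (source, destination, unit, function) tuples are normal during a baseline window, and afterwards flags new hosts, flows that never appeared in the baseline, and malformed frames, rating a first-ever write command highest. Every address and frame is constructed sample data.

```python
"""Passive baseline detection for Modbus/TCP traffic (added example, constructed data)."""
import struct
from dataclasses import dataclass, field

WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}      # function codes that change controller state
FUNCTION_NAMES = {1: "read coils", 3: "read holding registers", 5: "write single coil",
                  6: "write single register", 16: "write multiple registers"}


def modbus_frame(unit, function, data, tid=1):
    """Build a Modbus/TCP frame; used here only to construct sample captures."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(data), unit, function) + data


def parse_modbus_tcp(payload):
    """Return MBAP fields and the function code, or raise ValueError if the frame is malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:                 # length field counts unit id + PDU
        raise ValueError("length field disagrees with frame size")
    return {"tid": tid, "unit": unit, "function": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": payload[8:]}


@dataclass(frozen=True)
class Observation:
    src: str
    dst: str
    payload: bytes


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)
    flows: set = field(default_factory=set)      # (src, dst, unit, function)


def learn_baseline(observations):
    base = Baseline()
    for obs in observations:
        try:
            frame = parse_modbus_tcp(obs.payload)
        except ValueError:
            continue                               # malformed frames never become "normal"
        base.hosts.update({obs.src, obs.dst})
        base.flows.add((obs.src, obs.dst, frame["unit"], frame["function"]))
    return base


def detect(baseline, observations):
    """Return one alert per observation that deviates from the learned baseline."""
    alerts = []
    for obs in observations:
        try:
            frame = parse_modbus_tcp(obs.payload)
        except ValueError as exc:
            alerts.append({"src": obs.src, "dst": obs.dst, "function": None,
                           "severity": "medium", "reasons": [f"malformed frame: {exc}"]})
            continue
        fc = frame["function"]
        reasons = []
        if obs.src not in baseline.hosts:
            reasons.append("new host on the OT network")
        if (obs.src, obs.dst, frame["unit"], fc) not in baseline.flows:
            reasons.append(f"new flow: function {fc} ({FUNCTION_NAMES.get(fc, 'other')})")
        if not reasons:
            continue
        if fc in WRITE_FUNCTIONS:
            severity = "high"                      # something new is changing controller state
        elif "new host on the OT network" in reasons:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"src": obs.src, "dst": obs.dst, "function": fc,
                       "severity": severity, "reasons": reasons})
    return alerts


# Constructed capture: engineering workstation, HMI, line A PLC, and a finance laptop
# that should never be able to reach the PLC at all.
ENG_WS, HMI, PLC, LAPTOP = "10.30.0.20", "10.31.1.50", "10.31.1.10", "10.10.5.77"
READ_REGS = b"\x00\x00\x00\x0a"                    # read 10 holding registers from address 0
WRITE_REGS = b"\x00\x10\x00\x01\x02\x00\x2a"        # write one register (value 42) at address 16

BASELINE_CAPTURE = [
    Observation(ENG_WS, PLC, modbus_frame(1, 3, READ_REGS)),
    Observation(HMI, PLC, modbus_frame(1, 3, READ_REGS)),
    Observation(HMI, PLC, modbus_frame(1, 16, WRITE_REGS)),
]
MONITOR_CAPTURE = [
    Observation(ENG_WS, PLC, modbus_frame(1, 3, READ_REGS)),                 # normal
    Observation(HMI, PLC, modbus_frame(1, 16, WRITE_REGS)),                  # normal
    Observation(LAPTOP, PLC, modbus_frame(1, 16, WRITE_REGS)),               # unknown host writing
    Observation(ENG_WS, PLC, modbus_frame(1, 5, b"\x00\x01\xff\x00")),       # known host, first coil write
    Observation(HMI, PLC, b"\x00\x01\x00\x01\x00\x06\x01\x03" + READ_REGS),  # protocol id 1: malformed
]

if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE_CAPTURE), MONITOR_CAPTURE):
        print(alert)
```

The detector never sends a packet; it only reads what a tap or SPAN port delivers, which is the property that makes it safe next to a controller that a vulnerability scanner would freeze. The commercial platforms add protocol depth, asset inventories and tuning, but the core idea is this baseline-and-deviate loop.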

3. Control Remote Access

Vendor and third-party remote access is a high-probability compromise vector. The controls are straightforward:

  • Route all remote access through a documented jump host, not direct VPN to the plant
  • Require multi-factor authentication for every remote session
  • Log every session to video or at minimum command-level audit logs
  • Use time-limited, request-based access rather than always-on accounts
  • Rotate credentials on a schedule, not on a vendor’s convenience

Many manufacturers implement this through a dedicated remote access broker (Claroty Secure Remote Access, Dispel, Cyolo, and similar). The specific tool matters less than the discipline.
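What that discipline looks like as a decision rule, as an added example and not code from the post or from any of the brokers it names: a session is allowed only against an approved, ticketed grant that is inside its time window, arrives through the jump host, and has completed MFA; every decision lands in an audit trail; and a separate check lists accounts whose credentials have outlived the rotation window. The vendor names, addresses, ticket ids and the 90-day window are constructed assumptions.

```python
"""Request-based, time-limited vendor access with auditing (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ROTATION_WINDOW = timedelta(days=90)   # assumed policy value
JUMP_HOST = "10.20.0.10"               # assumed: the broker/jump host in the industrial DMZ


@dataclass(frozen=True)
class Grant:
    vendor: str
    account: str
    target: str          # the single OT host the vendor may reach
    ticket: str          # maintenance/change ticket that justified the request
    approved_by: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class SessionRequest:
    account: str
    target: str
    source_ip: str
    mfa_verified: bool
    at: datetime


@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def record(self, req, grant, event):
        self.entries.append({"time": req.at.isoformat(), "account": req.account,
                             "target": req.target, "source": req.source_ip,
                             "ticket": grant.ticket if grant else None, "event": event})


def authorize(req, grants, audit):
    """Return (allowed, reason). Every outcome, allowed or not, is written to the audit trail."""
    if req.source_ip != JUMP_HOST:
        audit.record(req, None, "denied: not via jump host")
        return False, "sessions must originate from the jump host, not direct VPN"
    if not req.mfa_verified:
        audit.record(req, None, "denied: MFA not completed")
        return False, "multi-factor authentication required"
    for g in grants:
        if g.account == req.account and g.target == req.target and g.start <= req.at < g.end:
            audit.record(req, g, "session opened")
            return True, f"grant {g.ticket} approved by {g.approved_by}, expires {g.end.isoformat()}"
    audit.record(req, None, "denied: no active grant")
    return False, "no approved, time-valid grant for this account and target"


def stale_credentials(last_rotated, now):
    """Accounts whose credentials are older than the rotation window."""
    return sorted(acct for acct, when in last_rotated.items() if now - when > ROTATION_WINDOW)


def demo():
    """Constructed scenario: one four-hour grant, three session attempts, one stale account."""
    t0 = datetime(2026, 4, 21, 9, 0, tzinfo=timezone.utc)
    grants = [Grant("Acme Drives", "acme-svc-01", "10.30.0.20", "CHG-1042",
                    "plant.engineering", t0, t0 + timedelta(hours=4))]
    audit = AuditTrail()
    results = [
        authorize(SessionRequest("acme-svc-01", "10.30.0.20", JUMP_HOST, True,
                                 t0 + timedelta(minutes=30)), grants, audit),   # inside window
        authorize(SessionRequest("acme-svc-01", "10.30.0.20", "203.0.113.9", True,
                                 t0 + timedelta(minutes=40)), grants, audit),   # direct VPN path
        authorize(SessionRequest("acme-svc-01", "10.30.0.20", JUMP_HOST, True,
                                 t0 + timedelta(hours=5)), grants, audit),      # grant expired
    ]
    stale = stale_credentials({"acme-svc-01": t0 - timedelta(days=400),
                               "otherco-svc-02": t0 - timedelta(days=10)}, t0)
    return results, audit.entries, stale


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The point of the grant object is that access is a record with an owner, a reason and an end time, rather than a credential that exists until someone remembers to delete it.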

4. Protect What You Can’t Patch

When a PLC runs unpatchable firmware, you cannot close the vulnerability. You can make it unreachable. Segmentation handles the broad case. For specific legacy devices, consider:

  • Application allowlisting on adjacent workstations so only approved software can talk to the controller
  • Unidirectional gateways (data diodes) that let information flow out for monitoring but prevent any flow in
  • Host-based protections on Windows HMIs using tools that don’t require agent installation on the controllers themselves
  • Compensating documentation so auditors understand the control strategy

5. Back Up the OT Side

PLC logic, HMI project files, SCADA configurations, historian databases — back them up, version them, and test restores. A ransomware incident that wipes out an HMI project file takes a plant down for days if no one has a backup. It takes hours if someone does. Include OT assets in the organization’s backup strategy, not in a separate silo the vendor manages on their timeline.
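"Back them up, version them, and test restores" is three separate things, and the third is the one that gets skipped. The following added example (not the post's code and not any OT vendor's backup tool) snapshots a directory of PLC logic exports, HMI project files and SCADA configs into a versioned store with a SHA-256 manifest, restores a chosen version, and verifies the restore file by file. demo() runs the whole cycle in a temporary directory on constructed sample files, including a deliberately corrupted restore so the verification path is exercised; the directory layout and file names are assumptions.

```python
"""Versioned OT project backups with restore verification (added example, constructed data)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source, store, label=None):
    """Copy every file under source into store/<label>/files and write a hash manifest."""
    source, store = Path(source), Path(store)
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = store / label
    files = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / "files" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        files[rel] = sha256_of(path)
    manifest = {"label": label, "created": datetime.now(timezone.utc).isoformat(), "files": files}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return dest


def versions(store):
    """Snapshot labels present in the store, oldest first (labels default to UTC timestamps)."""
    return sorted(p.name for p in Path(store).iterdir() if (p / "manifest.json").exists())


def restore(version_dir, target):
    """Copy a snapshot's files back into target, a rebuilt engineering workstation for instance."""
    shutil.copytree(Path(version_dir) / "files", Path(target), dirs_exist_ok=True)
    return Path(target)


def verify(restored, version_dir):
    """Return a list of problems; an empty list means every file matches the manifest."""
    manifest = json.loads((Path(version_dir) / "manifest.json").read_text())
    problems = []
    for rel, expected in manifest["files"].items():
        path = Path(restored) / rel
        if not path.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo():
    """Full cycle on constructed files; returns (clean_problems, tampered_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "engineering_ws"
        (src / "plc").mkdir(parents=True)
        (src / "hmi").mkdir()
        (src / "plc" / "line_a_logic.xml").write_text("<constructed-plc-export/>")
        (src / "hmi" / "line_a.project").write_bytes(b"\x00\x01constructed hmi project")
        (src / "scada_config.ini").write_text("[historian]\nhost=10.30.0.5\n")
        version = snapshot(src, tmp / "ot_backups", label="v1")
        restored = restore(version, tmp / "rebuild")
        clean = verify(restored, version)
        (restored / "plc" / "line_a_logic.xml").write_text("corrupted")  # simulate a damaged restore
        tampered = verify(restored, version)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The restore test is the part worth scheduling: a manifest that verifies against a freshly restored directory is evidence that the plant can be rebuilt from the archive, and a mismatch found in a drill costs nothing compared with one found during an incident.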

The Leadership Question

OT security rarely fails because the technology is unavailable. It fails because nobody owns the problem. Plant engineering says security is IT’s job. IT says they don’t understand PLCs. The CISO has never been inside the plant. The vendor said the system was secure when they installed it.

Bridging the IT/OT gap is as much an organizational problem as a technical one. It requires:

  • A named owner with authority over both IT and OT security decisions — often a virtual CISO or fractional CIO role at the mid-market level
  • A documented risk framework that covers production downtime and safety, not just data confidentiality
  • Change management processes that include OT systems, not just IT assets
  • A tabletop exercise calendar that includes manufacturing-specific scenarios (production ransomware, supply chain compromise of industrial equipment, third-party VPN misuse)

For Texas manufacturers with 20 to 500 employees, this is almost always the hardest part. There isn’t a full-time CISO. The plant manager knows the equipment but not the threat landscape. The IT team knows the threat landscape but can’t be inside the plant every week. The fix is usually to bring in fractional security leadership that can operate across both worlds, then build the organizational muscle to sustain the program after the initial gap is closed.

Bottom Line

OT security isn’t a matter of buying the right tool and pointing it at the shop floor. It’s a matter of recognizing that IT and OT operate under different constraints, building a program that respects both, and closing the gap between them with segmentation, passive monitoring, controlled remote access, and named ownership.

The manufacturers who treat this as a strategic problem — not a project — tend to come out of the convergence wave with stronger operations and fewer incidents than the ones that wait until a ransomware hit forces the conversation.

If you want a structured look at where your current OT/IT posture stands, start with GXA’s manufacturing industry page or schedule a consultation. And if SB 2610 compliance is on your radar — it should be, for any Texas manufacturer under 250 employees — our recent SB 2610 safe harbor guide walks through how OT security fits into the tiered framework requirements.


Written by George Makaye, CISSP, President & CEO, GXA | 21+ years IT leadership

Published April 21, 2026
