A factory is not an office. Why do IT methods fail in manufacturing security and how to do it right?

Many industrial companies still labor under the misconception that traditional IT security measures are sufficient to protect critical production infrastructure from paralysis. However, in the age of integrated networks, precise OT segmentation is the only effective barrier capable of preventing a hacker attack from physically destroying machines.


The times of the “Air Gap” – of physically cutting off production from the Internet – are definitely over. The digitisation of industrial plants represents a leap in productivity, but at the same time opens doors that were previously tightly closed. However, many companies are making a cardinal mistake: they are attempting to secure production halls with the same methods as accounting departments. In the world of OT (Operational Technology), however, it is not just data that is at stake, but the physical security of machines and business continuity.

Modern industry is an interconnected system. Industrial automation used to live in its own isolated world. Today, the network of production facilities is inextricably intertwined with IT systems. This is a business necessity, but from a cyber security perspective – a nightmare. The enlarged attack surface means that hackers don’t have to force their way through the factory walls. All they need to do is find an ajar digital window.

The domino effect: from phishing to halting the line

The biggest threat to industry today is what is known as lateral movement. The scenario is usually similar: an attacker gains access to a less secure office (IT) network – for example, via an infected email in the HR department. In a traditional flat network structure, the path from the office to the production floor stands open.

The consequences of such a ‘breakthrough’ into the OT zone are devastating. Unlike IT, where an attack usually means data theft or server downtime, in OT the consequences are physical. Production lines stop, raw materials spoil and the company loses its ability to generate revenue in real time.

A clear, sad example of this mechanism is the story of the napkin manufacturer Fasana. A ransomware attack that started in the IT systems paralysed production. The chain effect was merciless: the lack of production led to a loss of liquidity and ultimately to the insolvency of the company. This case should be a red light for every chief operating officer: cyber security is the foundation of financial stability today.

Three myths that put people to sleep

Implementing security in industry often comes crashing down due to a misunderstanding of the specifics of OT. Here are three of the most common myths that lead to wrong investment decisions.

Myth 1: “We have firewalls and VLANs, so we are safe”.

This is an approach from the 1990s. Classical IT segmentation mainly serves to optimise network traffic. In industry, this is not enough. Putting up a firewall is not enough if we do not understand the specifics of industrial protocols. Effective OT segmentation must be based on so-called *whitelisting*. This means reversing the logic: instead of blocking what is known to be bad, we block everything and only let through traffic that is essential to the technological process. Communication must not only be visible, but also strictly controlled.

Myth 2: “Segmentation will slow down my production”.

This is the biggest concern of plant engineers. There is a belief that additional layers of security will introduce delays (latency) that will interfere with precision machinery. In reality, well-designed segmentation acts like watertight bulkheads on a ship. It increases the resilience of the system. In the event of a failure or attack in one section, the problem is isolated and does not spill over to the entire plant. Instead of disrupting processes, segmentation protects them from unwanted interventions.

Myth 3: “We do it once and have peace of mind”.

A factory is a living organism. Machines are upgraded, new IoT sensors are added, processes change. Treating segmentation as a one-off ‘implement and forget’ project is asking for trouble. What is required is a dynamic concept that keeps up with the evolution of the network over decades of systems operation.

How to implement segmentation and not ‘blow up’ production?

The key to success is not the purchase of the most expensive equipment, but the operating methodology. The implementation of OT segmentation must be different from IT implementations.

Firstly: Passive inventory

You can’t protect something you don’t know exists. A full inventory of assets is the basis. However, in the OT world, active network scanning, familiar from IT, cannot be used, as older PLCs may not tolerate it and can halt machine operation. So passive traffic analysis is used instead: tools listen to the network without interfering, identifying devices and protocols.

Second: Flow Mapping

Before we put up any barriers, we need to understand who is ‘talking’ to whom. Analysing the actual communication relationships allows us to design safety zones that reflect the real production process, rather than a theoretical scheme from the documentation (which is often outdated).

Third: Standards (ISA/IEC 62443)

There is no need to break down an open door. The leading reference framework for OT security, the ISA/IEC 62443 standard, introduces the concepts of Zones and Conduits.

  • Zones group resources with similar levels of risk (e.g. a separate zone for control systems, a separate zone for monitoring).
  • Conduits are controlled communication paths between these zones.

Each zone is given a target security level (SL – Security Level), tailored to its criticality. The ERP system does not need to be protected in the same way as the smelter furnace controller, but communication between the two must be strictly rationed.
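The following is an added example, not code from the original article: it ties together the whitelisting idea from Myth 1, the flow mapping step and the zones-and-conduits model above. Zones are expressed as subnets, conduits as the only permitted inter-zone flows, and a handful of constructed flow records (of the kind a passive sensor would report) are audited against that default-deny policy; all zone names, addresses and ports are assumptions for illustration.

```python
"""Added example (not from the original article): a default-deny conduit
policy in the ISA/IEC 62443 zones-and-conduits style, checked against flow
records as a passive sensor would report them. Everything below is constructed."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Zones: which subnets belong to which zone (constructed addressing).
ZONES = {
    "it_office": ipaddress.ip_network("10.10.0.0/16"),
    "dmz_historian": ipaddress.ip_network("10.20.1.0/24"),
    "ot_supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "ot_control": ipaddress.ip_network("192.168.20.0/24"),
}

# Conduits: the only inter-zone flows permitted (whitelisting). Anything not
# listed is blocked, so there is no office -> control path at all.
CONDUITS = {
    ("it_office", "dmz_historian", "tcp", 443),       # ERP reads reports over HTTPS
    ("dmz_historian", "ot_supervisory", "tcp", 4840),  # historian pulls OPC UA from SCADA
    ("ot_supervisory", "ot_control", "tcp", 502),      # SCADA -> PLC, Modbus/TCP
}

def zone_of(ip):
    """Map an address to its zone; anything outside the inventory is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow):
    """'allow' for intra-zone traffic or a listed conduit, 'deny' otherwise."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == dst and src != "unknown":
        return "allow"
    return "allow" if (src, dst, flow.proto, flow.dport) in CONDUITS else "deny"

def audit(flows):
    """Flow mapping: every observed flow the policy would cut, for engineers to
    confirm it is not part of the process before enforcement is switched on."""
    return [f for f in flows if evaluate(f) == "deny"]

OBSERVED = [  # constructed records, as a passive sensor would report them
    Flow("192.168.10.5", "192.168.20.11", "tcp", 502),  # SCADA polling a PLC
    Flow("10.20.1.4", "192.168.10.5", "tcp", 4840),     # historian pulling OPC UA
    Flow("10.10.3.77", "192.168.20.11", "tcp", 502),    # office host -> PLC
    Flow("10.10.3.77", "192.168.10.5", "tcp", 3389),    # office RDP into SCADA
]
DENIED = audit(OBSERVED)  # the two office-originated flows, both lateral paths
```

Running the audit before enforcing the policy is the flow-mapping step in practice: each denied flow is either a missing conduit that the process genuinely needs, or a path that should never have existed.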

The ‘Legacy’ problem and legal requirements

The industry is facing a problem of technical debt. The halls are still running machines controlled by systems that date from the beginning of the century (e.g. Windows XP). They cannot be updated and it is economically unjustifiable to replace them. Segmentation is their only salvation – it allows such assets to be surrounded by a ‘digital cordon sanitaire’, enabling them to work safely in a modern networked environment.

An additional motivator is regulation, such as the NIS2 directive. The new regulations place great emphasis on limiting the spread of incidents and controlling access. Segmentation is therefore no longer just a good engineering practice, but is becoming a necessary element to achieve compliance.

Resilience as a strategy

Protecting industrial sites is no longer a purely technical task. It is a strategic responsibility of management.

OT segmentation is becoming fundamental to business resilience. The trend is towards integrating these activities with continuous monitoring solutions and a factory-specific Zero Trust model. Investing in logical network segmentation is an insurance policy that, at a critical moment, can determine whether a company survives a cyber attack or becomes another sad example in the industry statistics.
