
In the first blog of this series, we explored how digital transformation is dissolving the traditional security perimeter in manufacturing, creating a new, complex landscape of exposures across information technology (IT), operational technology (OT), and the Internet of Things (IoT). As IT, OT and Industrial IoT (IIoT) collide, the manufacturing attack surface has exploded.
This blog will dive deeper, unmasking the hidden threats and specific types of exposures that now target each layer of your converged industrial stack, as defined by the Purdue Model. We’ll explore specific OT/IIoT exposures across the Purdue Model and learn how Continuous Threat Exposure Management keeps production running.
A deeper dive into converged threat vectors
The Purdue Model (Levels 0-4) has long served as the architectural framework for industrial control systems (ICS), emphasizing segmentation between IT (Level 4) and OT (Levels 0-3). However, modern manufacturing initiatives are actively connecting these previously isolated layers, creating new pathways and exposures that attackers are quick to exploit.
Hadrian’s 2024 data shows that 29% of all critical exposures in manufacturing originate in Levels 3–3.5, while injection flaws in web-exposed ERP/MES portals account for 57% of validated exploits.
Level 4 (Enterprise Zone) and Level 3.5 (Demilitarized Zone, DMZ)
These layers, traditionally the domain of IT, are increasingly connected to OT for real-time data, remote access, and cloud integration. Exposures here include misconfigured cloud-based Manufacturing Execution Systems (MES) or Enterprise Resource Planning (ERP) portals, and unsecured remote access points for supply chain partners. Attackers target these internet-facing business applications, web logins, and Application Programming Interfaces (APIs) connected to backend systems. A compromised laptop at Level 4, or a phishing campaign targeting IT personnel with OT access, can now become the initial foothold for pivoting into deeper industrial layers.
Level 3 (Industrial Security Zone)
This critical layer often bridges OT to IT. Exposures here arise from production control systems, process historians, and domain controllers that become internet-accessible due to remote maintenance needs or cloud connectivity. Threats include misconfigured remote access points (e.g., Virtual Private Networks (VPNs), Remote Desktop Protocol (RDP)) or insecure APIs that, if exploited, allow direct manipulation of industrial processes. Attackers also seek out vendor-supplied equipment with default or weak credentials, which can be leveraged as pivots into the core OT network.
DNS: the forgotten junction box
Hadrian’s 2024 research shows that CNAME misconfigurations alone account for 26% of all validated manufacturing risks, overtaking exposed RDP for the first time. Attackers exploit them to hijack supplier portals and pivot into Level 3 assets. Fixing DNS may be the cheapest OT risk reduction you make this year.
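The CNAME problem described above is usually a dangling record: an alias that still points at a supplier or SaaS hostname that no longer resolves, or a chain of aliases that loops. The following is an added example, not Hadrian's tooling or code from this post, that parses a constructed zone export for a fictitious plant domain and flags such records. The zone contents, the hostnames and the `sample_resolver` lookup table are all constructed; `live_resolver` is an optional stdlib hook for running the same check against real DNS.

```python
"""Dangling-CNAME detector for a DNS zone export (added example, constructed data)."""
import socket
from typing import Callable

Record = tuple[str, str, str]  # (owner, rtype, rdata)

# Constructed zone export for a fictitious plant domain; .test names never resolve.
SAMPLE_ZONE = """\
; owner                               type   rdata
example-plant.test.                   A      203.0.113.10
www.example-plant.test.               CNAME  example-plant.test.
mes.example-plant.test.               CNAME  mes-prod.cloud-host.test.
supplier-portal.example-plant.test.   CNAME  portal-old.vendor-saas.test.
remote.example-plant.test.            CNAME  vpn.example-plant.test.
vpn.example-plant.test.               CNAME  remote.example-plant.test.
"""

# Constructed stand-in for DNS: only this external target still "exists".
KNOWN_EXTERNAL = {"mes-prod.cloud-host.test"}


def normalize(name: str) -> str:
    """Strip the trailing dot and lower-case so names compare consistently."""
    return name.rstrip(".").lower()


def parse_zone(text: str) -> list[Record]:
    """Parse 'owner type rdata' lines; ';' starts a comment."""
    records: list[Record] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        rtype = rtype.upper()
        if rtype == "CNAME":
            rdata = normalize(rdata)
        records.append((normalize(owner), rtype, rdata))
    return records


def sample_resolver(name: str) -> bool:
    """Offline resolver used by the example: True if the name 'resolves'."""
    return name in KNOWN_EXTERNAL


def live_resolver(name: str) -> bool:
    """Real lookup via the system resolver (not used by the offline run)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(records: list[Record],
                         resolves: Callable[[str], bool],
                         max_hops: int = 8) -> dict[str, str]:
    """Return {owner: reason} for CNAMEs that loop, run too long, or end at an
    external name that does not resolve. A chain that ends at a non-CNAME
    record inside the zone is considered healthy."""
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    in_zone = {o for o, t, _ in records if t != "CNAME"}
    findings: dict[str, str] = {}
    for owner, target in cnames.items():
        seen = {owner}
        hop = target
        reason = None
        for _ in range(max_hops):
            if hop in seen:
                reason = f"CNAME loop via {hop}"
                break
            seen.add(hop)
            if hop in in_zone:
                break                      # terminates at a record we control
            if hop in cnames:
                hop = cnames[hop]          # follow the alias chain in-zone
                continue
            if not resolves(hop):          # left the zone: ask the resolver
                reason = f"target {hop} does not resolve"
            break
        else:
            reason = f"chain longer than {max_hops} hops"
        if reason:
            findings[owner] = reason
    return findings


if __name__ == "__main__":
    for owner, why in find_dangling_cnames(parse_zone(SAMPLE_ZONE), sample_resolver).items():
        print(f"{owner}: {why}")
```

Running this against the constructed zone flags `supplier-portal` (target gone) and the `remote`/`vpn` pair (loop), while `www` and `mes` pass. One caveat for production use: a target that still resolves is not proof the alias is safe. Many hosting providers answer for any name under their domain with a wildcard, so a deprovisioned tenant still resolves and the record remains claimable; confirming that requires a provider-specific check on top of the resolution test shown here.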
Level 2 (Cell/Area Zone)
This level involves supervisory control and human-machine interfaces (HMIs), where operators interact directly with industrial processes. Exposures here can stem from weaknesses in HMIs, malware on engineering workstations that could pivot to deeper OT levels, or social engineering tactics targeting operators to gain access or deploy malicious code.
Injection is still king
Despite years of secure-coding drives, nearly 60% of critical exposures validated in 2024 were classic injection flaws (SQLi, XSS, command injection), found in web-exposed MES portals or bespoke APIs. These are the soft underbelly that links Level 4 dashboards to Level 2 HMIs.
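To make the SQL injection case concrete, here is an added example (not code from this post or from any MES product) of a work-order lookup as it often appears in a bespoke portal, beside the hardened form. The in-memory SQLite table and the work-order IDs are constructed; the `WO-` ID format is an assumed convention for the example.

```python
"""Work-order lookup: injectable string-built SQL vs. allowlist + parameterized query."""
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed MES-style table with three work orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE work_orders (id TEXT PRIMARY KEY, line TEXT, recipe TEXT)")
    conn.executemany(
        "INSERT INTO work_orders VALUES (?, ?, ?)",
        [("WO-1001", "line-a", "recipe-7"),
         ("WO-1002", "line-b", "recipe-3"),
         ("WO-1003", "line-a", "recipe-9")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, work_order_id: str) -> list[tuple]:
    """The 'before': caller input is spliced into the SQL text, so a quote in the
    input changes the query instead of being treated as data."""
    sql = f"SELECT id, line, recipe FROM work_orders WHERE id = '{work_order_id}'"
    return conn.execute(sql).fetchall()


# Assumed ID convention for the example: 'WO-' followed by 4 to 8 digits.
WORK_ORDER_ID = re.compile(r"WO-\d{4,8}")


def lookup_hardened(conn: sqlite3.Connection, work_order_id: str) -> list[tuple]:
    """The 'after': reject anything outside the expected shape, then bind the
    value as a parameter so the driver never interprets it as SQL."""
    if not WORK_ORDER_ID.fullmatch(work_order_id):
        raise ValueError("invalid work order id")
    return conn.execute(
        "SELECT id, line, recipe FROM work_orders WHERE id = ?", (work_order_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_vulnerable(db, "WO-1001"))        # one row, as intended
    print(lookup_vulnerable(db, "' OR '1'='1"))    # every row: the WHERE clause was rewritten
    print(lookup_hardened(db, "WO-1002"))          # one row
    try:
        lookup_hardened(db, "' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)                     # never reaches the database
```

The parameterized query is the fix; the allowlist in front of it is defense in depth and doubles as a cheap detection signal, since a portal that logs `ValueError` rejections on this field will surface probing long before anything reaches the database.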
Levels 1 (Basic Control) and 0 (Process)
These foundational levels comprise sensors, drives, actuators, robots, and Programmable Logic Controllers (PLCs). Exposures at these levels include exploiting known vulnerabilities in unpatched PLCs, insecure Industrial Internet of Things (IIoT) devices (e.g., smart sensors on the factory floor), or even physical tampering enabled by cyber access. An internet-exposed IIoT device at Level 0 or Level 1, if unsecured, can inadvertently create a direct entry point for an attacker. The average IoT device harbors 25 vulnerabilities, making these often-unmanaged assets particularly susceptible.
Why proactive measures are non-negotiable
For manufacturers, the consequences of these overlooked exposures extend far beyond data loss or financial penalties. A breach that exploits an OT/IIoT exposure can have severe physical consequences, directly impacting business continuity and safety:
Downtime
Ransomware attacks, which account for over 70% of attacks against manufacturers, can halt entire production lines, leading to massive revenue losses and missed deadlines. The industrial sector is highly sensitive to operational downtime, with the average cost of a data breach rising by $830,000 in 2024, according to IBM’s 2024 report. Additionally, malicious code or commands can cause physical damage to machinery and industrial equipment.
Safety and intellectual property
Compromised control systems could lead to unsafe operational conditions for personnel, making security of paramount importance. Beyond that, unmanaged exposures can provide pathways for adversaries to steal valuable IP, including designs and proprietary processes, eroding competitive advantage. This is a particularly high-value target for sophisticated state-sponsored actors.
Regulatory fines
Failure to secure these environments can result in significant financial penalties and reputational damage under strict industry mandates, such as National Institute of Standards and Technology (NIST) 800-82 and International Electrotechnical Commission (IEC) 62443. Regulatory pressure is increasing, with new directives like the Network and Information Security 2 (NIS2) Directive and the Digital Operational Resilience Act (DORA) requiring significant investment in compliance.
These high stakes demand a fundamental shift from reactive security to proactive prevention.
Getting ahead of the attackers
For manufacturing CISOs, the solution lies in adopting an offensive security mindset. This means proactively identifying and neutralizing exposures before they can be exploited, rather than waiting for an incident to occur. It is about understanding the environment as an attacker would, and continuously testing defenses to find the weaknesses that matter most. Key strategies for proactive defense include:
Continuous Discovery (ASM)
This is the foundational step. Manufacturers must continuously discover and inventory all internet-facing assets across their sprawling, often decentralized, sites. This includes shadow IT, forgotten domains, and newly connected IIoT devices that often fall outside traditional visibility. Without a complete, real-time map of your external footprint, you cannot defend it.
Adversarial Exposure Validation (AEV)
Beyond simply identifying exposures, AEV actively emulates real-world attacker behavior to confirm if an exposure is truly exploitable in a live production environment. This is crucial for distinguishing between theoretical vulnerabilities and actual threats that could lead to downtime or IP theft. It cuts through alert noise and allows teams to prioritize effectively.
Targeted OT and IoT Visibility and Validation
Specialized solutions are needed to gain crucial visibility into internet-facing IoT and OT assets. These solutions detect misconfigurations and vulnerabilities unique to industrial control systems, preventing lateral movement into sensitive production networks.
Third-Party and Supply Chain Exposure Mitigation
Given the reliance on complex supply chains, manufacturers must extend their security focus beyond their direct control. Proactive solutions identify and monitor exposures within third-party vendor systems and partner integrations, preventing them from becoming a weak link that introduces cascading exposures.
Intellectual Property Protection
Proactive offensive security directly contributes to safeguarding valuable Intellectual Property. By continuously identifying and validating exposures that could lead to data exfiltration, manufacturers can protect their designs, processes, and trade secrets from cybercriminals and state-sponsored actors.
Compliance Reporting Automation
With increasing regulatory pressure, manufacturers need solutions that streamline compliance efforts by providing automated reporting and clear evidence of continuous security posture improvement. This helps avoid fines and demonstrates due diligence to regulators.
Proactivity keeps production running
Relying on security models designed for a bygone era of segmented networks is no longer sufficient for manufacturers. The convergence means every internet-facing OT or IoT device is a potential entry point. The solution lies not in more reactive tools, but in a proactive, offensive security strategy that continuously maps, validates, and prioritizes exposures from an attacker's perspective. By adopting this approach, manufacturers can build truly secure systems, ensure uninterrupted operations, protect their intellectual property, and navigate the complexities of digital transformation with confidence.