Why manufacturing CISOs cannot ignore their OT/IoT blind spots

In the relentless pursuit of efficiency and innovation and in response to the challenges of recent years, modern manufacturing is undergoing a profound digital transformation. The promise of smart factories, digital twins, and advanced automation is undeniable, offering unprecedented levels of productivity and insight. Yet, this rapid digitization brings with it an unseen downside: it fundamentally reshapes the cybersecurity landscape, creating a new set of complex exposures that demand a radical rethink in defense strategy.

For CISOs and their SOC teams in manufacturing, the challenge is clear: the traditional security perimeter has dissolved. Digitalization is creating dangerous blind spots in connected factories, and adversaries are actively seeking them out. This blog explores how the convergence of information technology (IT), operational technology (OT), and the Internet of Things (IoT) is redefining what it means to secure a modern manufacturing enterprise.

Understanding the Purdue Model

Historically, industrial control systems (ICS) and OT environments were designed with robust segmentation and physical isolation in mind. The Purdue Model, a widely recognized architectural framework, illustrates this traditional, layered approach to industrial automation and control:

Level 5 (Enterprise Zone): Represents the business IT network, handling activities like email, intranet, and enterprise applications.
Level 4 (Demilitarized Zone (DMZ)): This layer, often isolated by firewalls, manages site business planning and logistics, acting as a buffer between enterprise IT and industrial zones.
Level 3 (Industrial Security Zone): Focuses on site manufacturing operations and control, including production control and optimizing systems.
Level 2 (Cell/Area Zone): Deals with supervisory control and human-machine interfaces (HMIs).
Level 1 (Basic Control): Involves batch, discrete, sequence, continuous, and hybrid controls directly interacting with the physical process.
Level 0 (Process): Comprises the physical sensors, drives, actuators, and robots that directly manipulate the manufacturing process.

This model traditionally emphasized strict segmentation between IT (Levels 4-5) and OT (Levels 0-3), with the DMZ as clear demarcation points. Security efforts largely focused on protecting data within the enterprise IT network, assuming the lower levels were inherently secure due to air gaps or physical isolation.

The convergence blurs the lines

Today, that clear line in the sand is blurring. Modern initiatives are actively connecting these previously isolated layers, driven by the desire for real-time data, remote access, and integrated operations:

Cloud integration: Manufacturing execution systems (MES) and enterprise resource planning (ERP) systems are moving to the cloud, demanding connectivity with OT systems. This creates new pathways between Level 5 and Level 4, and potentially down to Level 3, introducing exposures in publicly accessible cloud environments.

Remote access for OT: Supply chain partners and maintenance teams require remote access to industrial control systems, often bypassing traditional physical controls. This introduces connections from Level 4 (DMZ) or even directly into Level 3 (Industrial Security Zone), making these remote access points prime targets for external adversaries.

Industrial IoT (IIoT) sensors: Billions of IIoT devices are deployed to monitor and optimize production, directly connecting physical processes (Level 0 and Level 1) to IT networks and the internet. These devices, often residing at Level 0, 1, or 2, create new external exposures if not properly secured from the outside.

Third-party vendor access: Vendors often have persistent access to industrial systems for support or updates, extending the attack surface beyond direct organizational control and potentially impacting Levels 3, 4, and 5 as their networks become pathways.

This pervasive connectivity means that a compromised laptop at Level 4, once a relatively contained IT incident, can now potentially reach a programmable logic controller (PLC) at Level 1. An internet-exposed IIoT device at Level 0 or Level 1, like a smart sensor on a production line, inadvertently creates a direct entry point for an attacker if left unsecured. The strict segmentation envisioned by the Purdue Model is being eroded by pervasive digital transformation.

The rise of the invisible attack surface

Many of these new connections, particularly when driven by staggered IoT deployments or uneven digital transformation efforts across multiple manufacturing sites, create a new class of exposures that are often invisible to traditional security tools. These include:

Shadow IT in OT/IIoT: Local teams or vendors deploy devices or connections for convenience, bypassing central IT oversight. These unmanaged assets, which can exist across Purdue Model Levels 3, 4, and 5, become critical blind spots for CISOs. This is a major concern as nearly 60% of manufacturing CISOs lack confidence in their OT and IoT threat detection capabilities.

Forgotten assets: Older industrial systems or test environments, never designed for internet exposure, remain online and connected, forgotten by IT asset inventories. These could be legacy MES dashboards in Level 3, older supply chain portals in Level 4, or decommissioned enterprise applications at Level 5.

Misconfigured cloud connections: Cloud services bridging IT and OT are often misconfigured, leaving critical interfaces or data buckets openly accessible from the internet at Level 5.

Attackers are actively looking for these unseen pathways. They are not trying to "break in" through the hardened enterprise firewall; they are finding the "unlocked doors" in the OT or IIoT space that were never meant to be external. This means the DMZ (Level 4) and Industrial Security Zone (Level 3) are no longer just internal buffers but potentially porous boundaries from an external attacker's perspective.

The physical stakes of cybersecurity

For manufacturers, the consequences of these overlooked exposures extend far beyond data loss or financial penalties. A breach that exploits an OT/IIoT exposure can have severe physical consequences, directly impacting business continuity and safety:

Production shutdowns: Ransomware attacks, which account for over 70% of attacks against manufacturers, can halt entire production lines, leading to massive revenue losses and missed deadlines. The average cost of a data breach for the industrial sector rose by an average of $830,000 in 2024, highlighting their sensitivity to operational downtime.
Equipment damage: Malicious code or commands can cause physical damage to machinery and industrial equipment.
Safety hazards: Compromised control systems could lead to unsafe operational conditions for personnel.
Supply chain disruption: An attack on one part of the manufacturing process or a vendor can ripple through the entire supply chain, affecting partners and customers. The IoT or OT environment being impacted in a breach increased the average cost by an additional $218,500.
Intellectual property (IP) theft: Unmanaged exposures can provide pathways for adversaries to steal valuable IP, including designs and proprietary processes, eroding competitive advantage. This is a particularly high-value target for sophisticated state-sponsored actors.
Regulatory fines: Failure to secure these environments can result in significant financial penalties and reputational damage from strict industry mandates, such as National Institute of Standards and Technology (NIST) 800-82 and International Electrotechnical Commission (IEC) 62443. Regulatory pressure is increasing, with new directives like Network and Information Security 2 (NIS2) Directive and Trusted Information Security Assessment Exchange (TISAX) requiring significant investment in compliance.

Relying on security models designed for a bygone era of segmented networks is no longer sufficient for manufacturers. The dissolving perimeter means every internet-facing OT or IoT device is a potential entry point. The first crucial step towards building the most secure systems is acknowledging this new, complex attack surface and proactively mapping every one of its exposures. Without this foundational visibility, manufacturers remain vulnerable to threats that can lead to devastating physical and financial consequences.