- OT (Operational Technology) encompasses all systems that control physical processes — from PLCs and SCADA to industrial robots and building automation.
- Unlike IT, availability comes first in OT. A failure can not only cost money but also endanger human lives.
- NIS2 explicitly requires the inclusion of all relevant systems in risk management. Excluding OT is no longer an option.
- The EU Machinery Regulation 2023/1230 adds cybersecurity requirements for machines with digital elements starting in 2027.
- The first step is an OT asset inventory with criticality ratings, dependencies, and recovery steps for each system.
The Blind Spot in Your ISMS
When you build or operate an ISMS, you have probably inventoried servers, firewalls, laptops, and cloud services. You have policies for passwords, backup strategies, and perhaps even an incident response procedure. But what about the CNC milling machine on the production floor? The PLC that controls the packaging process? The SCADA system that monitors the entire production line?
In many mid-market companies, an invisible boundary exists between what the IT department manages and what the production team is responsible for. This boundary has grown historically, is embedded in organizational structures, and is technically understandable. Unfortunately, an attacker does not care about it.
The reality is: production facilities are networked today. They communicate over Ethernet, use Windows-based operator terminals, exchange data with ERP systems, and are partially maintained remotely. This makes them an attack surface. And that means they belong in the ISMS. Those who do not yet have an ISMS will find a practical guide in the article on building an ISMS.
What Is OT and How Does It Differ from IT?
OT stands for Operational Technology. The term encompasses all hardware and software systems that monitor, control, or regulate physical processes. Specifically, this includes:
- Programmable Logic Controllers (PLC): The workhorses of automation. They control individual machines or plant components according to a programmed sequence. A PLC monitors sensors, processes the data, and switches actuators such as valves, motors, or heaters.
- SCADA Systems (Supervisory Control and Data Acquisition): Higher-level control systems that coordinate multiple PLCs and provide operators with a graphical overview of the entire production process. SCADA systems collect data from the entire plant and enable centralized intervention.
- DCS (Distributed Control Systems): Used primarily in process industries (chemicals, pharmaceuticals, food). They control continuous processes such as temperature regulation, mixing operations, or chemical reactions.
- HMI (Human Machine Interface): The operator panels and screens through which machine operators interact with the control systems. These often run Windows-based software interfaces.
- Industrial Network Components: Managed switches, industrial routers, protocol converters, and gateways that connect and segment OT networks.
- IoT Sensors and Edge Devices: Modern additions to the traditional OT world. Vibration sensors, temperature probes with wireless connectivity, camera systems for quality control.
The Fundamental Difference from IT
In IT security, we talk about the CIA triad: Confidentiality, Integrity, Availability — in that order. In the OT world, the priority is reversed:
| Priority | IT | OT |
|---|---|---|
| 1 (highest) | Confidentiality | Availability |
| 2 | Integrity | Safety (human safety) |
| 3 | Availability | Integrity |
| 4 | - | Confidentiality |
This reversal has massive implications for every security measure. In IT, you can take a compromised system off the network, analyze it, and then bring it back online. In OT, taking it off the network may cause greater damage than the attack itself.
A concrete example: a blast furnace in a steel plant runs continuously. An unplanned shutdown can damage the furnace because the material inside solidifies. Restarting takes weeks and costs millions. Here, a firewall update that causes five minutes of downtime is not trivial — it is a real operational risk.
Additionally, the OT world introduces the aspect of safety. When a control system fails, people can be injured or killed. A manipulated pressure sensor in a chemical plant, a miscontrolled robot axis in assembly, a deactivated safety valve in a steam boiler system — these are not abstract scenarios but documented incidents.
Why OT Security Must Be on the Agenda Now
Three developments make OT security a topic that can no longer be postponed:
1. The Threat Landscape Has Intensified
Ransomware groups have discovered that manufacturing companies are particularly willing to pay. The reason is simple: every hour of production downtime costs real money. For a mid-market machine builder, that can quickly reach EUR 50,000 to 200,000 per day. The willingness to pay a ransom is correspondingly high.
Attack patterns have evolved as well. While early ransomware attacks primarily hit IT systems and only indirectly affected production through the loss of ERP or order management, current campaigns deliberately target OT networks. Malware families like PIPEDREAM (also called INCONTROLLER) were specifically developed for industrial control systems and can directly manipulate PLCs from various manufacturers.
2. NIS2 Requires the Inclusion of All Relevant Systems
The NIS2 directive and the German implementation act make no distinction between IT and OT. Article 21 requires risk management that covers all network and information systems. If you are in manufacturing and fall under NIS2 (from 50 employees or EUR 10 million revenue in regulated sectors such as manufacturing, chemicals, food, or energy), then your production infrastructure belongs within the scope of your ISMS.
The BSI has clarified multiple times in its technical guidelines and guidance documents that limiting the ISMS to traditional IT infrastructure is not sufficient when the company operates OT systems relevant to the provision of critical services.
3. The EU Machinery Regulation 2023/1230 Introduces Cybersecurity Requirements for Machines
Starting January 20, 2027, the new EU Machinery Regulation 2023/1230 replaces the previous Machinery Directive 2006/42/EC. The new regulation contains explicit cybersecurity requirements for machines with digital elements for the first time.
Specifically, this means: machines that contain software or are connected to networks must be designed so that a connection to external devices does not create a hazardous situation. The safety functions of the machine must not be impaired by intentional or unintentional digital interference.
For mid-market machine operators, this has two consequences. First: new machines you purchase from 2027 onward must meet these requirements, and the manufacturer must confirm this through CE marking. Second: your existing machine base does not automatically become secure. You must continue to take your own measures to manage the risks of your networked legacy equipment.
The regulation does not operate in isolation but complements NIS2 and the Cyber Resilience Act. While NIS2 places obligations on operators and the Cyber Resilience Act addresses manufacturers of digital products, the Machinery Regulation closes the gap for mechanical engineering. For companies that both manufacture and operate machines, this creates a regulatory triangle that demands OT security from all sides.
Typical OT Vulnerabilities in Mid-Market Companies
Before you plan measures, it helps to know the typical vulnerabilities that recur in mid-market production environments:
Missing Network Segmentation
The classic issue: IT and OT networks are connected to the same switch. Or there are separate VLANs, but the firewall rules between them are so open that the separation is merely cosmetic. In practice, this means: a compromised office PC can directly access the controls of a production line. Proper network segmentation is the most important first step.
Outdated Operating Systems
PLC programming environments and HMI panels frequently run on Windows 7 or even Windows XP. This is usually not negligence: the machine manufacturer has only certified its software for these operating systems, and an upgrade is often impossible without voiding the manufacturer's warranty or triggering costly recertifications.
Default Passwords and Missing Authentication
Many industrial protocols such as Modbus, Profinet, or EtherNet/IP were developed in an era when network security was not a concern. They simply offer no authentication. Anyone with network access can send control commands. Add to this default passwords on HMI panels and engineering workstations that have never been changed since commissioning.
Uncontrolled Remote Maintenance Access
Machine manufacturers and maintenance service providers regularly require remote access to equipment. This often runs via TeamViewer, VPN connections with shared credentials, or even ports directly reachable from the internet. The connections are not disabled after maintenance, and nobody logs who accesses which system when.
No Patch Management
Software updates for OT systems are complex. They require manufacturer approvals, testing in staging environments (which often do not exist), and planned production shutdowns. As a result, patches are either not applied at all or applied with massive delays. Known vulnerabilities remain open for years.
Missing Monitoring
While SIEM systems, endpoint detection, and network monitoring are standard in the IT world, the OT network is often a black box. There is no logging, no alerting, no anomaly detection. When an attacker is active in the OT network, nobody notices until the plant goes down.
Integrating OT Security into the ISMS: The Roadmap
Integrating OT security into your ISMS does not have to start as a massive project. The following approach has proven effective in practice:
Step 1: Create an OT Asset Inventory
You cannot protect what you do not know. Structured IT asset management forms the foundation here as well. The first and most important step is a complete inventory of all OT assets. For each system, document:
- Basic data: Name, location, manufacturer, model, firmware/software version, IP address (if applicable), network zone
- Criticality: How important is this system to the production process? What happens if it fails? How long does recovery take? Is there redundancy?
- Dependencies: Which other systems are affected if this system fails? Which systems must be running for this system to function? Are there dependencies on IT (ERP, MES, order management)?
- Recovery steps: What exactly must be done to restore this system after a failure? Who can do it? What backups exist? How long does it take?
- Responsibilities: Who is responsible for operations? Who for maintenance? Who has access rights?
This inventory is the foundation for everything that follows. Without it, you cannot perform a meaningful risk assessment or plan effective measures. In ISMS Lite, OT assets can be documented with criticality ratings, dependency chains, and recovery steps, so that all relevant information is available in one place during an emergency.
Step 2: Expand the ISMS Scope
If your ISMS has so far only covered IT infrastructure, you must formally expand the scope. This means: the OT systems are named in the scope document, the relevant locations and processes are included, and responsibilities are adjusted.
You do not have to include everything at once. A pragmatic approach is to start with the most critical OT systems — those whose failure would cause the greatest damage. These are typically the central SCADA systems and the PLCs that control safety-relevant functions.
Step 3: Conduct an OT-Specific Risk Assessment
The risk assessment for OT systems follows the same basic principle as for IT systems: you identify threats, assess vulnerabilities, and determine the impact of an incident. However, the assessment criteria must be adapted to the OT world.
When assessing impact, consider not only financial damages and data loss but also:
- Personal injury (safety)
- Environmental damage (for chemical or energy plants)
- Production downtime (duration and cost)
- Quality issues (defective products, recalls)
- Reputational damage (especially in safety-critical industries)
Step 4: Define and Implement Measures
Based on the risk assessment, define measures. The principle: not everything at once, but prioritized by risk. Typical quick wins include:
- Network segmentation: Separate IT and OT with a firewall. Only allow the truly necessary connections (e.g., ERP integration via defined interfaces). This alone massively reduces the attack surface.
- Secure remote maintenance: Inventory all remote access connections, route them centrally through a jump server, secure them with multi-factor authentication, and log them. Automatically disable temporary connections after maintenance.
- Backup and recovery: Create backups of all critical PLC programs and SCADA configurations and test them regularly. Document how each system is restored in an emergency.
- Awareness: Include production staff and maintenance technicians in security awareness training. Content must be tailored to OT-specific risks: USB drives on machine controls, social engineering targeting maintenance providers, physical access controls to control cabinets.
Step 5: Adapt Policies and Processes
Your existing ISMS policies must be extended with OT-specific aspects:
- Access policy: Expand to include physical access to control cabinets and operator panels. Define rules for maintenance access.
- Patch management policy: Include OT-specific processes for risk-based patching. Define compensating controls for systems that cannot be patched.
- Incident response plan: Include OT-specific scenarios. Define escalation paths that involve both IT security and production management. Clearly specify who makes the decision to shut down equipment in an emergency.
- Change management: Every change to OT systems (firmware updates, configuration changes, new network connections) must be documented and approved.
Step 6: Build Monitoring
Start with passive network monitoring. Specialized OT security tools like Nozomi Networks, Claroty, or Dragos can passively monitor network traffic in the OT network without affecting the control systems. They detect anomalies, identify unknown devices, and alert on suspicious communication patterns.
The advantage of passive approaches: they require no changes to the control systems themselves and pose no risk to availability. This is critical in the OT world because active scanners or agents on sensitive control systems can cause problems.
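A minimal version of the passive approach, as an added example (not the code of any of the tools named above): it baselines expected communication from the asset inventory and flags deviations in a constructed flow log. All addresses, names, zones, the baseline set and the log lines are assumptions made for the illustration.

```python
# Passive baseline check over OT flow records. Added example, not code from Nozomi,
# Claroty or Dragos; IPs, names, zones and the flow log below are constructed.
# Ports: Modbus/TCP 502 and EtherNet/IP explicit messaging 44818 are real defaults.
CONTROL_PORTS = {502: "modbus", 44818: "enip"}

# Asset inventory: ip -> (name, zone). "office" is IT, "ot_*" are production zones.
INVENTORY = {
    "10.0.1.5":   ("mes_server", "it_dc"),
    "10.0.5.77":  ("office_pc_finance", "office"),
    "10.10.1.10": ("scada_server", "ot_level2"),
    "10.10.2.11": ("plc_a", "ot_cell1"),
    "10.10.2.12": ("plc_b", "ot_cell1"),
    "10.10.2.21": ("hmi_a", "ot_cell1"),
    "10.10.2.30": ("engineering_ws", "ot_cell1"),
}

# Expected communication learned during a baselining phase: (src, dst, port).
BASELINE = {
    ("scada_server", "plc_a", 502),
    ("scada_server", "plc_b", 502),
    ("hmi_a", "plc_a", 502),
    ("scada_server", "mes_server", 443),
}

# Constructed flow log (one flow per line): timestamp src_ip dst_ip dst_port
FLOW_LOG = """\
2024-05-02T08:00:01 10.10.1.10 10.10.2.11 502
2024-05-02T08:00:02 10.10.2.21 10.10.2.11 502
2024-05-02T08:00:05 10.0.5.77 10.10.2.11 502
2024-05-02T08:00:09 10.10.2.99 10.10.2.12 502
2024-05-02T08:00:12 10.10.1.10 10.0.1.5 443
2024-05-02T08:00:15 10.10.2.30 10.10.2.12 44818
"""

def classify_flow(src_ip, dst_ip, port):
    # Returns None for expected traffic or a reason string for an alert.
    src, dst = INVENTORY.get(src_ip), INVENTORY.get(dst_ip)
    if src is None or dst is None:
        return "unknown device %s" % (src_ip if src is None else dst_ip)
    (src_name, src_zone), (dst_name, dst_zone) = src, dst
    if (src_name, dst_name, port) in BASELINE:
        return None
    if src_zone == "office" and dst_zone.startswith("ot_"):
        return "direct office-to-OT traffic %s -> %s" % (src_name, dst_name)
    if port in CONTROL_PORTS:
        return "unexpected %s traffic %s -> %s" % (CONTROL_PORTS[port], src_name, dst_name)
    return None   # non-control traffic outside the baseline: log it, do not alert

def analyze(log_text):
    # Parses the flow log and returns (timestamp, reason) for each alert.
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, dst_ip, port = line.split()
        reason = classify_flow(src_ip, dst_ip, int(port))
        if reason:
            alerts.append((ts, reason))
    return alerts
```

Because the check only reads a copy of the traffic, a false positive costs an analyst a look, not a production stop; the third alert also shows how an engineering workstation programming a PLC outside change management becomes visible.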
The Organizational Challenge
The biggest hurdle in integrating OT security into the ISMS is often not technical but organizational. IT and OT have different reporting lines, different budgets, and different cultures in many companies.
The IT department typically reports to the CFO or CIO. Production engineering reports to the COO or production manager. When the CISO comes from IT (which is the case in most organizations), they have no authority over production engineering. And production engineers often have legitimate concerns that IT security measures will destabilize their equipment or cause production stoppages.
The solution lies in three approaches:
- Joint governance: Establish an OT security board where IT security and production engineering are equally represented. Decisions about security measures in OT are made jointly.
- Pilot projects instead of mega-projects: Start with a single production line or a manageable plant section. Demonstrate that OT security measures do not endanger production but stabilize it. Success stories convince more than slide decks.
- Find a common language: IT security professionals must learn to think in production terms. And production engineers must understand why cybersecurity is no longer a pure IT topic. Joint workshops and training help bridge the gap.
Documenting OT Assets in ISMS Lite
Documenting OT assets differs from IT asset documentation in several key respects. You need additional fields for:
- Criticality assessment: Not just the confidentiality of data, but the impact on production, safety, and the environment. A five-level scale (from "informational" to "life-threatening") has proven effective.
- Dependency chains: OT systems are often linked in complex chains. When PLC A fails, not only machine A stops but also downstream machines B, C, and D because the material flow is interrupted. These dependencies must be documented so you can set the right priorities in an emergency.
- Recovery steps: Detailed instructions for emergency restoration. Who must do what in what sequence? What tools and spare parts are needed? How long does each step take? This information is invaluable in an emergency — because the specialist who knows the system may be on vacation.
- Maintenance information: Maintenance cycles, latest firmware version, manufacturer support status, maintenance contracts, manufacturer contact persons.
A good OT asset register is not a one-time project but a living document. Every change to the production infrastructure must be reflected in it. Ideally, integrate the maintenance of the OT asset register into your change management: no change to a production system without updating the register.
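The dependency chains, criticality ratings and recovery steps described in Step 1 and in this section, as an added example that is not ISMS Lite's data model or code: a small register that computes which systems stop when one fails, the worst criticality and total recovery time of that chain, the order in which to restore the chain, and a priority ranking. Asset names, values and dependencies are constructed.

```python
# OT asset register with dependency-chain impact analysis. Added example, not ISMS Lite's data model or code; asset names, criticality values and times are constructed.
from collections import deque
from dataclasses import dataclass, field

@dataclass
class OTAsset:
    name: str
    criticality: int        # five-level scale from the text: 1 informational .. 5 life-threatening
    recovery_minutes: int   # documented time to restore this asset alone
    depends_on: list = field(default_factory=list)  # must be running for this asset to work

class OTRegister:
    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}

    def downstream(self, name):
        # Every asset that stops, directly or transitively, when `name` fails.
        affected, queue = set(), deque([name])
        while queue:
            current = queue.popleft()
            for other in self.assets.values():
                if current in other.depends_on and other.name not in affected:
                    affected.add(other.name)
                    queue.append(other.name)
        return affected

    def failure_impact(self, name):
        # Worst criticality and summed recovery time across the whole chain.
        chain = [self.assets[a] for a in sorted({name} | self.downstream(name))]
        return {"affected": [a.name for a in chain],
                "max_criticality": max(a.criticality for a in chain),
                "recovery_minutes": sum(a.recovery_minutes for a in chain)}

    def recovery_order(self, names):
        # Restore prerequisites before the assets that depend on them.
        remaining, order = set(names), []
        while remaining:
            ready = sorted(a for a in remaining
                           if not set(self.assets[a].depends_on) & remaining)
            if not ready:
                raise ValueError("circular dependency in register: %s" % sorted(remaining))
            order.extend(ready)
            remaining -= set(ready)
        return order

    def prioritized(self):
        # Assets ranked by how severe their own failure would be (worst first).
        impact = {n: self.failure_impact(n) for n in self.assets}
        return sorted(self.assets, reverse=True, key=lambda n: (
            impact[n]["max_criticality"], impact[n]["recovery_minutes"]))

def build_sample_register():
    # Constructed mini plant: material flows A -> B -> C; PLC A needs order data from MES.
    return OTRegister([
        OTAsset("mes_server", 3, 120),
        OTAsset("plc_a", 3, 60, ["mes_server"]),
        OTAsset("plc_b", 4, 90, ["plc_a"]),
        OTAsset("plc_c", 3, 45, ["plc_b"]),
        OTAsset("hmi_a", 2, 30, ["plc_a"]),
    ])
```

In the constructed plant the ranking puts the IT-side MES server first, which is exactly the kind of IT dependency the inventory questions in Step 1 are meant to surface.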
The First Three Months: A Realistic Plan
If you are now thinking "this is all correct, but where do I start," here is a pragmatic 90-day plan:
Month 1: Create visibility
- Create an OT asset inventory (even if initially incomplete)
- Draw a network diagram of the production infrastructure
- Inventory remote maintenance connections
- Clarify responsibilities between IT and OT
Month 2: Implement quick wins
- Review and improve IT/OT network segmentation
- Secure remote maintenance connections
- Create backups of critical PLC programs
- Change default passwords on HMI panels
Month 3: Start ISMS integration
- Formally expand the ISMS scope
- Conduct an OT-specific risk assessment for the most critical systems
- Extend the incident response plan with OT scenarios
- Launch initial awareness measures for production staff
After these three months, you have a solid foundation to build on systematically. It will not be perfect, but you will have closed the most important gaps and can demonstrate during a NIS2 audit that you are actively addressing OT security.
Regulatory Outlook
The regulatory landscape for OT security will become denser in the coming years. Beyond NIS2 and the EU Machinery Regulation 2023/1230, further developments are relevant:
- Cyber Resilience Act (CRA): Starting in 2027, manufacturers of digital products — including industrial control systems — must meet cybersecurity requirements across the entire product lifecycle. This means: the OT products you buy in the future will be more secure. But the transition takes time, and your legacy equipment is not affected.
- IEC 62443: The international standard for industrial cybersecurity is gaining increasing importance. More and more machine manufacturers are seeking IEC 62443 certification. For operators, the standard offers a structured framework for OT security measures.
- Industry-specific standards: In regulated industries such as energy (BDEW Whitepaper, IT security catalog), water (IT security guideline W 1060), or chemicals (NAMUR recommendations), there are additional requirements that explicitly address OT security.
The message is clear: OT security is not an optional add-on topic but is being demanded from all sides by regulation. The sooner you start, the better prepared you will be.
Further Reading
- IT/OT Convergence: Risks at the Interface Between Office and Production
- The Purdue Model Explained: Network Zones in Production
- Securing SCADA and PLC: Practical Measures Without Production Stops
- Risk Assessment for OT Systems: Different Priorities Than in IT
- EU Machinery Regulation 2023/1230: Cybersecurity Requirements from 2027
