Launching an OT cybersecurity program can feel overwhelming, especially in manufacturing and critical infrastructure environments where legacy systems, air-gapped networks, and production uptime constraints complicate every decision. In this guide, IIoT World breaks down the first 90 days into a clear, phased framework that security leaders can follow regardless of industry vertical. From conducting an initial asset inventory and risk assessment to establishing network segmentation policies and governance structures, this article provides the actionable steps that CISOs, plant managers, and OT security engineers need to move from zero visibility to a defensible baseline. Whether you are inheriting an existing program or building one from scratch, understanding these foundational milestones is critical to reducing operational risk without disrupting production.
IIoT World covers OT cybersecurity strategy through practitioner-led sessions and expert articles, including ICS Cybersecurity Day on October 14, 2026. Cyber threats targeting manufacturing environments are becoming more sophisticated—and more relentless. But for many industrial organizations, the biggest challenge isn’t dealing with ransomware. It’s knowing where to start.
In the session “From the Concrete to the Carpet: Assessing and Navigating OT Risk” at IIoT World Manufacturing Day 2025, cybersecurity leaders from Armis, Olin, and Fortinet laid out clear, actionable steps for manufacturers taking their first steps toward operational resilience. The consensus: you don’t need to boil the ocean—just start with what you can control.
Step 1: Get Eyes on the Network
Before deploying any controls, you need visibility. That means understanding exactly what’s in your environment, how it’s communicating, and what shouldn’t be there. In OT, that’s not always straightforward—many networks rely on tribal knowledge, outdated spreadsheets, or informal lists stored in someone’s desk drawer.
A modern passive asset discovery tool can map out your environment without disrupting operations. This not only gives security teams a foundational inventory but also provides early detection of unknown or rogue devices.
Step 2: Segment—But Do It Right
Once you can see your environment, the next step is network segmentation. While manufacturers often understand the need to isolate OT from IT, poor segmentation remains common—and dangerous. One critical tip: block initiated traffic from the IT/business network into the OT environment. Let the plant network “talk up,” not the other way around.
Smart segmentation doesn’t require tearing everything down. Start with critical assets or high-value production lines. Isolate where the risk is highest, and build out from there.
Step 3: Recruit an OT Ally
One of the most overlooked success factors in OT security is not technical—it’s human. Identify someone within operations who understands both plant realities and cyber requirements. Make them part of your core security team.
This insider can translate between the cybersecurity and plant operations teams, helping you avoid friction, reduce miscommunication, and implement policies that won’t get ignored or overridden.
Step 4: Plan for Exceptions
In IT, it’s common to patch weekly. In OT, you may only touch a system once every three years. Accept it—and build around it. This means documenting exceptions, setting reminders, and aligning compensating controls like network monitoring or endpoint restrictions.
Also critical: a risk acceptance process. If a system can’t be patched or hardened, document why, when it will be addressed, and who signed off. Without this, security teams may be left holding the blame for something they had no power to change.
Step 5: Think Beyond Compliance
Finally, don’t confuse frameworks with outcomes. Whether you’re using NIST 800-82, IEC 62443, or CIS Controls, these are tools, not finish lines. Use them to guide your architecture and priorities, but adapt them to your environment. OT cyber maturity is a journey, not a checklist.
Start Small. Start Now. But Start.
You don’t need a million-dollar budget to make meaningful progress. You just need the right strategy, the right partners, and internal alignment. Because in cybersecurity, action beats perfection every time.
This article is based on insights from the session “From the Concrete to the Carpet: Assessing and Navigating OT Risk”, part of IIoT World’s Manufacturing Day 2025, sponsored by Fortinet.
Related articles:
FAQ
1. What should the first 30 days of an OT cybersecurity program focus on?
The first 30 days should prioritize asset discovery and inventory. Most industrial facilities lack a complete, accurate catalog of their OT devices, controllers, and communication pathways. During this phase, teams typically identify 20% to 40% more connected assets than previously documented. Passive network monitoring tools can map traffic flows without disrupting operations. The output of this phase is a baseline asset register that serves as the foundation for all subsequent risk assessment and segmentation work.
2. How does OT cybersecurity differ from traditional IT cybersecurity?
OT cybersecurity must account for real-time process control requirements, legacy protocols such as Modbus and DNP3, and systems with lifecycles that often exceed 15 to 20 years. Unlike IT environments where patching can occur on regular schedules, OT systems often cannot tolerate downtime for updates. Safety is the top priority in OT; a breach can cause physical harm, environmental damage, or production shutdowns. This means risk frameworks like IEC 62443 and NIST SP 800-82 are used instead of, or alongside, conventional IT frameworks.
3. What are the most common mistakes when starting an OT cybersecurity program?
The three most frequent mistakes are: applying IT security policies directly to OT without adaptation, neglecting to involve operations and engineering teams in planning, and attempting to deploy active scanning tools that can crash sensitive PLCs and SCADA systems. Another common error is underestimating the importance of network segmentation between IT and OT zones. Programs that skip the governance and stakeholder alignment phase in the first 90 days often stall within six months due to organizational resistance.
Related from IIoT World: