
Legacy OT Security: How Manufacturers Reduce Risk in 2026
A plastics manufacturer in Hialeah called us last spring because their production floor had gone dark. Not a power outage - a ransomware attack that entered through a Windows XP workstation connected to their injection molding line. The machine hadn't been patched because the vendor warned that updates would void the support agreement. So it stayed connected, unprotected, and within reach of the network for six years. The attack cost them 11 days of production and a ransom demand in the mid-six figures.
Attacks on industrial control systems and OT environments increased by more than 70 percent in 2023, with manufacturers accounting for the largest share of targeted sectors. The reason manufacturers are disproportionately hit isn't because attackers love manufacturing - it's because legacy OT environments are hard to defend and the business pressure to avoid downtime makes companies more likely to pay quickly.
The most important thing to understand about legacy OT security is that you don't have to replace your equipment to meaningfully reduce your risk. The most effective defenses are built around your existing systems. This guide covers what's working for manufacturers right now.
Key Takeaways
- Legacy OT systems - PLCs, SCADA platforms, HMIs - are the most exploited assets in manufacturing and the hardest to patch through standard IT processes.
- Network segmentation between IT and OT is the single highest-impact control you can implement without touching production equipment.
- Passive OT monitoring gives you full visibility into your industrial network without any risk of disrupting operations.
- Virtual patching at the network perimeter can protect unpatched OT devices without requiring a vendor support waiver or a maintenance window.
- CMMC Level 2 includes OT systems in scope for defense suppliers - documentation and controls are mandatory, not optional.
Why Legacy OT Is Your Biggest Cybersecurity Blind Spot
The Problem Is Connectivity, Not Age
Most manufacturers have at least one piece of equipment running the same firmware it shipped with. PLCs, SCADA systems, HMIs, and industrial control systems weren't designed for modern enterprise networks. They were designed to run reliably for 20 to 30 years in isolated environments.
That changed when manufacturers connected OT systems to IT networks for data visibility, remote management, and ERP integration. The connectivity solved real operational problems. But it created a security problem that wasn't in the original design spec for any of that equipment.
The age of a PLC or SCADA system isn't what makes it dangerous. What makes it dangerous is connecting a device with no security capabilities to a network that attackers can reach. A 30-year-old PLC that's air-gapped from everything is far safer than a 5-year-old HMI sharing a subnet with your email server.
OT Was Designed for Reliability, Not Security
Industrial control systems have a different engineering philosophy than IT systems. In OT, uptime is the non-negotiable first priority. That means OT vendors built systems that couldn't be patched without risk, couldn't run security agents, and couldn't support encrypted communications without performance issues. A PLC controlling a conveyor line needs to respond in milliseconds and can't tolerate a security scan that spikes CPU usage.
Those were valid design decisions for isolated environments. The problem is that they're now colliding with a threat landscape that doesn't care about legacy design constraints. Attackers don't respect engineering specifications. They find unpatched devices on reachable networks and they use them.
Actionable tip: Pull your OT asset list and flag every device running an end-of-life operating system, with no available vendor patch, or sitting on the same network segment as your IT systems. That's your risk register - and it's where every OT security conversation has to start.
How Attackers Get Into Manufacturing OT Environments
The IT/OT Bridge Is the Most Common Entry Point
Most OT attacks don't start by targeting a PLC directly. They start by compromising a standard IT system - a Windows workstation, a remote access server, an engineering laptop - and then moving laterally into the OT network. If your IT and OT environments share a flat network or connect through a single jump server with weak access controls, an attacker who compromises any IT asset can potentially reach your production systems.
This is why IT/OT network segmentation is the top control for industrial environments. It doesn't prevent the initial IT compromise, but it limits the blast radius once an attacker is inside. Containment is the goal.
Ransomware operators who target manufacturers have also learned that OT environments typically have weaker logging and monitoring than IT environments. Attackers can move laterally through an industrial network for days before triggering any alert. If you don't have visibility into your OT network traffic, you don't know what's in there right now. That's the condition most manufacturers are operating in today.
Actionable tip: Check whether your SIEM or endpoint detection platform has any coverage of your OT network traffic. If the answer is no, you have zero visibility into lateral movement between IT and OT. That gap needs to be first on your security roadmap.
What You Can Do Without Replacing Your Equipment
Here's where most OT security conversations go wrong: they lead with capital expenses. Replace the PLCs. Upgrade the SCADA platform. Rebuild the network. Those projects aren't wrong, but they're not where you start if your goal is meaningful risk reduction in the next 90 days.
Network Segmentation Delivers the Most Protection Per Dollar
Segmenting your IT and OT networks - placing them behind separate firewalls with restricted, explicit traffic rules between them - is the highest-impact control available to most manufacturers. It doesn't touch the OT devices. It doesn't require vendor support. And it significantly limits what an attacker can reach after compromising your IT environment.
A proper segmentation design uses a demilitarized zone (DMZ) between IT and OT, with controlled data flows for any production data moving from OT to IT. Historian servers, SCADA workstations, and any asset bridging the two environments should live in this DMZ, not directly on either network.
I sat with a plant manager near Doral last year who assumed their IT and OT were already segmented because they were on different VLANs. After a network mapping session, we found seven paths between the two environments with no firewall inspection on any of them. VLANs separate broadcast domains. They don't inspect traffic. True segmentation requires a firewall with an explicit, documented ruleset between the two environments.
Passive OT Monitoring Gives You Visibility Without Production Risk
Standard IT security tools - vulnerability scanners, EDR agents, active network probes - interact with the systems they protect. In OT environments, that interaction can destabilize or crash industrial control systems. You can't run a network vulnerability scan against a PLC and expect the line to keep running.
Passive OT monitoring solves this. It works by capturing a mirror of your OT network traffic at the switch level - it reads the data but sends nothing to the devices. Purpose-built industrial monitoring platforms can build an asset inventory from that traffic, detect anomalous communication patterns, and alert on behavior that doesn't belong - all without touching production equipment.
For manufacturers with no current visibility into their OT network, passive monitoring is often the most important first investment. You can't prioritize risks you can't see.
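The following is an added illustration, not code from the article or from GDS: a minimal passive analyzer over a constructed sample of mirrored Modbus/TCP frames. It builds a device inventory from the traffic alone and flags any flow that originates in the corporate subnet and reaches a production device, which is the IT-to-OT lateral movement the earlier section says most manufacturers cannot see. The subnets, addresses and frames are assumptions made up for the example.

```python
import ipaddress
import struct
from collections import defaultdict

# Constructed address plan for this example (an assumption, not from the article).
IT_SUBNET = ipaddress.ip_network("10.10.0.0/16")        # corporate network
OT_SUBNET = ipaddress.ip_network("192.168.50.0/24")     # production-floor segment
MODBUS_WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}  # state-changing Modbus functions

def parse_mbap(payload):
    """Decode a Modbus/TCP frame (7-byte MBAP header + PDU) -> (unit_id, function_code) or None."""
    if len(payload) < 8:
        return None
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:   # protocol id must be 0; length covers unit id + PDU
        return None
    return unit_id, payload[7]

def passive_inventory(frames):
    """Read-only analysis of mirrored (src_ip, dst_ip, dst_port, payload) frames: nothing is sent."""
    inventory = defaultdict(lambda: {"unit_ids": set(), "functions": set(), "clients": set()})
    alerts = []
    for src, dst, port, payload in frames:
        parsed = parse_mbap(payload) if port == 502 else None
        if parsed is None:
            continue                                     # not Modbus/TCP: ignored, never probed
        unit_id, fc = parsed
        entry = inventory[dst]                           # inventory keyed by the Modbus server address
        entry["unit_ids"].add(unit_id)
        entry["functions"].add(fc)
        entry["clients"].add(src)
        if ipaddress.ip_address(src) in IT_SUBNET and ipaddress.ip_address(dst) in OT_SUBNET:
            kind = "WRITE" if fc in MODBUS_WRITE_CODES else "read"
            alerts.append(f"{src} -> {dst} unit {unit_id}: Modbus {kind} (fc 0x{fc:02x}) crossed the IT/OT boundary")
    return inventory, alerts

# Constructed sample: an HMI polling a PLC, a corporate workstation reading then writing the same PLC, and unrelated RDP.
SAMPLE_FRAMES = [
    ("192.168.50.10", "192.168.50.20", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # HMI reads 10 registers
    ("10.10.4.55", "192.168.50.20", 502, b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),     # IT host reads
    ("10.10.4.55", "192.168.50.20", 502, b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"),     # IT host writes coil 1
    ("10.10.4.55", "192.168.50.30", 3389, b"\x03\x00\x00\x13"),                                        # RDP, not Modbus
]

if __name__ == "__main__":
    inv, alerts = passive_inventory(SAMPLE_FRAMES)
    for a in alerts:
        print("ALERT:", a)
```

On a real deployment the frames would come from a SPAN or TAP feed; the logic stays the same because the analyzer only ever reads.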
Virtual Patching Protects Devices You Can't Patch
If your OT vendor doesn't offer patches for known vulnerabilities, or if applying patches requires a maintenance window you can't schedule, virtual patching is the practical alternative. A next-generation firewall placed between your IT and OT environments can apply network-level rules that block known exploits targeting specific vulnerabilities - even if the underlying device is never patched.
This isn't a permanent substitute for patching. But for a SCADA workstation running Windows 7 with no available update, or a PLC with a known CVE that has no firmware fix, virtual patching is often the only available compensating control. It's recognized in industrial cybersecurity practice and referenced in NIST's OT security guidance.
Actionable tip: Ask your firewall vendor whether their platform supports OT protocol inspection - Modbus, DNP3, EtherNet/IP, and Profinet are the most common. A firewall that only inspects IP addresses and ports isn't inspecting the industrial protocol traffic passing through it.
If you're not sure where your OT environment sits on the risk spectrum, a free IT and OT security assessment from GDS will map your actual exposure - not a theoretical risk model, but a documented view of what's reachable from outside your production floor.
What CMMC Level 2 Means for Your OT Environment
OT Is In Scope Whether You've Planned for It or Not
Defense contractors have been focused on CMMC Level 2 compliance for Controlled Unclassified Information in their IT systems. What gets less attention is that OT systems connecting to networks that carry CUI fall within the same compliance scope.
For a precision parts manufacturer or aerospace supplier, that can include the SCADA system managing a CNC machine running DoD contract work, or an engineering workstation that connects to both the shop floor and the corporate network. If CUI flows through or near that equipment, CMMC requirements apply to it.
The CMMC requirements that most directly affect OT include access control, configuration management, and system and communications protection. Each has OT-specific implementation guidance that differs from standard IT controls. If you haven't mapped your OT environment to these requirements, you're likely underestimating your assessment scope. Working with a managed compliance partner who understands both CMMC and industrial environments is the fastest way to close that gap.
Actionable tip: Walk your CMMC scoping exercise through the plant floor, not just the server room. If a machine connects to a network that touches CUI - even indirectly - document it and include it in your boundary analysis before your assessment starts.
How to Build a Legacy OT Risk Roadmap
Asset Inventory Is the Non-Negotiable First Step
You can't protect what you don't know you have. In OT environments, asset visibility is consistently the first gap that shows up in security assessments. IT teams often have no accurate picture of what's on the plant floor network. OT teams know the machines but not the network topology or firmware versions. And no one has a current list of patch status, open ports, or active network connections across the production environment.
A passive OT discovery tool will build this inventory automatically once deployed. If you're not ready for a monitoring platform, a manual walkthrough with a network diagram and device list is a legitimate starting point. The minimum useful inventory: device name, type, IP address, firmware version, last known patch date, network segment, and connected systems. That's the foundation everything else gets built on.
Our managed IT services include OT asset discovery as part of onboarding for manufacturing clients - because every security decision you make after that depends on knowing what's in the environment.
Prioritize by Risk, Not by Equipment Age
Once you have an asset inventory, decide what to address first. The temptation is to rank by age - fix the oldest stuff first. That's the wrong model.
Risk in an OT environment is a function of three things: criticality (what happens to production if this device goes down), vulnerability severity (known CVEs, unpatched software, default credentials), and network exposure (how many paths exist from the IT network to this device). A 15-year-old PLC that's genuinely isolated is lower risk than a 3-year-old SCADA workstation with an RDP port open to the corporate network and a default admin password. Prioritize by exposure and criticality, not vintage.
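An added worked example, not from the article or GDS, of scoring a constructed inventory with the three factors above (criticality, vulnerability severity, network exposure) and sorting by the product. The scoring scale and the sample assets are assumptions; the comparison reproduces the article's case of an old but isolated PLC ranking below a newer SCADA workstation with RDP reachable from the corporate network and a default password.

```python
from dataclasses import dataclass, field

@dataclass
class OTAsset:
    """One row of the minimum inventory described earlier, plus the three risk inputs."""
    name: str
    kind: str
    ip: str
    firmware: str
    install_year: int
    segment: str                 # "OT", "DMZ" or "IT"
    criticality: int             # 1-5: production impact if this device goes down
    known_cves: int              # count of published vulnerabilities with no applied fix
    default_credentials: bool
    paths_from_it: int           # distinct network paths from the IT network, from the mapping exercise
    exposed_services: list = field(default_factory=list)

def vulnerability_score(a):
    """0-5: unpatched CVEs (capped) plus a penalty for default credentials."""
    return min(min(a.known_cves, 3) + (2 if a.default_credentials else 0), 5)

def exposure_score(a):
    """0-5: reachability from IT. Zero only when the mapping found no path at all (verified isolation)."""
    if a.paths_from_it == 0:
        return 0
    remote_admin = any(s in ("rdp", "vnc", "telnet", "ssh") for s in a.exposed_services)
    return min(1 + a.paths_from_it + (2 if remote_admin else 0), 5)

def risk_score(a):
    """Criticality x vulnerability x exposure: install year never enters the calculation."""
    return a.criticality * vulnerability_score(a) * exposure_score(a)

def prioritize(assets):
    """Assets ordered by risk, highest first."""
    return sorted(assets, key=risk_score, reverse=True)

# Constructed inventory (sample data, not a real site).
INVENTORY = [
    OTAsset("PLC-LINE3", "PLC", "192.168.50.20", "v2.1", 2011, "OT", criticality=5,
            known_cves=4, default_credentials=True, paths_from_it=0),
    OTAsset("SCADA-WS1", "SCADA workstation", "192.168.50.5", "Win10 21H2", 2023, "OT", criticality=4,
            known_cves=1, default_credentials=True, paths_from_it=2, exposed_services=["rdp"]),
    OTAsset("HIST-01", "Historian", "192.168.60.8", "v9", 2019, "DMZ", criticality=3,
            known_cves=1, default_credentials=False, paths_from_it=1, exposed_services=["https"]),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:10} installed={a.install_year} exposure={exposure_score(a)} risk={risk_score(a):>3}")
```

The PLC's zero exposure depends on the isolation being confirmed by the network mapping; if a later walkthrough finds a path, raising paths_from_it moves it up the list immediately.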
Frequently Asked Questions
Can I patch legacy OT systems without shutting down production?
It depends on the device and the patch. Some OT vendors offer hot-patch procedures for specific firmware updates, and some modern PLCs support updates during a reduced-speed cycle. For most legacy equipment, patching requires a controlled maintenance window. If no patch exists or the vendor no longer supports the device, virtual patching at the network layer is the recognized compensating control in both NIST and CISA guidance for industrial environments.
What is virtual patching and how does it work in manufacturing?
Virtual patching uses a network security device - typically a next-generation firewall or intrusion prevention system - to block traffic patterns that match known exploits targeting a specific vulnerability. The underlying OT device doesn't get patched, but the network stops the exploit before it reaches the device. It's a recognized control for unpatched OT assets where direct patching isn't feasible.
Does CMMC apply to my OT systems?
If your OT systems are on a network that processes, stores, or transmits Controlled Unclassified Information, they fall within the CMMC assessment boundary. This includes machines connected to corporate networks, SCADA platforms that handle DoD contract production data, and engineering workstations touching both shop floor and enterprise systems. When unsure, include any OT system with network connectivity in your scoping analysis and work backward from there.
How do I know if my IT and OT networks are properly segmented?
The test is straightforward: can a device on your IT network communicate directly with a device on your OT network without passing through a firewall with explicit, logged rules? If yes, your networks aren't properly segmented. VLANs are not segmentation - they separate broadcast domains but don't inspect traffic. True segmentation requires a firewall or industrial DMZ between the two environments with a documented, minimal-privilege ruleset.
What's the difference between IT security tools and OT security monitoring?
IT security tools are designed to interact with the systems they protect - scanners probe devices, EDR agents run on endpoints, active monitors send test traffic. In OT environments, that interaction can crash industrial control systems not built to handle it. OT security monitoring uses passive techniques, capturing a copy of network traffic without sending anything to the monitored devices. This makes it safe to deploy on production networks where any disruption has direct operational and financial consequences.
Ready to Reduce Your OT Risk Without Stopping Production?
Most manufacturers don't need a full equipment replacement to meaningfully secure their OT environment. What they need is a clear picture of what's exposed, a prioritized plan for compensating controls, and a partner who understands both the IT and OT sides of the equation. A free security assessment from GDS maps your OT exposure, identifies the highest-risk gaps, and gives you a roadmap with clear priorities. Visit our manufacturing security page or schedule your assessment and we'll get started within the week.
