Stop fixing OT security with IT thinking

In this Help Net Security interview, Ejona Preçi, Group CISO at Lindal Group, discusses the specific cybersecurity challenges in manufacturing environments. The conversation covers why standard IT security practices break down on shop floors, where PLCs and decade-old firmware were never designed to be networked.


She explains how nation-state actors quietly settle into industrial networks, using stale accounts and compromised workstations to map environments without triggering alarms. She addresses patch management in OT, where production lines cannot simply be taken offline, and describes how security teams use compensating controls to manage risk without breaking operations. The interview also examines how adding sensors and telemetry can generate noise that hides real threats, and how AI pipelines connecting IT and OT systems create new attack surfaces.

Most people picture cybersecurity as a software problem. But on a manufacturing floor, you are dealing with PLCs, SCADA systems, and decade-old firmware that was never designed to be networked. Where does the conventional cybersecurity playbook simply break down?

Traditional cybersecurity assumes systems are designed to be patched frequently, restarted when needed, and controlled through modern identity and endpoint security tools. That assumption does not hold on a shop floor. Many industrial systems were built for reliability and safety long before cybersecurity became a priority. So for instance, PLCs and industrial controllers can run for years without interruption. Some firmware is more than a decade old and cannot be updated easily without affecting the production environment.

This is where the conventional security playbook breaks down. In IT, downtime is inconvenient. In manufacturing, downtime paralyses the business, sometimes completely. Security strategies therefore cannot rely on constant patching or aggressive system hardening. Instead, the focus must shift to architecture. Strong network segmentation, zero trust, strict control of remote access, and separation between IT and Operational Technology (OT) become the foundation of security. In industrial environments, controlling pathways is often more important than controlling individual devices.

Nation-state actors have shown sustained interest in manufacturing infrastructure, not always to destroy it, but sometimes just to sit quietly inside it. What does long-term, low-and-slow persistence look like in these environments, and why is it so hard to detect?

Nation-state actors understand very well that manufacturing companies sit at the center of critical supply chains. Their goal is sitting stealthy in the organization to trigger something in the future. They gain insights from business processes, network traffic, intellectual property, supplier relationships, etc.

Persistence in these environments can look surprisingly ordinary. It might start with a phishing link to the end user, a compromised engineering workstation or a stale maintenance account that still has access to the production network. Once inside, sophisticated actors stay silent; they rarely trigger alarms. They move slowly, observe system behavior, map the environment and try to move laterally and escalate privileges.

This activity is difficult to detect because operational networks are built for stability. Traffic patterns are predictable and rarely change. Many factories (historically) have limited logging and monitoring capabilities. An attacker who blends into normal industrial communication can remain unnoticed for long periods of time. That’s why improving network visibility, introducing SASE and monitoring across operational environments has become a top priority for cyber defense teams in manufacturing.

Patch management in OT is often described as nearly impossible because you cannot take a line down to apply a firmware update. How do the most security-mature manufacturers handle this problem in practice?

Patching in operational environments is completely different from patching in IT. Production lines cannot always be stopped to apply updates. Some systems require long restart cycles or complex revalidation processes.

That’s why most cyber defense teams in manufacturing address this challenge with discipline rather than unrealistic expectations. They align patching activities with the vendors and schedule maintenance windows far ahead. They test updates in staging environments before deploying them to production systems. Most importantly, they prioritize vulnerabilities based on risk.

When immediate patching is not possible, we should implement compensating controls. Network segmentation, zero trust, strict access management, and monitoring can significantly reduce exposure. Security maturity in OT is about managing risk in a smart way while not breaking business operations.

There is a growing push to add more sensors, more telemetry, and more monitoring into OT environments, but more visibility also means more attack surface and more data to manage. Where is the right line?

Visibility is essential for security. Without it, we are operating blind. However, adding sensors and monitoring tools without purpose can introduce unnecessary complexity and new integration points that attackers may exploit.

The right balance is to focus on meaningful data. Security teams should prioritize monitoring the signals that reveal real risk such as network communication between zones, changes to controller configurations, remote access sessions, and activity on privileged accounts.

Collecting every possible datapoint does not automatically improve security. In fact, too much data can overwhelm security teams, create unnecessary noise and hide important signals. Effective monitoring focuses on the operational behaviors.
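The four signal classes named in this answer (cross-zone communication, controller configuration changes, remote access sessions, privileged-account activity) can be turned into a small triage rule set. The following is an added example written for this page, not code from the interviewee or her organisation. The zone names, conduit allowlist, maintenance window, accounts, addresses and the ten sample events are all constructed; it shows how a defender keeps only those signals and drops same-zone polling, heartbeats and ordinary logins as noise.

```python
"""Triage of OT telemetry down to the signals that reveal real risk.

Added illustration: rather than forward every event, the triage keeps four
classes of signal (cross-zone communication, controller configuration changes,
remote access sessions, privileged-account activity) and drops the rest.
Zone names, accounts, addresses and events are constructed; the conduit
allowlist and maintenance window are assumptions, not from any real site.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Assumed sanctioned conduits between zones (Purdue-style naming).
# Any other zone crossing is unexpected and worth an alert.
ALLOWED_CONDUITS = {
    ("L2_control", "L3_site_ops"),   # controllers/HMIs up to the site historian
    ("L3_site_ops", "L35_dmz"),      # historian replication into the IT/OT DMZ
    ("L35_dmz", "L4_enterprise"),    # DMZ towards enterprise IT only
}
OT_ZONES = {"L2_control", "L3_site_ops"}

# Assumed approved maintenance window, 22:00 to 04:00 local time.
MAINTENANCE_WINDOW = (time(22, 0), time(4, 0))

# Constructed privileged accounts that may touch controllers.
PRIVILEGED_ACCOUNTS = {"eng_admin", "vendor_svc", "plc_maint"}


@dataclass(frozen=True)
class Alert:
    severity: str
    kind: str
    detail: str


def in_maintenance_window(ts: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW
    t = ts.time()
    return t >= start or t < end  # the window wraps past midnight


def triage(events: list[dict]) -> list[Alert]:
    """Return only the alerts an analyst should see; everything else is noise."""
    alerts: list[Alert] = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        kind = ev["type"]
        if kind == "flow":
            src_z, dst_z = ev["src_zone"], ev["dst_zone"]
            if src_z != dst_z and (src_z, dst_z) not in ALLOWED_CONDUITS:
                alerts.append(Alert("high", "unexpected_zone_crossing",
                    f"{ev['src']} ({src_z}) -> {ev['dst']} ({dst_z}) {ev['proto']}"))
        elif kind == "controller_config":
            # Every logic/config write to a controller is recorded; outside the
            # window it is escalated because nobody should be changing logic.
            sev = "medium" if in_maintenance_window(ts) else "high"
            alerts.append(Alert(sev, "controller_config_change",
                f"{ev['controller']} {ev['action']} by {ev['user']} from {ev['src']}"))
        elif kind == "remote_session":
            if not in_maintenance_window(ts):
                alerts.append(Alert("high", "remote_access_outside_window",
                    f"{ev['user']} via {ev['gateway']} at {ev['ts']}"))
        elif kind == "auth":
            if ev["user"] in PRIVILEGED_ACCOUNTS and ev["result"] == "success":
                sev = "medium" if ev["src_zone"] in OT_ZONES else "high"
                alerts.append(Alert(sev, "privileged_login",
                    f"{ev['user']} from {ev['src']} ({ev['src_zone']})"))
        # heartbeats, same-zone polling, non-privileged logins: dropped
    return alerts


# Constructed sample telemetry (ten events); only five should surface.
SAMPLE_EVENTS = [
    {"ts": "2024-03-12T02:10:00", "type": "flow", "src": "10.20.1.15", "src_zone": "L2_control",
     "dst": "10.20.1.40", "dst_zone": "L2_control", "proto": "modbus/tcp"},
    {"ts": "2024-03-12T02:11:00", "type": "flow", "src": "10.20.1.15", "src_zone": "L2_control",
     "dst": "10.30.0.5", "dst_zone": "L3_site_ops", "proto": "opc-ua"},
    {"ts": "2024-03-12T02:12:00", "type": "flow", "src": "10.40.7.21", "src_zone": "L4_enterprise",
     "dst": "10.20.1.15", "dst_zone": "L2_control", "proto": "modbus/tcp"},
    {"ts": "2024-03-12T02:30:00", "type": "controller_config", "controller": "PLC-07",
     "action": "logic_download", "user": "plc_maint", "src": "10.30.0.9"},
    {"ts": "2024-03-12T13:45:00", "type": "controller_config", "controller": "PLC-03",
     "action": "logic_download", "user": "eng_admin", "src": "10.30.0.12"},
    {"ts": "2024-03-12T14:04:00", "type": "auth", "user": "vendor_svc", "result": "success",
     "src": "10.40.7.21", "src_zone": "L4_enterprise"},
    {"ts": "2024-03-12T14:05:00", "type": "remote_session", "user": "vendor_svc", "gateway": "jump-01"},
    {"ts": "2024-03-12T09:00:00", "type": "auth", "user": "operator1", "result": "success",
     "src": "10.30.0.20", "src_zone": "L3_site_ops"},
    {"ts": "2024-03-12T23:30:00", "type": "remote_session", "user": "vendor_svc", "gateway": "jump-01"},
    {"ts": "2024-03-12T23:31:00", "type": "heartbeat", "src": "10.20.1.15"},
]


def summarize(alerts: list[Alert]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity:6}] {a.kind}: {a.detail}")
    print(summarize(found))
```

Of the ten constructed events, five surface: one enterprise-to-control-zone flow, two controller logic downloads (the daytime one escalated), one privileged login from the enterprise zone and one vendor session outside the window. The in-window vendor session, the allowed historian traffic and the heartbeat never reach an analyst, which is the point of the interview's advice to monitor behaviours rather than collect everything.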

AI is being embedded into manufacturing systems for predictive maintenance, quality control, and process optimization. What new attack surfaces does that create, and are we thinking seriously enough about securing those systems before they become critical?

AI adds a new layer of attack surface on top of an already fragile environment. Before, in manufacturing, we worried mainly about PLCs, HMIs, remote access, and the IT/OT boundary. Now we also have to protect data pipelines, model outputs, sensors, inference engines, APIs, cloud connections etc. That is a major shift!

AI systems depend heavily on data. That data must be collected, processed, and analyzed, often across multiple systems. Each of those connections creates a potential attack surface. If attackers manipulate the data feeding these models, they can influence decisions. For instance, poisoning datasets could distort predictive maintenance models or hide early warning signs of equipment issues. Studies have shown that even as little as 0.001% of poisoned data can cause a model to behave incorrectly.

Another concern we’re seeing is the growing integration between IT analytics platforms and OT platforms. As AI pipelines connect more deeply into production environments, the boundary between IT and OT becomes more complex. If these integrations are not secured properly, they can become entry points for threat actors into critical systems.

Once AI starts influencing operational decisions, attackers can target the model itself through poisoning, evasion, prompt injection, or abuse of retraining workflows. In manufacturing, that is serious because the output is not just a dashboard insight. It may influence maintenance timing, process tuning or even operator response. NIST’s AI Risk Management Framework highlights that AI risks are not limited to confidentiality; more attributes such as integrity, validity, and reliability are now becoming crucial. If AI can influence uptime, quality, safety, or maintenance decisions, it is already part of your critical environment. The industry must take these risks seriously and move quickly to mitigate them to survive the AI wave.
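The answer above stresses that AI systems depend on data flowing across several systems and that manipulating that data can distort a predictive maintenance model. One defensive control is an integrity gate in front of the training and inference pipeline. The following is an added example written for this page, not code from the interviewee, her organisation or any vendor product: each batch exported by a hypothetical historian is authenticated with an HMAC over its canonical JSON form, and readings are additionally checked against assumed physical sensor ranges, so that a batch altered after export or a signed batch carrying an impossible value is both rejected before it can influence the model. The key, sensor ranges and batches are constructed.

```python
"""Integrity gate for sensor data entering a predictive-maintenance pipeline.

Added illustration (constructed key, ranges and batches): every batch from the
hypothetical historian carries an HMAC-SHA256 over its canonical JSON, and
readings must also fall inside the sensor's physical range. Two independent
checks, because a valid MAC only proves the batch was not altered after signing,
not that the upstream source was honest.
"""
import hashlib
import hmac
import json

# Constructed shared key; in a real deployment it lives in a KMS/HSM.
PIPELINE_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed physical plausibility bounds per sensor type.
SENSOR_RANGES = {
    "bearing_vibration_mm_s": (0.0, 50.0),
    "motor_temp_c": (-20.0, 150.0),
}


def canonical(payload: dict) -> bytes:
    # Stable serialisation so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_batch(payload: dict, key: bytes = PIPELINE_KEY) -> dict:
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def validate_batch(batch: dict, key: bytes = PIPELINE_KEY) -> tuple[bool, str]:
    expected = hmac.new(key, canonical(batch["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, batch["mac"]):
        return False, "mac_mismatch"
    for reading in batch["payload"]["readings"]:
        bounds = SENSOR_RANGES.get(reading["sensor"])
        if bounds is None:
            return False, f"unknown_sensor:{reading['sensor']}"
        lo, hi = bounds
        if not lo <= reading["value"] <= hi:
            return False, f"implausible:{reading['sensor']}={reading['value']}"
    return True, "ok"


def filter_training_data(batches: list[dict], key: bytes = PIPELINE_KEY):
    """Split batches into (accepted, rejected) lists of (batch_id, reason)."""
    accepted, rejected = [], []
    for b in batches:
        ok, reason = validate_batch(b, key)
        (accepted if ok else rejected).append((b["payload"]["batch_id"], reason))
    return accepted, rejected


def demo():
    good = sign_batch({"batch_id": "b1", "asset": "pump-12", "readings": [
        {"sensor": "bearing_vibration_mm_s", "value": 2.3},
        {"sensor": "motor_temp_c", "value": 61.0}]})
    tampered = sign_batch({"batch_id": "b2", "asset": "pump-12", "readings": [
        {"sensor": "bearing_vibration_mm_s", "value": 7.8},
        {"sensor": "motor_temp_c", "value": 74.0}]})
    # Constructed tampering: the rising vibration trend is flattened after
    # export, without the key, so the MAC no longer matches.
    tampered["payload"]["readings"][0]["value"] = 1.0
    # Constructed faulty/compromised source: correctly signed but physically
    # impossible, so the plausibility check catches what the MAC cannot.
    implausible = sign_batch({"batch_id": "b3", "asset": "pump-12", "readings": [
        {"sensor": "bearing_vibration_mm_s", "value": 3.1},
        {"sensor": "motor_temp_c", "value": 400.0}]})
    return filter_training_data([good, tampered, implausible])


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Only the first batch is accepted; the second is rejected for a MAC mismatch and the third for an implausible temperature. In practice the plausibility layer would be per asset and could include rate-of-change limits, but the two-layer structure is the point: authentication protects the pipeline in transit, while range and behaviour checks protect the model from a source that is itself compromised.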
