Secure OT Data Flows Before Scaling AI

Manufacturers are investing in AI to improve maintenance, quality, production visibility, asset performance, and decision-making. Most of these use cases pull data from sensors, historians, machines, SCADA systems, MES platforms, engineering workstations, and other operational sources. Some of that data moves to enterprise systems, some to cloud platforms, some to analytics tools or AI models. In many plants, these data paths were added over time to solve specific business problems, but the full picture is not always clear. During a session at IIoT World’s AI Manufacturing Day 2026, Itay Glick, Mark Toussaint, and James Turner Jr. of OPSWAT explained why manufacturers need to map and secure those data paths before scaling AI.

Most Manufacturers Do Not Know What Is Connected

In one industrial environment, 139 connections in and out of OT were identified, many of them previously unknown to the organization. That is not unusual. As AI use cases expand, they require more parameters and sensor data from OT, much of which needs to reach cloud environments. Each new AI initiative can add connections that were not part of the original OT architecture.

A connection originally created for reporting, vendor support, or data collection may later become part of a larger AI data pipeline. If no one owns it, monitors it, or understands its direction, it can create exposure without anyone intending to open a new attack path.

For each connection tied to a current or planned AI use case, manufacturers should be able to answer:

  • What OT data is leaving the plant?
  • Which systems are sending it?
  • Where is the data going?
  • Is the flow one-way or two-way?
  • Who owns the connection?
  • What happens if the connection is misconfigured, compromised, or unavailable?
  • Does the data path create a route back into OT?

Firewalls Are Bidirectional. Data Diodes Are Not.

Many manufacturers use firewalls between OT and IT. Firewalls have a role, but they are bidirectional by nature and depend on rules. Large rule sets can be prone to human error, especially when hundreds of connections are involved.

For critical outbound OT data, some manufacturers use hardware-enforced one-way movement, such as data diodes. A diode lets production data reach IT, cloud systems, analytics platforms, or AI tools, while physically preventing traffic from moving back into OT through the same path.

This approach is especially relevant for predictive maintenance, remote monitoring, and historian replication, where external systems need OT data but should not have direct access back into the production environment.
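The checklist above and the firewall-versus-diode distinction both come down to the same review: for every path that feeds an AI use case, record who owns it, which way it flows, and what enforces that direction, then rank the paths that need attention first. The script below is an added example, not code from the panel or from OPSWAT, that runs those questions over a small constructed inventory. The connection names, system names and the `diode`/`firewall` enforcement labels are assumptions made for the illustration; a real inventory would come from the firewall rule base, diode configuration and an asset register.

```python
"""Triage a constructed inventory of OT data paths that feed AI use cases.

Each Connection is one path in or out of the OT network. triage() asks the
questions a reviewer would ask of that path (owner, direction, enforcement,
criticality) and returns the findings; prioritize() orders the inventory so
the paths with the most open questions come first.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Connection:
    name: str
    source: str            # OT system sending the data (hypothetical names)
    destination: str       # where the data goes (IT, cloud, vendor, ...)
    direction: str         # "outbound", "inbound" or "bidirectional" (relative to OT)
    enforcement: str       # "diode" = hardware one-way, "firewall" = rule-based
    owner: str | None      # None means nobody has claimed the path
    critical: bool = False  # e.g. historian replication that AI models depend on
    purpose: str = ""       # why the path exists; empty means undocumented


def triage(conn: Connection) -> list[str]:
    """Return the open questions for one connection (empty list = nothing flagged)."""
    findings: list[str] = []
    if conn.owner is None:
        findings.append("no owner: nobody monitors the path or approves changes to it")
    if not conn.purpose:
        findings.append("purpose undocumented: cannot tell whether the path is still needed")
    if conn.direction == "bidirectional":
        findings.append("two-way path: creates a route back into OT")
    elif conn.direction == "outbound" and conn.enforcement == "firewall":
        findings.append("one-way by rule only: a rule error could admit inbound traffic")
    if conn.critical and conn.enforcement != "diode":
        findings.append("critical OT data without hardware-enforced one-way movement")
    return findings


def prioritize(inventory: list[Connection]) -> list[tuple[str, list[str]]]:
    """Order paths by number of findings, critical paths first on ties."""
    scored = [(c.name, triage(c)) for c in inventory]
    crit = {c.name: c.critical for c in inventory}
    return sorted(scored, key=lambda item: (-len(item[1]), not crit[item[0]], item[0]))


# Constructed sample inventory; names and systems are illustrative only.
INVENTORY = [
    Connection("pi-to-cloud-ml", "plant-historian", "cloud-analytics", "outbound",
               "diode", "ot-team", critical=True,
               purpose="historian replication for predictive maintenance"),
    Connection("vendor-remote-support", "packaging-line-plc", "vendor-vpn",
               "bidirectional", "firewall", None, purpose="vendor support"),
    Connection("scada-reporting", "scada-server", "mes", "outbound",
               "firewall", "plant-it", purpose="shift reporting to MES"),
    Connection("quality-images", "vision-station", "cloud-analytics", "outbound",
               "firewall", None, critical=True),
]


if __name__ == "__main__":
    for name, findings in prioritize(INVENTORY):
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  - {f}")
```

Run as-is, the ranking puts the unowned, rule-enforced critical path first, the bidirectional vendor path second, and the diode-protected historian replication last, which is the order in which a plant would spend its remediation effort.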

Historian Data Is Usually the First Priority

Historian data can hold years of production, process, equipment, and performance data. Many manufacturers focus first on protecting AVEVA PI historian environments because they hold the operational data used to run the business.

If AI systems depend on historian data, that connection should be treated as critical infrastructure. A poorly controlled historian pathway can influence maintenance decisions, production analysis, operational planning, and the quality of AI outputs.

This article is based on a panel discussion at IIoT World’s AI Manufacturing Day 2026, sponsored by OPSWAT. Panelists: Mark Toussaint, Principal Product Manager, OPSWAT; Itay Glick, GM Hardware and OT Security, OPSWAT; and James Turner Jr., Senior Solutions Engineer OT Cybersecurity, OPSWAT. Moderated by Tim Chase, Program Director, MFG-ISAC. AI tools were used to help summarize and organize the content. Reviewed and edited by the IIoT World editorial team. Sponsored by OPSWAT. Editorially Independent.


FAQ

1. How should manufacturers secure OT data flows when scaling AI?

Manufacturers should start by mapping every data flow connected to current or planned AI use cases: what OT data is leaving the plant, which systems are sending it, where it goes, and whether the flow is one-way or bidirectional. The highest-risk pathways, those tied to critical production assets, sensitive operational data, or remote access, should be prioritized for stronger controls. For critical outbound OT data, hardware-enforced one-way movement such as data diodes can prevent traffic from moving back into OT.

2. Where should manufacturers start with OT cybersecurity?

A practical first step is understanding what data connections exist between OT, IT, and cloud systems. In one industrial environment, 139 connections in and out of OT were identified, many of them previously unknown to the organization. Manufacturers should map those connections, determine who owns each one, assess what happens if a connection is compromised or misconfigured, and then prioritize controls based on operational impact.

3. What is the difference between IT and OT cybersecurity for AI?

IT security typically protects data confidentiality, integrity, and availability across enterprise networks. OT cybersecurity focuses on protecting the physical processes and equipment that keep production running. When AI projects require data from OT systems to reach cloud or analytics environments, the security challenge spans both domains. Firewalls between IT and OT are bidirectional and depend on rules that can be prone to human error. Hardware-enforced approaches like data diodes offer one-way data movement that prevents external traffic from reaching OT.