Manufacturers are paying more attention to AI, cloud connectivity, and advanced cyber threats, but one of the most common OT security gaps is still very practical: what gets carried into the plant.
Vendor laptops, USB drives, phones, and other portable devices move in and out of manufacturing environments every day. They support maintenance, troubleshooting, software updates, machine configuration, file transfer, and contractor work. They are part of normal plant operations.
That is exactly why they deserve more attention.
A manufacturer can invest in network monitoring, endpoint tools, and AI-enabled detection, but still leave risk open if unmanaged devices are allowed to connect to production assets. In OT, a single file, laptop, or USB device can create exposure if it bypasses the controls designed to protect the environment. During a session at IIoT World’s AI Manufacturing Day 2026, James Turner Jr., Itay Glick, and Mark Toussaint of OPSWAT described the practical controls manufacturers need for devices entering the plant floor.
The Plant Floor Still Depends on Portable Devices
Manufacturing environments are not clean-room digital systems where every action happens through a controlled cloud portal or centralized platform. Plants still depend on people walking in with tools, laptops, files, and devices.
During the session, panelists described a familiar plant-floor scenario: contractors arriving with multiple USB drives used for different purposes. Manufacturers need policies for how USBs are moved into the environment and how contractors are allowed to bring media or devices into OT.
That example is simple, but it captures a real issue. Many plants have policies on paper, but enforcement can be inconsistent when production pressure is high, a machine is down, or a contractor is waiting.
A Vendor Laptop Should Not Be Trusted by Default
Vendor laptops create a different kind of problem. A contractor may have legitimate access, good intentions, and endpoint protection installed. That still does not mean the device should be trusted inside the OT environment.
Manufacturers cannot rely on the operating system or the vendor’s security tools alone. Even if a laptop has antivirus or endpoint protection installed and was scanned recently, the manufacturer still needs to evaluate the device with its own security stack before allowing it to connect.
This point is important because vendor devices often move between customer sites, hotels, airports, home networks, and other environments. They may be used by multiple people or connected to networks the manufacturer does not control.
For manufacturers, the question is not whether the vendor is trusted as a business partner. The question is whether the device is safe enough to connect to OT.
USB Drives Can Act as Malicious Devices
USB drives are often discussed as a file-transfer issue, but the risk is broader. A USB device can carry malware in files, but it can also behave as a malicious device through BadUSB-style attacks, where the device acts in ways the system does not expect.
That means scanning files is necessary, but not always sufficient. Manufacturers also need to control which USB devices are allowed, why they are needed, and how they are introduced into the environment.
A practical policy should not simply ask, “Was the file scanned?” It should ask, “Why does this device need to enter OT at all?” and “Is there a safer way to move the required information?”
Controls Need to Be Fast, Clear, and Enforced
The best OT security process is the one people follow when production is under pressure.
Controls for contractor devices and USBs need to be fast, thorough, and easy to use. If a contractor is waiting while a machine is down, a slow or confusing process creates pressure to bypass security.
One practical approach discussed in the session is using a dedicated kiosk for file transfer. A contractor’s USB can be inserted into the kiosk, files can be scanned and checked, and only approved files are moved to a clean device controlled by the manufacturer. From there, the clean device can be taken into the facility.
This kind of process works because it separates the contractor’s device from the OT environment. It also gives plant teams a clear and repeatable method for moving files without relying on informal judgment.
The Policy Has to Match the Plant Reality
Manufacturers should not write removable-media policies as if the plant floor operates like an office. OT environments have different constraints. Machines may be old. Downtime may be expensive. Vendor support may be urgent. Maintenance teams may need files quickly. Engineers may be working under time pressure.
That does not mean security should be relaxed. It means the policy has to be designed for the environment where it will be used.
A strong plant-floor device policy should define:
- Which USB devices are allowed
- Whether vendor USB drives can be used directly
- How files are scanned before entering OT
- How vendor laptops are evaluated before connection
- Whether phones can transfer files into the facility
- Who approves exceptions
- Where scanning or transfer takes place
- What happens when a file or device fails inspection
- How the process is documented
The goal is to reduce judgment calls at the worst possible moment. When a production issue is active, people should not be debating whether a device is acceptable. The process should already be clear.
Security Should Reinforce Safety
Safety is the top priority in OT, followed by reliability. Manufacturers make a stronger impact when engineers understand cybersecurity as part of safety.
That framing matters. Plant teams already understand the importance of lockout/tagout, protective equipment, machine guarding, and safety procedures. Cybersecurity controls for USBs, files, and vendor laptops should be presented in the same practical language: they protect people, production, and equipment.
A simple message can help. During the session, panelists described placing a cybersecurity awareness poster near first-aid kits or eyewash stations, reinforcing the idea that only approved “clean” USB devices should be used.
That kind of communication works because it fits the plant environment. It is visible, direct, and tied to daily behavior.
The Plant Entrance Is Part of the OT Boundary
Manufacturers often think of the OT boundary as a network boundary. That is only part of the picture. The boundary also exists at the plant entrance, the maintenance bench, the engineering workstation, the USB port, and the vendor support process.
AI and cloud connectivity may be changing the OT threat model, but removable media and unmanaged devices remain practical entry points that deserve the same level of attention as network-level controls.
Related from IIoT World
- Removable Media Is Still OT’s Biggest Blind Spot
- The Shop Floor Is Still the Weakest Link in Industrial Cybersecurity
- OT Cybersecurity: First 90 Days Made Simple
This article is based on a session at IIoT World’s AI Manufacturing Day 2026, sponsored by OPSWAT. Panelists: James Turner Jr., Senior Solutions Engineer OT Cybersecurity; Itay Glick, GM Hardware and OT Security; and Mark Toussaint, Principal Product Manager, OPSWAT. Moderated by Tim Chase, Program Director, MFG-ISAC. AI tools were used to help summarize and organize the content. Reviewed and edited by the IIoT World editorial team.
Sponsored by OPSWAT. Editorially Independent.
FAQ
1. How should manufacturers handle vendor laptops in OT environments?
Manufacturers should not trust vendor laptops by default, even if the device has antivirus or endpoint protection installed. The device should be evaluated using the manufacturer’s own security stack before connecting to OT. Options include booting the device on a fresh OS for a full scan or running a quick scan directly on the device. Vendor devices move between customer sites, hotels, airports, and other networks the manufacturer does not control, which makes independent validation necessary.
2. What are the risks of USB drives in manufacturing OT?
USB drives carry risks beyond file-based malware. They can also act as malicious devices through attacks like BadUSB, where the device behaves in unexpected ways. Manufacturers need to control which USB devices are allowed, validate why a USB needs to enter OT, and use dedicated scanning kiosks to transfer files to clean, manufacturer-controlled devices before entering the production environment.
3. How can manufacturers enforce removable media policies on the plant floor?
Effective policies must be fast, thorough, and easy to use under production pressure. A practical approach is dedicating a kiosk where contractor USBs are scanned and approved files are transferred to clean devices owned by the manufacturer. Policies should define which devices are allowed, how they are scanned, who approves exceptions, and what happens when a device fails inspection. Tying cybersecurity messaging to the safety culture, such as placing awareness posters near first-aid stations, reinforces compliance.