Starting Smart: The First 90 Days of an OT Cybersecurity Program


Cyber threats targeting manufacturing environments are becoming more sophisticated—and more relentless. But for many industrial organizations, the biggest challenge isn’t dealing with ransomware. It’s knowing where to start.

In the session “From the Concrete to the Carpet: Assessing and Navigating OT Risk” at IIoT World Manufacturing Day 2025, cybersecurity leaders from Armis, Olin, and Fortinet laid out clear, actionable steps for manufacturers taking their first steps toward operational resilience. The consensus: you don’t need to boil the ocean—just start with what you can control.

Step 1: Get Eyes on the Network

Before deploying any controls, you need visibility. That means understanding exactly what’s in your environment, how it’s communicating, and what shouldn’t be there. In OT, that’s not always straightforward—many networks rely on tribal knowledge, outdated spreadsheets, or informal lists stored in someone’s desk drawer.

A modern passive asset discovery tool can map out your environment without disrupting operations. This not only gives security teams a foundational inventory but also provides early detection of unknown or rogue devices.

Step 2: Segment—But Do It Right

Once you can see your environment, the next step is network segmentation. While manufacturers often understand the need to isolate OT from IT, poor segmentation remains common—and dangerous. One critical tip: block traffic initiated from the IT/business network into the OT environment. Let the plant network “talk up,” not the other way around.

Smart segmentation doesn’t require tearing everything down. Start with critical assets or high-value production lines. Isolate where the risk is highest, and build out from there.
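The checks from Steps 1 and 2, as an added example that is not from the article or the session: a Python audit over flow records from a passive monitoring tool that flags connections opened into OT from outside it and OT addresses missing from the inventory. The zone subnets, the inventory, the record format (initiator, responder, port) and the sample flows are constructed assumptions.

```python
import ipaddress

# Constructed zone map and OT inventory (assumptions, not from the article).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("192.168.50.0/24"),
}
OT_INVENTORY = {"192.168.50.10", "192.168.50.11", "192.168.50.20"}

# Constructed flow records: initiator_ip,responder_ip,responder_port
SAMPLE_FLOWS = """\
192.168.50.10,10.10.5.20,443
10.10.7.33,192.168.50.11,502
192.168.50.10,192.168.50.11,44818
192.168.50.77,192.168.50.20,502
10.10.5.20,10.10.5.21,445
"""

def zone_of(ip):
    """Return the zone name for an address, or UNKNOWN if it is unmapped."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a bad address
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def audit_flows(text):
    """Return (line_number, finding_kind, detail) tuples for policy violations."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src, dst, port = (f.strip() for f in line.split(","))
            src_zone, dst_zone, port = zone_of(src), zone_of(dst), int(port)
        except ValueError:
            findings.append((lineno, "malformed", line.strip()))
            continue
        # Step 2: only OT hosts may open connections to OT hosts.
        if dst_zone == "OT" and src_zone != "OT":
            findings.append((lineno, "inbound-to-ot", f"{src} -> {dst}:{port}"))
        # Step 1: any OT address missing from the inventory is unknown.
        for ip, zone in ((src, src_zone), (dst, dst_zone)):
            if zone == "OT" and ip not in OT_INVENTORY:
                findings.append((lineno, "unknown-ot-asset", ip))
    return findings

if __name__ == "__main__":
    print(*audit_flows(SAMPLE_FLOWS), sep="\n")
```

The OT-to-IT flow on the first sample line passes because the plant side opened it; the same pair of hosts with the direction reversed would be flagged.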

Step 3: Recruit an OT Ally

One of the most overlooked success factors in OT security is not technical—it’s human. Identify someone within operations who understands both plant realities and cyber requirements. Make them part of your core security team.

This insider can translate between the cybersecurity and plant operations teams, helping you avoid friction, reduce miscommunication, and implement policies that won’t get ignored or overridden.

Step 4: Plan for Exceptions

In IT, it’s common to patch weekly. In OT, you may only touch a system once every three years. Accept it—and build around it. This means documenting exceptions, setting reminders, and aligning compensating controls like network monitoring or endpoint restrictions.

Also critical: a risk acceptance process. If a system can’t be patched or hardened, document why, when it will be addressed, and who signed off. Without this, security teams may be left holding the blame for something they had no power to change.

Step 5: Think Beyond Compliance

Finally, don’t confuse frameworks with outcomes. Whether you’re using NIST 800-82, IEC 62443, or CIS Controls, these are tools, not finish lines. Use them to guide your architecture and priorities, but adapt them to your environment. OT cyber maturity is a journey, not a checklist.

Start Small. Start Now. But Start.

You don’t need a million-dollar budget to make meaningful progress. You just need the right strategy, the right partners, and internal alignment. Because in cybersecurity, action beats perfection every time.

This article is based on insights from the session “From the Concrete to the Carpet: Assessing and Navigating OT Risk”, part of IIoT World’s Manufacturing Day 2025, sponsored by Fortinet.
