The 90% Legacy Reality
Plant managers and OT engineers confirm from direct experience: ninety percent of OT (Operational Technology) systems run legacy operating systems. NIST manufacturing research documents the challenge: production equipment runs software that can’t be patched, can’t be replaced, and can’t be secured by modern standards.
The MSP that excels at IT infrastructure may have zero OT capability. That gap creates exposure in manufacturing environments.
The OT-IT Convergence Problem
Manufacturing increasingly connects OT to IT networks:
| Driver | Benefit | Risk |
|---|---|---|
| Data collection | Production visibility | Attack surface expansion |
| Remote monitoring | Efficiency | Unauthorized access |
| Predictive maintenance | Uptime improvement | Connectivity exposure |
| Supply chain integration | Coordination | Third-party risk |
| Cloud analytics | Advanced insights | Data exposure |
Each connection adds value. Each connection adds vulnerability.
The Air Gap Myth
“Our OT is air-gapped” is usually false. Air gaps erode through:
USB transfers. Data moves via removable media.
Vendor connections. Equipment vendors require remote access.
Monitoring connections. Sensors report to IT systems.
Temporary connections. “Just for this update” becomes permanent.
Wireless proliferation. WiFi devices bridge intended isolation.
True air gaps are rare. Assumed air gaps are dangerous.
The Downtime Economics
Manufacturing downtime costs dwarf IT system downtime:
| Environment | Hourly Downtime Cost | Priority Level |
|---|---|---|
| Office IT | $1,000-10,000 | Standard |
| Warehouse | $5,000-50,000 | Elevated |
| Production line | $50,000-500,000 | Critical |
| Continuous process | $100,000-1,000,000+ | Extreme |
These economics explain why OT patches don’t get applied. The perceived risk of patching (an outage on the line) exceeds the perceived risk of leaving the system unpatched.
The Patching Paradox
OT patching faces barriers IT doesn’t experience:
Vendor certification. Equipment vendor must certify patches.
Production scheduling. Downtime windows are scarce and valuable.
Testing constraints. No test environment mirrors production.
Rollback risk. Failed patch may not be reversible.
Age limitations. Legacy systems may not have patches available.
Result: OT systems remain unpatched for years while IT systems update monthly.
The Skill Gap
IT skills and OT skills differ significantly:
| Domain | IT Expertise | OT Expertise |
|---|---|---|
| Operating systems | Windows, Linux | Windows XP, proprietary RTOS |
| Protocols | TCP/IP, HTTP | Modbus, OPC, BACnet |
| Security model | Defense in depth | Availability first |
| Change process | Agile, frequent | Rigid, infrequent |
| Failure impact | Productivity loss | Safety risk, production stop |
Expecting IT-focused MSPs to manage OT without additional expertise creates gaps.
The Safety-Security Balance
OT security must balance with safety:
Safety instrumented systems (SIS). Security controls must not interfere with safety functions.
Emergency stop capability. Security cannot prevent legitimate emergency actions.
Fail-safe behavior. Security failures must fail to safe states.
Human factors. Security controls must not create unsafe operator behaviors.
IT security practices applied without OT awareness can compromise safety.
The Vendor Access Problem
OT equipment vendors require access for support:
Remote access connections. Often always-on, minimally secured.
Credential management. Shared passwords, rarely changed.
Activity logging. Minimal visibility into vendor actions.
Scope creep. Access for one system extends to others.
Supply chain risk. Vendor compromise creates client compromise.
Vendor access is necessary and dangerous. Managing it requires explicit controls.
The Network Segmentation Imperative
OT-IT segmentation is foundational defense:
| Segmentation Level | Protection | Implementation Complexity |
|---|---|---|
| None (flat network) | None | N/A |
| VLAN separation | Basic | Low |
| Firewall between zones | Moderate | Medium |
| DMZ for data exchange | Strong | High |
| Complete air gap | Maximum | Very high |
Most manufacturing environments need at least firewall-based segmentation. Many lack it.
The Monitoring Gap
OT monitoring differs from IT monitoring:
Asset visibility. Many OT assets are unknown to IT systems.
Protocol support. Standard IT tools don’t understand OT protocols.
Baseline differences. Normal OT traffic patterns differ from IT.
Detection rules. IT-focused detection misses OT-specific attacks.
Response constraints. Automated response that works in IT may be dangerous in OT.
OT-specific monitoring tools exist. Integration with IT monitoring is challenging.
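The protocol-support and baseline points above, as an added example that is not from the original article: a small allowlist-baseline detector over Modbus/TCP flow records. It assumes a collector has already decoded each flow into client, PLC, unit id and function code; the hosts, addresses and baseline roles are constructed for illustration. An IT-style rule sees only normal internal TCP/502 traffic here; the OT-aware check flags a write function code from a read-only role and a client the baseline has never seen, and it only alerts, since automated blocking is exactly the response the section warns against.

```python
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change PLC state (subset from the Modbus spec):
# 5/6 write single coil/register, 15/16 write multiple, 22/23 mask/read-write.
WRITE_CODES = {5, 6, 15, 16, 22, 23}

@dataclass(frozen=True)
class Flow:
    src: str        # client IP
    dst: str        # PLC IP (Modbus/TCP, port 502)
    unit_id: int    # Modbus unit (slave) id
    function: int   # Modbus function code

# Assumed baseline learned during a quiet period (constructed values):
# which client may talk to which PLC, and whether it may ever write.
BASELINE = {
    ("10.1.1.10", "10.2.0.5"): {"role": "engineering", "write": True},
    ("10.1.1.20", "10.2.0.5"): {"role": "hmi", "write": False},
    ("10.1.1.30", "10.2.0.5"): {"role": "historian", "write": False},
}

def evaluate(flow: Flow) -> Optional[str]:
    """Return an alert string for a baseline deviation, else None.
    Alert only: no automated blocking, because that can stop production."""
    entry = BASELINE.get((flow.src, flow.dst))
    if entry is None:
        return f"unknown client {flow.src} -> PLC {flow.dst} (fc={flow.function})"
    if flow.function in WRITE_CODES and not entry["write"]:
        return (f"{entry['role']} host {flow.src} issued write fc={flow.function} "
                f"to PLC {flow.dst} unit {flow.unit_id}")
    return None

def scan(flows):
    """Run evaluate() over a batch of flows and collect the alerts."""
    return [a for f in flows if (a := evaluate(f)) is not None]

# Constructed sample traffic: HMI read, historian read, engineering write
# (all normal), then a historian write and a never-seen client (both alerts).
SAMPLE = [
    Flow("10.1.1.20", "10.2.0.5", 1, 3),
    Flow("10.1.1.30", "10.2.0.5", 1, 3),
    Flow("10.1.1.10", "10.2.0.5", 1, 16),
    Flow("10.1.1.30", "10.2.0.5", 1, 6),
    Flow("10.1.1.99", "10.2.0.5", 1, 3),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("ALERT:", alert)
```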
The Incident Response Complication
OT incidents require different response:
Containment constraints. Can’t isolate production systems without production impact.
Investigation access. OT systems may not support forensic tools.
Recovery priorities. Production restoration may override evidence preservation.
Safety considerations. Response actions must not create safety hazards.
Vendor involvement. Equipment vendors may be required for recovery.
Incident response plans must address OT specifically, not assume IT procedures apply.
The MSP OT Capability Assessment
Evaluating MSP OT capability:
Experience questions:
- What manufacturing clients do you serve?
- What OT protocols do you understand?
- What OT security certifications do your staff hold?
- What OT security tools do you use?
- What OT incidents have you responded to?
Capability indicators:
- Specific OT service offerings
- Industrial control system expertise
- Safety-critical system experience
- Vendor relationship management experience
MSPs strong in IT may need partnerships for OT capability.
The Regulatory Landscape
Manufacturing faces increasing OT security regulation:
| Framework | Focus | Applicability |
|---|---|---|
| NIST CSF | General cybersecurity | Broad |
| IEC 62443 | Industrial control systems | Manufacturing |
| NERC CIP | Power generation | Energy sector |
| CFATS | Chemical facilities | Chemical manufacturing |
| FDA 21 CFR Part 11 | Pharmaceutical | Life sciences |
Compliance requirements may mandate OT security controls that current capabilities don’t support.
Building OT Security
Effective OT security with MSP partnership:
Asset inventory. Know what exists before securing it.
Network architecture. Segment OT from IT appropriately.
Monitoring capability. OT-aware detection and response.
Patch management strategy. Realistic approach given OT constraints.
Vendor access controls. Managed third-party access.
Incident response planning. OT-specific procedures.
Skill development. OT security training for relevant staff.
The MSP relationship must acknowledge OT requirements explicitly. Assumptions create gaps.
Sources
- OT legacy system prevalence: NIST manufacturing research
- OT-IT convergence trends: Industrial cybersecurity research
- Manufacturing downtime costs: Operational technology industry analysis