Industry Insights
Cybersecurity Best Practices for Industrial Automation
Why culture, architecture, and control must anchor the next phase of OT security.
Industrial automation has always carried risk. What’s changed over the past decade is the scale, speed, and consequence of that risk.
Where control systems were once isolated, proprietary, and difficult to access, today they are connected, standardized, and increasingly integrated with enterprise and cloud platforms. The same Ethernet connectivity and open protocols that enable digital transformation also expand the attack surface.
For manufacturers, there’s no question that cybersecurity needs to be applied diligently and proactively to operations. Questions instead revolve around how to build an approach that protects uptime, safety, and intellectual property without crippling productivity.
Cybersecurity in OT is no longer optional, and it’s no longer just an IT problem.
From Air Gaps to Always Connected
Ken Crawford, senior director of automation at Weidmuller USA, has watched the evolution firsthand. With some 35 years in the business, he remembers a time when the control systems and PLCs were essentially impossible to access remotely.
“Even if you had access, it was next to impossible to understand how to hack a system because most of the systems were heavily closed-architected,” he says. “The communication wasn’t based on standards.”
That world no longer exists.
“The biggest change has been the proliferation of Ethernet connectivity going down the distributed line of control — HMIs, PLCs, drives, servers,” Crawford says. “The drive for digital transformation, where we’re pushing to have access all the way down to the sensor, makes these cyber vulnerabilities really consequential and deep.”

At the same time, the motivation of attackers has shifted. It’s not just about stealing personal data anymore.
Ransomware could shut down an entire production floor. And if a plant is losing millions of dollars an hour, it doesn’t take long before a ransom demand looks small by comparison, Crawford notes.
In manufacturing, anything that interferes with safety systems, production IP, or sensitive data is going to be a top concern, notes Lauren Blocker, cybersecurity services sales executive at Rockwell Automation. “The statistics show that manufacturing is the number one target for cybercrime for three years running,” she says. “Ransomware is the most well-known incident type.”
Connectivity brings operational benefits. But it also brings exposure.
The “It Can’t Happen to Me” Problem
Despite growing awareness, misconceptions persist. Blocker identifies three recurring themes:
- “It can’t happen to me.”
- “Other teams are responsible for this.”
- “The tooling/policies/expertise we have for IT will also protect OT assets.”
Crawford sees a similar complacency, especially among smaller operations. “A lot of companies say, ‘Nobody really cares about what we’re doing here.’”
But the reality is, the amount of malicious traffic on the internet is enormous, and it’s not necessarily targeted.
To illustrate the point, Crawford describes a simple test his team ran. They connected a system to the cloud and did nothing but monitor traffic. “We thought we might catch one or two hits throughout the week,” he says. “We were automatically inundated within the first hour with over 200 hits.”
Those weren’t targeted attackers; they were bots scanning for vulnerabilities. The volume alone underscores the reality: exposure is constant, and the bots don’t care who they hit.
Foundational Practices: What’s Non-Negotiable?
Cybersecurity can feel overwhelming. The frameworks are complex, the terminology dense, and the stakes high. But experts consistently return to a handful of foundational practices.
Know What You Have
“Think about this as table stakes,” Blocker says. “Know and contextualize your OT assets down to the asset layer, obtain timely insights into vulnerabilities, deploy a defensible architecture, and develop and test OT-centric incident response plans.”
Asset inventory isn’t glamorous, but you can’t protect what you don’t understand.
Replace Unmanaged Infrastructure
Jeff Smith, CTO of Dynics, takes a pragmatic view: “Cybersecurity is a large animal to eat. Start with smaller bites, as budget and production allow,” he says. “The easiest place to start is get rid of unmanaged switches and move to managed switches.”
Unmanaged switches provide no visibility or control. Managed switches are the gateway to segmentation, policy enforcement, and disciplined network design.
Segment Intelligently
Segmentation is widely recommended, but how it’s implemented matters. The traditional Purdue Model has long guided OT network architecture, but Smith argues that modern connectivity challenges its assumptions.
“The Purdue Model was really designed for physical segmentation. It wasn’t designed for the levels of interconnectivity we have today,” he explains. “Cyber attacks don’t respect layer boundaries. A lot of attacks are lateral.”
Instead, Smith advocates micro-segmentation: tightly controlled conduits between clearly defined zones. “It’s easier to put a cap on the bottle if your bottle has a very tight pipe in and out,” he says. “You could compromise one assembly system, but you can’t get to anything else.”
He summarizes his philosophy succinctly:
- IT philosophy: Allow everything but that which you know or suspect to be bad.
- OT philosophy: Allow nothing but that which you explicitly know to be good.
That deny-by-default posture aligns with the IEC 62443 zones-and-conduits approach, which focuses on defining what must be protected and strictly controlling traffic between security zones.
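To make the two philosophies concrete, here is an added example (not code from the article, Dynics, or any standard) that evaluates the same set of traffic flows under an IT-style default-allow policy and an OT-style default-deny conduit list. The zones, the conduit entries and the sample flows are constructed; the port numbers are illustrative protocol defaults. A move between two assembly cells is the case Smith describes: it passes under default-allow and is refused under default-deny because no conduit for it was ever defined.

```python
"""Zones-and-conduits policy check (added example, not from the article).

Zone names, conduit entries and sample flows are constructed. Each flow is
judged twice: once by a blocklist (allow everything not known bad) and once
by an explicit conduit list (allow nothing not known good).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    port: int


# OT posture: the only traffic permitted between zones. Constructed example values.
CONDUITS = {
    ("mes_dmz", "cell_a", "tcp", 44818),    # MES to cell A controller (EtherNet/IP)
    ("mes_dmz", "cell_b", "tcp", 44818),    # MES to cell B controller
    ("cell_a", "historian", "tcp", 5432),   # cell A pushes data to the historian
    ("cell_b", "historian", "tcp", 5432),   # cell B pushes data to the historian
    ("jump_host", "cell_a", "tcp", 3389),   # supervised remote session into cell A
}

# IT posture: only traffic known or suspected to be bad is refused. "any" is a wildcard.
BLOCKLIST = {
    ("any", "any", "tcp", 23),   # telnet
}


def decide_default_deny(flow: Flow) -> bool:
    """Allow nothing but that which is explicitly known to be good."""
    return (flow.src_zone, flow.dst_zone, flow.proto, flow.port) in CONDUITS


def decide_default_allow(flow: Flow) -> bool:
    """Allow everything but that which is known or suspected to be bad."""
    for src, dst, proto, port in BLOCKLIST:
        if (src in ("any", flow.src_zone) and dst in ("any", flow.dst_zone)
                and proto == flow.proto and port == flow.port):
            return False
    return True


def evaluate(flows):
    """Return (flow, default-allow decision, default-deny decision) for each flow."""
    return [(f, decide_default_allow(f), decide_default_deny(f)) for f in flows]


# Constructed sample flows, including the lateral case the article warns about.
SAMPLE_FLOWS = [
    Flow("mes_dmz", "cell_a", "tcp", 44818),   # legitimate MES -> cell A
    Flow("cell_a", "cell_b", "tcp", 44818),    # cell A reaching into cell B (lateral)
    Flow("cell_a", "mes_dmz", "tcp", 445),     # SMB from a cell back into the DMZ
    Flow("cell_a", "cell_b", "tcp", 23),       # telnet: the only flow the blocklist stops
]

if __name__ == "__main__":
    for flow, it_ok, ot_ok in evaluate(SAMPLE_FLOWS):
        print(f"{flow.src_zone:>9} -> {flow.dst_zone:<9} {flow.proto}/{flow.port:<5} "
              f"default-allow={'ALLOW' if it_ok else 'DENY'}  "
              f"default-deny={'ALLOW' if ot_ok else 'DENY'}")
```

The blocklist has to anticipate every bad flow to be useful; the conduit list only has to describe the handful of flows the process actually needs, which is why it is the workable posture for a plant network.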
Prevention Before Monitoring
Visibility is important, but it is not a silver bullet. “Monitoring and visibility as a solution is a bill of goods that is being sold to folks as the end-all-do-all,” Smith says. “It is important. But visibility without control is not cybersecurity. Prevention should be first and foremost. Adopt a deny-by-default posture.”
Monitoring tells you when you’ve been infected. Architecture and policy help prevent infection in the first place.
Access and Authentication: The Weakest Link
If there’s one area where risk continues to outpace discipline, it’s access control.
Blocker notes that default passwords still appear in critical infrastructure. “Or worse, the password on a sticky note.”
Crawford emphasizes role-based access and time-bound permissions, especially for remote connections. “You shouldn’t have an always-on VPN,” he says. “You should have access that is timed. Grant access for an hour or two, and then it automatically shuts down.”
Multi-factor authentication, elimination of shared credentials, forced password changes, and role-based permissions are no longer advanced practices — they are baseline expectations.
Smith highlights another challenge: complex authentication chains across PLCs, middleware, MES, ERP, maintenance systems, etc. “All of that has to be managed and maintained,” he says. “I see countless examples of this failing across OT organizations and systems.”
In short, authentication cannot be an afterthought. It must be designed and enforced deliberately.
Secure Remote Access: Standardize or Suffer
Remote access is unavoidable. The pandemic accelerated its adoption, and operational efficiency ensures it will remain. The question is whether it’s controlled.
“Lots of methods are typically being deployed with little to no visibility from an enterprise perspective,” Blocker says.
A best practice, she says, looks like this: “An organization leverages a single enterprise-wide and OT-centric platform to enable remote access to systems in the environment, while ensuring real-time visibility and records of changes made.”
Smith warns against ad hoc tools such as unmanaged remote desktop utilities. Shortcuts taken to solve immediate problems often create disproportionate risk.
Least privilege and dynamic, policy-based authentication should govern every remote session.
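The timed, role-based access Crawford describes and the least-privilege session policy above can be expressed as a small authorization routine. The following is an added example, not code from the article or from any vendor platform: a grant is issued to a named user, in a named role, for one zone and a fixed window, and every session request is checked against MFA status, the window, the zone and the role's permissions, with each refusal carrying a reason for the audit log. Users, roles, zones, the reference time and the eight-hour cap are constructed assumptions.

```python
"""Time-bound, role-based remote access grants (added example, not from the article).

Roles, zones, users and timestamps are constructed. Once a grant's window
closes it is refused without anyone having to remember to revoke it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MINUTE = timedelta(minutes=1)
HOUR = timedelta(hours=1)
T0 = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)  # constructed reference time
MAX_GRANT_HOURS = 8  # assumption: no grant outlives a shift

# Role -> allowed (zone, action) pairs. Constructed example.
ROLE_PERMISSIONS = {
    "vendor_support": {("cell_a", "view"), ("cell_a", "upload_program")},
    "operator": {("cell_a", "view"), ("cell_b", "view")},
    "escalation": {("cell_a", "view"), ("cell_a", "isolate"),
                   ("cell_b", "view"), ("cell_b", "isolate")},
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    zone: str
    issued_at: datetime
    expires_at: datetime
    mfa_verified: bool


def issue_grant(user, role, zone, now=T0, hours=2, mfa_verified=False) -> Grant:
    """Create a grant valid only for `hours` from `now`."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    if not 0 < hours <= MAX_GRANT_HOURS:
        raise ValueError(f"grant length must be between 0 and {MAX_GRANT_HOURS} hours")
    return Grant(user, role, zone, now, now + hours * HOUR, mfa_verified)


def authorize(grant: Grant, zone: str, action: str, now: datetime):
    """Return (allowed, reason). Every refusal names its cause for the audit log."""
    if not grant.mfa_verified:
        return False, "mfa not verified"
    if now < grant.issued_at:
        return False, "grant not yet valid"
    if now >= grant.expires_at:
        return False, "grant expired"
    if zone != grant.zone:
        return False, "zone not covered by grant"
    if (zone, action) not in ROLE_PERMISSIONS[grant.role]:
        return False, f"role {grant.role!r} lacks {action!r} on {zone!r}"
    return True, "ok"


def audit_line(grant: Grant, zone: str, action: str, now: datetime) -> str:
    """One line per decision, allow or deny, so the record of access is complete."""
    allowed, reason = authorize(grant, zone, action, now)
    return (f"{now.isoformat()} user={grant.user} role={grant.role} zone={zone} "
            f"action={action} decision={'ALLOW' if allowed else 'DENY'} reason={reason}")


if __name__ == "__main__":
    g = issue_grant("vendor1", "vendor_support", "cell_a", hours=2, mfa_verified=True)
    for minutes in (5, 90, 125):   # inside the window, inside, and past it
        print(audit_line(g, "cell_a", "upload_program", T0 + minutes * MINUTE))
    print(audit_line(g, "cell_b", "view", T0 + 5 * MINUTE))   # wrong zone
```

Expiry is enforced at every request rather than by a cleanup job, so a forgotten grant cannot become the always-on VPN the article warns against.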
Culture Beats Technology
Technology alone cannot secure a plant floor. “The most basic thing manufacturers need to focus on is training,” Crawford says. “Cybersecurity training. Building up a culture of awareness.”
But training must be practical and role-based. Crawford describes tailoring guidance to specific roles. An operator might be trained to recognize abnormal HMI behavior — sluggish screens or unusual responses — as potential indicators of compromise. An escalation team, by contrast, must know exactly how to isolate systems, review logs, and initiate restoration procedures.
Smith cautions against unrealistic expectations. “It’s very difficult to train a controls engineer for a what if that might be a never,” he says. “How does one expect a controls engineer to recall what to do in the event of a cyber incident when they had the class two years ago?”
Instead, organizations should identify trained specialists and document remediation procedures. “It’s more important to have identified, trained staff who those people can go to in the event of a breach or issue,” Smith says.
Blocker reinforces the need to “meet your user community where they are and make their training meaningful to their day to day.” In one case she recalls, cyber training was delivered exclusively by email — yet plant floor operators did not have company email accounts. The entire cohort was missed in the training effort.
Effective training is frequent, visible, and relevant. Crawford puts it bluntly: “If training ignores reality, then the reality is going to ignore the training.”
Above all, culture matters. “Culture beats technology every single time,” Crawford says. “If you’ve got a culture of people that are very security-minded, that is much more valuable than trying to rely only on network segmentation with managed switches.”
Legacy Systems Bring Inherited Risk
Digital transformation rarely happens in a greenfield environment. Legacy equipment often lacks modern security controls and was never designed with cybersecurity in mind.
“When you take a legacy system and put it online, you’re inheriting all of that legacy risk,” Crawford explains. That includes unsecured ports, outdated operating systems, and default behaviors such as booting from USB.
The solution is rarely immediate replacement. Instead, manufacturers must apply compensating controls — segmentation, strict access policies, and monitoring — to contain risk until modernization is feasible.
Blocker advises incorporating cybersecurity requirements directly into specifications for plant expansions and modernization projects. “Think secure by design,” she says.
Cybersecurity should be embedded in procurement, not bolted on after commissioning. Secure by design means a system can be updated remotely, backed up easily, and returned to a known or previous state.
“It means that there is security built into the very DNA of the device,” Crawford says. “The entire architecture, from the ground up, is built to enable safety, to detect intrusion, to prevent malicious intrusions from making a permanent impact on the operation of that piece of equipment, and to allow visibility and access to that device while maintaining the integrity of the device itself.”
Incident Response Needs to Be Tested
Despite best efforts, incidents happen. What separates organizations that recover quickly from those that struggle? Preparation.
“Having a tried and tested playbook for incident response is a game changer,” Blocker says, “keeping the bad day from becoming the worst day.”
Crawford underscores the importance of validated backups. “Backed-up data that is not proven to restore is just hope,” he says. Restoration drills are essential, not optional.
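A restore drill of the kind Crawford calls for can be automated. The following is an added example, not code from the article or from any vendor backup product: it creates a small constructed stand-in for a controls project, backs it up to a tar archive together with a SHA-256 manifest, then proves the backup by restoring it into a scratch directory and checking every file against the manifest. The tamper option simulates an archive that silently drifted from what was recorded, which is the case a drill must catch. File names and contents are constructed placeholders, not real controller data.

```python
"""Backup restore drill with integrity verification (added example, not from the article).

Backs up a constructed project directory with a SHA-256 manifest, restores
it into a scratch directory, and verifies every file. Prints nothing unless
run directly; the report dict is the result.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-in for project files (not real controller data).
SAMPLE_FILES = {
    "config/recipes.csv": b"recipe,setpoint\nA,42\nB,37\n",
    "hmi/screens.xml": b"<screens><screen name='main'/></screens>",
    "plc/line1_program.bin": b"\x00\x01constructed PLC program image\x02\x03",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compute_manifest(source: Path) -> dict:
    """Relative path -> sha256 for every file under `source`."""
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def write_archive(source: Path, archive: Path) -> None:
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(source).as_posix())


def make_backup(source: Path, archive: Path) -> dict:
    """Archive `source`, write the manifest beside it, and return the manifest."""
    manifest = compute_manifest(source)
    write_archive(source, archive)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and verify against the manifest."""
    report = {"restored": 0, "missing": [], "mismatched": [], "rejected": [], "ok": False}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(str(archive), "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse any entry that could write outside the scratch directory.
                parts = Path(member.name).parts
                if member.name.startswith("/") or ".." in parts or not member.isfile():
                    report["rejected"].append(member.name)
                    continue
                tar.extract(member, str(dest))
                report["restored"] += 1
        for rel, digest in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != digest:
                report["mismatched"].append(rel)
    report["ok"] = not (report["missing"] or report["mismatched"] or report["rejected"])
    return report


def run_drill(tamper: bool = False) -> dict:
    """Build the constructed project, back it up, and run the drill end to end."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "project"
        for rel, data in SAMPLE_FILES.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        archive = work / "project.tar.gz"
        manifest = make_backup(source, archive)
        if tamper:
            # Simulate drift: the archive on disk is rewritten after the manifest was recorded.
            (source / "config/recipes.csv").write_bytes(b"recipe,setpoint\nA,99\n")
            write_archive(source, archive)
        return restore_drill(archive, manifest)


if __name__ == "__main__":
    print("clean backup :", run_drill())
    print("drifted backup:", run_drill(tamper=True))
```

The restore step always goes to a scratch location, so the drill can run on a schedule without touching the live system; a backup only counts as proven when the report comes back with nothing missing, nothing mismatched and nothing rejected.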
Organizations with a “control/prevention first methodology” and a defined remediation plan fare far better than those relying solely on detection, Smith adds.
Incident response must be OT-centric, tested regularly, and understood by both engineering and IT teams.
Bridging the IT and OT Gap
For years, tension between IT and OT slowed progress. Crawford acknowledges that mistrust still exists, but he sees improvement.
Newer generations of engineers are more comfortable with networking, wireless connectivity, and cloud integration. At the same time, IT professionals increasingly recognize the operational consequences of downtime in industrial environments.
True resilience requires collaboration. “It becomes a dance between the engineers and IT,” Crawford says. Control engineers must understand cybersecurity implications, and IT teams must appreciate process and safety impacts.
Cybersecurity in automation is no longer about defending layers in isolation. It’s about aligning people, architecture, and operations around shared risk.
A Program, Not a Project
Perhaps the most important takeaway is this: Cybersecurity is not a one-time initiative.
“For leaders, this is not a one-size-fits-all task; there is no quick fix,” Blocker emphasizes. “To gain maturity in OT cybersecurity, start with a programmatic approach in mind.”
That program should:
- Inventory and contextualize assets
- Replace unmanaged infrastructure
- Implement zone-based or micro-segmented architectures
- Enforce least privilege and strong authentication
- Standardize remote access
- Train roles appropriately
- Test backups and incident response plans
- Continuously reassess risk
As Crawford puts it, “Cybersecurity is an operational discipline for an organization, not a project or not just a training moment.”
In a world where cloud analytics can reach directly to a plant-floor sensor, and ransomware can idle a production line in minutes, discipline is not optional.
For manufacturers pursuing automation, digital transformation, and competitive advantage, cybersecurity is not just about protecting data. It is about protecting uptime, safety, and the integrity of the industrial enterprise itself.