May 2026

Your Plant Has Been Online for Years. Nobody Told Security.

For forty years, "the plant floor isn't on the internet" was the implicit security policy. It hasn't been true for a while — and the consequences are starting to arrive at the front desk.

The questions that didn't used to come

Three questions have started showing up in plant manager inboxes over the last eighteen months.

The insurance carrier wants documented evidence of OT network segmentation. The Fortune 500 customer wants a security attestation that names the PLC platforms in the plant. The CIO's office wants to know why the operator HMI workstation runs an operating system that hit end-of-support in 2020.

Each one of these questions has a sensible answer. None of them fits on a single page, and none of them used to be asked at all. Something has shifted.

What shifted, mostly, is that the implicit security model the plant has been running on for forty years quietly stopped being true. The plant floor used to be physically isolated from any network that could be reached from outside the building. That was the defense. Nobody wrote it down because it was so obvious. Today the same plant floor has remote vendor access for the OEMs, a historian feeding the cloud, an MES talking to corporate ERP, edge devices on a cellular modem, and two laptops that get plugged in by integrators that nobody has a record of. The air gap is gone. The implicit policy is gone with it. And the questions arriving at the front desk are asking what replaces both.

What changed (and when nobody told us)

Convergence didn't happen in a meeting. It happened one connector at a time over a fifteen-year period.

The HMI vendor added Ethernet to the panel in 2009 because it was cheaper to manufacture. The historian needed a bridge to a server in 2013 because that's where the dashboards lived. The remote-support port on the drive started getting used by the OEM in 2016 because flying an engineer out was expensive. The cloud connector showed up in 2019 with a software update nobody flagged. The pandemic accelerated five years of remote-access expansion into eighteen months. By 2023, every plant that called itself air-gapped was, in practice, not.

The high-profile attacks that made the headlines — Colonial Pipeline, JBS, the water utility in Florida — didn't cause this problem. They made visible a problem that had been quietly accumulating since the late 2000s. The implicit security model didn't fail at the moment of attack. It had been failing slowly for a decade, and the attacks just removed everyone's ability to pretend otherwise.

Where the OT network actually connects, then and now

Chart: share of OT network connections by type

2010 (implicit model)
Physically isolated: 90%
Some controlled connectivity: 10%

2026 (actual reality)
Physically isolated: 5%
Controlled & documented connectivity: 30%
Undocumented connectivity: 25%
External vendor access: 25%
Cloud / edge services: 15%
The implicit security model assumed physical isolation. By 2026, that assumption was a fiction in almost every plant. The visible attacks just confirmed what the architecture diagram already showed.

Why handing this to IT doesn't quite work

The first instinct, when "OT security" becomes a board-level concern, is to hand the problem to the IT team. They are professionals. They know security. They have the certifications.

This goes badly more often than it succeeds.

The IT security playbook is built around laptops, servers, and people who can log out and go home. None of those assumptions hold on a plant floor. A patch deployed to a PLC during a Patch Tuesday window is a patch deployed during a production run. Authentication friction that's appropriate on a corporate laptop is dangerous on an operator HMI during an emergency response. Network segmentation that defaults to "block by default" will break legitimate plant communications nobody documented because they predate documentation. A vulnerability scanner that politely probes a controller will, in some cases, crash the controller.

The plants that have gotten this right haven't excluded their IT teams — they've engaged them as one half of a partnership, with engineering judgment in the lead. The work is fundamentally an engineering problem with security overlay, not a security problem with engineering inconvenience.

The pattern that works

The plants we see succeeding at this share a recognizable shape.

They start with visibility, not with controls. You cannot defend an asset you don't know about. The first deliverable is a complete inventory of every controller, every HMI, every edge device, every connection in and out — most of it work that hasn't been done since the original commissioning, often decades ago. The inventory alone surfaces 30–40% of the issues that need addressing, because the problem isn't "what should we lock down" but "what's actually on the network."

They segment by the work, not by the org chart. Networks get divided based on what processes need to talk to each other — the cell, the line, the plant, the corporate network. Not based on "what does IT control vs. what does OT control," which is a political division, not a security one.

They monitor at the OT layer, with OT-specific tools. Watching for patterns that an IT system doesn't understand — a controller command that shouldn't be issued at this time of day, an engineering workstation logging in from a country it shouldn't be in, a firmware push that didn't go through change control. The IT monitoring stack is necessary but not sufficient; the OT layer needs its own.
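As an added illustration (not code from the article or from TEC), here is how the three OT-layer patterns just described can be expressed as detection rules run over a handful of constructed event records; the key=value log format, field names, site policy values (write window, allowed countries, approved change tickets) and the sample lines are all assumptions for the example:

```python
from datetime import datetime

# Constructed sample OT event log (assumed format: ISO timestamp followed by key=value pairs).
LOG = """\
2026-03-02T14:05:00 asset=PLC-L3-01 event=controller_write src=EWS-02 tag=SetPoint_1
2026-03-02T02:17:00 asset=PLC-L3-01 event=controller_write src=EWS-02 tag=SetPoint_1
2026-03-02T09:40:00 asset=EWS-02 event=login user=integrator1 country=US
2026-03-02T09:42:00 asset=EWS-02 event=login user=integrator1 country=RO
2026-03-02T11:00:00 asset=PLC-L3-02 event=firmware_push src=EWS-01 change_ticket=CHG-1042
2026-03-02T11:30:00 asset=PLC-L3-02 event=firmware_push src=EWS-01 change_ticket=none
"""

# Site-specific policy (assumed values): controller writes are expected only on the
# day shift, engineering logins only from listed countries, and every firmware push
# must reference a ticket that went through change control.
WRITE_WINDOW = (6, 22)                  # local hours: start inclusive, end exclusive
ALLOWED_LOGIN_COUNTRIES = {"US", "CA"}
APPROVED_TICKETS = {"CHG-1042"}


def parse(line):
    """Turn one log line into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = ts
    return record


def detect(log_text):
    """Return (rule, asset, timestamp) alerts for events that break site policy."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        hour = datetime.fromisoformat(rec["ts"]).hour
        event = rec.get("event")
        if event == "controller_write" and not (WRITE_WINDOW[0] <= hour < WRITE_WINDOW[1]):
            alerts.append(("write_outside_window", rec["asset"], rec["ts"]))
        elif event == "login" and rec.get("country") not in ALLOWED_LOGIN_COUNTRIES:
            alerts.append(("login_from_unexpected_country", rec["asset"], rec["ts"]))
        elif event == "firmware_push" and rec.get("change_ticket") not in APPROVED_TICKETS:
            alerts.append(("firmware_push_without_change_control", rec["asset"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, asset, ts in detect(LOG):
        print(f"{ts} {asset}: {rule}")
```

Each rule only fires on the second line of its pair; the first line of each pair is the normal case that an IT-layer tool would see as identical traffic.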

They put an accountable owner on the plant side. Somebody who speaks both languages, who can adjudicate when IT policy and plant operations come into conflict, and who has authority to make the call when they do. Without this role, the program drifts. With it, the work gets done.

Where the OT security budget actually goes

Chart: share of OT security budget by category

Visibility & asset inventory: 35%
Segmentation architecture & implementation: 25%
OT-aware monitoring & response: 20%
Governance, ownership & training: 15%
Tooling licenses: 5%
The plant that thinks OT security is "buy a tool" is the plant that will spend 75% of the budget on the 5% slice. The plants that get this right invest where the actual work lives.

What this changes for your modernization plan

Here's the part most security pitches don't tell you: the right time to do this work is during a modernization you were already going to do.

A PLC migration is a security project. A new data platform is a security project. A SCADA upgrade is a security project. Each one is touching the network architecture, the asset inventory, the access patterns, and the ownership model that OT security depends on. Doing the security work as part of those projects costs a fraction of doing it separately — and produces a much cleaner result, because the security architecture and the operational architecture are designed against each other rather than retrofitted.

The plants treating OT security as a standalone capital project are spending more for a less integrated result. The plants folding it into their modernization rhythm are arriving at the same destination at substantially lower total cost, with the side benefit that the modernized system is finally documented well enough to defend.

TEC take: OT security in 2026 isn't a project. It's a property of the engineering work you're already doing. The integrators who treat it as a separate billing line are usually the ones who do it badly — because their security people don't speak to their controls people, and the plant pays for the gap.

Where this is going

The questions arriving at the front desk are going to keep arriving. The insurance carriers will keep asking harder questions. The Fortune 500 customers will keep requiring attestations. The regulators — federal, state, sector-specific — will keep adding requirements. None of this is going to reverse.

The good news, such as it is, is that the work is knowable. The pattern that succeeds is recognizable. The mistakes are well-documented. The plants that started this conversation in 2022 are quietly compliant in 2026, spending normal operating dollars on security maintenance. The plants that didn't are going to spend 2027 in catch-up mode, paying premium rates for emergency work that should have been planned.

This is one of the more solvable problems on the modern plant manager's desk. It just needs to actually be solved — preferably folded into the modernization that's already in the budget.

If you're staring at an insurance audit, a customer attestation request, or a stalled OT security conversation between IT and engineering, that's the conversation we like having.
