OT Security in SMEs: Why Production is the Next Target
Ransomware groups have a new favorite target: production facilities. The logic is simple – shutting down manufacturing forces payment faster than data encryption. Yet, most small and medium-sized manufacturing companies have not yet considered OT security. The separation of IT and OT no longer exists in practice.
TL;DR
- Dragos Report 2025: 72 percent increase in OT attacks compared to the previous year
- Average downtime costs for OT incidents: 1.2 million EUR/day (Claroty)
- NIS2 now includes manufacturing companies with 50 or more employees
- 60 percent of SMEs lack segmentation between IT and OT
Why OT is Now in the Crosshairs
The convergence of IT and OT has significantly expanded the attack surface of production facilities. Machines that were once air-gapped are now accessible via remote maintenance access, IoT sensors, and cloud connections. A compromised IT network is often just one hop away from production control.
OT is attractive to ransomware groups: the pain threshold is low (every hour of downtime costs six figures), the willingness to pay is high, and security maturity is low. Groups like LockBit and BlackCat specifically target manufacturing companies.
The Segmentation Gap
In theory, IT and OT are separate networks. In practice: flat networks without segmentation, remote desktop access to SCADA systems, and shared Active Directory domains. 60 percent of small and medium-sized manufacturing companies do not have an effective separation between IT and OT.
The Purdue Model (ISA 95) defines clear zones and transitions between IT and OT. Implementation does not require rewiring – software-defined segmentation and industrial firewalls (Fortinet, Palo Alto, Claroty) allow zones to be retrofitted onto an existing network.
NIS2 Affects SMEs
With NIS2, manufacturing companies with 50 or more employees are now subject to regulations – if they operate in one of the defined sectors. Typical affected industries include machine building, food production, chemicals, and automotive suppliers.
NIS2 requirements apply to the entire IT infrastructure – including OT. Risk management, incident response, and supply chain security must also cover the production environment. Companies that have previously excluded OT must retrofit.
Quick Wins for OT Security in SMEs
Five immediate measures:
- First, create an asset inventory of the OT environment – you can’t protect what you don’t know.
- Second, implement network segmentation between IT and OT.
- Third, secure remote access (VPN + MFA, no direct RDP connections).
- Fourth, create a backup strategy for SCADA/HMI configurations.
- Fifth, expand the incident response plan to include OT scenarios.
These measures are implementable with a manageable budget and address the most common attack vectors. Specialized OT security solutions (Nozomi, Claroty, Dragos) come in phase 2.
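A way to check the second and third measures against observed traffic, as an added example that is not part of the original article: the script flags flows that enter the OT zone without passing a DMZ, RDP sessions into OT that do not come from a jump host, and industrial protocols reachable from outside OT. The address plan, the jump host address and the flow records are constructed assumptions.

```python
import ipaddress

# Assumed address plan (constructed for this example).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),   # office network
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),  # industrial DMZ
    "OT": ipaddress.ip_network("10.30.0.0/16"),   # SCADA/HMI/PLC
}
JUMP_HOST = "10.20.0.10"  # assumed VPN + MFA protected jump host in the DMZ
RDP_PORT = 3389
INDUSTRIAL_PORTS = {502: "Modbus/TCP", 102: "S7comm", 4840: "OPC UA"}

# Constructed flow records: (source IP, destination IP, destination TCP port)
SAMPLE_FLOWS = [
    ("10.10.4.25", "10.30.1.5", 3389),   # office PC to HMI over RDP
    ("10.20.0.10", "10.30.1.5", 3389),   # jump host to HMI over RDP
    ("10.10.4.25", "10.30.2.7", 502),    # office PC to PLC over Modbus
    ("10.10.4.25", "10.20.0.10", 443),   # office PC to jump host
    ("10.30.2.7", "10.30.1.5", 502),     # PLC to HMI inside OT
    ("10.20.0.99", "10.30.1.5", 3389),   # other DMZ host to HMI over RDP
    ("203.0.113.8", "10.30.1.5", 4840),  # address outside the plan to OPC UA
]

def zone_of(ip):
    """Return the zone name for an address, or UNKNOWN if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "UNKNOWN")

def audit_flows(flows):
    """Return (src, dst, port, reasons) for every flow that enters OT improperly."""
    findings = []
    for src, dst, port in flows:
        src_zone = zone_of(src)
        if zone_of(dst) != "OT" or src_zone == "OT":
            continue  # this check only covers traffic entering OT from outside
        reasons = []
        if src_zone != "DMZ":
            reasons.append(f"{src_zone} source reaches OT without a DMZ hop")
        if port == RDP_PORT and src != JUMP_HOST:
            reasons.append("RDP into OT not originating from the jump host")
        if port in INDUSTRIAL_PORTS and src_zone != "DMZ":
            reasons.append(f"{INDUSTRIAL_PORTS[port]} exposed outside OT")
        if reasons:
            findings.append((src, dst, port, reasons))
    return findings

if __name__ == "__main__":
    for src, dst, port, reasons in audit_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}: " + "; ".join(reasons))
```

Fed with flow exports from a firewall or switch, the same check shows whether the segmentation is effective in practice and not only on the network diagram.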
Key Facts
Attack Growth: 72 percent more OT attacks in 2025 (Dragos)
Downtime Costs: 1.2 million EUR per day for production-related incidents
Segmentation: Missing in 60 percent of small and medium-sized manufacturing companies
Frequently Asked Questions
Do I need to patch OT systems?
Ideally, yes, but OT patching is complex: availability requirements, manufacturer approvals, and validation processes make frequent updates difficult. Compensatory measures (segmentation, IDS, virtual patching) are often the more practical solution.
Do I need specialized OT security tools?
Yes, for visibility and anomaly detection. IT security tools do not understand industrial protocols (Modbus, S7, OPC-UA). Nozomi Networks, Claroty, and Dragos are the leading OT security platforms.
Does NIS2 also apply to suppliers?
Yes, via the supply chain clause. Even if a supplier falls below the thresholds, contractual requirements from NIS2-compliant customers may apply. In practice, automotive suppliers and machine builders are increasingly being held to OT security standards.