www.foodengineeringmag.com/articles/103130-adapting-it-cybersecurity-policies-to-the-manufacturing-plant-floor

Adapting IT Cybersecurity Policies to the Manufacturing Plant Floor

July 9, 2025

As food and beverage companies expand digital initiatives to meet growing consumer expectations, automation, remote monitoring and connected operations are now necessities, not nice-to-haves, on the plant floor.

With more connectivity comes greater cybersecurity risk. PLCs, HMIs, servers and other critical systems that were once isolated are now becoming increasingly vulnerable to sophisticated attacks that could disrupt production, compromise product or employee safety, or expose sensitive data.

Since IT teams are at the forefront of protecting digital systems from cybersecurity threats for many food and beverage manufacturers, leveraging the organization’s corporate IT cybersecurity policies to protect their OT environments has historically been the chosen method for mitigating these types of risks. However, attempting to apply IT standards to OT assets as-is often fails to account for critical differences between enterprise and manufacturing environments. 

To help avoid the pitfalls of failing to take these differences into account, manufacturers can strategically align their IT and OT approaches for practical, plant-specific protection.



Why IT Cybersecurity Needs to be Adapted to the Plant Floor

IT systems are typically centrally managed, patched often and replaced every few years. Conversely, the automation and control systems used in many food and beverage plants often include legacy components with lifespans measured in decades, don’t support modern authentication protocols like SAML or OAuth, or have high uptime requirements, so security updates or reboots can be highly disruptive if not coordinated with operations.

Therefore, practices that are standard in IT, such as modern identity and access management (IAM) frameworks, may not be technically supported by OT systems. To rectify this type of issue, manufacturers must design compensating controls to ensure the same level of desired protection can be achieved in a manner that is feasible for the shop floor. For instance, this can mean integrating legacy systems with Active Directory for basic access control while isolating unsupported devices behind segmented firewalls.


Prioritize What Matters Most with a Cybersecurity Gap Assessment

With so many assets spread across the plant floor, and often across multiple facilities, it can be difficult for manufacturers to know where to start cybersecurity efforts. To help determine where to begin, it’s best to perform a comprehensive OT cybersecurity gap assessment either in-house or with the assistance of a third-party expert with deep knowledge of both IT and OT domains. This assessment should map your current security posture against internal and industry standards, such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), to identify and prioritize critical vulnerabilities.

Let’s look at a real-world example by reviewing how Applied Control Engineering (ACE) recently helped a global food and beverage company prepare to roll out an OT cybersecurity initiative across 10 diverse sites. At the beginning of this process, all sites had their existing OT networks assessed for vulnerabilities and created network architecture drawings detailing every asset. 

The sites then divided the networks into systems under consideration (SUCs) to identify groups of assets that could be addressed in similar ways. As the owner’s representative for the sites, ACE also reviewed the work prepared by both the company’s own personnel and their chosen system integrators. This review involved assessing if the systems in place would comply with the company’s new OT cybersecurity program requirements and with industry best practices for implementing security controls.


Identifying Solutions and Building a Strategic Implementation Plan

Once cybersecurity gaps are identified, solutions that utilize existing tools as much as possible must be selected. You should also try to integrate new security controls with existing IT governance systems. One way to do this is to conduct a cybersecurity workshop with key plant stakeholders where you:

  • Introduce the goals and requirements for cybersecurity in the OT environment
  • Identify areas of concern and needs of OT that must be met
  • Socialize solutions designed to specifically help OT assets adapt to the organization’s target posture 

Then, to implement the selected solutions, you should develop a strategic implementation plan that balances the urgency of addressing identified gaps with operational risks. For food and beverage plants specifically, since even small changes can disrupt critical processes, it’s essential to validate changes first. This should include performing testing in a simulated production environment to ensure changes are validated without introducing risk to operations.


Unifying IT and OT Teams to Secure the Plant Floor

Securing legacy technology isn’t the only challenge for most manufacturers who need to enhance cybersecurity on the plant floor. For many organizations, IT and OT team alignment is equally challenging and equally critical to address. This is because these teams are often using different tools, speaking different languages and fulfilling different needs in the organization. But successful cybersecurity implementation requires creating shared objectives and accountability, which typically means:

  • Defining roles for cybersecurity at both the corporate and plant level
  • Forming cross-functional working groups
  • Performing tabletop exercises to evaluate incident response readiness
  • Using common frameworks like NIST CSF to guide alignment between teams

In the food and beverage manufacturer example previously mentioned, ACE’s ability to serve as a liaison between the corporate IT team and site OT teams and leadership helped accelerate this alignment. Having a third party serve in this type of owner’s representative role across the company’s many sites also helped ensure cybersecurity didn’t continuously take a back seat to production priorities.


Secure Food Production Without Slowing It Down

Cybersecurity in food and beverage environments isn’t just about avoiding attacks; it’s also about ensuring operational resilience, regulatory compliance, and product and employee safety. For this reason, companies that strengthen OT security often see additional benefits, including:

  • Reduced insurance premiums
  • Faster recovery from incidents
  • Fewer compliance audits
  • Greater confidence from customers and partners

Also, keep in mind that rather than enforcing rigid top-down mandates, the most successful food manufacturers take a collaborative, risk-based approach to meet the intent of security requirements while minimizing friction for operations and maintaining reliability. This can range from making sure a replacement remote access solution is in place before DMZ firewall changes block the previous one, to creating a managed engineering laptop so that maintenance vendors can continue to maintain equipment without being forced to connect their own external laptops to your OT network.


Implementing OT Cybersecurity Practices that Work for the Whole Organization

For today’s connected plant floor, cybersecurity is no longer optional. While determining what assets need to be protected and how may seem overwhelming, it doesn’t have to be. With the right processes, frameworks and partners in place, food and beverage manufacturers can protect their OT environments without compromising efficiency or production. In the end, IT cybersecurity policies that are effectively brought to the OT environment are cybersecurity policies that will work for everyone, from the C-suite to the line operator to the end consumer.
