Most UK manufacturers have invested meaningfully in IT security over the last five years. Firewalls, endpoint protection, email filtering, multi-factor authentication — the IT side of the business is, in many cases, reasonably well protected. But there is a second network running through almost every manufacturing plant that is frequently left wide open: the operational technology network, where PLCs, SCADA systems, HMIs, and industrial control systems run the production process.
The gap between IT security and OT security is one of the most serious and least-addressed risks in UK manufacturing today. In this post, we explain what the IT/OT security gap is, why it exists, what it costs when things go wrong, and how manufacturers can close it without disrupting production.
What is the IT/OT security gap?
Information technology (IT) covers the systems used to run the business: ERP, email, file storage, finance systems, CRM, and the network infrastructure that connects them. Operational technology (OT) covers the systems used to run the plant: programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, human-machine interfaces (HMIs), distributed control systems (DCS), and the industrial network that connects them to sensors, actuators, and physical machinery.
Historically, these two worlds were physically separate. The office network and the plant network did not connect, which meant that a breach of the IT network could not reach the OT network. This air gap provided a degree of natural security.
That separation no longer exists in most modern factories. The drive for real-time production data, remote monitoring, predictive maintenance, and ERP integration has connected IT and OT networks in ways that were not designed with security in mind. The result is that many plants now have an OT network that is directly or indirectly connected to the internet, with industrial control systems running software that has not been patched in years, on hardware that was never designed to be network-connected, protected by security controls that are years behind the IT environment.
Why OT security lags so far behind IT security
The OT security gap exists for reasons that are specific to manufacturing environments, and understanding them is essential to closing it.
Legacy equipment designed before cybersecurity was a consideration
Many PLCs and SCADA systems running in UK factories today were installed 10, 15, or 20 years ago. They were designed and specified at a time when industrial control systems were not connected to corporate networks or the internet. They have no concept of authentication, encryption, or access control built in. Some run on embedded operating systems that are no longer supported and cannot be patched. You cannot simply install an endpoint agent on a PLC the way you would on a laptop.
Production uptime requirements prevent patching
In IT environments, patching a server typically requires a maintenance window of a few hours. In OT environments, patching a SCADA system that controls an active production line might require stopping production entirely — at a cost of tens or hundreds of thousands of pounds per day. The result is that patching OT systems is routinely deferred, sometimes indefinitely, creating a growing backlog of unpatched vulnerabilities that attackers can and do exploit.
Ownership and accountability are unclear
In most manufacturing businesses, IT is responsible for the corporate network and OT is the responsibility of engineering or operations. The boundary between these two domains is rarely clearly defined, which means that the security of the space between them — where they connect — often falls through the gap. IT assumes engineering has secured the OT network. Engineering assumes IT has secured the connectivity. Neither has.
Security tools designed for IT do not work in OT
Standard IT security tools — vulnerability scanners, endpoint agents, active network probing — can cause serious problems in OT environments. Sending a vulnerability scan to an industrial controller that was not designed to handle arbitrary network traffic can crash it, or cause unintended changes to the process it controls. This means that OT security requires specialist tools and approaches that are fundamentally different from IT security.
What the IT/OT security gap costs when things go wrong
The consequences of an OT security breach in a manufacturing environment are categorically more serious than a typical IT breach, for one reason: the OT network controls physical processes. A breach that encrypts your finance server is disruptive and expensive. A breach that disrupts a continuous production process, contaminates a batch, damages physical equipment, or — in the most serious cases — creates a safety incident, is in a different category of impact entirely.
The ransomware attacks that have hit UK manufacturers in recent years have overwhelmingly entered through the IT/OT boundary. Attackers compromise the corporate IT network first — often through a phishing email or a compromised remote access tool — then move laterally into the OT environment because there is no meaningful barrier between the two. The impact is immediate and severe: production stops, orders cannot be fulfilled, and the cost clock starts running from the moment the attack is detected.
For a manufacturer doing £20m of revenue, a production shutdown of five days represents approximately £275k of lost output. Add remediation costs, forensic investigation, staff overtime, and reputational damage with customers, and the total impact of a single OT security incident can easily reach £500k–£1m or more.
How to close the IT/OT security gap
Closing the IT/OT security gap does not require replacing your production systems or accepting significant downtime. It requires a structured approach that addresses the specific risks of OT environments in a way that is compatible with production requirements.
1. Map and understand your OT environment
Many manufacturers do not have a complete, accurate inventory of the devices on their OT network. Closing the security gap starts with knowing what you have: every PLC, HMI, SCADA server, historian, engineering workstation, and network device, along with its software version, patch status, and network connectivity. Passive OT discovery tools — which listen to network traffic without actively probing devices — can build this inventory safely without disrupting production.
2. Segment and isolate
Network segmentation — creating defined boundaries between the IT network, the OT network, and the wider internet — is the single most effective security control for OT environments. A properly segmented network means that even if an attacker compromises the IT environment, they cannot reach the OT systems. This does not require replacing existing infrastructure; in most cases, it requires adding firewall rules, VLANs, and a demilitarised zone (DMZ) that controls the flow of data between IT and OT without eliminating the integration that operations requires.
3. Control remote access to OT systems
Remote access to OT systems is one of the highest-risk attack vectors in manufacturing. Vendor remote access accounts, engineering VPNs, and remote desktop connections to SCADA servers are frequently misconfigured, shared, or left enabled permanently. Every remote access path into the OT environment should be documented, controlled, and monitored, with access granted only when needed and revoked immediately when the need has passed.
4. Monitor OT network traffic
You cannot detect an attack in progress if you cannot see what is happening on your OT network. OT-specific monitoring tools — which analyse network traffic to detect anomalies, unexpected connections, and known attack patterns without disrupting the devices being monitored — provide the visibility needed to detect and respond to threats before they reach production systems.
5. Define clear IT/OT governance
Security controls without governance do not hold. Closing the IT/OT security gap permanently requires clarity on who owns what, what the policies and procedures are for changes to the OT environment, how incidents are detected and responded to, and how the security posture of the OT environment is maintained over time. This governance framework needs to be agreed and owned at senior level — not left to IT and engineering to figure out independently.
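As an added illustration of steps 1, 2 and 4 (not code from the original post or from any vendor tool), the Python sketch below takes flow records of the kind a passive sensor exports, builds an inventory of OT devices from the industrial protocols they serve, and flags any flow that crosses between zones without passing through the DMZ. The zone addressing, the allowed zone pairs and the sample flow records are constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed zone plan (hypothetical addressing, not taken from the article).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}
# Permitted zone crossings: IT and OT only ever meet in the DMZ.
ALLOWED = {("IT", "DMZ"), ("DMZ", "IT"), ("DMZ", "OT"), ("OT", "DMZ")}
# Well-known TCP ports of common industrial protocols, used to label OT devices.
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)", 44818: "EtherNet/IP",
            4840: "OPC UA", 20000: "DNP3"}

# Constructed flow records (src, dst, dst_port), as exported by a passive
# sensor on a SPAN/mirror port. No packet is ever sent to a controller.
SAMPLE_FLOWS = [
    ("10.30.1.10", "10.30.2.5", 502),    # HMI polling a PLC inside OT
    ("10.30.1.10", "10.30.2.6", 102),    # HMI to a second PLC inside OT
    ("10.20.0.8", "10.30.1.20", 4840),   # DMZ historian reading an OPC UA server
    ("10.10.4.23", "10.20.0.8", 443),    # office user reading the historian
    ("10.10.4.77", "10.30.2.5", 502),    # office PC talking straight to a PLC
    ("10.30.1.30", "203.0.113.9", 443),  # OT workstation reaching the internet
]

def zone_of(ip):
    """Return the zone name for an address, or EXTERNAL if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

def analyse(flows):
    """Build an OT device inventory and list flows that bypass the DMZ."""
    inventory = defaultdict(set)  # OT address -> industrial protocols served
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone == "OT" and port in OT_PORTS:
            inventory[dst].add(OT_PORTS[port])
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED:
            violations.append((src, dst, port, f"{src_zone}->{dst_zone}"))
    return dict(inventory), violations

if __name__ == "__main__":
    devices, bad = analyse(SAMPLE_FLOWS)
    for flow in bad:
        print("segmentation violation:", flow)
```

On real data the same two outputs feed different owners: the inventory goes to engineering for reconciliation against the asset register, and each violation becomes either a firewall rule to add or a documented exception.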
The role of a Fractional CIO in OT security
OT security is one of the areas where manufacturers most frequently tell us they do not know where to start. It sits at the boundary of IT and engineering, requires specialist knowledge that most IT teams do not have, and involves risks that most operations teams do not fully understand. It is exactly the kind of complex, cross-functional problem that a Fractional CIO from Bailey and Associates is designed to solve.
We bring together the IT security expertise, the OT knowledge, and the senior leadership capability to assess your current exposure, design a practical remediation programme, and govern its delivery without disrupting production. We also bring independence — the ability to tell both the IT and engineering teams what they need to hear, rather than what either side wants to hear.
FAQs: IT/OT security for UK manufacturers
Are UK manufacturers legally required to secure their OT networks?
Certain sectors — including critical national infrastructure — have specific OT security obligations under the NIS Regulations. More broadly, manufacturers have obligations under UK GDPR if OT systems process personal data, and under general duty of care if OT security failures create safety risks. Cyber Essentials and ISO 27001 both increasingly extend to OT environments for manufacturers seeking these certifications.
How do we assess our current OT security posture?
An OT security assessment combines passive network discovery, architecture review, policy and governance review, and interviews with IT and engineering teams. Bailey and Associates can lead this assessment and produce a prioritised remediation roadmap appropriate to your production environment and risk profile.
Can we run standard IT security tools on our OT network?
Generally not without risk. Active scanning and standard endpoint agents can cause industrial controllers to behave unexpectedly or crash. OT environments require passive monitoring tools and agentless approaches specifically designed for industrial control systems.
How much does it cost to close the IT/OT security gap?
For a mid-sized UK manufacturer, a structured IT/OT security improvement programme typically costs between £50k and £150k over 12–18 months, depending on the complexity of the OT environment and the current state of segmentation. This compares favourably with the cost of a single serious OT security incident, which regularly runs to several hundred thousand pounds or more.
Who should own OT security in a manufacturing business?
OT security should be jointly owned at leadership level, with clear accountability for both the IT and OT components. In practice, a Fractional CIO is often the most effective way to provide this ownership in manufacturers that do not have a full-time CIO, because they bring the cross-domain expertise and the seniority to drive the necessary changes across both functions.