OT/IT Convergence in Manufacturing: The Cybersecurity Risks You Cannot Ignore

Max, Technical Director·7 March 2026

When Factory Floors Meet the Internet

Manufacturing has undergone a quiet revolution. Programmable logic controllers (PLCs), SCADA systems, and industrial IoT sensors that once operated on isolated networks are now connected to corporate IT infrastructure for real-time monitoring, predictive maintenance, and supply chain integration. This convergence delivers enormous operational value — McKinsey estimates that Industry 4.0 technologies could create $3.7 trillion in value by 2025. But it has also connected systems designed in the 1980s with zero security considerations to networks that face millions of attacks per day. Dragos's 2024 OT Cybersecurity Report found that 72% of OT vulnerabilities discovered in 2023 were deep within industrial networks, and 80% of attacks that reached OT systems entered through the IT network.

Norsk Hydro: The $75 Million Warning

In March 2019, Norwegian aluminium giant Norsk Hydro was hit by LockerGoga ransomware that spread from IT systems into operational technology networks across 170 locations in 40 countries. The company was forced to switch to manual operations at its smelting plants — a process that risks equipment damage when aluminium solidifies in pots. Norsk Hydro refused to pay the ransom and spent months recovering, reporting losses of NOK 800 million (approximately $75 million). The attack demonstrated that in manufacturing, a cyber incident is not just a data problem — it is a physical safety and operational continuity crisis. Production lines that take hours to restart, furnaces that cannot be safely shut down, and chemical processes that require continuous monitoring all create consequences that pure-IT organisations never face.

The Colonial Pipeline Effect

The May 2021 Colonial Pipeline attack was technically an IT-side ransomware incident — the OT systems controlling the pipeline were not directly compromised. However, Colonial shut down the pipeline for six days because they could not verify the integrity of their OT environment or bill customers without IT systems. This is the reality of OT/IT convergence: even when OT systems are not directly targeted, the interdependence means an IT compromise can halt physical operations. The attack caused fuel shortages across the US East Coast, triggered emergency declarations in 17 states, and led to a $4.4 million ransom payment. For UK manufacturers, the lesson is stark: your production line's uptime now depends on your IT security posture.

NIS2 and What It Means for UK Manufacturers

The EU's NIS2 Directive, effective from October 2024, significantly expands the scope of cybersecurity regulation for manufacturers. Any medium or large enterprise in the manufacturing sector is now classified as an "important entity" with obligations including risk management measures, incident reporting within 24 hours, supply chain security assessments, and board-level accountability for cybersecurity. While NIS2 is an EU directive, UK manufacturers selling into or operating within the EU must comply. The UK's own Network and Information Systems Regulations are expected to align closely with NIS2 provisions. For manufacturers that have historically treated cybersecurity as an IT department concern, NIS2 elevates it to a board-level governance requirement with meaningful enforcement penalties of up to 1.4% of global turnover.

  • NIS2 classifies manufacturing as an "important entity" sector
  • 24-hour initial incident notification requirement
  • Supply chain security assessments mandatory
  • Board-level accountability for cybersecurity governance
  • Penalties up to 1.4% of global annual turnover

Securing the Converged Environment

Securing OT/IT convergence requires a fundamentally different approach from pure IT security. Network segmentation between IT and OT zones is the foundation: the Purdue Model provides a reference architecture, but implementation must account for the legitimate data flows that convergence requires. Continuous attack surface monitoring with tools like Hadrian identifies exposed OT management interfaces before attackers do. On the IT side, anti-data-exfiltration technology ensures that even if attackers compromise IT systems, they cannot extract operational data, engineering drawings, or process control parameters. Most critically, incident response plans must account for OT-specific scenarios, including safe shutdown procedures, manual operation fallbacks, and the physical safety implications of system failures.
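
To make the segmentation point concrete, here is an added example (not code from this article or from any vendor it names) that audits flow records against a Purdue-style zone map and flags IT/OT traffic that skips the DMZ or uses a conduit nobody approved. The subnets, level assignments, allowlist entries and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): subnet -> Purdue level.
ZONES = {ipaddress.ip_network(net): level for net, level in {
    "10.10.0.0/16": 4.0,     # enterprise IT
    "172.16.35.0/24": 3.5,   # industrial DMZ
    "192.168.30.0/24": 3.0,  # site operations (historian, MES)
    "192.168.20.0/24": 2.0,  # supervisory control (HMI, SCADA servers)
    "192.168.10.0/24": 1.0,  # basic control (PLCs)
}.items()}

# Constructed allowlist of legitimate conduits: (source level, dest level, dest port).
ALLOWED = {
    (4.0, 3.5, 443),   # enterprise reads the historian replica in the DMZ
    (3.5, 3.0, 443),   # DMZ replica pulls from the site historian
    (3.0, 2.0, 4840),  # site operations to SCADA over OPC UA
    (2.0, 1.0, 502),   # HMI/SCADA to PLCs over Modbus TCP
}

def level_of(addr):  # Purdue level of the most specific matching subnet, or None
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, level) for net, level in ZONES.items() if ip in net]
    return max(hits)[1] if hits else None

def check_flow(src, dst, dport):
    """Return a finding string for a flow, or None if it is acceptable."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "unmapped host"
    if s == d:
        return None  # intra-zone traffic is outside this check
    if max(s, d) >= 4.0 and min(s, d) <= 3.0:
        return "IT/OT flow bypasses the DMZ"
    return None if (s, d, dport) in ALLOWED else "conduit not on allowlist"

def audit(flows):
    return [(f, r) for f in flows if (r := check_flow(*f)) is not None]

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.20", "172.16.35.10", 443),     # enterprise to DMZ replica: allowed
    ("10.10.5.20", "192.168.10.7", 502),     # enterprise straight to a PLC
    ("192.168.20.4", "192.168.10.7", 502),   # HMI to PLC: allowed
    ("172.16.35.10", "192.168.20.4", 3389),  # RDP from the DMZ to an HMI
    ("192.168.10.7", "203.0.113.9", 53),     # PLC talking to an unmapped address
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

The allowlist is where the "legitimate data flows that convergence requires" get written down; anything crossing a zone boundary that is not on it becomes a finding to review.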
