Closing the IT/OT Gap: An OT Security Expert’s Field View

Posted on June 22, 2026
Author: RunSafe Security

Key takeaways

  • Attackers can halt industrial production without ever reaching the plant floor, because the systems that run manufacturing often sit on the corporate IT network.
  • Many OT environments have no firewall between IT and OT, or one left misconfigured, and most do little to monitor the traffic crossing that boundary.
  • Routing operational data one way, from OT up to IT and never back, removes the path an attacker would use to move from a compromised business network into the plant.
  • Legacy controllers and interfaces cannot run modern security agents, so compensating controls like network segmentation, secure procurement, and hardening the software itself carry the load.
  • RunSafe helps reduce exploitability in embedded and OT software with SBOM generation, vulnerability analysis, binary hardening, runtime protection, and continuous monitoring.


In 2025, a ransomware attack froze production at Jaguar Land Rover for weeks. The carmaker’s plants sit mostly in the UK, and the disruption is now described as one of the costliest cyber incidents in the country’s history. What makes the case worth studying is how little the attackers needed to do to cause it. They never had to reach the factory floor. The systems that scheduled and ran the manufacturing lived on the corporate IT network, and once that network went down, the plant went down with it.

That pattern holds across far more industrial environments than most operators would like to admit. The business network and the plant network are supposed to be separated, yet in practice, they often touch in ways no one has mapped. Many run with little or no monitoring of the traffic between them, which means an intruder can sit inside for months before anyone notices. For a small or mid-sized manufacturer, an outage on that scale is not a bad quarter. Many never reopen.

On a recent episode of Exploited: The Cyber Truth, Mike Holcomb, an OT and ICS security expert who has spent his career securing some of the world’s largest plants, from power generation and rail to refineries and pharmaceutical manufacturing, joined the show to discuss common OT mistakes he has come across and what to do about them. The conversation kept returning to one question. 

How do you let the business network and the plant network share what they need to share, without letting an attack on one become an attack on the other? Here is what came out of it.

Firewalls: The Boundary that Often Isn’t There

Holcomb has walked into large environments, single plants the size of a city block, and found no firewall at all between IT and OT. When a firewall is present, it is frequently misconfigured in a way that defeats its purpose: a rule gets opened wide during troubleshooting, appears to fix whatever was broken, and is never closed again.

“Permit IP any, that maybe somebody put in for troubleshooting when something appeared to break,” Holcomb said. “But the attackers come in and go right through that firewall.” The firewall exists on the network diagram and satisfies an auditor, but it stops nothing.

The monitoring gap makes it worse. By Holcomb’s estimate, around 95 percent of the OT environments he sees are doing nothing to watch their networks for malicious or suspicious activity. “I’m still amazed how many people have firewalls, and they’re not watching the traffic, and then they have a compromise,” he said. “If you were watching it, you would have seen the attacker in the environment three months ago.”
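The monitoring gap Holcomb describes is cheap to close once the firewall exists, because the firewall already logs what crosses the boundary. The script below is an added example, not code from the article or from RunSafe: it reads firewall log lines, maps each address to the IT or OT zone under a hypothetical address plan (10.10.0.0/16 for IT, 10.20.0.0/16 for OT, both assumptions), and reports every allowed session that a business host initiated into the plant, together with how often each rule fired. The log format and the log lines themselves are constructed for the example; a lingering troubleshooting rule shows up both as the rule behind the IT-to-OT sessions and as a rule that is still carrying traffic.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical address plan for this example (an assumption, not from the article).
IT_NET = ipaddress.ip_network("10.10.0.0/16")  # corporate / business network
OT_NET = ipaddress.ip_network("10.20.0.0/16")  # plant network

# Constructed firewall log lines in a simple key=value format (not a real vendor format).
# 502/tcp is Modbus/TCP and 44818/tcp is EtherNet/IP, both common controller protocols.
SAMPLE_LOGS = """\
2026-06-01T08:00:01Z action=allow rule=ot-to-it-historian src=10.20.5.11 dst=10.10.3.40 proto=tcp dport=443
2026-06-01T08:00:07Z action=allow rule=permit-any src=10.10.8.25 dst=10.20.1.10 proto=tcp dport=502
2026-06-01T08:00:09Z action=allow rule=permit-any src=10.10.8.25 dst=10.20.1.12 proto=tcp dport=44818
2026-06-01T08:01:15Z action=deny rule=default-deny src=10.10.9.3 dst=10.20.1.10 proto=tcp dport=502
2026-06-01T08:02:30Z action=allow rule=ot-to-it-historian src=10.20.5.12 dst=10.10.3.40 proto=tcp dport=443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) rule=(?P<rule>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def zone(addr):
    """Map an address to its zone under the address plan above."""
    if addr in IT_NET:
        return "IT"
    if addr in OT_NET:
        return "OT"
    return "other"


def audit(log_text):
    """Return (findings, rule_hits).

    findings:  allowed sessions initiated from IT into OT, which a one-way
               OT-to-IT policy should never produce.
    rule_hits: how often each firewall rule matched, so a wide-open
               troubleshooting rule that is still carrying traffic stands out.
    """
    findings = []
    rule_hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in an unexpected format rather than crash the audit
        rule_hits[rec["rule"]] += 1
        if rec["action"] == "allow" and zone(rec["src"]) == "IT" and zone(rec["dst"]) == "OT":
            findings.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"], rec["rule"]))
    return findings, rule_hits


if __name__ == "__main__":
    found, hits = audit(SAMPLE_LOGS)
    for ts, src, dst, dport, rule in found:
        print(f"{ts} IT->OT session allowed: {src} -> {dst}:{dport} via rule '{rule}'")
    print("rule hit counts:", dict(hits))
```

Run against the constructed lines, the audit reports the two sessions from 10.10.8.25 into plant controllers and shows that the `permit-any` rule matched twice while the legitimate historian rule matched twice as well. Pointed at a real firewall's export, the same zone check is the one signal Holcomb says most sites never look at: any allowed session that starts on the business side and ends in the plant.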

Let the Data Flow One Way

Walling the two networks off from each other completely is not the goal, but there is a way to connect them that still improves security. Operators want telemetry, remote monitoring, and the visibility that comes from connecting the plant to the business. Holcomb’s approach is to let the data flow in a single direction: the plant sends its operational data to IT, and IT is never allowed to initiate a connection back into OT.

He pointed to a pharmaceutical plant he helped build, at the time the world’s largest insulin injection facility. The business side needed to know how many injections were produced each day to coordinate shipping, storage, and logistics. That data had to flow from OT to IT. Nothing in that requirement required IT to have a path back into the plant. “If an attacker does get into IT, they don’t have a path into OT,” he said.

The strictest version of this is a data diode, a device that uses physics to enforce one-way traffic so return communication is impossible. Diodes are rare in the field. A more common approach is a unidirectional gateway, which uses hardware and software to enforce the same one-way rule. Saunders favored the cleaner option where it is achievable. “I do think one-way diodes are the way to go,” he said, while agreeing with Holcomb that the simpler steps available to most operators already go a long way.
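The difference between the troubleshooting rule Holcomb quotes and the one-way policy he describes can be made concrete in a firewall ruleset. The code below is an added example, not code from the article or from RunSafe, and it models rules with a small first-match evaluator rather than any vendor's syntax. It uses a hypothetical address plan (10.10.0.0/16 for IT, 10.20.0.0/16 for OT, and a historian at 10.10.3.40 that receives the plant's production counts, all assumptions) and puts the "permit IP any" ruleset beside a ruleset that allows only plant-to-historian sessions. A small linter flags the two defects a reviewer would look for: an allow-any-to-any rule, and a rule that an earlier, broader rule shadows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical address plan (an assumption for this example, not from the article).
IT_NET = "10.10.0.0/16"       # corporate / business network
OT_NET = "10.20.0.0/16"       # plant network
HISTORIAN = "10.10.3.40/32"   # IT-side server that receives the plant's production data


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    proto: str            # "tcp", "udp", or "any"
    dport: Optional[int]  # destination port, or None for any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _net_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(rule: Rule, flow: Flow) -> bool:
    return (_net_matches(rule.src, flow.src)
            and _net_matches(rule.dst, flow.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def decide(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation; a session no rule matches is denied."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def _net_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every session `narrow` could match is already matched by `broad`."""
    return (_net_covers(broad.src, narrow.src)
            and _net_covers(broad.dst, narrow.dst)
            and broad.proto in ("any", narrow.proto)
            and broad.dport in (None, narrow.dport))


def lint(rules: List[Rule]) -> List[str]:
    """Flag allow-any-to-any rules and rules shadowed by an earlier rule."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == "any" and rule.dst == "any":
            findings.append(f"{rule.name}: allows any -> any")
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name}")
                break
    return findings


# "Before": the permit-any rule left in place after troubleshooting.
TROUBLESHOOTING = [
    Rule("permit-any", "any", "any", "any", None, "allow"),
    Rule("ot-to-it-historian", OT_NET, HISTORIAN, "tcp", 443, "allow"),
]

# "After": the plant pushes production data up to the historian; nothing else crosses.
ONE_WAY = [
    Rule("ot-to-it-historian", OT_NET, HISTORIAN, "tcp", 443, "allow"),
    Rule("block-it-to-ot", IT_NET, OT_NET, "any", None, "deny"),
    Rule("block-ot-to-it", OT_NET, IT_NET, "any", None, "deny"),
]

# Constructed sessions to evaluate.
TELEMETRY = Flow("10.20.5.11", "10.10.3.40", "tcp", 443)         # plant -> historian
IT_TO_PLC = Flow("10.10.8.25", "10.20.1.10", "tcp", 502)         # business host -> controller
OT_TO_FILESERVER = Flow("10.20.5.11", "10.10.8.25", "tcp", 445)  # plant -> business file share

if __name__ == "__main__":
    for name, rules in (("troubleshooting", TROUBLESHOOTING), ("one-way", ONE_WAY)):
        print(name, "lint:", lint(rules) or "clean")
        for flow in (TELEMETRY, IT_TO_PLC, OT_TO_FILESERVER):
            print("  ", flow, "->", decide(rules, flow))
```

The rules describe who may open a session; a stateful firewall then passes the replies on that session, which is what makes "IT never initiates into OT" expressible without breaking the historian feed. The linter's shadowing check matters in practice because the historian rule in the first ruleset looks correct on its own, yet never fires: the permit-any rule above it matches first, so the firewall is exactly as open as Holcomb describes.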

When You Can’t Patch, Wrap

Much of the equipment running critical processes was built two decades ago and will run for two more. A programmable logic controller or human-machine interface from that era cannot support a modern endpoint agent. So the question shifts from patching the device to building protection around it. “It becomes a question of what controls we can wrap around,” Holcomb said, describing the work of figuring out what an attacker could actually do with a given system and then closing off as many of those paths as possible.

That work runs into a cultural gap. Engineers design for safety and reliability, not for an adversary. “I love working with engineers. They don’t think about what an attacker would do,” Holcomb said. “Once you get them to put on their evil thinking cap, it can be a lot of interesting conversations.” 

From there, the options open up. Operators can segment the OT network into smaller zones using VLANs, so access to one machine does not grant access to all. And they can keep the safety instrumented system, the failsafe that shuts a plant down before something goes wrong, on its own physically separate network that an attacker elsewhere cannot reach.

Start with the Firewall

None of this requires ripping out working systems or spending without limit. Asked where an operator who has not started should begin, Holcomb did not hesitate. Put a firewall between IT and OT. “Go spend a couple hundred dollars, a couple hundred pounds. Even if it’s wide open at first, at least it’s in place,” he said. From there, you can watch the traffic and tighten what moves in and out over time. “It’s going to be the one control that reduces your risk the most, and it’s going to cost you the least.”

OT teams manage legacy hardware, tight budgets, vendor lock-in, and operational priorities that cannot pause for a security project. The point is that the first step is smaller and cheaper than the problem it addresses. 

Saunders added a second move for any team making new investments: Ask the question. Press suppliers on their security posture, request Software Bills of Materials, and use purchasing power to learn what vulnerabilities live in the products going into the plant. Security built in at the point of purchase is a compensating control of its own.

The plant that went dark for weeks did so because no one had drawn a hard line between the network that runs the business and the network that runs the machines. Drawing that line does not take a multi-year program. It takes a firewall and the decision to start.

Listen to the full conversation with Mike Holcomb on Exploited: The Cyber Truth.