Security for the Manufacturing Industry: containing the ransomware that halts your production line
IT/OT convergence has turned every factory into a target. See how Decripte responds to ransomware that jumps from the corporate network to the shop floor, restores production, and rebuilds security with IT/OT segmentation, industrial monitoring, and a rehearsed response plan.
Direct answer
To protect a manufacturing operation you have to treat the plant as two worlds that talk to each other but cannot contaminate one another: the IT network (ERP, email, engineering, Active Directory) and the OT network (PLCs, HMIs, SCADA, historians, robots). The ransomware that halts production lines almost never originates in OT — it enters through IT, moves laterally, and jumps to the shop floor. The defense combines real IT/OT segmentation in the Purdue model, 24x7 monitoring with visibility into OT traffic, vulnerability management that respects PLC maintenance windows, and a rehearsed response plan. Decripte delivers this with a 24x7 SOC, Incident Response with containment within 1 hour, OT-aware Pentest, and continuous Vulnerability Management — start with a free assessment at decripte.com.br/intelligence-center.
24/7
SOC monitoring the IT/OT boundary, SCADA, and remote access
<=1h
Containment SLA to stop the IT→OT jump before it halts the line
ISO 27001
Management framework required by OEMs and automotive supply chains
LGPD
IP, designs, and employee data under the ANPD even in industry
In summary
- ›Industrial ransomware rarely originates in OT: it enters through IT (phishing, exposed VPN, leaked credential) and jumps to the shop floor through the connection between the networks — it is that jump that must be contained within minutes.
- ›IT/OT segmentation in the Purdue model, with an industrial firewall and a DMZ between the levels, is the barrier that decides whether an IT incident becomes a production stoppage or not.
- ›Visibility cannot stop at IT logs: the SOC needs to see OT traffic (Modbus, OPC-UA, EtherNet/IP, S7) to detect anomalous commands to PLCs and SCADA.
- ›Patching in OT is different: PLCs and SCADA have rare windows and vendor dependencies — vulnerability management uses compensating controls when patching is not possible.
- ›A rehearsed incident response plan that knows the difference between shutting down email and stopping a press mid-cycle prevents containment from causing more damage than the attack.
- ›Offline, immutable backups of SCADA, historians, and process recipes are what determine whether recovery takes hours or weeks.
Cibersegurança para Manufacturing
IT/OT convergence has turned every factory into a target. See how Decripte responds to ransomware that jumps from the corporate network to the shop floor, restores production, and rebuilds security with IT/OT segmentation, industrial monitoring, and a rehearsed response plan.
Why manufacturing became a priority target for ransomware
For decades, the shop floor was an isolated world. PLCs, HMIs, and SCADA systems ran on proprietary networks, physically separated from corporate IT, speaking protocols that no one outside of automation understood. That obscurity worked as a crude form of security. The problem is that it is gone. Industry 4.0, the demand for real-time production data, predictive maintenance, ERP-MES-SCADA integration, and remote vendor access tore down the wall between IT and OT. Today, the process historian talks to the data lake in the cloud, the engineer accesses the HMI over VPN from home, and the robot receives production orders that came from the same Active Directory that authenticates email. Convergence brought efficiency — and opened a direct path from an operator's inbox to the hydraulic press.
For the attacker, manufacturing is an extremely high-value target for a simple reason: tolerance for downtime is nearly zero. An automotive line, a food plant with perishable products, a steel mill with a furnace that cannot cool down, or a pharmaceutical company with a batch in process do not have the luxury of sitting offline for a week analyzing logs. Every hour of downtime costs tens or hundreds of thousands of reais in lost production, contractual penalties with automakers, spoilage of raw materials, and SLA penalties with customers. Ransomware groups know this. They time attacks for the weekend or for peak production, encrypt precisely the servers that control the line, and calibrate the ransom knowing that every day of downtime is a negotiating lever in their favor.
What makes manufacturing different from a bank or a hospital
In corporate IT, the worst case is usually data loss. In OT, the worst case is physical: an overpressure event, a robot movement outside its envelope, a contaminated pharmaceutical batch, a damaged furnace. That is why industrial security does not protect only the confidentiality and integrity of information — it protects the availability of production and the safety of the people on the shop floor. Availability and human safety rise to the top of the priority pyramid, inverting the classic ordering of IT.
Add to this the silent asset that every factory carries: intellectual property. Process recipes, machine parameters fine-tuned over years, product designs, tooling, chemical formulas, and manufacturing know-how. Industrial espionage — by competitors or by state actors — targets exactly these files, and it rarely makes noise. IP theft can go unnoticed for months because, unlike ransomware, there is no red screen demanding bitcoin; there is only data slowly leaving through a channel that no one was monitoring.
The anatomy of the attack: how ransomware jumps from IT to OT
Understanding the attack path is what makes it possible to cut it off. In nearly every industrial incident that halts production, the sequence is the same and it does not start on the shop floor. It starts in a mundane place: an email. An operator, a production planning analyst, or a process engineer receives a message with an attachment or a link. The endpoint is compromised. From there, the attacker is inside the IT network, at Level 4/5 of the Purdue model — the world of the ERP, email, and Active Directory.
Phase 1 — Foothold and reconnaissance in IT
With the first endpoint under control, the attacker does not go straight to OT. They establish themselves. They harvest credentials with memory-dumping tools, map Active Directory looking for service accounts and administrators, identify the file servers, and find where the backups are — because destroying the backups is part of the plan. This reconnaissance period can last days or weeks, and it is precisely the window in which a 24x7 SOC with behavioral detection can catch the intruder before irreversible damage is done.
Phase 2 — Lateral movement and discovery of the bridge to OT
The critical point of the industrial attack is the discovery of the connection between IT and OT. In poorly segmented factories, that bridge is trivial: the engineering workstation that controls the PLCs is in the same domain as corporate Active Directory; the SCADA server has the email agent installed; the operator uses the same password on the ERP and on the HMI. The attacker finds an engineering workstation, a misconfigured jump box, or an account with dual access, and uses that bridge to cross from Level 4 (IT) to Levels 3, 2, and 1 (supervision, control, and field devices). In a well-segmented network, they hit an industrial firewall and a DMZ that do not let that traffic through — and the attack dies at the boundary.
The IT→OT jump is the point of no return
While the attacker is only in IT, you have a costly but manageable incident: you restore servers, change passwords, and move on. The instant they reach the SCADA server, the process historians, and the engineering workstations, production is held hostage. Encrypting SCADA means operators lose visibility and control over the line — and stopping a line without visibility is the only safe option. That is why Decripte treats containment of IT→OT lateral movement as the number one priority of any manufacturing response, with an SLA of up to 1 hour to isolate the bridge.
Phase 3 — Detonation on the shop floor
Once in OT, the ransomware encrypts what makes the line run and be visible: SCADA servers and historians, operator stations (Windows-based HMIs), MES and recipe servers, and often also the backups that were accessible over the network. The PLCs themselves are frequently not encrypted — they do not run Windows — but they are orphaned: without the HMI and without SCADA, the operator no longer has any way to supervise the process, read alarms, or command it safely. The practical result is a total stoppage, not because each machine was attacked, but because the nervous system that coordinates them was blinded. And that is exactly when the attacker sends the ransom note, timed for the worst possible moment.
Is manufacturing data already exposed or up for sale? Find out now — for free.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
The five threats that define a factory's risk
The manufacturing threat map
- ✓Ransomware halting production lines: encryption of SCADA, historians, and HMIs that blinds the operation and forces a total stoppage, with a ransom timed for peak production.
- ✓Attacks on ICS/SCADA and OT: unauthorized commands to PLCs, setpoint manipulation, disabling of safety interlocks, and exploitation of industrial protocols without authentication (Modbus, S7, EtherNet/IP).
- ✓Industrial espionage and IP theft: silent exfiltration of process recipes, machine parameters, designs, and formulas — with no ransom screen, potentially going unnoticed for months.
- ✓Supply chain compromise: an attack that arrives through a vendor's software update, through the remote access of an automation integrator, or through an already-compromised OEM component.
- ✓IT→OT lateral movement: the vector that connects all the others — the absence of segmentation that lets an email incident become a shop-floor stoppage.
These five threats are not independent. They chain together. IT→OT lateral movement is the axis: it is what turns an ordinary phishing email into a production disaster, what gives the spy access to the IP files, and what allows a vendor compromise to propagate all the way to the PLCs. That is why Decripte's defense strategy does not treat each threat in isolation — it attacks the structure that enables the chaining, closing the IT/OT boundary, instrumenting both sides, and rehearsing the response for when one layer fails.
The vendor as a vector: the most overlooked link
Every modern factory depends on third parties with deep access: the automation integrator that maintains the PLCs, the machine manufacturer (OEM) that performs remote maintenance, the MES vendor, the telemetry company. Each of these access paths is a door. When an integrator uses the same VPN credential for ten customers, the compromise of one becomes the compromise of all. When an OEM keeps a maintenance connection permanently open, it becomes a tunnel waiting to be abused. Supply chain security in manufacturing means inventorying all of these remote access paths, giving each one least privilege, logging everything, and monitoring behavior — because the attack that comes through a trusted vendor does not trip the obvious alarms.
OT ages differently from IT
An IT server lives 3 to 5 years. A PLC or a SCADA system lives 15 to 25 years. It is common to find on the shop floor operating systems that are out of support, controllers that have not received new firmware since installation, and protocols designed in an era when no one imagined that the industrial network would be one jump away from the internet. This is not negligence — it is the reality of physical assets with a long life cycle. The defense is not to replace everything; it is to wrap these legacy assets in layers of protection that compensate for what they cannot do on their own.
Containment under pressure: what Decripte does in the first hour
When a factory calls us in with the line going down, there is no time for deliberation. The first hour determines whether the incident stays contained in IT or consumes all of OT. Decripte's Incident Response operates with a containment SLA of up to 1 hour precisely because, in manufacturing, that clock competes directly with the attacker's clock encrypting servers. But containing in industry is not simply shutting down machines — shutting down the wrong thing at the wrong time can damage equipment, ruin a batch, or create a safety risk for those on the shop floor.
Containing in OT requires knowing what NOT to shut down
In IT, isolating an infected machine is trivial: you take it off the network and move on. In OT, isolating the SCADA server in the middle of a process cycle can leave a chemical plant without pressure supervision, or stop a furnace that needs controlled cooling. Industrial containment is surgical: the IT/OT bridge is cut first — the attacker's route — preserving local control of the line whenever possible, and each action is coordinated with the automation team and the plant's safety engineer. Decripte works side by side with the client's OT team, never over the top of it.
In practice, the containment sequence prioritizes isolating the boundary above all else: blocking traffic between the IT and OT levels, tearing down vendor remote access connections, disabling compromised accounts in Active Directory, and cutting the command-and-control channels the attacker uses to communicate with external infrastructure. These four moves, executed in parallel, make the attacker lose their grip on the environment. Only then does the team move on to assessing the damage already done in OT and to the decision — always jointly with operations — about which systems need to be shut down in a controlled way and which can keep operating in safe manual mode.
Industrial monitoring: seeing what IT logs do not show
Most factories that suffer an OT attack find out too late because their monitoring stopped at IT. They collected logs from the corporate firewall, the antivirus, and Active Directory — and were completely blind to what was happening in industrial traffic. An anomalous command to a PLC, an engineering workstation communicating with a destination it has never used, a setpoint being changed outside the operating window: none of this shows up in IT logs. Decripte's 24x7 SOC for manufacturing is built to see both sides.
OT-aware visibility, without touching the process
Decripte's industrial monitoring uses passive collection of OT network traffic — port mirroring, without injecting packets, without agents on the PLCs, without risk to the process. From that traffic, we decode the industrial protocols (Modbus, OPC-UA, EtherNet/IP, S7comm, DNP3 depending on the installed base), build an automatic inventory of all OT assets — often revealing devices the factory itself did not know existed — and establish a baseline of what normal behavior looks like. Any deviation from that baseline becomes an alert in the SOC, 24 hours a day.
That visibility changes the game for detection. Instead of discovering the attack when the line has already stopped, the SOC sees the signs of the reconnaissance and lateral movement phase: the network scan coming from IT toward OT, the authentication attempt on an engineering workstation at an unusual hour, the first communication of a historian with an external IP. It is these early signals, correlated across IT logs and OT traffic, that let the analyst intervene while the attacker is still on this side of the boundary — before the jump happens.
What Decripte's SOC monitors in an industrial plant
- ✓Traffic at the IT/OT boundary and in the industrial DMZ, looking for lateral movement between Purdue levels.
- ✓Commands to PLCs and setpoint changes, flagging unauthorized or out-of-window writes.
- ✓Remote access from vendors and integrators, with correlation of who, when, and what.
- ✓Behavior of engineering workstations and Windows-based HMIs, which are the attacker's preferred pivots.
- ✓Signs of IP exfiltration: bulk transfers leaving design and process-recipe servers.
- ✓Integrity of SCADA and historian backups, ensuring they are intact and out of reach of the compromised network.
What would an incident in manufacturing cost? See your real risk before it happens.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
IT/OT segmentation: the barrier that stops the jump
If the IT→OT jump is the point of no return, segmentation is the wall that stops it. But segmentation in industry is frequently misunderstood. Many factories believe they are segmented because they created separate VLANs for IT and OT — and a VLAN is not security. A VLAN organizes traffic, but it does not filter it; an attacker with access to the switch crosses VLANs with ease. Real segmentation means controlling the flow between zones with firewalls that inspect and block, organized according to a recognized reference model.
The Purdue model as a map
The Purdue reference model organizes the industrial environment into levels: from Level 0 (sensors and actuators in the field) and Level 1 (PLCs) to Level 2 (supervision/SCADA), Level 3 (manufacturing operations/MES), and Levels 4 and 5 (corporate IT and internet). Between Level 3 and Level 4 sits the most important piece of the defense: the industrial DMZ, a demilitarized zone that mediates all communication between the two worlds. No traffic should cross directly from IT to OT — everything passes through the DMZ, is inspected, and only what is strictly necessary moves forward. It is this architecture that turns a trivial jump into a barrier the attacker has to breach level by level.
Decripte structures segmentation while respecting the reality of the plant: you cannot stop production to reorganize the network all at once. The work is phased. We start by mapping all the communication flows that actually exist between IT and OT — frequently discovering connections that no one had documented. Then we design the zones and conduits according to the Purdue model, implement the industrial DMZ, and migrate the legitimate flows to pass through it in a controlled way, one by one, validating that production is not affected at each step. Vendor remote access is redirected to a secure broker with strong authentication, session recording, and time-limited access — putting an end to permanent tunnels.
Permanent remote access is the forgotten back door
The maintenance connection the OEM left open three years ago, the VPN the integrator uses for all its customers, the remote access software installed on an HMI to "make" support easier: each of these is a tunnel that bypasses all of your segmentation. Decripte inventories and closes these access paths, replacing them with supervised, on-demand, recorded access. A vendor only gets in when they need to, for as long as they need to, doing only what was authorized — and with everything logged for audit.
Vulnerability management in OT: patching without stopping the line
The question every industrial manager asks is: how do you apply security patches to systems that cannot be rebooted? The honest answer is that, in OT, you often cannot patch — at least not at the pace of IT. A critical PLC can only receive an update during a scheduled outage that happens twice a year; a SCADA system may depend on a specific version that the vendor does not certify on a newer operating system; a machine still under warranty loses coverage if you alter its software. Industrial vulnerability management does not ignore this — it works with it.
When you cannot patch, compensate
Decripte's Vulnerability Management for OT prioritizes by real risk, not theoretical severity. A serious flaw in a PLC that is isolated behind a DMZ, with no route to the internet, is less urgent than a medium flaw in an HMI exposed to the IT network. For what cannot be patched, we apply compensating controls: tighter segmentation around the vulnerable asset, firewall rules that block the exploitation vector, reinforced monitoring of that device in the SOC, and disabling of services and protocols that are not used. The vulnerability is still there, but the path to it is closed.
The process is continuous and calibrated for industry. We maintain a live inventory of OT assets — fed by passive monitoring, without aggressive scans that could take down a fragile controller. We cross-reference that inventory with known vulnerabilities and advisories from vendors and sector bodies. We prioritize by the combination of severity, real exposure, and the asset's criticality to production. And, fundamentally, we plan the patching in sync with the plant's maintenance windows — because the best patch in the world is useless if it is applied when the line is running a critical batch.
OT-aware Pentest: testing the boundary without taking down production
Testing the security of an industrial environment is different from testing a web application. An aggressive scan that would be harmless on an IT network can freeze an old PLC and stop production. That is why Decripte's Pentest for manufacturing is designed with extreme care and with rules of engagement built together with the client's OT team. On sensitive OT assets, we favor the passive approach and architecture analysis; active, intrusive tests are concentrated in IT, at the IT/OT boundary, and in test environments that mirror production, never in critical production without explicit approval and supervision.
The goal of the industrial pentest is not only to find technical vulnerabilities — it is to validate the central hypothesis of the defense: can the attacker, in fact, jump from IT to OT? We simulate the complete path of a realistic adversary, from the initial phishing to lateral movement, and we test whether the segmentation holds, whether the industrial DMZ filters what it should, whether the engineering workstations are protected, whether vendor remote access is exploitable. The result is an assessment that shows exactly where the wall has gaps — and a remediation plan prioritized by impact on production.
The pentest that proves the case to the board
Often the greatest value of the industrial pentest is translating the risk into the language of the business. When the report shows, in concrete steps, how a phishing email reaches the SCADA server and how long it would take for the line to stop, the conversation about security investment stops being abstract. Decripte delivers the pentest with both an executive and a technical narrative: the board understands the financial and operational impact, and the OT team receives the technical details and the remediation roadmap. It is the ideal starting point for structuring the defense — and you can begin with a free exposure assessment at decripte.com.br/intelligence-center even before a full pentest.
Compliance and continuity: what industry needs to demonstrate
Industrial security is increasingly a contractual requirement, not a choice. Automakers impose cybersecurity requirements on their automotive supply chain vendors; multinationals audit the security maturity of anyone entering their supply chain; certifications such as ISO/IEC 27001 become a prerequisite for winning a contract. And although the factory may not look like a "data" company, it is subject to the LGPD: employee data, contractor data, corporate customer data, and the intellectual property that, if leaked, causes material and regulatory harm. The ANPD is the competent authority, and a breach affecting personal data may require notification to the agency and to the data subjects.
What is typically required of an industrial vendor
An information security management system aligned with ISO/IEC 27001; proven capability for incident detection and response; segmentation and access control for the OT network; a tested business continuity and disaster recovery plan; and, for those handling personal data, compliance with the LGPD under ANPD oversight. For components that touch payment methods or card data in specific operations, PCI-DSS may enter the scope. Decripte helps the factory meet and demonstrate each of these requirements.
But compliance without continuity is just paper. What actually protects production is the ability to recover. That means offline, immutable backups of the systems that control the line — SCADA, historians, recipes, PLC configurations — kept in a way that ransomware cannot reach them over the network. It means recovery procedures that are tested, not merely documented: the factory needs to know, with confidence, how long it takes to restore SCADA and get back to producing. And it means having an incident response plan rehearsed with the participation of operations, because the first time the OT team coordinates with the security team cannot be during the real crisis.
Anatomy of a real case: the ransomware that jumped from the corporate network to the shop floor
Real, de-identified example
This is a real, anonymized example, built from real patterns of attacks on manufacturing — it does not identify the client. Imagine a mid-sized auto parts manufacturer, with three automated production lines, a SCADA system supervising the process, an MES integrated with the ERP, and remote access for two automation integrators. IT and OT shared the same Active Directory domain, separated only by VLANs. On a Friday night, ahead of a weekend of continuous production to fulfill an automaker's order, a production planning analyst opened an attachment that looked like a revised purchase order. It was the beginning.
Initial compromise (Friday, 7:00 PM)
The attachment executed a malware loader on the production planning analyst's endpoint, on the IT network. The attacker gained access and immediately began dumping credentials from the machine's memory, finding among them a service account with elevated privileges. No traditional alarm went off — the antivirus did not recognize the loader. The 24x7 SOC, however, recorded anomalous behavior: a production planning workstation starting a network scan outside business hours.
Detection and escalation (Friday, 7:40 PM)
The SOC's behavioral analysis correlated the nighttime scan with authentication attempts against file servers and with the use of the compromised service account on machines it had never touched. The on-duty analyst classified it as active lateral movement and engaged Decripte's Incident Response team, starting the containment SLA clock. In parallel, they contacted the factory's OT lead — because the scan's destination pointed toward the boundary with the shop floor.
Containment of the IT→OT jump (Friday, 8:25 PM)
Within the first hour, the priority was to cut the bridge. The team blocked all traffic between the IT and OT VLANs at the edge firewall, tore down the remote access connections of both integrators, disabled the compromised service account and the associated administrator accounts in Active Directory, and cut off the initial endpoint's communication with the external command-and-control infrastructure. The attacker, who had already reached an engineering workstation but had not yet detonated the ransomware in OT, lost access to the industrial environment. The line kept producing all weekend long.
Eradication in IT (Saturday and Sunday)
With OT preserved, the team worked on IT. It identified all the endpoints and accounts touched by the attacker through the collected telemetry, isolated and rebuilt the compromised machines from clean images, forced a credential reset across the entire domain, and removed the persistence mechanisms the attacker had installed to ensure they could return. The forensic analysis confirmed the initial vector — the phishing attachment — and the exact path taken to the engineering workstation.
Recovery and verification (Monday)
Before reopening any connection, the team validated the integrity of the OT systems — SCADA, historians, and engineering workstations — confirming that none had been encrypted or altered, since the early containment prevented detonation. The integrators' remote access was restored only through a newly implemented secure broker, with strong authentication and session recording. Production continued without ever having stopped.
Post-incident structuring (the following weeks)
The incident became the trigger to rebuild the architecture. Decripte implemented real IT/OT segmentation according to the Purdue model, with an industrial firewall and a DMZ between the levels, separated the OT domain from corporate Active Directory, extended SOC monitoring to industrial traffic, and instituted a rehearsed response plan with the operations team.
Lessons learned
The attack proved three things that hold for any factory: early detection in IT is what saves OT, because the jump was contained before detonation; a VLAN is not segmentation, and the absence of a real boundary nearly cost the weekend's production; and vendor remote access, previously a permanent tunnel, was the back door that needed to be closed. The cost of the incident was a fraction of what a production stoppage with ransom would have been.
Outcome with Decripte
Because the IT→OT jump was contained in the first hour, the production line never stopped and the automaker's order was fulfilled on time. What could have been an entire weekend of lost production, contractual penalties, and a ransom negotiation became a managed IT incident and, more importantly, the turning point toward a mature industrial security architecture. The factory came out of the incident with real Purdue segmentation, OT-aware monitoring in the 24x7 SOC, vendor access under control, and a rehearsed response plan — prepared for the next attacker, who always comes.
Don’t wait for the incident. Start hardening manufacturing today.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
How Decripte responds to an incident in a manufacturing operation
Incident response in manufacturing is different because the clock competes with the attacker and with the cost of every hour of downtime, and because containing in OT requires knowing what not to shut down. These are the steps Decripte follows, always side by side with the client's operations team:
- Immediate engagement and triage: we classify the severity and identify whether the attacker has already reached the IT/OT boundary or is still contained in the corporate network — that is the first question that changes the entire response strategy.
- Containment of the IT→OT jump within 1 hour: we block traffic between the networks, tear down vendor remote access, disable compromised accounts, and cut off command-and-control channels, closing the attacker's route before it reaches the shop floor.
- Coordination with operations for physical decisions: no OT system is shut down without the automation team and the plant's safety engineer — containment is surgical, preserves local control when possible, and never creates a risk for those on the shop floor.
- Eradication in IT: we identify all compromised endpoints and accounts, isolate and rebuild the machines from clean images, reset credentials, and remove the attacker's persistence mechanisms.
- Forensic analysis of the vector and the path: we reconstruct how the attack got in and where it moved, confirming the exact point at which it was contained and preserving the evidence for any regulatory obligation or legal action.
- Verified recovery of production: we validate the integrity of SCADA, historians, and engineering workstations before reconnecting anything, restore from intact backups when necessary, and confirm that the line returns to safe operation.
- Assessment of impact to personal data and IP: we check whether there was exfiltration of data under the LGPD or of intellectual property, advising on any notification to the ANPD and to the data subjects when applicable.
- Executive and technical report with a hardening plan: we deliver the complete timeline, the lessons learned, and the prioritized roadmap to close the gaps the incident revealed, turning the crisis into the starting point for maturity.
How Decripte structures a factory's security
Responding well to an incident is necessary, but the goal is for it not to stop production. Decripte's industrial security structuring rests on pillars that, together, close the attack's route and give the factory the ability to detect, contain, and recover:
IT/OT segmentation in the Purdue model
The boundary that stops the jump. We implement an industrial firewall and a DMZ between the IT and OT levels, separate the OT domain from corporate Active Directory, and migrate the legitimate flows in a phased way so that production never stops during the transition. The VLAN becomes real flow control, inspected and blocked.
OT-aware visibility and monitoring 24x7
Decripte's SOC sees both worlds. Passive collection of industrial traffic, decoding of OT protocols, automatic asset inventory, and a baseline of normal behavior feed detection 24 hours a day — catching reconnaissance and lateral movement before the jump happens.
Vulnerability management calibrated for OT
Prioritization by real risk and exposure, not by theoretical severity. A live inventory without aggressive scans, synchronization of patches with the plant's maintenance windows, and compensating controls for what cannot be patched — because a PLC that is out of support can still be protected by what surrounds it.
Vendor remote access control
The permanent tunnels of integrators and OEMs become supervised, on-demand access, with strong authentication and session recording. Each vendor gets in only when they need to, for as long as they need to, doing only what was authorized — closing the most overlooked back door in industry.
Tested continuity and recovery
Offline, immutable backups of SCADA, historians, recipes, and PLC configurations, out of reach of the compromised network, with rehearsed restore procedures — so the factory knows, with confidence, how long it takes to get back to producing after a disaster.
Response plan rehearsed with operations
The first time the OT team coordinates with the security team cannot be in the real crisis. We build and rehearse the response plan with the participation of operations, defining roles, shutdown decisions, and communication — so that, when the incident comes, the response is muscle memory, not improvisation.
Recommended plans for Manufacturing
24x7 SOC
Continuous monitoring that sees the IT/OT boundary and industrial traffic (Modbus, OPC-UA, EtherNet/IP, S7), detecting reconnaissance and lateral movement before the attack jumps to the shop floor and stops the line.
See plan →Incident Response
Containment of the IT→OT jump within 1 hour, with a team that knows what not to shut down in OT and coordinates every physical action with operations — the difference between a managed IT incident and a weekend of lost production.
See plan →Pentest
OT-aware Pentest that validates in practice whether the attacker can jump from IT to OT, testing the segmentation and the industrial DMZ without taking down production, and translating the risk into executive language to justify the investment.
See plan →Vulnerability Management
Prioritization by real risk and compensating controls for OT assets that cannot be patched at the pace of IT, synchronizing patches with the plant's maintenance windows so production is never interrupted.
See plan →Frequently asked questions
How can ransomware stop my production line if the PLCs don't even run Windows?
In most cases, ransomware does not encrypt the PLCs directly — it encrypts the systems that provide visibility and control over them: the SCADA servers, the process historians, and the operator stations (HMIs), which normally run Windows. Without SCADA and the HMIs, operators are blind: they cannot supervise the process, read alarms, or command it safely. The only responsible option becomes stopping the line. That is why the defense focuses on preventing the attack from reaching those supervisory systems, by containing the IT→OT jump.
We already have VLANs separating IT and OT. Isn't that enough segmentation?
No. A VLAN organizes traffic, but it does not filter it — an attacker with access to the switch crosses VLANs with ease, and accounts or workstations that belong to both worlds create direct bridges. Real segmentation means firewalls that inspect and block the flow between zones, organized according to the Purdue model, with an industrial DMZ mediating all communication between IT and OT. Decripte assesses your current segmentation in a diagnostic and, if needed, implements the phased architecture without stopping production.
I can't reboot my PLCs and SCADA to apply patches. How do I do vulnerability management?
Vulnerability management in OT works with that constraint, not against it. We prioritize by real risk and exposure: a serious flaw in an isolated asset behind a DMZ is less urgent than a medium flaw in an exposed system. For what cannot be patched at the pace of IT, we apply compensating controls — tighter segmentation, firewall rules that block the vector, reinforced monitoring, and disabling of unnecessary services — and we plan the feasible patches in sync with the plant's maintenance windows.
Can't the pentest take down my production?
A poorly planned pentest can, and that is why Decripte's industrial pentest is designed with rules of engagement built together with your OT team. On sensitive assets we favor the passive approach and architecture analysis; active, intrusive tests stay in IT, at the IT/OT boundary, and in test environments, never in critical production without explicit approval and supervision. The goal is to safely validate whether the attacker can jump to OT — without causing the very damage we are trying to prevent.
Is my factory subject to the LGPD even though it isn't a data company?
Yes. The LGPD applies to any organization that processes personal data, and a factory processes plenty: employee, contractor, and corporate customer data, plus intellectual property whose leak causes material harm. The competent authority is the ANPD, and an incident affecting personal data may require notification to the agency and to the data subjects. Decripte assesses the impact to personal data during incident response and advises on the applicable regulatory obligations.
Is the remote access of my automation vendors secure?
It is often the weakest point. Permanently open maintenance tunnels, VPNs that the integrator reuses across several customers, and remote access software installed on HMIs to make support easier are doors that bypass all of your segmentation. Decripte inventories all of these access paths and replaces them with a supervised model: on-demand access, time-limited, with strong authentication and session recording, closing the supply chain vector without preventing legitimate maintenance.
How long does Decripte take to contain an attack that is in progress?
Incident Response operates with a containment SLA of up to 1 hour. In manufacturing, the absolute priority of that first hour is to cut the IT/OT bridge — block traffic between the networks, tear down remote access, disable compromised accounts, and cut off command and control — to prevent the attacker from reaching the shop floor. The earlier we are engaged, the greater the chance of containing the incident while it is still in IT, before it stops production.
Where do I start if I don't yet know the size of my exposure?
Start with the free Threat Management assessment at decripte.com.br/intelligence-center, which maps your organization's external exposure with no commitment. From it, you understand where the most urgent gaps are. To structure the complete defense — IT/OT segmentation, 24x7 SOC, vulnerability management, and a response plan — sign up at decripte.io/start or talk to our team through the form at /contato.
Sector terms
- OT (Operational Technology)
- The set of hardware and software that monitors and controls physical processes on the shop floor: PLCs, HMIs, SCADA systems, process historians, robots, and field devices. It differs from IT by prioritizing availability and physical safety above confidentiality.
- ICS/SCADA
- Industrial Control Systems (ICS) and, within them, the Supervisory Control and Data Acquisition (SCADA) systems, which give operators visibility and command over the production line. Compromising SCADA blinds the operation and forces a stoppage.
- PLC (Programmable Logic Controller)
- A rugged industrial device that runs the control logic for machines and processes on the shop floor. It has a life cycle of 15 to 25 years and rarely runs conventional operating systems, which completely changes the approach to patching and monitoring.
- Purdue Model
- A reference model that organizes the industrial environment into levels, from the field (sensors and actuators) up to corporate IT and the internet, defining where the security boundaries should sit — in particular the industrial DMZ between the IT and OT worlds.
- Industrial DMZ
- A demilitarized zone positioned between the IT network and the OT network that mediates all communication between the two worlds. No traffic crosses directly from one side to the other: everything passes through the DMZ, is inspected, and only what is strictly necessary moves forward.
- IT→OT lateral movement
- A technique by which an attacker who has compromised the corporate network (IT) crosses into the production network (OT), exploiting poorly segmented bridges such as engineering workstations, dual-access accounts, or vendor remote access. It is the vector that turns an IT incident into a factory stoppage.
Decripte protects and responds to incidents in manufacturing.
Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.
