Mind the visibility gap

VISIBILITY GAPS remain a major obstacle in industrial cybersecurity. In its 2026 OT threat reporting, Dragos estimates that "fewer than 10% of OT networks worldwide currently have meaningful network monitoring in place", leaving defenders with limited insight into malicious activity until an incident is already underway.

But simply bolting traditional IT visibility tools designed for servers and endpoints into OT networks can, and often does, create instability or degraded performance. To protect cyber and operational resilience, manufacturers need an engineering-led view of network insight that respects uptime and live production.

The visibility paradox

Traditional IT security tools often rely on active scanning or inline inspection, methods that can create latency in fragile control systems if they are used carelessly.

Take industrial controllers supporting live production processes. These systems rely on real-time communications to keep machinery operating within expected tolerances. Unexpected scans or intrusive network testing can introduce delays or disrupt those communications, which in turn can affect output, quality or availability.

Paradoxically, organisations cannot secure what they cannot see. Yet attempting to observe these networks using conventional IT methods can destabilise the very systems they are trying to protect.

As NIST states in its Guide to Operational Technology (OT) Security, "OT network owners should exercise extreme caution when permitting active scanning on an operational network due to device sensitivity on the target network. Active scans may cause device instability or interfere with the device process state, potentially impacting safety and integrity."

Passive monitoring resolves this. By observing network traffic through engineered SPAN or TAP connections, it gives operators a way to understand communications without interacting directly with sensitive devices. That makes it better suited to fragile environments where active scanning may introduce operational risk.

In live manufacturing environments, these approaches should be designed and validated before they are rolled out. Passive monitoring across plant networks can support continuous asset discovery and exposure analysis without adding traffic to production systems. That helps replace incomplete manual inventories with a clearer picture of operational assets and communications.

Scalable resilience

Visibility alone does not reduce risk unless it informs how networks are structured and governed. In many organisations, OT systems that run machinery are connected to the wider business network without enough planning or separation.

That creates unnecessary exposure. Once a business network is compromised, attackers can move more easily towards critical operational systems. Legacy OT devices often cannot support modern security agents or deep packet inspection, which leaves them particularly exposed when networks are merged without clear boundaries.

The next step is turning visibility into controlled, resilient infrastructure. As the NCSC notes in its secure connectivity principles for OT, connectivity "should be designed with operational resilience in mind, and should not compromise the safety, reliability, or availability of OT systems."

The progression is straightforward. Organisations first need to identify connected assets and communication flows so they understand how systems behave under normal conditions. Segmentation can then be introduced through methods such as VLANs and network isolation to separate domains according to operational importance or trust level. Continuous monitoring then helps ensure those boundaries remain effective over time.

In manufacturing environments, network security should be embedded into the architecture from the outset. Manufacturers looking to strengthen resilience across industrial environments should start by asking not just whether they can see their environments, but whether they can do so safely and continuously.

Carl Henriksen is CEO at OryxAlign

www.oryxalign.com