How nCrypt delivered an integrated IT, OT and IT/OT-boundary assessment across three plants for a Bursa-listed Malaysian manufacturer following a high-profile ransomware event at a regional peer. Client identifying details have been anonymised under the engagement non-disclosure agreement.
The client is a Bursa-listed Malaysian manufacturer operating three plants across Peninsular Malaysia, supplying tier-one customers in the automotive and consumer electronics sectors. Combined annual revenue sits in the higher nine-figure range in Malaysian Ringgit, and a single day of unplanned plant downtime carries a quantifiable revenue and contract-penalty impact in the low millions.
The technology estate is split between a central enterprise IT function based at the corporate headquarters and three plant-side technology teams, each focused on operational continuity rather than cybersecurity. The plant networks combine modern PLC and SCADA equipment with a long tail of legacy controllers and engineering workstations accumulated over more than two decades of plant operation.
The engagement was triggered by a ransomware event at a regional manufacturing peer that had taken plant operations offline for several weeks. The board moved quickly to commission an independent assessment of the group's own exposure to a similar event, with explicit emphasis on the IT/OT boundary that had historically received limited security attention.
Until the board commissioned this engagement, the plant networks had never been systematically assessed under an adversary model. Cybersecurity attention had been concentrated on the corporate IT estate at headquarters, with the plants treated as operational silos under the responsibility of the manufacturing function.
The IT/OT boundary was the immediate concern. Each plant had been integrated into the corporate network at a different point over the previous decade, leaving inconsistent segmentation, mixed Active Directory trust models and a number of vendor remote-access arrangements that had been put in place for short-term support engagements and never withdrawn.
On the OT side, the legacy challenge was substantial. Several engineering workstations ran end-of-support operating systems with no realistic patching path, several PLC programming environments had been left logged in to support faster shift handover, and removable-media use on the plant floor was widespread and untracked.
The binding operational constraint was that no testing could risk a production stop. A halted production line carried a quantifiable cost in the low millions per day, and even brief unplanned downtime would have triggered contract penalties from tier-one customers. The engagement had to produce adversary-quality evidence without ever interacting with a live production process in a way that could affect output.
nCrypt structured the engagement around a three-layer methodology. The passive layer ran throughout the field window and combined network capture, configuration review, asset-inventory reconciliation and walkdown observation. This produced the bulk of the engagement's evidence base without ever touching a production process actively.
The active IT-side layer covered the corporate estate and the IT/OT boundary using standard internal pentest techniques, including Active Directory privilege-graph analysis, segmentation testing from the user VLAN inwards, and adversary emulation of ransomware-relevant tradecraft against a representative slice of the office estate. All active testing was scoped to stop at the plant boundary unless the plant team had explicitly authorised crossing it.
The active OT-side layer was constrained to representative test rigs and to scheduled maintenance windows agreed with the plant operations leads. Where active testing against live OT was unavoidable, it was conducted on a single device at a time, with an immediate rollback procedure rehearsed in advance and a plant engineer on the comms channel throughout.
The deliverable pack was structured for two audiences. The board pack quantified downtime risk in commercial language and supported the cyber-insurance renewal cycle that was running in parallel. The technical pack provided the central IT function and the three plant teams with prioritised remediation guidance mapped to IEC 62443 zone-and-conduit objectives, with explicit guidance on where compensating controls could be substituted for patching on legacy systems.
Two of the three plants had effectively flat layer-three connectivity between the corporate user VLAN and the plant-floor PLC network, with no firewall enforcement at the IT/OT boundary. A compromised office workstation could reach engineering workstations and PLC programming interfaces directly.
Plant engineering workstations were joined to the same Active Directory forest as the office estate, with no tier-zero separation. Standard office-admin credentials could log on interactively to engineering workstations, including those running PLC programming software.
The historian and SCADA application server at the largest plant ran on an end-of-support Windows Server build with no compensating segmentation. Patch management was constrained by the application vendor's support matrix rather than by genuine technical limitation.
An equipment vendor maintained an always-on cellular modem connection into the plant network for remote support, with no bastion, no logging and no credential rotation. The modem was discovered through external attack-surface enumeration rather than from the plant's own asset inventory.
Removable media use on the plant floor was technically permitted on engineering workstations and was not centrally tracked. Initial access via removable media has been a recurring vector in ransomware events affecting regional manufacturing peers.
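The passive layer described above (network capture reconciled against the asset inventory) is what surfaces findings like the flat IT/OT boundary and the unlisted vendor modem, and it is also what gives the "exposed services, reachable assets" baseline a number. The script below is an added illustration of that reconciliation, written for this page rather than taken from nCrypt's tooling or the client's environment. The zone layout, the permitted conduits, the inventory entries and the flow records are all constructed; real input would be a flow summary exported from a passive capture tool (a Zeek conn.log or a tshark field export, for example) and the plant team's own inventory.

```python
"""Reconcile passively observed flows against a plant asset inventory.

Added example, not nCrypt's or the client's code. Every address, hostname,
zone and conduit below is a constructed assumption used to show the method.
"""
import ipaddress
from collections import defaultdict

# Assumed Purdue-style zone layout for one plant (constructed).
ZONES = {
    "corp_user": ipaddress.ip_network("10.10.0.0/16"),  # office user VLAN
    "eng_ws": ipaddress.ip_network("10.20.3.0/24"),     # engineering workstations
    "plc": ipaddress.ip_network("10.20.1.0/24"),        # PLC / controller network
    "dmz": ipaddress.ip_network("10.20.9.0/24"),        # IT/OT DMZ (bastion, historian replica)
}

# Conduits the zone design permits: (src_zone, dst_zone, dst_port).
# Any other flow that crosses a zone boundary is a segmentation finding.
ALLOWED_CONDUITS = {
    ("eng_ws", "plc", 44818),   # EtherNet/IP from engineering workstations to PLCs
    ("dmz", "eng_ws", 3389),    # RDP from the OT bastion into engineering workstations
    ("eng_ws", "dmz", 1433),    # engineering workstations to the historian replica
}

# Constructed plant inventory: ip -> (hostname, zone recorded by the plant team).
# Office hosts live in the corporate CMDB, so they are not expected here.
INVENTORY = {
    "10.20.3.11": ("ENG-WS-01", "eng_ws"),
    "10.20.1.21": ("PLC-LINE1", "plc"),
    "10.20.1.22": ("PLC-LINE2", "plc"),
    "10.20.9.5": ("OT-BASTION", "dmz"),
}

# Constructed flow summary, one flow per line: src,dst,dst_port,proto.
# 10.10.4.77 is an office workstation; 10.20.1.250 is not in the inventory
# (the kind of device an unlisted vendor modem shows up as).
OBSERVED_FLOWS = """\
10.20.3.11,10.20.1.21,44818,tcp
10.20.9.5,10.20.3.11,3389,tcp
10.10.4.77,10.20.1.22,44818,tcp
10.10.4.77,10.20.3.11,445,tcp
10.20.1.250,10.20.1.21,502,tcp
"""


def zone_of(ip):
    """Map an address to its zone by CIDR; anything outside the design is 'unzoned'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned"


def parse_flows(text):
    """Parse 'src,dst,dst_port,proto' lines into tuples, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split(",")
        flows.append((src, dst, int(port), proto))
    return flows


def reconcile(flows, inventory):
    """Return unknown plant-side hosts, disallowed cross-zone flows and per-host exposed ports."""
    unknown = set()
    violations = []
    exposed = defaultdict(set)  # dst ip -> ports reached from a different zone
    for src, dst, port, proto in flows:
        for ip in (src, dst):
            # Plant-side addresses must be inventoried; office hosts are out of scope here.
            if ip not in inventory and zone_of(ip) != "corp_user":
                unknown.add(ip)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone:
            exposed[dst].add(port)
            if (src_zone, dst_zone, port) not in ALLOWED_CONDUITS:
                violations.append((src, src_zone, dst, dst_zone, port, proto))
    return {
        "unknown_hosts": sorted(unknown),
        "violations": violations,
        "exposed_services": {ip: sorted(ports) for ip, ports in exposed.items()},
    }


def baseline_score(report):
    """Attack-surface baseline: distinct (host, port) pairs reachable outside a permitted
    conduit, plus hosts the plant does not know it has. Re-run after remediation and
    compare to measure the reduction."""
    disallowed_pairs = {(v[2], v[4]) for v in report["violations"]}
    return len(disallowed_pairs) + len(report["unknown_hosts"])


if __name__ == "__main__":
    report = reconcile(parse_flows(OBSERVED_FLOWS), INVENTORY)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("baseline score:", baseline_score(report))
```

The score is deliberately simple: it counts things a remediation programme can make go to zero (a firewall rule removes a cross-zone pair, an inventory entry or a decommissioning removes an unknown host), which is what makes a "roughly two thirds" style reduction claim checkable rather than impressionistic. The same run over a post-remediation capture, with the bastion and the inventory updated, gives the after figure.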
The engagement produced a quantified attack-surface reduction of roughly two thirds across the three plants, measured against a defined baseline of exposed services, reachable assets and privileged credentials inventoried at the start of the field window. The IT/OT boundary at each plant was rebuilt around firewalled zones aligned to the Purdue model, with vendor remote access consolidated through a logged bastion and quarterly access review.
The board pack quantified daily downtime risk for each plant and was used directly in the cyber-insurance renewal cycle that closed shortly after the engagement, producing a roughly twenty-five per cent reduction in the group's premium against comparable cover. The CFO has cited this outcome as a worked example of cybersecurity spend with a measurable balance-sheet return.
Eighteen months after the original engagement, none of the three plants has experienced a material security event. nCrypt is engaged on an annual reassessment cycle and provides incident-response retainer cover at all three sites, with quarterly tabletop exercises rotating across the leadership team and the plant operations leads.
Share your scope. We'll respond within 24 hours.
Get an integrated IT, OT and IT/OT-boundary assessment scoped to your plant estate, with a board-ready quantified risk picture.