A greenfield plant gets one chance to be secure by design instead of secured after the fact. Once a facility is producing, every patch, every segmentation change, and every credential rotation fights against uptime — which is exactly why so many plants run for years with flat networks and default passwords. Manufacturing is now the most-attacked sector on the planet, and an attack that reaches the control system stops production, not just paperwork. The fix is to bake the right controls into the build. Here are the fifteen cybersecurity controls every greenfield manufacturing plant should have live on day one, grouped into five layers of defense.
Building a new plant and want it secure from day one? Book a 30-minute OT security consultation to design these controls into your project before commissioning.
Five Layers, Fifteen Controls
Why Day-1 Security Is a Greenfield Advantage
Retrofitting security onto a running plant is slow, expensive, and risky — you cannot easily re-architect a network or rotate credentials on a line that cannot stop. A greenfield project removes that constraint entirely. You can segment the network before it is energized, harden every device before it ships data, and align the whole design to IEC 62443 from the first drawing. With manufacturing ransomware rising sharply and a single incident capable of halting production for weeks, designing security in is the cheapest insurance a new plant will ever buy. If you want these controls scoped against your architecture, you can map them with an OT security specialist.
The 15 Controls, Layer by Layer
Each layer addresses a different way attackers move, from breaching the perimeter to reaching the core. Work them as a set — defense in depth means no single failure exposes the plant.
Layer 1: Network Security
Separate IT and OT into Purdue-model zones with a Level 3.5 DMZ. Segmentation is the single most effective defense against lateral movement from IT into production.
Apply the IEC 62443 zones-and-conduits model so every communication path between zones is explicit, filtered, and monitored.
Broker all remote and vendor access through a gateway with MFA and least privilege — no flat VPNs, no open inbound ports. Third-party access is the highest-risk door.
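As an added illustration (not iFactory's code or a product feature), here is a small Python policy evaluator that encodes the zones-and-conduits rules above: a constructed inventory of zones, assets, conduits and ports, default deny for any crossing without an explicit conduit, and a hard rule that no enterprise-to-control path may bypass the Level 3.5 DMZ.

```python
from dataclasses import dataclass

# Purdue level per zone; 3.5 is the IT/OT DMZ (constructed example zones).
ZONE_LEVEL = {"enterprise": 4.0, "dmz": 3.5, "site_ops": 3.0, "cell_line1": 1.0}

# Asset -> zone assignment; a constructed sample inventory.
ASSET_ZONE = {
    "erp-app": "enterprise",
    "vendor-laptop": "enterprise",
    "historian-relay": "dmz",
    "eng-ws-01": "site_ops",
    "plc-line1": "cell_line1",
}

# Explicit conduits: (src_zone, dst_zone) -> permitted TCP ports.
# Any crossing not listed here is denied by default.
CONDUITS = {
    ("enterprise", "dmz"): {443},       # ERP reads from the DMZ historian relay
    ("dmz", "site_ops"): {5450},        # relay pulls from site historian (constructed port)
    ("site_ops", "cell_line1"): {502},  # engineering/historian reach the PLC over Modbus/TCP
}

@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str

def evaluate(src: str, dst: str, port: int) -> Verdict:
    """Decide whether a flow between two inventoried assets may pass.

    Same-zone traffic passes; an enterprise zone (level >= 4) may never
    reach a control zone (level < 3.5) directly, only via the DMZ; every
    other crossing needs an explicit conduit that lists the port.
    """
    if src not in ASSET_ZONE or dst not in ASSET_ZONE:
        return Verdict(False, "asset not in inventory")
    sz, dz = ASSET_ZONE[src], ASSET_ZONE[dst]
    if sz == dz:
        return Verdict(True, "intra-zone")
    if ZONE_LEVEL[sz] >= 4.0 and ZONE_LEVEL[dz] < 3.5:
        return Verdict(False, "IT-to-OT flow must be brokered through the L3.5 DMZ")
    ports = CONDUITS.get((sz, dz))
    if ports is None:
        return Verdict(False, f"no conduit {sz}->{dz}")
    if port not in ports:
        return Verdict(False, f"port {port} not permitted on conduit {sz}->{dz}")
    return Verdict(True, f"conduit {sz}->{dz} permits port {port}")
```

Run against a proposed firewall rule set or a list of observed flows, the same function doubles as a commissioning check: every flow it denies is either an undocumented conduit or an asset missing from the inventory.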
Layer 2: Identity & Access
Eliminate implicit trust. In OT this is enforced at the zone and system level — defined zones of trust with strict access controls on every crossing, applied in a risk-informed, phased way.
Require multi-factor authentication and role-based access on every admin, engineering, and vendor account, and ban shared or default credentials outright.
Vault credentials and grant just-in-time access for engineering workstations and OT admins, with every privileged session recorded for the audit trail.
Layer 3: Asset Hardening
Build a complete inventory of every PLC, HMI, switch, and device using passive discovery. You cannot protect what you cannot see, and visibility underpins every other control.
Disable unused ports and services, apply configuration baselines, and require a software bill of materials so you know what is running before it goes live.
Deploy endpoint detection on engineering workstations, HMIs, and servers — the Windows systems where most intrusions first land before reaching OT.
Layer 4: Detection & Response
Monitor OT traffic passively for protocol anomalies and lateral movement, without touching the control systems themselves.
Baseline normal behavior and flag deviations automatically. As attackers use AI to compress reconnaissance from weeks to minutes, defenders need machine-speed detection too.
Feed an OT-aware SIEM and a security operations center that understands industrial protocols and puts safety and continuity first.
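As an added illustration (not iFactory's code), the following Python learns a communication baseline from a window of passively captured flow records and then flags deviations of the kinds the layer above describes: a new peer pair, a new protocol on a known pair, and a host that starts reaching several new destinations. The flow records, host names and the fan-out threshold are constructed assumptions; the ports are the standard ones for Modbus/TCP (502), S7comm (102) and EtherNet/IP (44818).

```python
from collections import defaultdict

# (timestamp, src, dst, dst_port): a constructed learning window captured
# while the plant runs normally, and a constructed live window afterwards.
LEARN_FLOWS = [
    (1, "eng-ws-01", "plc-line1", 502),
    (2, "historian", "plc-line1", 502),
    (3, "historian", "plc-line2", 102),
    (4, "eng-ws-01", "plc-line1", 502),
]
LIVE_FLOWS = [
    (10, "historian", "plc-line1", 502),    # known pair, known port: normal
    (11, "eng-ws-01", "plc-line2", 102),    # new peer pair
    (12, "eng-ws-01", "plc-line1", 44818),  # known pair, protocol never seen before
    (13, "eng-ws-01", "plc-line3", 502),    # second new peer from the same host
    (14, "eng-ws-01", "plc-line4", 502),    # third new peer
]

def learn_baseline(flows):
    """Map each observed (src, dst) pair to the set of ports seen on it."""
    baseline = defaultdict(set)
    for _ts, src, dst, port in flows:
        baseline[(src, dst)].add(port)
    return baseline

def detect(baseline, flows, fanout_threshold=2):
    """Return (timestamp, kind, detail) alerts for flows the baseline does not explain.

    'fan-out' fires once, when a single host has reached fanout_threshold
    destinations it never talked to during learning; that pattern is the
    traffic shape of a host being used to pivot across the control zone.
    """
    alerts = []
    new_peers = defaultdict(set)
    for ts, src, dst, port in flows:
        known = baseline.get((src, dst))
        if known is None:
            alerts.append((ts, "new-peer", f"{src}->{dst}:{port}"))
            new_peers[src].add(dst)
            if len(new_peers[src]) == fanout_threshold:
                alerts.append((ts, "fan-out", f"{src} reached {fanout_threshold} new hosts"))
        elif port not in known:
            alerts.append((ts, "new-protocol", f"{src}->{dst}:{port}"))
    return alerts
```

Each alert tuple is the shape an OT-aware SIEM would ingest; in a real deployment the learning window must be long enough to cover maintenance and batch changeovers, or those become false positives on day one.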
Layer 5: Resilience & Governance
Prioritize patching by real exploitability and schedule it into OT-safe maintenance windows. More than a third of breaches begin with an unpatched vulnerability.
Keep tested, offline backups and an OT-specific incident-response plan that prioritizes production safety and continuity, not just data recovery.
Vet vendors, run security testing at factory acceptance, change every default before go-live, and target IEC 62443 certification for the systems you install.
Not sure which layer is weakest in your design? Book an OT security review and we will pressure-test your architecture control by control.
Securing the Build: Commissioning Without Opening Doors
The riskiest window in a plant's life is commissioning, when networks are flat, defaults are unchanged, and dozens of vendors plug in. A few disciplines keep that window from becoming the breach.
Approaching commissioning on a new build? Book a secure-commissioning session and lock down the build before the doors open.
Bake Security Into the Plant, Not Onto It
iFactory helps greenfield teams design segmentation, Zero Trust access, asset visibility, and AI-driven detection into the build — aligned to IEC 62443 and live with the plant, with OT data kept inside your security perimeter.
Expert Perspective
Most of the manufacturing breaches we see never touch industrial malware at all. An attacker phishes an engineer, lands on a Windows workstation, finds a flat network with default credentials, and walks straight into the control layer — and the line stops. None of that requires a sophisticated ICS exploit; it requires that segmentation, identity, and visibility were never built in. A greenfield plant is the one moment you can close all three doors at once, before production pressure makes every change a fight. Build the layers in during construction and you have removed the easy paths that almost every real attack actually uses.
— OT Security Practice, iFactory Engineering Team
The Bottom Line
Industrial attackers rarely need exotic tools — they need a flat network, a default password, and no one watching. The fifteen controls here close those gaps across five layers: segment the network, lock down identity, harden and inventory every asset, watch for trouble continuously, and stay resilient through patching, backups, and secure commissioning. A greenfield plant is the rare chance to build all of it in before the line ever runs, aligned to IEC 62443 from day one. Do that, and your plant launches with the easy attack paths already closed.
Launch Secure on Day One
From network segmentation and Zero Trust access to AI threat detection and IEC 62443-aligned commissioning, iFactory helps greenfield teams stand up all fifteen controls as part of the build — secure with the plant, not bolted on after the first incident.
Frequently Asked Questions
What is the single most important OT cybersecurity control?
Network segmentation. Every major framework — IEC 62443, NIST 800-82, and the Purdue model — centers on dividing the network into zones with controlled conduits between them. It is the most effective defense against an attacker pivoting from compromised IT systems into production, which is how the majority of industrial incidents actually unfold.
What is IEC 62443 and why does it matter?
IEC 62443 is the international standard for industrial automation and control system security. It defines the zones-and-conduits model for segmentation and a set of security levels from SL-1 to SL-4 that systems can be designed and certified against. For a greenfield plant it provides an auditable baseline that also helps satisfy regulations like NIS2 and customer security audits.
Does Zero Trust really work in an OT environment?
Yes, but it is applied differently than in IT. Rather than enforcing identity at every individual device, OT Zero Trust defines zones of trust and applies strict access controls whenever communication crosses a zone boundary — which aligns closely with the IEC 62443 zones-and-conduits model. The key is a risk-informed, phased rollout that respects safety and uptime constraints.
Why is a greenfield plant easier to secure?
Because nothing is producing yet, so there is no uptime to protect while you build. You can architect segmentation, deploy Zero Trust access, harden every device, and change all default credentials before the plant goes live — work that is slow, costly, and disruptive to retrofit onto a running facility under production pressure.
How does iFactory help secure a greenfield plant?
iFactory helps design the fifteen controls into the build — segmentation and conduits, Zero Trust and privileged access, asset visibility, AI-driven detection, and secure commissioning — aligned to IEC 62443 and integrated so OT data stays inside your perimeter. You can book an OT security consultation to plan it for your facility.