Key Takeaways
- Manufacturing cybersecurity is moving from theoretical frameworks and visibility‑only projects to concrete, operational execution.
- Resilience, recovery, and survivability are now prioritized over perfect prevention or compliance checklists.
- The biggest gaps lie in translating detection into on‑site action, managing legacy and heterogeneous OT environments, and aligning security with production uptime, safety, and quality.
- Hybrid architectures (centralized visibility + decentralized survivability) and pragmatic controls—segmentation, data diodes, removable‑media limits—are emerging as best practices.
- People, process, and training are as critical as technology; workforce development sustains security over time.
- Supply‑chain risk, geopolitical influences, and the economics of attack (ROI‑driven adversaries) demand that OT security be treated as an enterprise‑wide business issue.
- Recovery testing, proven backup restorability, and incident‑response muscle memory are repeatedly highlighted as weak spots that must be exercised regularly.
Shift in Conversation
The tone at Industrial Cyber Days Manufacturing 2026 has shifted from abstract frameworks and ideal architectures to grounded, operational discussions. Attendees repeatedly noted that the industry is not lacking guidance; it is struggling to apply that guidance consistently across plants, under pressure, and through disruption. The consensus is clear: knowing what secure manufacturing should look like is only the first step—sustaining it in real‑world conditions is the true challenge.
Operational Realities Drive the Agenda
Manufacturing plants never stop, and cyber incidents cause more than just downtime. Safety, product quality, financial loss, productivity, reputation, and supply‑chain continuity are all at stake. Sessions therefore focus on practical response: safe shutdowns, recovery after an event, and detecting operational anomalies before they escalate. The emphasis is on what teams actually do on the plant floor when there is no clean answer, not on theoretical playbooks.
From Visibility to Action
Dr. Terence Liu of TXOne Networks highlighted a common pitfall: years spent building asset inventories and network maps while operational risk remains unchanged. Visibility is necessary but insufficient. The real work lies in prioritizing protections, deploying them safely without interrupting production, and moving from “seeing” threats to “acting” on them. This shift from visibility to action is a recurring theme across regions.
Architectural Trade‑offs and Survivability
Richard Springer (Fortinet) argued that modern attacks are multi‑stage, exploiting IT‑OT convergence and supply‑chain links, making architectural containment essential. Segmentation, unified platforms, and edge controls are becoming baseline requirements. Peter Jackson (Dragos/SANS) described APAC manufacturing at an inflection point, where legacy systems and limited OT resources create structural vulnerabilities—but he stressed a pragmatic, non‑fatalistic outlook. Major Sumit Sharma (Tata Chemicals) challenged the assumption that centralized OT architectures automatically improve security, warning that over‑centralization creates shared failure domains. He advocated a hybrid model: decentralized survivability with centralized visibility and governance, encapsulated by an OT DMZ that allows systems to fail gracefully rather than catastrophically.
First 180 Days: Reframing the Objective
John Kingsley of Hitachi Energy proposed abandoning the traditional compliance‑versus‑risk debate. Instead, he frames the first 180 days of an OT security program around achieving and maintaining operational integrity as an ongoing condition, not a one‑time project. This subtle reframing underscores the industry’s move toward treating security as a continuous state of resilience.
Detection‑to‑Action Gap
A recurring pain point is the disconnect between centralized SOC detection and on‑site response. Asad Naeem (Engro Fertilizers) noted that while alerts may be generated quickly, geographically dispersed plants often lack the cyber expertise to translate those alerts into safe operational actions. Training, awareness, and clear escalation paths are required to close this gap, ensuring that technology alerts lead to timely, competent human intervention.
People, Process, and Technology
Several speakers stressed that technical controls alone are insufficient. Sam Mackenzie (ACRNA) moderated a panel on ownership, escalation, and the reality that incident response often exists only as documentation, not muscle memory. Mary Gannon (GuidePoint Security) added that smaller manufacturers must rely on internal capabilities when external retainers are unavailable, making procedural, practiced recovery essential. Durgesh Kalya (Covestro) pointed out that many OT security failures originate in early engineering decisions—poor segmentation, flat networks, unverified remote access—creating design debt that compounds over time.
Supply‑Chain and Geopolitical Dimensions
Shlomi Marco (RubyComm) highlighted the growing cybersecurity gap among small and medium‑sized manufacturers, whose vulnerabilities can cascade upstream through tightly coupled supply chains. He urged organizations to view OT security as an enterprise‑wide risk governance issue, not a siloed technical concern. Danielle Jablanski (STV Inc.) linked geopolitical instability to cyber risk, noting that growing use of AI, connectivity, and remote management expands the attack surface beyond plant walls, making political and economic disruptions direct threats to industrial safety.
Recovery and Restore Testing
Ari Novikoff (Macrium) warned that having backups does not guarantee rapid restoration. Recovery testing remains inconsistent, restoration dependencies are often poorly understood, and legacy systems complicate rebuilds. Critical recovery knowledge frequently resides with a few experienced engineers nearing retirement, creating a single point of failure under pressure. The session “Backed Up, Can’t Recover” underscored the need for regular, validated restore drills.
Economics of Attack and Cost of Inaction
Anusha Iyer (Corsha) and Sean Tufts (Claroty) framed attackers as economic actors seeking maximum return on investment. Defenders must therefore quantify downtime, model attack paths, and translate risk into financial terms to prioritize defenses effectively. This ROI‑driven lens helps align security investments with business outcomes.
Integrating Maintenance, Reliability, and Security
Symonsen Acorroni (Ero Mining) argued that treating maintenance, reliability, and cybersecurity as separate functions creates blind spots. True resilience requires organizational integration, where security considerations are embedded in maintenance workflows and reliability programs.
OT Professionals as Enterprise Risk Contributors
Teodosio Gutierrez (Altura) described the evolution of OT professionals from isolated technical operators to contributors who speak the language of operational continuity, financial exposure, regulatory impact, and customer trust. This shift is vital because manufacturing executives evaluate cybersecurity through these business lenses, not merely technical severity scores.
Uptime vs. Security: Finding the Right Balance
Mike Holcomb (UtilSec) articulated the persistent tension in the Americas between maintaining high uptime and addressing rising threats. He cautioned against attempting to secure everything at once; instead, organizations should prioritize fundamentals—segmentation, access control, patching where feasible, and robust incident response—that deliver the greatest risk reduction without sacrificing production.
Defensible Architectures and Operational Perception
Saltanat Mashirova (CPX) and Michael Hoffman (Dragos) emphasized that security programs succeed when operational teams view cybersecurity as an enabler of resilience, not a disruptor of production. Defensible architectures—those aligned with uptime, safety, and continuity—are more likely to be embraced and sustained.
Recovery Readiness as the Ultimate Test
Danielle Jablanski closed the discussion by stating that there is no clean separation between cyber risk and operational risk. The true measure of a security program is whether plants can actually restore safely while preserving production, safety, and customer trust—not merely whether recovery plans exist on paper.
Conclusion: From Performative Maturity to Operational Realism
The overarching narrative at Industrial Cyber Days Manufacturing 2026 is a move away from performative maturity metrics toward operational realism. Conversations are less about buying the latest platform and more about making harsh, resource‑constrained environments defensible. While gaps remain—structural, cultural, financial—the industry is asking harder questions: Can operations withstand compromise? Can teams act decisively under pressure? Can plants recover without jeopardizing safety or trust? Answering those questions will define the next phase of manufacturing cybersecurity.

