Key Takeaways
- The air gap is mostly a myth in 2026. Engineering workstations, planned maintenance systems, ERP integration and remote vendor access all cross the boundary.
- The Purdue model (Levels 0 to 5) is the universal reference. Testing methodology and acceptable risk change dramatically per level.
- Legacy OT cannot be patched on the IT cadence. Compensating controls (segmentation, monitoring, allowlisting) carry the load while the vendor catches up.
- Remote access for engineers and vendors is the dominant ingress route. A hardened jump host with session recording is the baseline control.
- IEC 62443 is the international OT standard. NCIIPC guidelines apply to designated critical infrastructure operators in India.
Why Manufacturing Became A Cyber Target
Two structural changes turned Indian manufacturing into a cyber target. First, IT/OT convergence: shop-floor data now flows into corporate ERP, supply chain planning, predictive maintenance, customer dashboards and increasingly cloud analytics. The boundary that used to be physical is now a firewall configuration. Second, attacker economics: ransomware affiliates targeting manufacturing get strong leverage because every hour of plant downtime has measurable cost, which pressures payment decisions.
Indian manufacturing incidents in 2023 to 2025 include auto OEMs and component suppliers, pharmaceutical manufacturers, food and beverage operators, and chemical processing facilities. Most followed the same pattern: phishing or exposed VPN initial access, lateral movement through corporate IT, then encryption of office and ERP systems with the OT either incidentally affected or intentionally avoided by the attacker. The interruption to operations was felt regardless of whether the OT itself was encrypted.
The Air Gap Myth and IT/OT Convergence
Most Indian plants claim air-gapped OT. Almost none have it in 2026. The places the air gap leaks include: engineering workstations that connect to both corporate and OT networks for programme uploads, vendor laptops plugged into the PLC during commissioning and service visits, USB drives used to move programmes and updates, planned maintenance systems integrated with PLC data, MES integrated with both ERP and shop-floor PLCs, OPC UA servers exposing OT data to historian and analytics, and remote-access channels (firewall rules, jump hosts, sometimes outright internet exposure) set up for vendor support.
The result is that the OT zone is reachable from the IT zone through at least one path on most days. The defensive question is not whether the path exists but how well it is controlled. Documented, monitored, narrow paths through a jump host beat undocumented broad paths every time, even though the marketing material still calls it an air gap.
Purdue Model and Network Segmentation
The Purdue Enterprise Reference Architecture organises a plant into six levels: Level 0 physical process (sensors, actuators), Level 1 basic control (PLCs, RTUs, IEDs), Level 2 supervisory control (HMIs, SCADA), Level 3 site operations (historians, MES, batch servers), Level 3.5 the IT/OT DMZ, Levels 4 and 5 enterprise IT.
The pragmatic segmentation goal: traffic between Level 3 and Level 3.5 (and downward) is allowed only through documented allow-listed paths with logging. Traffic between Level 4/5 and OT levels never bypasses the DMZ. Engineering workstations at Level 2 do not also sit on Level 4. Vendor remote access enters through Level 3.5 only, with session recording. Most Indian plants we assess have partial implementation; bringing the architecture to a documented, enforced state is typically a 6 to 12 month programme.
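The segmentation rules above can be checked against flow records and an interface inventory. The following is an added example, not Codesecure tooling: the subnets, the allowlist entries, the sample flows and the convention of treating any address outside the plan as level 6.0 are all constructed assumptions.

```python
import ipaddress

# Constructed address plan (an assumption for this example): subnet -> Purdue level.
ZONES = {
    "10.10.1.0/24": 1.0,    # PLCs
    "10.10.2.0/24": 2.0,    # HMIs, engineering workstations
    "10.10.3.0/24": 3.0,    # historian, MES
    "10.10.35.0/24": 3.5,   # IT/OT DMZ
    "10.20.0.0/16": 4.0,    # enterprise IT
}
OUTSIDE = 6.0  # not in the plan: internet, vendor networks
# Documented conduits (constructed): (src, dst, dst_port).
ALLOWLIST = {
    ("10.10.3.10", "10.10.35.5", 443),    # historian -> DMZ replica
    ("10.10.35.20", "10.10.2.15", 3389),  # jump host -> engineering workstation
}

def level(ip):
    addr = ipaddress.ip_address(ip)
    for net, lvl in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return lvl
    return OUTSIDE

def audit_flows(flows):
    """Return (rule, src, dst, port) for each flow that breaks the segmentation goal."""
    findings = []
    for src, dst, port in flows:
        lo, hi = sorted((level(src), level(dst)))
        if lo <= 3.0 and hi >= 4.0:  # enterprise or outside host straight to OT
            findings.append(("bypasses-dmz", src, dst, port))
        elif lo != hi and lo <= 3.5 and (src, dst, port) not in ALLOWLIST:
            findings.append(("undocumented-conduit", src, dst, port))
    return findings

def dual_homed(hosts):
    """Hosts with interfaces in both OT (<= Level 3) and enterprise (>= Level 4)."""
    lv = {name: [level(ip) for ip in ips] for name, ips in hosts.items()}
    return sorted(n for n, l in lv.items() if min(l) <= 3.0 and max(l) >= 4.0)

# Constructed sample flow records and interface inventory.
FLOWS = [
    ("10.10.3.10", "10.10.35.5", 443),     # documented
    ("10.20.4.7", "10.10.2.15", 3389),     # office PC -> engineering workstation
    ("203.0.113.9", "10.10.1.20", 502),    # outside -> PLC
    ("10.10.35.20", "10.10.2.15", 3389),   # documented
    ("10.10.35.20", "10.10.1.20", 44818),  # jump host -> PLC, not documented
]
HOSTS = {"ews-01": ["10.10.2.15", "10.20.8.15"], "hmi-02": ["10.10.2.30"]}
```

Running `audit_flows(FLOWS)` and `dual_homed(HOSTS)` on flow exports from the DMZ firewall and a current interface inventory shows how far a plant is from the documented, enforced state.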
Patch Management for Legacy OT
Most OT cannot be patched on the IT cadence. PLC firmware updates require plant downtime, often vendor coordination, sometimes recommissioning. HMI Windows hosts may be supported only on older OS versions that have themselves reached end of support. Industrial control software vendors release patches on a slow cadence and customer adoption is even slower because the change window is small.
The realistic approach is to let compensating controls do most of the work: strict segmentation so the unpatched system cannot be reached by the attacker, monitoring so unexpected behaviour is detected, allowlisting on Level 2 and Level 3 Windows hosts so untrusted code cannot execute, and an explicit patch programme tied to plant maintenance windows (quarterly or semi-annual). For legacy systems where the vendor will not patch at all, formal risk acceptance and a documented replacement roadmap are the right governance.
Remote Access for Engineers and Vendors
Vendor remote access is the dominant ingress route into Indian plant OT. ABB, Siemens, Rockwell, Honeywell, Schneider, Yokogawa and others all expect remote diagnostic access to maintain SLAs. Without a controlled approach, this means a permanent VPN tunnel, often with shared credentials, sometimes routed to an internal jump host that is itself part of the corporate IT.
The recommended pattern: every external party accesses OT through a single hardened jump host (typically built on Citrix, Microsoft RDS, Apache Guacamole, Teleport or commercial OT-specific products like Cyolo, Claroty SRA, Dispel, or BeyondTrust Privileged Remote Access). Sessions are recorded for after-the-fact review, credentials are vaulted and rotated, multi-factor authentication is enforced, and the jump host itself sits in the Level 3.5 DMZ with no other purpose. Vendors do not get persistent VPN; they request a session each time.
Incident Response for OT Environments
OT IR is constrained in similar ways to maritime IR (see our maritime IR blog for the full discussion). The default IR plan must be adapted: pre-defined safe isolation procedures (which network segment can be cut without endangering process control), pre-positioned communication channels with plant operations leadership (who is authorised to halt production, who is authorised to bring production back), evidence preservation that does not destroy plant data critical to safety investigation, and recovery procedures that include vendor coordination for any system rebuild.
Tabletop exercises with both IT and OT leadership are essential. The first time a plant runs a joint cyber tabletop, the most common surprise is realising that the IT IR plan assumes shutting things down is safe and the OT side knows shutting things down may not be safe at all. Reconciling the two ahead of an incident is the whole point of the exercise.
IEC 62443 and NCIIPC for Indian Critical Manufacturing
IEC 62443 is the dominant international OT cybersecurity standard. It structures requirements into zones and conduits, technical security capabilities, secure development, and product certification levels. Indian manufacturers adopting IEC 62443 typically focus on 62443-2-1 (security programme for asset owners), 62443-3-2 (security risk assessment for system design), and 62443-3-3 (system security requirements and security levels).
Manufacturers designated as critical information infrastructure under NCIIPC face additional sector-specific guidance. Even where NCIIPC designation does not apply, large Indian manufacturers serving regulated downstream sectors (pharmaceuticals, defence, energy) increasingly face customer audit expectations that mirror IEC 62443 controls. Codesecure delivers IEC 62443 gap assessments and remediation programmes for Indian manufacturers, with reports that satisfy customer audit, insurance and (where applicable) NCIIPC expectations.
Frequently Asked Questions
How long does it take to secure a manufacturing plant?
For a typical Indian single-site plant starting from a low base, 9 to 18 months to reach a defensible OT posture aligned with IEC 62443 principles. The pace is constrained by plant maintenance windows for any change touching OT. Codesecure delivers phased programmes with a representative-class approach for multi-site customers.
Is the air gap really gone?
In 2026, for almost every Indian plant, yes. The practical question is whether the IT/OT paths that exist are documented, narrow, monitored and authenticated, or undocumented, broad and unmonitored. Most Indian plants land somewhere in the middle and benefit from the segmentation programme described above.
Can we test our OT without stopping the plant?
Yes. Codesecure OT engagements default to passive observation (packet capture, configuration review, vendor coordination) while the plant is running, with active testing reserved for planned outage windows or vendor labs. We do not run active disruptive tests on live OT in production unless explicitly scoped and authorised in writing.
What about IIoT and the cloud telemetry our vendor wants?
Each cloud telemetry channel is a new path out of the OT zone, into the vendor's cloud. The vendor's cloud security posture, the data transmitted, and the inbound path the channel enables all need assessment. Common pattern: telemetry is OK, inbound control is not. Codesecure helps customers assess vendor IIoT offerings before signing.
How does this map to the DPDP Act?
DPDP applies wherever personal data is processed. Most manufacturing OT does not process personal data directly, so DPDP applies primarily to HR, CRM, sales and the rest of the manufacturer's IT estate. Where IIoT involves personal data (worker tracking, biometric access), DPDP becomes relevant in OT too.
Does Codesecure work with our automation vendor?
Yes. Most OT engagements involve coordination with Siemens, ABB, Rockwell, Honeywell, Schneider, Yokogawa or another OEM. We work alongside the vendor's local team and respect vendor warranty constraints. Where vendor cooperation is limited, we adapt scope and methodology accordingly.
Secure The Shop Floor Without Stopping Production
Codesecure delivers OT cybersecurity, IEC 62443 gap assessments, SCADA pentest and IR readiness for Indian manufacturers across auto, pharma, food, chemicals and process industries. ISO/IEC 27001:2022 certified delivery, named consultants with OT credentials.

