Product Manufacturing Security Maturity Program

OT Security Maturity Journey from ML-1 to ML-3 for a Product Manufacturer

March 20, 2025

Background

A product manufacturer operating four production lines with CNC machining centers, robotic welding cells, stamping presses, quality inspection stations, and an MES integration layer received a cybersecurity audit finding from their largest customer. The customer, a Tier 1 automotive OEM representing 34% of annual revenue, required the facility to demonstrate IEC 62443 Maturity Level 3 within 12 months or face a formal review of the supply relationship.

A self-assessment scored the facility at ML-1 (Initial) across every domain. There were no documented security policies, no OT asset inventory, no network segmentation, no governance structure, and no incident response capability of any kind.

Beacon Security was engaged to design and execute the full maturity journey with a target of 9 months, leaving a 3-month buffer against the customer deadline.

Note: All identifying details have been removed to protect client confidentiality.

The Challenge

No Asset Visibility

The facility had no OT asset inventory. Senior engineers estimated between 150 and 250 devices on the production network. The last network diagram was from the original commissioning seven years earlier and had not been updated through three production line additions. Firmware versions, patch states, and communication patterns were unknown for most devices.

Flat Network Connecting Everything

All four production lines, PLCs, HMIs, engineering workstations, the MES server, historian, and quality systems ran on a single flat network. This network connected directly to the enterprise environment through a single router with no firewall and no access controls. The ERP server, corporate email, and employee laptops shared a routable path to every PLC on the floor.

Zero Security Policies or Procedures

No access control policy, no change management, no incident response plan, no backup procedures, no remote access rules. When a PLC program needed modification, the engineer simply made the change. No approval, no backup, no documentation.

Shared Credentials Everywhere

One "engineer" login was used by all four control system engineers. One "operator" login served all shift operators across all lines. The MES admin password had not changed in five years and was known to at least 12 people, including two who had left the company. USB ports on every workstation were completely unrestricted.

No Governance or Ownership

Nobody owned OT cybersecurity. IT saw the production network as outside their scope. Operations considered security an IT problem. There was no reporting structure, no risk tracking, and no authority to make security-related decisions about the production environment.

Our Approach

The program was structured in three phases, each building on the previous, with a full-time Beacon project lead assigned for the entire duration.

Phase 1: Discovery, Quick Wins, and Strategy (Months 1-3)

Asset Discovery

Passive monitoring deployed at 6 collection points captured traffic over three full weeks, covering every shift pattern, product changeover, and maintenance window. The long window matters because passive discovery only sees devices that actually transmit through a monitored segment: a device that stays silent for the whole capture, or sits behind an unmonitored switch, does not appear in the inventory.

The discovery phase revealed the scale of the problem:

  • 341 communicating devices identified on the production network
  • 89 of those (26%) were completely unknown to the engineering team, including legacy test rigs, personal laptops, two unauthorized wireless access points left by a contractor, and a consumer-grade network switch added by a maintenance technician
  • 14 devices running firmware with known critical vulnerabilities and publicly available exploit code
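
As an added illustration of the reconciliation step (not the collector or tooling Beacon used), the script below takes passively observed flow records and an engineering asset list and reports the three things the discovery phase surfaced: addresses missing from the list, flows crossing between the corporate and production ranges, and hosts touching several controllers on control ports. The flow records, asset list, address ranges and port set are constructed assumptions.

```python
"""Reconcile passively observed devices against the engineering asset list.

Added example; not the collector or tooling used in the engagement. The flow
records, asset list and address ranges below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan: production network and corporate network.
OT_NET = ip_network("10.20.0.0/16")
ENTERPRISE_NET = ip_network("192.168.0.0/16")

# Constructed flow records (timestamp, src_ip, dst_ip, proto, dst_port), the shape a
# passive collector exports from a SPAN or TAP session.
SAMPLE_FLOWS = [
    ("2025-02-03T06:01:10", "10.20.1.50", "10.20.1.11", "tcp", 502),       # HMI polls line 1 PLC (Modbus/TCP)
    ("2025-02-03T06:01:12", "10.20.1.50", "10.20.1.12", "tcp", 44818),     # HMI to line 2 PLC (EtherNet/IP)
    ("2025-02-03T06:05:31", "10.20.1.200", "10.20.1.11", "tcp", 502),      # host absent from the asset list polling a PLC
    ("2025-02-03T06:07:02", "192.168.50.23", "10.20.1.12", "tcp", 44818),  # corporate laptop reaching a PLC
    ("2025-02-03T06:09:44", "10.20.1.77", "10.20.1.11", "tcp", 502),       # one unlisted host touching every PLC
    ("2025-02-03T06:09:45", "10.20.1.77", "10.20.1.12", "tcp", 44818),
    ("2025-02-03T06:09:46", "10.20.1.77", "10.20.1.13", "tcp", 502),
]

# Constructed engineering asset list: what the team believed was on the network.
KNOWN_ASSETS = {
    "10.20.1.11": "PLC line 1",
    "10.20.1.12": "PLC line 2",
    "10.20.1.13": "PLC line 3",
    "10.20.1.50": "HMI line 1",
}

CONTROL_PORTS = {502, 44818}  # Modbus/TCP and EtherNet/IP (assumed set for this plant)


def build_inventory(flows):
    """Every address seen sending or receiving, with its peers and the services it answered on."""
    inv = defaultdict(lambda: {"peers": set(), "services": set()})
    for _ts, src, dst, proto, port in flows:
        inv[src]["peers"].add(dst)
        inv[dst]["peers"].add(src)
        inv[dst]["services"].add((proto, port))
    return dict(inv)


def unknown_devices(inventory, known):
    """Observed addresses that do not appear in the engineering list."""
    return sorted(ip for ip in inventory if ip not in known)


def cross_boundary_flows(flows):
    """Flows crossing between corporate and production ranges: the flat-network exposure."""
    hits = []
    for _ts, src, dst, proto, port in flows:
        s, d = ip_address(src), ip_address(dst)
        if (s in ENTERPRISE_NET and d in OT_NET) or (s in OT_NET and d in ENTERPRISE_NET):
            hits.append((src, dst, proto, port))
    return hits


def control_port_fanout(flows, threshold=3):
    """Sources reaching `threshold` or more distinct hosts on control ports: scanner, rogue HMI, or shared tool."""
    targets = defaultdict(set)
    for _ts, src, dst, _proto, port in flows:
        if port in CONTROL_PORTS:
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}


def discovery_report(flows, known):
    """Summary a practitioner would take into the validation session with engineering."""
    inv = build_inventory(flows)
    unknown = unknown_devices(inv, known)
    return {
        "devices": len(inv),
        "unknown": unknown,
        "unknown_pct": round(100 * len(unknown) / len(inv), 1),
        "cross_boundary": cross_boundary_flows(flows),
        "fanout": control_port_fanout(flows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(discovery_report(SAMPLE_FLOWS, KNOWN_ASSETS), indent=2))
```

Each "unknown" address still has to be validated with engineering before anything is disconnected; the script only tells you where the documentation and the wire disagree, not which side is wrong.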

Immediate Actions:

  • 31 unnecessary devices disconnected after validation with engineering
  • Both rogue wireless access points removed as the highest-priority finding
  • Default credentials changed on 23 devices
  • USB restrictions applied to all HMIs and engineering workstations as an interim control

Risk Assessment and Roadmap

A structured risk assessment produced 47 risk entries scored across safety, operational, financial, and reputational impact. The roadmap set ML-2 as the Month 6 milestone and ML-3 at Month 9, with specific deliverables at each stage. The CEO approved the roadmap in a dedicated leadership session, securing executive sponsorship for the cross-departmental work ahead.

Phase 2: Building ML-2 Capability (Months 4-6)

Network Segmentation: 6 Security Zones

The flat network was restructured into a zone and conduit architecture:

Zone 1 - Safety Systems: Emergency stop circuits and safety PLCs isolated onto dedicated infrastructure with a single tightly controlled conduit.

Zone 2 - Production Control: PLCs, VFDs, servo drives, and line-dedicated HMIs. Organized into sub-zones per production line to limit blast radius.

Zone 3 - Supervisory: MES, historian, quality management, and operator displays. Data enters this zone from the Production Control zone through one-way conduits.

Zone 4 - Engineering: Hardened programming workstations with per-session authenticated access to production systems. All sessions logged.

Zone 5 - Enterprise DMZ: Single controlled boundary between OT and IT. ERP data exchanges and historian replication routed exclusively through the DMZ.

Zone 6 - Remote Access: Dedicated zone for all vendor and off-site connections with a hardened jump server, MFA, and session recording.

Implementation was progressive: one zone at a time, with a 72-hour observation period after each change. Firewall rules were first deployed in monitoring-only (log, no block) mode for one week before enforcement, so that any legitimate flow the allowlist had missed showed up in the logs and could be added before it was ever blocked. Zero production disruptions occurred.
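
The log-only week is in effect a dry run of the conduit allowlist against real traffic. The following is an added example, not the client's firewall configuration, that shows that dry run in code: an assumed zone address plan and conduit allowlist are evaluated against constructed flows from the monitoring week, and every flow the ruleset would deny is reported together with the conduit entry that would be needed to permit it, so each one can be classified as a missing legitimate conduit or an unauthorized path before enforcement is switched on.

```python
"""Dry-run a zone-and-conduit allowlist against observed flows before enforcing it.

Added example, not the client's firewall configuration. The zone address plan,
conduit list and flow records are assumed for illustration.
"""
from ipaddress import ip_address, ip_network

# Assumed zone address plan.
ZONES = {
    "safety":        ip_network("10.20.0.0/24"),
    "control_line1": ip_network("10.20.1.0/24"),
    "control_line2": ip_network("10.20.2.0/24"),
    "supervisory":   ip_network("10.20.10.0/24"),
    "engineering":   ip_network("10.20.20.0/24"),
    "dmz":           ip_network("10.20.30.0/24"),
    "remote":        ip_network("10.20.40.0/24"),
    "enterprise":    ip_network("192.168.0.0/16"),
}

# Conduit allowlist as (src_zone, dst_zone, proto, dst_port). Everything else is denied.
CONDUITS = [
    ("control_line1", "safety",        "tcp", 502),    # the single conduit into the safety zone
    ("control_line1", "supervisory",   "tcp", 4840),   # one-way data publish toward the historian
    ("control_line2", "supervisory",   "tcp", 4840),
    ("engineering",   "control_line1", "tcp", 44818),  # per-session authenticated programming
    ("engineering",   "control_line2", "tcp", 44818),
    ("supervisory",   "dmz",           "tcp", 5432),   # historian replication into the DMZ
    ("enterprise",    "dmz",           "tcp", 443),    # ERP reads from the DMZ, never from OT
    ("remote",        "engineering",   "tcp", 3389),   # jump server lands in engineering only
]

# Constructed flows from the monitoring-only week: (src_ip, dst_ip, proto, dst_port).
OBSERVED = [
    ("10.20.1.11",    "10.20.10.5",  "tcp", 4840),
    ("10.20.20.7",    "10.20.1.11",  "tcp", 44818),
    ("192.168.50.23", "10.20.1.12",  "tcp", 44818),   # corporate laptop straight to a PLC
    ("10.20.40.3",    "10.20.2.20",  "tcp", 44818),   # vendor session bypassing the jump server
    ("10.20.10.5",    "10.20.0.9",   "tcp", 502),     # MES reaching into the safety zone
    ("10.20.1.11",    "10.20.0.9",   "tcp", 502),
    ("10.20.10.5",    "10.20.30.4",  "tcp", 5432),
    ("192.168.20.8",  "10.20.30.4",  "tcp", 443),
    ("10.20.10.5",    "10.20.2.20",  "tcp", 502),     # MES polling a line 2 PLC: not in the allowlist yet
]


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'unzoned' and can never match a conduit."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned"


def evaluate(flow):
    """Return ('allow', rule) or ('deny', None) for one flow under the conduit allowlist."""
    src, dst, proto, port = flow
    key = (zone_of(src), zone_of(dst), proto, port)
    return ("allow", key) if key in CONDUITS else ("deny", None)


def enforcement_preview(flows):
    """What the ruleset would do once switched from log-only to enforcing."""
    denied, allowed = [], 0
    for flow in flows:
        verdict, _ = evaluate(flow)
        if verdict == "allow":
            allowed += 1
        else:
            denied.append((zone_of(flow[0]), zone_of(flow[1]), *flow))
    return {"allow": allowed, "deny": len(denied), "denied": denied}


def candidate_rules(preview):
    """Distinct conduit entries that would permit each denied flow; every one needs a human decision."""
    return sorted({(sz, dz, proto, port) for sz, dz, _s, _d, proto, port in preview["denied"]})


if __name__ == "__main__":
    preview = enforcement_preview(OBSERVED)
    print(f"would allow {preview['allow']}, would deny {preview['deny']}")
    for entry in preview["denied"]:
        print("DENY", entry)
    print("review before enforcement:", candidate_rules(preview))
```

Of the four candidate rules this produces, only the MES poll of the line 2 PLC is plausibly a missing legitimate conduit; the laptop-to-PLC, remote-to-control and supervisory-to-safety paths are exactly the flows segmentation exists to stop, and they stay denied.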

8 Policy Domains Built from Scratch:

  1. Access Control
  2. Change Management
  3. Incident Response
  4. Backup and Recovery
  5. Remote Access
  6. Portable Media
  7. Vendor Management
  8. Governance

Technical Controls:

  • 67 individual credentials issued, eliminating every shared account
  • MFA deployed for all engineering and administrative access
  • Automated backup system covering 247 PLC programs and all critical configurations
  • Patch management process with risk-based evaluation and maintenance window scheduling

Phase 3: Achieving ML-3 (Months 7-9)

The jump from ML-2 to ML-3 is about formalization and measurement. It is not enough to have processes. They need to be documented with step-by-step procedures, supported by trained people, measured through metrics, and reviewed by management.

Process Formalization

Every policy was expanded into a detailed SOP with decision trees, checklists, and escalation criteria. The change management SOP alone covered the full lifecycle from request submission through post-implementation review.

Configuration Baselines

Golden baselines captured for all firewalls, switches, and critical OT systems. Automated daily comparison against live configurations with alerts on any drift.
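
One way to implement the daily comparison, as an added example rather than the drift-monitoring tool used in the program: canonicalize each exported configuration (dropping blank lines and export timestamps that change without any real change), hash it, and produce a unified diff against the golden copy whenever the hash differs. The firewall configurations, the asset name and the volatile-line patterns below are constructed.

```python
"""Compare live device configurations against captured golden baselines and report drift.

Added example, not the drift-monitoring product used in the engagement. The
firewall configurations and the volatile-line patterns are constructed.
"""
import difflib
import hashlib
import re

# Lines that change on every export without meaning the device changed (assumed patterns).
VOLATILE = re.compile(r"^!\s*(Last configuration change|Time:)")


def canonicalize(config_text):
    """Drop blank and volatile lines and trailing whitespace; keep order, since rule order matters."""
    out = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or VOLATILE.match(line.strip()):
            continue
        out.append(line)
    return out


def fingerprint(config_text):
    """SHA-256 over the canonical form, so cosmetic export differences do not raise alerts."""
    return hashlib.sha256("\n".join(canonicalize(config_text)).encode("utf-8")).hexdigest()


class BaselineStore:
    """Golden baselines keyed by asset name, captured once change management approves the config."""

    def __init__(self):
        self._golden = {}

    def capture(self, asset, config_text):
        self._golden[asset] = (fingerprint(config_text), canonicalize(config_text))

    def check(self, asset, live_text):
        """Hash match means no drift; otherwise return a unified diff for the reviewer."""
        golden_hash, golden_lines = self._golden[asset]
        if fingerprint(live_text) == golden_hash:
            return {"asset": asset, "drift": False, "diff": []}
        diff = difflib.unified_diff(golden_lines, canonicalize(live_text),
                                    fromfile=f"{asset}.golden", tofile=f"{asset}.live",
                                    lineterm="", n=1)
        return {"asset": asset, "drift": True, "diff": list(diff)}

    def daily_run(self, live_configs):
        """Check every baselined asset; a missing live export is itself reported as drift."""
        results = []
        for asset in self._golden:
            if asset not in live_configs:
                results.append({"asset": asset, "drift": True, "diff": ["missing live configuration"]})
            else:
                results.append(self.check(asset, live_configs[asset]))
        return results


def drifted_assets(results):
    return [r["asset"] for r in results if r["drift"]]


# Constructed golden configuration for one DMZ firewall.
GOLDEN_FW = """\
! Last configuration change at 02:11:03 UTC Sat Feb 1 2025
hostname ot-fw-dmz
access-list OT-IN extended permit tcp 10.20.10.0 255.255.255.0 10.20.30.0 255.255.255.0 eq 5432
access-list OT-IN extended deny ip any any log
"""

# Same device a day later: only the export timestamp changed, which must not alert.
LIVE_FW_SAME = GOLDEN_FW.replace("02:11:03 UTC Sat Feb 1 2025", "04:40:19 UTC Sun Feb 2 2025")

# Same device two weeks later: an RDP permit added outside change management.
LIVE_FW_DRIFTED = LIVE_FW_SAME.replace(
    "access-list OT-IN extended deny ip any any log",
    "access-list OT-IN extended permit tcp any 10.20.30.0 255.255.255.0 eq 3389\n"
    "access-list OT-IN extended deny ip any any log",
)


if __name__ == "__main__":
    store = BaselineStore()
    store.capture("ot-fw-dmz", GOLDEN_FW)
    for r in store.daily_run({"ot-fw-dmz": LIVE_FW_DRIFTED}):
        print(r["asset"], "DRIFT" if r["drift"] else "ok")
        print("\n".join(r["diff"]))
```

The golden copy is updated only through the change management process, so any drift alert is either an undocumented change or a change whose approval never reached the baseline, and both are findings.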

Workforce Training

  • Operations staff (42 people across 4 shifts): security awareness with scenario-based competency testing
  • Engineering team (8 people): secure configuration practices, change management procedures, vulnerability assessment participation
  • IT team (4 people): firewall and switch management, log review, incident coordination
  • Management (6 people): governance responsibilities, risk acceptance criteria, metrics interpretation

Governance Activation

  • OT Security Steering Committee established with a quarterly review cycle
  • Security metrics dashboard deployed with 12 KPIs covering risk, compliance, incidents, patching, and training
  • First quarterly review held in Month 8, second in Month 9. Both documented with decisions, actions, and evidence. This proved the governance was sustained and not a one-time event.

Key Findings

Rogue Wireless Access Points

Two unauthorized wireless access points discovered during asset discovery were providing completely unmonitored wireless access into the production network. Neither appeared in any documentation.

Action: Removed immediately as the single highest-risk item.

Change Management Catching Real Issues

Within the first quarter of the new change management process, three configuration changes that would have previously been made without documentation or approval were caught and routed through proper review.

Impact: Demonstrated the process was actively protecting the environment.

Outcome

The facility achieved IEC 62443 Maturity Level 3 across all assessed domains within 9 months. The customer's follow-up audit confirmed compliance, and the supply relationship continued without interruption.

Deliverables Provided:

  • Complete OT asset inventory: 341 devices with full profiles
  • 6 security zones with controlled conduits per IEC 62443
  • 8 policy domains with detailed SOPs
  • Risk register with 47 entries and treatment plans
  • 4 incident response playbooks validated through tabletop exercises
  • Automated backup covering 247 PLC programs
  • Governance framework with Steering Committee charter and 12-KPI dashboard
  • Role-specific training delivered to 60+ staff with competency verification

Results:

  • Maturity advanced from ML-1 to ML-3 across all domains
  • 341 assets inventoried from a baseline of zero
  • Network transformed from flat to 6 enforced security zones
  • 8 policy domains operational where none existed before
  • All shared credentials eliminated; 67 individual accounts with role-based access
  • 31 unnecessary devices removed, 2 rogue access points eliminated
  • Quarterly governance reviews active and documented
  • Zero production disruptions during the entire 9-month program

The program framework was adopted as the corporate standard for the manufacturer's second facility.


Beacon Security designs and executes OT security maturity programs for manufacturing organizations. Contact us to discuss your maturity improvement requirements.
