Product Manufacturing Security Maturity Program

OT Security Maturity Journey from ML-1 to ML-3 for a Product Manufacturer

March 20, 2025

Background

A product manufacturer supplying precision components to automotive and industrial OEMs received a cybersecurity audit finding from their largest customer — a Tier 1 automotive OEM representing 34% of annual revenue. The customer required demonstrable IEC 62443 Maturity Level 3 within 12 months, or the supply relationship would be formally reviewed.

A self-assessment placed the facility at Maturity Level 1 across every domain. Security practices were ad hoc, undocumented, and dependent on individual engineers. The gap to ML-3 was not incremental — it required building an entire security program from foundations that did not exist.

Beacon Security was engaged to design and execute the maturity journey with a target of 9 months, leaving 3 months as buffer against the customer's deadline.

Note: All identifying details have been removed to protect client confidentiality.

The Challenge

No Asset Visibility

No OT asset inventory existed. When asked how many devices were on the production network, senior engineers estimated between 150 and 250. The last network diagram was from the original plant commissioning seven years earlier and had not been updated through three production line additions.

Flat Network with No Boundaries

Four production lines, CNC machining centers, robotic cells, quality inspection systems, engineering workstations, and the MES all operated on a single flat network segment. The production network connected directly to the enterprise network through a single router with no firewall and no access controls.

Zero Documented Policies

No access control policy, no change management procedure, no incident response plan, no backup procedure, no remote access policy. When a PLC program needed modification, the engineer made the change directly — no approval, no documentation, no backup of the previous version.

Shared Credentials as Standard Practice

A single "engineer" login was used by all four control system engineers. A single "operator" login was shared across all shift operators. The MES administrator password was known to at least 12 people including two former employees. USB ports were unrestricted across all workstations.

No Governance Structure

No person, role, or department was responsible for OT cybersecurity. IT considered the production network outside their scope. Operations considered cybersecurity an IT concern. There was no escalation path and no authority to make decisions about production impact versus security risk.

Our Approach

The engagement was structured in three phases aligned with maturity transitions, with a dedicated Beacon project lead assigned full-time for the duration.

Phase 1: Foundation — Discovery and Strategy (Months 1-3)

Asset Discovery

Passive monitoring at 6 collection points ran for three weeks covering all shifts and product changeovers:

  • 341 communicating devices identified — far exceeding the engineering team's estimates
  • 89 devices (26%) were unknown to the team — including legacy test equipment, personal laptops, two unauthorized wireless access points installed by a contractor, and a consumer-grade switch added by a maintenance technician
  • 217 cross-boundary communication flows identified, of which only 34 were confirmed operationally necessary
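To show what the asset-discovery step produces, here is an added example (not the case study's tooling) that derives an inventory and a cross-boundary flow list from passive flow records of the kind a tap or SPAN-port collector exports. The subnet-to-zone mapping, the flow records and the engineering team's "known assets" list are all constructed sample data.

```python
"""Derive an OT asset inventory and cross-boundary flow list from passive
flow records. Added example; the zone subnets, flow records and the
engineering team's 'known assets' list below are all constructed."""
import ipaddress
from collections import defaultdict

# Hypothetical subnet-to-zone mapping for the flat network as found in Phase 1
ZONE_SUBNETS = {
    "production": ipaddress.ip_network("10.10.0.0/16"),
    "enterprise": ipaddress.ip_network("172.16.0.0/16"),
}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, collection_point)
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.1.10", 502, "tcp", "cp1"),     # documented HMI polling the line-1 PLC
    ("10.10.1.30", "10.10.1.10", 502, "tcp", "cp1"),     # second HMI, missing from the team's records
    ("10.10.2.5", "172.16.5.40", 1433, "tcp", "cp3"),    # MES writing to an enterprise SQL server
    ("172.16.9.77", "10.10.1.10", 44818, "tcp", "cp3"),  # enterprise host talking straight to the PLC
    ("10.10.7.200", "10.10.1.10", 502, "tcp", "cp5"),    # unknown device polling the PLC
    ("10.10.7.201", "172.16.0.1", 53, "udp", "cp5"),     # unknown device resolving names via enterprise DNS
]

# Constructed "known" inventory from the engineering team's records
KNOWN_ASSETS = {"10.10.1.10": "PLC-L1", "10.10.1.20": "HMI-L1", "10.10.2.5": "MES"}


def zone_of(ip):
    """Map an address to its zone, or 'unclassified' if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_SUBNETS.items():
        if addr in net:
            return name
    return "unclassified"


def build_inventory(flows):
    """Profile every observed address: its zone plus the (role, port, proto)
    tuples it took part in. Both ends of a flow count as communicating devices."""
    inventory = defaultdict(lambda: {"zone": None, "services": set()})
    for src, dst, port, proto, _cp in flows:
        inventory[src]["zone"] = zone_of(src)
        inventory[src]["services"].add(("client", port, proto))
        inventory[dst]["zone"] = zone_of(dst)
        inventory[dst]["services"].add(("server", port, proto))
    return dict(inventory)


def unknown_production_devices(inventory, known):
    """Production-zone addresses that appear on the wire but not in the records."""
    return sorted(ip for ip, profile in inventory.items()
                  if profile["zone"] == "production" and ip not in known)


def cross_boundary_flows(flows):
    """Unique (src, dst, port, proto) tuples whose endpoints sit in different zones."""
    crossing = {(src, dst, port, proto) for src, dst, port, proto, _cp in flows
                if zone_of(src) != zone_of(dst)}
    return sorted(crossing)


def inbound_to_production(flows):
    """Flows initiated outside the production zone toward a production device;
    the first candidates for the 'is this operationally necessary?' review."""
    return sorted({(src, dst, port, proto) for src, dst, port, proto, _cp in flows
                   if zone_of(dst) == "production" and zone_of(src) != "production"})


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    print(f"{len(inv)} communicating devices observed")
    print("unknown production devices:", unknown_production_devices(inv, KNOWN_ASSETS))
    print("cross-boundary flows:", cross_boundary_flows(SAMPLE_FLOWS))
    print("inbound to production:", inbound_to_production(SAMPLE_FLOWS))
```

The three outputs map onto the three findings listed above: the device count, the devices nobody had on paper, and the cross-boundary flows that each have to be confirmed as necessary or cut. Running the same collection across all shifts and changeovers matters because equipment that only talks during a changeover will otherwise be missed.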

Quick Wins Executed Immediately:

  • 31 unnecessary devices disconnected after review with engineering
  • Two rogue wireless access points removed — the highest immediate risk
  • Default credentials changed on 23 devices
  • USB restrictions applied to all engineering workstations and HMIs as interim measure

Risk Assessment and Roadmap

  • 47 risk entries scored across safety, operational, financial, and reputational impact
  • Phased roadmap developed with ML-2 target at Month 6 and ML-3 at Month 9
  • Presented to CEO to secure executive sponsorship for cross-departmental changes

Phase 2: Structure — Building ML-2 (Months 4-6)

Network Segmentation — 6 Security Zones:

  • Safety Systems: Emergency stop circuits and safety PLCs on dedicated infrastructure
  • Production Control: PLCs, drives, and HMIs organized into sub-zones per production line
  • Supervisory: MES, historian, and quality management with one-way data conduits from control
  • Engineering: Hardened workstations with per-session authenticated access to production zones
  • Enterprise DMZ: Single controlled path between OT and IT environments
  • Remote Access: Centralized gateway with MFA and session recording for all remote connections

Segmentation was implemented progressively — one zone at a time with 72-hour observation periods. Firewall rules were deployed in monitoring-only mode for one week before enforcement. Zero production impacts occurred.
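The staged rollout above, with rules first run in monitoring-only mode, can be modelled as a small conduit evaluator. This is an added example, not the project's firewall configuration: the zone names follow the case study, while the subnets, approved conduits and sample flows are constructed.

```python
"""Zone-and-conduit rule evaluator with a monitor-only mode. Added example,
not the project's firewall configuration; the zone names follow the case
study, while the subnets, conduits and sample flows are constructed."""
import ipaddress

# Hypothetical zone subnets after segmentation (the page names the zones, not the addressing)
ZONES = {
    "safety": ipaddress.ip_network("10.10.0.0/24"),
    "production": ipaddress.ip_network("10.10.1.0/24"),
    "supervisory": ipaddress.ip_network("10.10.2.0/24"),
    "engineering": ipaddress.ip_network("10.10.3.0/24"),
    "enterprise_dmz": ipaddress.ip_network("10.10.250.0/24"),
    "remote_access": ipaddress.ip_network("10.10.251.0/24"),
    "enterprise": ipaddress.ip_network("172.16.0.0/16"),
}

# Approved conduits as (src_zone, dst_zone, dst_port, proto). Direction is part
# of the rule: control data is pushed one-way into supervisory, and nothing is
# permitted back from supervisory into production control.
CONDUITS = {
    ("production", "supervisory", 5000, "tcp"),      # PLC data push to historian collector (constructed port)
    ("engineering", "production", 44818, "tcp"),     # engineering workstation to PLC programming port
    ("supervisory", "enterprise_dmz", 1433, "tcp"),  # MES to DMZ data broker
    ("enterprise", "enterprise_dmz", 8443, "tcp"),   # IT reads production data from the DMZ only
    ("remote_access", "engineering", 3389, "tcp"),   # remote gateway to engineering jump host
}


def zone_of(ip):
    """Map an address to its zone, or 'unclassified' if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unclassified"


def evaluate(flow, mode):
    """Decide one flow. In 'monitor' mode a non-matching flow is reported as
    'would-deny' but still passes; in 'enforce' mode it is denied."""
    src, dst, port, proto = flow
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    allowed = src_zone == dst_zone or (src_zone, dst_zone, port, proto) in CONDUITS
    if allowed:
        return "allow"
    return "would-deny" if mode == "monitor" else "deny"


def review_report(flows):
    """Monitor-mode pass: the flows enforcement would cut. Each is either an
    undocumented dependency to add as a conduit or a flow that should stop."""
    return [f for f in flows if evaluate(f, "monitor") == "would-deny"]


# Constructed flows observed during the one-week monitoring period
SAMPLE_FLOWS = [
    ("10.10.1.10", "10.10.2.20", 5000, "tcp"),     # PLC push to historian: approved conduit
    ("10.10.2.20", "10.10.1.10", 502, "tcp"),      # historian polling back into control: breaks one-way rule
    ("10.10.3.5", "10.10.1.10", 44818, "tcp"),     # engineering workstation to PLC: approved
    ("172.16.9.77", "10.10.1.10", 44818, "tcp"),   # enterprise host straight to PLC: legacy path to cut
    ("10.10.1.10", "10.10.1.11", 502, "tcp"),      # intra-zone control traffic: allowed
    ("172.16.9.77", "10.10.250.10", 8443, "tcp"),  # IT reading from the DMZ: approved
]

if __name__ == "__main__":
    for flow in review_report(SAMPLE_FLOWS):
        print("would-deny", flow)
```

The point of the monitor-mode week is the list `review_report` returns: every entry is reviewed with engineering before the mode flips to `enforce`, so a dependency nobody documented becomes a conduit entry rather than a production outage on cut-over day.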

Policy Framework — 8 Domains: Access control, change management, incident response, backup and recovery, remote access, portable media, vendor management, and governance — all developed from scratch and tailored to the facility's operations.

Technical Controls:

  • 67 individual credentials issued eliminating all shared accounts
  • MFA deployed for engineering and administrative access
  • Automated backup covering 247 PLC programs and all critical configurations
  • Patch management process with risk-based evaluation and maintenance window alignment

Phase 3: Maturity — Achieving ML-3 (Months 7-9)

Process Formalization

Every policy expanded into detailed SOPs. Change management SOP covering every step from request through post-implementation review. Incident response procedures with specific commands, checklists, and escalation criteria.

Configuration Baseline Management

Golden baselines established for all network devices and critical OT systems. Automated daily comparison against live configurations — any deviation generates an alert.
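As an added illustration of the daily baseline comparison (not the project's tooling), the following hashes each approved configuration once, re-hashes the live export each day, and raises an alert with a line-level diff on any deviation. The device names and configuration text are constructed.

```python
"""Golden-baseline comparison for device configurations. Added example;
the device names and configuration text below are constructed."""
import difflib
import hashlib


def fingerprint(config_text):
    """SHA-256 over a normalized form: CRLF and trailing whitespace differences
    between two exports of the same config must not raise an alert."""
    normalized = "\n".join(line.rstrip() for line in
                           config_text.replace("\r\n", "\n").splitlines())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def build_golden(approved_configs):
    """approved_configs: {device: approved text} -> golden records with hash and text."""
    return {dev: {"sha256": fingerprint(text), "text": text}
            for dev, text in approved_configs.items()}


def compare(golden, live_configs):
    """Daily job. Returns one alert per deviation: configuration drift (with a
    unified diff), a device that produced no live config, or a device on the
    network that has no baseline at all."""
    alerts = []
    for dev, record in golden.items():
        if dev not in live_configs:
            alerts.append({"device": dev, "reason": "no live config collected"})
            continue
        if fingerprint(live_configs[dev]) != record["sha256"]:
            diff = list(difflib.unified_diff(
                record["text"].splitlines(), live_configs[dev].splitlines(),
                fromfile="golden", tofile="live", lineterm=""))
            alerts.append({"device": dev, "reason": "configuration drift", "diff": diff})
    for dev in live_configs:
        if dev not in golden:
            alerts.append({"device": dev, "reason": "device not in baseline"})
    return alerts


# Constructed approved configurations
GOLDEN_CONFIGS = {
    "fw-dmz-1": (
        "hostname fw-dmz-1\n"
        "interface eth0\n"
        " ip address 10.10.250.1/24\n"
        "access-list OT-IN permit tcp 172.16.0.0/16 10.10.250.0/24 eq 8443\n"
        "access-list OT-IN deny ip any any\n"
    ),
    "sw-line2-1": (
        "hostname sw-line2-1\n"
        "vlan 120 name LINE2-CONTROL\n"
        "interface gi1/0/1\n"
        " switchport access vlan 120\n"
    ),
}

# Constructed live exports: an extra permit rule on the firewall, a CRLF-only
# difference on the switch, and a PLC that was never baselined
LIVE_CONFIGS = {
    "fw-dmz-1": (
        "hostname fw-dmz-1\n"
        "interface eth0\n"
        " ip address 10.10.250.1/24\n"
        "access-list OT-IN permit tcp 172.16.0.0/16 10.10.250.0/24 eq 8443\n"
        "access-list OT-IN permit tcp 172.16.0.0/16 10.10.1.0/24 eq 44818\n"
        "access-list OT-IN deny ip any any\n"
    ),
    "sw-line2-1": GOLDEN_CONFIGS["sw-line2-1"].replace("\n", "\r\n"),
    "plc-l3-1": "project: line3_v12\nmode: run\n",
}

if __name__ == "__main__":
    for alert in compare(build_golden(GOLDEN_CONFIGS), LIVE_CONFIGS):
        print(alert["device"], alert["reason"])
        for line in alert.get("diff", []):
            print("   ", line)
```

The hash answers "did anything change?" cheaply across hundreds of devices; the diff answers "what changed?" for the engineer on call. Each drift alert should be matched against an approved change record, so that the firewall rule above is either traced to a ticket or rolled back.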

Workforce Training

  • Operations teams (42 staff): Security awareness with scenario-based competency assessment
  • Engineering team (8 staff): Secure configuration management and change management procedures
  • IT team (4 staff): Firewall management, log review, and incident response coordination
  • Management (6 staff): Governance responsibilities and security metrics interpretation

Governance Activation

  • OT Security Steering Committee constituted with quarterly review cycle
  • Security metrics dashboard with 12 KPIs deployed
  • First quarterly review conducted in Month 8; second in Month 9 — demonstrating sustained governance before the customer audit

Key Findings During Execution

Rogue Wireless Access Points

Two unauthorized wireless access points discovered during asset discovery provided completely unmonitored entry into the production network. Neither appeared in any documentation.

Action: Both removed immediately in Phase 1 as the highest-priority risk item.

Change Management Preventing Unauthorized Changes

Within the first quarter of operation, the new change management process caught and prevented three configuration changes that would have been made without documentation or approval under the old way of working.

Impact: Demonstrated that the process was actively protecting the environment, not just a compliance checkbox.

Outcome

The facility achieved IEC 62443 Maturity Level 3 across all assessed domains within 9 months. The customer's audit confirmed compliance, and approved supplier status was maintained.

Deliverables Provided:

  • Complete OT asset inventory: 341 devices with full attribute profiles
  • 6 security zones with controlled conduits per IEC 62443
  • 8 policy domains with detailed SOPs
  • Risk register with 47 entries and treatment plans
  • 4 incident response playbooks validated through tabletop exercises
  • Automated backup covering 247 PLC programs
  • Governance framework with Steering Committee charter and 12-KPI dashboard
  • Training delivered to 60+ staff with competency verification

Transformation Results:

  • Maturity Level: ML-1 to ML-3 across all domains
  • Asset inventory: from 0 to 341 fully profiled devices
  • Security zones: from flat network to 6 enforced zones
  • Policies: from 0 to 8 domains with operational SOPs
  • Shared credentials: eliminated — 67 individual accounts with role-based access
  • Governance: quarterly Steering Committee with metrics-driven decision making
  • Production disruptions during the 9-month program: zero

The manufacturer adopted the maturity program as their corporate standard for remaining facilities.
Beacon Security designs and executes OT security maturity programs for manufacturing organizations. Contact us to discuss your maturity improvement requirements.
