Every Friday afternoon when I was running IT for a mid-sized manufacturer, I walked the floor before I left for the weekend.
Not because it was on a checklist. Because I wanted to see what people were actually doing, versus what I thought they were doing.
There was always something. A workstation that had been rebooted to fix a problem nobody reported. A network cable run by hand along a wall to “make the printer work in that corner.” A USB drive doing a job nobody upstream knew existed, moving data between two systems that were never designed to talk to each other. None of it was malicious. Every one of those was somebody solving a real problem, on their own, because nobody from IT was going to solve it for them.
That walk taught me more about the actual state of the business than any ticket queue ever did.
It’s not a discipline problem.
The instinct, when you see that kind of thing, is to read it as a compliance failure. People not following procedure. People taking shortcuts.
That’s the wrong read. The real issue is structural: nobody was watching that part of the floor in the first place. Not because they were careless, but because it was never in scope.
Most IT audits and security frameworks are built around the corporate estate: laptops, servers, email, the network that runs the office. SOC 2, ISO 27001, NIST 800-53 — all of them are thorough about that world. What they routinely leave alone is the equipment actually running production: the PLCs, the HMIs, the SCADA systems, the machine controllers, the sensors bolted onto forty-year-old equipment because someone needed data off it.
That’s OT — operational technology — and in a lot of companies, it’s a blind spot by design, not by accident. IT owns the network. Operations owns the floor. Neither one owns the seam between them, and the audit stops at the office door because that’s where the audit was scoped to stop.
In most of these midsize and smaller production environments, nobody is watching that part of the floor. Not the plant manager, who has a production schedule to hit and reasonably assumes IT has the network covered. Not IT, who was never asked to look past the office door and often doesn’t have the budget, headcount, or mandate to do it. Both sides are doing their job well. The job itself just has a hole in the middle of it.
The plant floor is often the most exposed part of the company, and the people running it are the only ones who know what’s actually plugged in.
Why this stopped being a theoretical problem.
This used to be a minor gap. It isn’t anymore.
Ransomware crews have figured out that OT is a softer target than the corporate network, and that a halted production line is a much faster way to get a company to pay than an encrypted file share.
Norsk Hydro, one of the world’s largest aluminum producers, is worth knowing in detail. Just a few years ago, an employee opened an email attachment from what looked like a routine business contact. The infection sat quietly for about three months before it was activated, and the resulting incident eventually cost the company somewhere near $71 million. The malware behind it, known as LockerGoga, never had to touch a single PLC or controller directly. It disabled logins and knocked out IT systems so thoroughly that several of Hydro’s plants had to switch to manual operation, with some retired staff coming back in because they still remembered how the old paper-based process worked. The attack only had to knock out the IT layer underneath the plant floor. The floor went down anyway, because it had never been separated from that layer in the first place.
That’s the pattern worth sitting with: Colonial Pipeline, Norsk Hydro, JBS — different industries, same shape. Someone got into a part of the environment nobody was watching closely, and the business learned exactly how connected everything really was, on the worst possible day, when it was already too late to ask the question calmly.
Insurance carriers are asking harder questions too, and it isn’t just a paperwork exercise anymore. In one widely reported claims dispute, a company had told its insurer that multi-factor authentication covered all administrative access. A forensic review after a ransomware incident turned up one server where it had quietly never been switched on, and the carrier denied the claim on that basis. The company absorbed the full recovery and remediation cost itself, on top of the incident. The lesson isn’t really about MFA specifically. It’s that carriers are now verifying what you told them, and one gap that nobody was watching, IT or OT, can be the line between a covered incident and a bill you pay entirely alone.
Four questions worth asking.
You don’t need a fifty-page OT security framework to close this gap. You need honest answers to four questions, and you need to ask them of whoever is responsible for your IT environment, whether that’s an internal team or an outside provider.
Do you actually have an inventory of what’s running on the floor? Not the ERP-connected equipment everyone already knows about. Every PLC, every HMI, every sensor, every controller — with firmware versions and who’s responsible for them.
Is there a network plan that separates OT from the rest of the environment? Not a shared flat network where a compromised laptop in the office has a direct path to the equipment running your production line.
What happens if something on the floor gets hit? Not a hypothetical answer. An actual, named process: who gets called, what gets isolated, how production keeps moving while it gets sorted out.
And a fourth worth asking alongside the first three, because it usually surprises people: who can remotely access this equipment right now, and how? Most plant floors have vendor connections nobody’s looked at in years, quietly left open for the next service call. If you don’t know which vendors can get in, when, and through what, that’s not a small gap. That’s an open door with no one watching it.
If the honest answer to any of those is “I’m not sure,” that’s not a reason to panic. It’s a reason to find out, on your own timeline, before something else forces the question.
The floor always tells you more than the ticket queue.
I don’t walk floors anymore because I’m chasing an audit finding. I do it because the floor tells the truth in a way that reports don’t. The workarounds, the taped-over labels, the extension cords running somewhere they shouldn’t — that’s the real state of the business, and it’s usually more informative than whatever the last audit said was in scope.
If it’s been a while since anyone walked yours, that’s worth changing. Not because something’s on fire. Because you’d rather find out what’s running out there on your own terms, on a Friday afternoon, than have someone else find it for you first.
If you’re not sure who’s watching the seam between IT and your production floor, that’s the conversation worth having first. Schedule a conversation →