How Covert Adversaries Are Embedding Themselves in Critical Infrastructure

The biggest threats aren’t always smash-and-go ransomware attacks, but slow movers designed to stay hidden.


Visibility is everything in the manufacturing industry. You can spot a defect on the line. Catch errors as they happen. Trace a supply chain issue back to its source. That’s the foundation of quality control: if you can see the problem, you can fix it. 

But what happens when the risk doesn’t announce itself? When there’s no alarm, no error code, just a slow, silent drift beneath the surface? 

That’s the challenge manufacturers now face in the cyber domain. The biggest threats aren’t necessarily the smash-and-go ransomware adversaries so much as their insidious counterparts, executing slow-moving, deeply embedded operations designed to stay hidden. Instead of breaking things, they gather intelligence, map systems, and quietly establish long-term access. 

One of the most high-profile examples is Volt Typhoon, a state-sponsored campaign linked to China and uncovered in 2023. The group infiltrated U.S. critical infrastructure (manufacturing included) using “living off the land” techniques to blend in with normal activity and avoid detection. 

These are the kinds of threats that won’t show up in a quality control report. But they demand the same mindset: baseline awareness, constant monitoring, and the ability to spot subtle deviations before they become major failures. In other words, quality control for your network. 

Why Industrial Networks Are Prime Targets

Operational technology environments can be particularly attractive to adversaries simply because they’re easier to hide in. Initial access often comes through overlooked entry points: vulnerable network devices, misconfigured edge routers or firewalls, and even unmanaged “bring your own” devices that connect to the network without proper security controls. 

Manufacturing systems tend to run on legacy infrastructure. Patching is risky and sometimes impossible without causing expensive downtime, meaning vulnerabilities linger. 

At the same time, many industrial environments rely on proprietary protocols that traditional IT security tools can’t interpret, let alone analyze. Flat network architectures make lateral movement simple, and when monitoring exists at all, it’s often minimal or fragmented. Telemetry from these environments rarely paints a complete picture for defenders, creating detrimental blind spots.  

According to the U.S. Government Accountability Office, most industrial control systems in critical infrastructure were never designed to withstand cyberattacks. In fact, many were developed in an era when physical access was the only concern. That mismatch between design intent and modern threat reality is exactly what adversaries like Volt Typhoon are exploiting. 

Where Traditional Tools Fall Short

Security teams in manufacturing environments often rely on endpoint detection tools, antivirus software, or north-south firewalls (which monitor traffic flowing into and out of the network) as their first, and sometimes only, lines of defense. There's no question that these tools are important, but relying on them alone is like installing motion-sensor lights on your house while leaving the doors unlocked: an excellent start that doesn't address the full picture.

For starters, endpoint tools can't be deployed on many industrial systems due to hardware limitations, performance risks, or vendor restrictions. Even when they can be installed, they typically won't recognize suspicious activity in ICS (industrial control system) protocols like Modbus, DNP3, or S7 (the languages machines on the plant floor use to communicate with each other). And while they may detect a compromised workstation, they often miss a compromise that begins outside the host, such as through a vulnerable VPN appliance or an unpatched remote access gateway.

More importantly, these tools are designed to look for known threats: malware, file changes, process anomalies. That doesn’t help when the attacker is using valid credentials and legitimate admin tools to move laterally, as was the case in Volt Typhoon. 

In that campaign, attackers used native tools like PowerShell and WMI to move through systems unnoticed. Their activity didn’t raise alarms because it looked like normal system administration. What uncovered them wasn’t an endpoint alert, but rather network-layer telemetry that revealed unusual traffic patterns and command usage across systems. 

Closing the Visibility Gap

To catch these types of threats, manufacturers need visibility at the network level. Instead of just watching traffic coming in and out of the building (north-south visibility), security teams need to monitor traffic moving between rooms inside the building (east-west visibility). That’s often where attackers move once they’re inside and where most organizations aren’t looking. 

Effective network-layer detection starts with passively capturing traffic from critical points in the environment. From there, defenders can inspect protocols, build behavioral baselines, and detect deviations. In more tangible terms, you’re looking for a forklift suddenly taking an unfamiliar route or a machine sending commands outside its shift hours. 

Crucially, this approach doesn’t require installing agents on fragile or outdated systems. It works across both IT and OT domains, providing a unified view of activity without compromising safety or uptime. 

This kind of observability turns subtle signals into early warning signs. In my own experience, I’ve seen investigations triggered by something as simple as a workstation initiating Industrial Control System (ICS) protocol traffic during an off-shift. That’s the kind of anomaly you only catch if you’re watching the right traffic at the right depth. 
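The baseline-and-deviation approach described above (passively captured flows, a learned picture of which hosts normally talk which ICS protocol and when, then alerts on drift such as off-shift commands or an enterprise workstation suddenly speaking Modbus to a PLC) can be sketched in a few dozen lines. The following is an added example, not code from the article or from any product; the flow records, the IP-to-zone mapping, and the 06:00 to 21:59 shift window are all constructed assumptions, and only the TCP port numbers (Modbus/TCP 502, S7comm 102, DNP3 20000) are real registered values.

```python
"""Behavioral baseline and deviation detection over passively captured
network flow records (added example; all sample data is constructed)."""
from collections import defaultdict
from datetime import datetime

# Standard registered TCP ports for the ICS protocols named in the article.
ICS_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3"}


def zone_of(ip: str) -> str:
    """Assumed (constructed) zone layout: 10.10.0.0/16 is the plant floor (OT),
    10.20.0.0/16 is the enterprise network (IT)."""
    if ip.startswith("10.10."):
        return "OT"
    if ip.startswith("10.20."):
        return "IT"
    return "unknown"


# Assumed production window: ICS commands are expected between 06:00 and 21:59.
SHIFT_HOURS = range(6, 22)

# Constructed sample flows: (timestamp, source IP, destination IP, dest TCP port).
# A "known good" period used to learn what normal looks like.
BASELINE_FLOWS = [
    ("2025-03-03T08:15:00", "10.10.1.20", "10.10.5.7", 502),   # HMI -> Modbus PLC
    ("2025-03-03T14:40:00", "10.10.1.20", "10.10.5.7", 502),
    ("2025-03-04T09:05:00", "10.10.1.21", "10.10.5.8", 102),   # eng. station -> S7 PLC
    ("2025-03-05T11:30:00", "10.10.1.20", "10.10.5.7", 502),
    ("2025-03-05T13:00:00", "10.20.3.44", "10.20.3.10", 443),  # IT-only traffic, not ICS
]


def build_baseline(flows):
    """Learn which (src, dst, protocol) ICS conversations are normal and at which hours."""
    hours_seen = defaultdict(set)
    for ts, src, dst, port in flows:
        proto = ICS_PORTS.get(port)
        if proto is None:
            continue  # only ICS conversations are baselined here
        hours_seen[(src, dst, proto)].add(datetime.fromisoformat(ts).hour)
    return dict(hours_seen)


def detect(baseline, flows):
    """Return one (timestamp, reason, conversation) tuple per deviation found."""
    findings = []
    for ts, src, dst, port in flows:
        proto = ICS_PORTS.get(port)
        if proto is None:
            continue
        key = (src, dst, proto)
        hour = datetime.fromisoformat(ts).hour
        # A conversation never seen during the baseline period.
        if key not in baseline:
            findings.append((ts, "new_ics_conversation", key))
        # A machine issuing ICS traffic outside its shift hours.
        if hour not in SHIFT_HOURS:
            findings.append((ts, "off_shift_ics_traffic", key))
        # ICS protocol traffic crossing the IT/OT boundary from the enterprise side.
        if zone_of(src) == "IT" and zone_of(dst) == "OT":
            findings.append((ts, "it_host_speaking_ics_to_ot", key))
    return findings


# Constructed "live" flows to evaluate against the learned baseline.
NEW_FLOWS = [
    ("2025-03-10T10:00:00", "10.10.1.20", "10.10.5.7", 502),   # normal
    ("2025-03-10T02:17:00", "10.10.1.20", "10.10.5.7", 502),   # known pair, off shift
    ("2025-03-10T10:30:00", "10.20.3.44", "10.10.5.7", 502),   # IT workstation -> PLC over Modbus
    ("2025-03-10T11:00:00", "10.20.3.44", "10.20.3.10", 443),  # ordinary IT traffic, ignored
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for finding in detect(base, NEW_FLOWS):
        print(finding)
```

Run as-is, the script flags the 02:17 Modbus session as off-shift and the IT workstation's Modbus session to the PLC both as a never-before-seen conversation and as an IT-to-OT crossing, while the routine daytime HMI-to-PLC traffic and the HTTPS flow produce nothing. In a real deployment the baseline would be learned from far more than a handful of flows, the zone mapping would come from the network inventory rather than a prefix check, and the shift window would differ per asset, but the structure stays the same: learn what normal looks like, then report what deviates.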

The Reality of Hybrid Environments

Modern manufacturing environments are no longer siloed. Cloud platforms, remote access tools, and enterprise systems are deeply integrated with OT infrastructure. While that convergence improves efficiency and responsiveness, it also broadens the attack surface. 

Defending these hybrid environments means breaking down visibility silos and adopting a unified approach to detection. That includes correlating events across domains, mapping lateral movement across IT/OT boundaries, and ensuring both teams speak a common security language.  

Unfortunately, there’s no silver bullet for stopping covert surveillance operations, but there are proven ways to shrink the blind spots they rely on. Focus on your network as a source of ground truth. Invest in detections built for how your environment actually operates. Monitor internal traffic, not just perimeter access. And apply the same principles you already use in quality control: know what’s normal, flag what isn’t, and respond before a small issue becomes a systemic one. The sooner you can spot an adversary, the sooner you can take back control. 
