Securing a Tier-1 Auto Manufacturer's Plant Floor

Identified 47 unmanaged OT assets and 3 active lateral movement paths in a global manufacturing facility operating 24/7 — without a single minute of production downtime.

47 Shadow OT Assets Found
0 Production Downtime
12wk Full Remediation

The Challenge

A Tier-1 automotive supplier operating 14 production facilities across North America and Europe needed to understand their OT security posture ahead of a major ERP integration project. The integration would create new connectivity between corporate IT systems and plant-floor OT networks — a significant risk if not properly secured first.

The constraint: assessments could not disrupt production lines running 24/7 to meet OEM delivery schedules.

Our Approach

We deployed passive OT network monitoring sensors at each facility over a two-week period, capturing all OT network traffic without generating a single active probe or packet.

Using industrial-protocol-aware analysis, we:

  • Identified all OT assets communicating on the network (including undocumented legacy equipment)
  • Mapped communication flows between Purdue model levels
  • Identified anomalous connections and policy violations
  • Analyzed firmware versions against known vulnerability databases

Key Findings

47 Unmanaged Assets

Nearly a third of all OT assets on the network were not in the client's asset inventory. These included:

  • Legacy PLCs running firmware from 2009-2014 with known critical vulnerabilities
  • HMIs connected directly to both the OT network and corporate WiFi
  • An engineering workstation with an active VPN client to an external vendor

3 Lateral Movement Paths

We identified three distinct paths by which an attacker with access to the corporate IT network could reach the OT process control level:

  1. A misconfigured historian server acting as a bridge between Level 3 and Level 1
  2. An undocumented remote access channel established by a maintenance vendor
  3. A flat network segment in one facility with no Purdue model enforcement

Critical Protocol Findings

Modbus TCP traffic was observed traveling from Level 1 (process control) to Level 4 (business planning) — a clear violation of the Purdue model that would allow direct PLC commands from the corporate network.
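The flow mapping described under Our Approach and the Modbus finding above, as an added illustration of how such a check can be expressed in code. This is not ExoSec's tooling or any artefact from the engagement: the Purdue zone subnets, the segmentation policy (traffic may cross at most one level, Modbus never reaches Level 4) and the flow records are all constructed for the example. It decodes only the Modbus/TCP MBAP header and function code, enough to distinguish a read from a write, and labels each flow with the policy findings a passive sensor would raise.

```python
"""Purdue-level policy check over passively captured OT flow records.

Added example (not the case study's own code). Zone map, policy and sample
flows are constructed; only the Modbus/TCP framing is the real protocol.
"""
import ipaddress
import struct

# Constructed zone map: assumption that each Purdue level occupies its own subnet.
PURDUE_ZONES = {
    1: ipaddress.ip_network("10.10.1.0/24"),  # Level 1: PLCs / basic control
    2: ipaddress.ip_network("10.10.2.0/24"),  # Level 2: HMIs / supervisory control
    3: ipaddress.ip_network("10.10.3.0/24"),  # Level 3: historian / site operations
    4: ipaddress.ip_network("10.20.0.0/16"),  # Level 4: business planning / ERP
}

MODBUS_TCP_PORT = 502
# Modbus function codes that change process state (coil and register writes).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def purdue_level(ip):
    """Return the Purdue level of an address, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for level, net in PURDUE_ZONES.items():
        if addr in net:
            return level
    return None


def decode_modbus(payload):
    """Decode the MBAP header and function code of one Modbus/TCP frame.

    Returns (unit_id, function_code, is_write), or None when the bytes are not a
    plausible frame: protocol id must be 0 and the MBAP length field must be
    covered by the captured payload.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit_id, function = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length < 2 or len(payload) < 6 + length:
        return None
    return unit_id, function, function in MODBUS_WRITE_FUNCTIONS


def check_flow(flow):
    """Return the list of policy findings for one flow record (empty if clean)."""
    src, dst = purdue_level(flow["src"]), purdue_level(flow["dst"])
    findings = []
    if src is None or dst is None:
        # An endpoint outside every zone is, by definition, not in the inventory.
        findings.append("unmanaged endpoint: address not in any Purdue zone")
        return findings
    if abs(src - dst) > 1:
        findings.append(f"level skip: L{src} -> L{dst} with no intermediate hop")
    if MODBUS_TCP_PORT in (flow["sport"], flow["dport"]):
        if 4 in (src, dst):
            findings.append("Modbus/TCP reaching Level 4 (business network)")
        decoded = decode_modbus(flow.get("payload", b""))
        # Assumption: only the supervisory level (HMIs) is allowed to issue writes.
        if decoded and decoded[2] and src != 2:
            findings.append(f"Modbus write (fc {decoded[1]}) from L{src}, not an HMI")
    return findings


def run_assessment(flows):
    """Classify every flow; result[i] holds the findings for flows[i]."""
    return [check_flow(f) for f in flows]


# Constructed flow records in the shape a passive sensor might export.
SAMPLE_FLOWS = [
    # Expected: HMI polling a PLC with Read Holding Registers (fc 3).
    {"src": "10.10.2.15", "sport": 49152, "dst": "10.10.1.7", "dport": 502,
     "payload": bytes.fromhex("0001000000060103000A0002")},
    # Violation: ERP host at Level 4 writing a holding register (fc 6) on a PLC.
    {"src": "10.20.5.40", "sport": 51000, "dst": "10.10.1.7", "dport": 502,
     "payload": bytes.fromhex("000200000006010600100001")},
    # Violation: historian at Level 3 reading a PLC directly, skipping Level 2.
    {"src": "10.10.3.20", "sport": 50200, "dst": "10.10.1.7", "dport": 502,
     "payload": bytes.fromhex("000300000006010300000001")},
    # Violation: endpoint in no documented zone talking Modbus to a PLC.
    {"src": "192.168.77.9", "sport": 40000, "dst": "10.10.1.7", "dport": 502,
     "payload": bytes.fromhex("000400000006010300000001")},
    # Violation: PLC response (fc 3) flowing from Level 1 straight to Level 4.
    {"src": "10.10.1.7", "sport": 502, "dst": "10.20.5.40", "dport": 51000,
     "payload": bytes.fromhex("0001000000050103020000")},
]

if __name__ == "__main__":
    for flow, findings in zip(SAMPLE_FLOWS, run_assessment(SAMPLE_FLOWS)):
        print(f"{flow['src']} -> {flow['dst']}: {findings or 'ok'}")
```

The level-skip rule is deliberately coarse: it only asks whether a flow crosses more than one Purdue level, which is enough to surface the historian bridge and the Level 1 to Level 4 Modbus path the assessment found. A production policy would also carry per-zone allow lists and would decode responses separately from requests.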

Remediation

Over 12 weeks, working in coordination with operations teams during scheduled maintenance windows, we:

  • Removed or isolated all unmanaged legacy assets
  • Implemented industrial DMZ architecture at each facility
  • Deployed next-generation industrial firewalls with Modbus/DNP3 deep packet inspection
  • Closed all unauthorized remote access channels
  • Documented and formalized approved vendor access with time-limited, audited sessions

Results

The client completed their ERP integration project on schedule with full confidence in their OT security posture. A follow-up assessment 6 months later confirmed full remediation of all critical and high findings.

"ExoSec's passive assessment approach was exactly what we needed. They gave us a complete picture of our OT risk without ever touching a production system." — VP of Operations


Facing a similar challenge? Contact our OT security team to discuss a passive assessment for your environment.