Consider a mid-sized automotive parts supplier in Bursa: the SCADA system manages the production line, PLCs control press machines, and these systems are now linked to the corporate network. The accounting department issues e-invoices, warehouse staff log stock movements into the ERP, and the plant manager monitors production data from an office workstation. Connectivity is increasing, efficiency is improving — but that same connectivity is exposing production infrastructure, once kept deliberately isolated, to external threats. Whether this reality is being discussed at the board level remains unclear in most companies.
The distinction between operational technology (OT) and information technology (IT) becomes critical when cybersecurity enters the picture. IT security focuses on protecting servers, databases, email systems, and corporate networks. When an attack occurs, the worst case is typically data loss or service disruption — serious, but usually recoverable. OT security operates on a different plane entirely: SCADA systems, PLCs, and industrial control systems manage physical machinery. A security breach here does not merely mean lost data; it can mean production stoppage, equipment damage, and in some scenarios, workplace safety risks. Rebooting a server is straightforward; bringing a halted production line back online can take hours, sometimes days.
The problem is structural, not merely technical. IT departments apply software patches quickly to close vulnerabilities — this is the basic reflex of IT operations. In production environments, however, updating a PLC’s firmware may require halting production, obtaining manufacturer approval, and running validation tests that can take weeks. The priority of production continuity and the necessity of security updates are in direct conflict. Resolving this conflict requires IT and production engineering to sit at the same table — yet in most SMEs, these two functions continue to operate independently of each other.
Network segmentation emerges as a foundational countermeasure in this context. Separating the corporate network from the production network — logically or physically — limits how far an attack can spread. When there is no direct path from an accounting workstation to the production SCADA system, a vulnerability in the e-invoice platform cannot be leveraged to issue commands to press machines. Implementing this segmentation requires dedicated hardware and careful configuration, but its cost looks reasonable when measured against the financial impact of a production stoppage. Including this protective layer in a total cost of ownership (TCO) analysis puts the investment decision on firmer ground.
Remote access points constitute a separate risk category. A maintenance engineer connecting via VPN, a vendor providing remote support, a manager checking production figures from outside the office — each of these is a potential entry point. Strengthening authentication mechanisms, enforcing minimum necessary access privileges, and regularly reviewing remote connection logs make these risks manageable. But establishing these controls first requires answering a basic question: who has access to which systems, and through what paths? In many companies, this inventory has not yet been completed.
The most immediate practical challenge is the awareness gap. Production engineers treat cybersecurity as an IT problem; IT specialists are unfamiliar with SCADA or PLC architecture. This knowledge gap creates a grey zone where responsibility belongs to no one. Furthermore, the number of specialists capable of auditing industrial control system vulnerabilities is quite limited in Turkey at this stage. A company seeking an independent security assessment faces difficulty finding a qualified consultant and must plan the audit carefully to avoid disrupting production. Software licensing costs and hardware investments find their way into budgets; security audits tend to wait on the ‘when necessary’ list.
For management, the concrete decision criteria should be these: if your production infrastructure is connected to the corporate network, is that connection’s security architecture documented? Which systems have access to the internet or the corporate network, are those access points monitored, and in a breach scenario, how many hours would it take to restore production? Answering these three questions makes the scale of the risk tangible and enables prioritization. Deferring a security investment is not a cost saving — it is an uncalculated risk assumption, and management must consciously own that choice.
This article was originally written in Turkish by Gökhan MERCANOĞLU on June 18, 2012 and has been automatically translated into English and other languages using machine translation.