Why IT Security Rules Don't Work on Your Factory Floor

Why OT cybersecurity in pharmaceutical plants requires a completely different approach, and what actually works.

Micaela Caserza


A cyberattack hits your pharmaceutical plant. The IT team jumps in with the usual playbook: isolate the affected systems, patch everything, update the antivirus. Problem is, half the equipment on the floor is running Windows XP. Some of it hasn't been touched in fifteen years. You can't patch it. You can't update it. And you definitely can't take it offline, because the moment you do, production stops.

This is the reality of OT cybersecurity in pharma. And it's why applying IT security rules to an OT environment doesn't just fail. It can make things worse.

IT and OT speak different languages

In IT security there's a well-known framework called the CIA triad: Confidentiality, Integrity, and Availability. The order of the letters is also, in practice, the order of priority: in IT, confidentiality comes first. Keeping data private is the core concern.

In OT, that triad is flipped.

On a pharmaceutical production floor, availability is everything. If a system goes down, production stops. Batches are lost. Regulatory timelines are missed. Integrity comes second: data and process commands need to be accurate and trustworthy. Confidentiality matters too, but it's not the top priority.

This isn't a minor nuance. Most IT security solutions are built around protecting confidentiality. When you deploy them in an OT environment without adapting the approach, you're solving the wrong problem and potentially creating new ones.

The legacy problem nobody wants to talk about

In the IT world, a five-year-old server is already heading toward end-of-life. In OT, a fifteen or twenty-year lifecycle is completely normal. That's not negligence. That's the nature of industrial equipment. A PLC or a control system embedded in a production line gets validated, qualified, and certified. Replacing it isn't a software update. It's a major project.

So pharma plants end up with a hybrid reality: modern MES, Batch, Historian, and SCADA servers running on current Windows versions, sitting right next to machines that are still on Windows 2000 or XP, operating systems that Microsoft stopped supporting years ago.

IT security teams have one answer for this: throw it out. That answer doesn't work in a regulated manufacturing environment.

What does work is an approach built specifically for OT, one that accepts legacy equipment as a constraint and protects around it, not through it.

Virtual patching: protecting what you can't update

If you can't patch the device itself, you protect what's in front of it.

Virtual patching means placing a security layer, typically an inline firewall or intrusion prevention system, between the vulnerable legacy device and the rest of the network. The device still has its open ports and known vulnerabilities, but only the traffic the layer explicitly allows can reach them, and requests that match known exploit patterns are dropped before they arrive. The device itself is never touched. The caveat is that the layer only protects the paths that actually pass through it: a maintenance laptop plugged straight into the machine's switch port bypasses it entirely, so the physical network path has to be controlled as well.

It's not a perfect solution. But it's a practical one. And in OT, practical beats perfect every time.
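What the layer in front of a legacy device actually decides, as an added example that is not code from the article or from Adasoft: a toy inline filter with a default-deny allowlist of flows and a protocol-aware check on the one service the device must expose. The hosts, addresses, the choice of Modbus/TCP on port 502, and the rule that the historian may only read are all assumptions for illustration; the sample traffic is constructed.

```python
# Added example (not from the article): a toy inline "virtual patch" filter that sits
# between a legacy device and the rest of the network. Hosts, addresses and the
# Modbus/TCP policy below are assumptions for illustration only.
from dataclasses import dataclass
import struct

LEGACY_HOST = "10.10.2.15"      # assumed: unpatched Windows XP machine on the line
HISTORIAN = "10.10.1.20"        # assumed: historian that only needs to read values
ENGINEERING = "10.10.1.50"      # assumed: engineering station allowed to write

# Default-deny allowlist of (source, destination, TCP port). Anything else is dropped,
# so the legacy host's other listening services (SMB, RPC, ...) never see a packet.
ALLOWED_FLOWS = {
    (HISTORIAN, LEGACY_HOST, 502),
    (ENGINEERING, LEGACY_HOST, 502),
}

# Modbus function codes that only read (coils, discrete inputs, holding/input registers).
READ_ONLY_FUNCTION_CODES = {1, 2, 3, 4}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def modbus_frame(function_code: int, address: int, value: int, unit: int = 1,
                 transaction: int = 1) -> bytes:
    """Build a minimal Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    pdu = struct.pack(">BHH", function_code, address, value)
    mbap = struct.pack(">HHHB", transaction, 0, len(pdu) + 1, unit)
    return mbap + pdu


def modbus_function_code(payload: bytes):
    """Return the function code of a Modbus/TCP payload, or None if it is malformed."""
    if len(payload) < 8:
        return None
    declared_length = struct.unpack(">H", payload[4:6])[0]
    if declared_length != len(payload) - 6:      # MBAP length covers unit id + PDU
        return None
    return payload[7]


def decide(pkt: Packet):
    """Return (verdict, reason) for a packet; only the legacy host is protected."""
    if pkt.dst != LEGACY_HOST:
        return ("allow", "not destined for the protected host")
    if (pkt.src, pkt.dst, pkt.dport) not in ALLOWED_FLOWS:
        return ("drop", f"no allowlisted flow for {pkt.src} -> port {pkt.dport}")
    if pkt.dport == 502:
        fc = modbus_function_code(pkt.payload)
        if fc is None:
            return ("drop", "malformed Modbus/TCP frame")
        if pkt.src == HISTORIAN and fc not in READ_ONLY_FUNCTION_CODES:
            return ("drop", f"function code {fc} is a write; historian is read-only")
    return ("allow", "matches policy")


# Constructed sample traffic: the kind of packets the filter sees in front of the device.
SAMPLE_TRAFFIC = [
    Packet("10.10.9.99", LEGACY_HOST, 445),                        # SMB probe from an unknown host
    Packet(HISTORIAN, LEGACY_HOST, 502, modbus_frame(3, 0, 10)),   # historian reads 10 registers
    Packet(HISTORIAN, LEGACY_HOST, 502, modbus_frame(6, 0, 1)),    # historian tries to write a register
    Packet(ENGINEERING, LEGACY_HOST, 502, modbus_frame(6, 0, 1)),  # engineering station writes
    Packet(HISTORIAN, LEGACY_HOST, 502, b"\x00\x01\x00\x00\x00\x10\x01\x03"),  # truncated frame
]


def run_filter(packets=SAMPLE_TRAFFIC):
    """Verdicts for a list of packets, in order."""
    return [decide(p)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        verdict, reason = decide(pkt)
        print(f"{verdict:5} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({reason})")
```

The point of the protocol check is that a pure port allowlist still lets the historian's credentials, if stolen, be used to write to the device; restricting that peer to read-only function codes is the kind of rule a real inline OT firewall applies, and it needs no change on the legacy host.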

This fits into a broader approach called defense in depth: layered security where the most critical assets sit at the center, protected by multiple rings. If one layer is weak or missing (say, a legacy device that can't be hardened), the layers around it compensate. The plant keeps running. Nobody loses fingers, data, or batches.

The regulatory shortcut most pharma companies don't know about

Here's something that surprises most plant managers when we bring it up: if your facility already complies with GAMP, you're roughly 80% of the way to NIS2 compliance.

NIS2, the EU directive on cybersecurity for essential and important entities (a list that includes pharmaceutical manufacturers), has been making headlines. Pharma companies are scrambling to figure out what it demands. But GAMP (ISPE's Good Automated Manufacturing Practice guidance) already calls for most of the same controls: risk assessments, change management, documented security measures, validation evidence.

The gap isn't as wide as it looks. And IEC 62443 is what bridges it.

IEC 62443 is a multi-part series of standards, organized into four groups (general, policies and procedures, system, and component), covering every dimension of OT cybersecurity from security management processes to system architecture to component requirements. It's the practical "how" behind the "what" that NIS2 demands and GAMP expects. If you implement cybersecurity according to IEC 62443, you're not just protecting your plant. You're generating the documented evidence you need to satisfy both frameworks at once.

That's not just efficient. In an industry where audit readiness is a constant pressure, it's a genuine competitive advantage.

When cybersecurity and functional safety collide

The line between functional safety and OT cybersecurity is getting blurry, and that matters.

Modern safety functions like emergency stops, pressure relief, and interlock systems run on safety PLCs. They process algorithms, handle digital data, and communicate over safety fieldbuses such as PROFIsafe or CIP Safety. They're software-driven. And that means a cyberattack can, in theory, compromise a safety function.

The good news is that safety fieldbuses were designed with integrity at the core: they detect message corruption, reordering, loss, and delays using checks such as sequence numbers, timeouts, and CRCs. Those objectives overlap significantly with security objectives, so a well-designed safety system already has some inherent cybersecurity properties. The caveat is that these mechanisms were built against random faults, not a deliberate attacker: a CRC can be recomputed by anyone who can modify the frame, so they are no substitute for authentication and access control on the network around the safety system.

IEC 62443 formalizes this relationship. IEC 62443-3-2 requires that safety-related assets be grouped into their own zones, logically or physically separated from zones holding non-safety assets, with a security level target set by that zone's risk assessment (in practice higher than the surrounding control network). Traffic between a safety zone and standard control systems can only pass through defined conduits, which are the regulated, documented channels the rest of the architecture is built around.

In practice: if your functional safety architecture is properly designed, it's not as exposed as you might think. But that only holds if cybersecurity requirements are considered during the safety design phase, not bolted on afterward.
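One way to make the zone-and-conduit rules above checkable during the design phase, as an added example that is not code from the article or from Adasoft: a small validator over a model of zones, assets, conduits and planned flows. The zone names, security level targets and flows are constructed for illustration; checks 1 and 2 follow the separation and conduit requirements described above, while check 3 (flagging a conduit into a safety zone from a lower-SL-T zone) is an assumed review policy, not a literal clause of the standard.

```python
# Added example (not from the article): a checker for a zones-and-conduits model in the
# spirit of IEC 62443-3-2. Zone names, SL-T values, assets and flows are assumptions.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    zone: str
    safety_related: bool = False


@dataclass
class Zone:
    name: str
    sl_target: int            # security level target, 1..4
    safety_zone: bool = False


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocol: str


@dataclass(frozen=True)
class Flow:
    """A planned or observed communication between two assets."""
    src: str
    dst: str
    protocol: str


def check_model(zones, assets, conduits, flows):
    """Return a list of findings; an empty list means the model passes all checks."""
    findings = []
    zone_by_name = {z.name: z for z in zones}
    asset_by_name = {a.name: a for a in assets}

    # Check 1: safety-related assets live only in safety zones, and safety zones hold
    # only safety-related assets (logical or physical separation).
    for a in assets:
        z = zone_by_name[a.zone]
        if a.safety_related and not z.safety_zone:
            findings.append(f"{a.name} is safety-related but sits in non-safety zone {z.name}")
        if z.safety_zone and not a.safety_related:
            findings.append(f"{a.name} is not safety-related but sits in safety zone {z.name}")

    # Check 2: every cross-zone flow must match a declared conduit.
    declared = {(c.src_zone, c.dst_zone, c.protocol) for c in conduits}
    for f in flows:
        src_zone = asset_by_name[f.src].zone
        dst_zone = asset_by_name[f.dst].zone
        if src_zone != dst_zone and (src_zone, dst_zone, f.protocol) not in declared:
            findings.append(f"flow {f.src} -> {f.dst} ({f.protocol}) has no conduit "
                            f"{src_zone} -> {dst_zone}")

    # Check 3 (assumed review policy, not a literal 62443 clause): a conduit entering a
    # safety zone from a zone with a lower SL-T is flagged for review.
    for c in conduits:
        src, dst = zone_by_name[c.src_zone], zone_by_name[c.dst_zone]
        if dst.safety_zone and src.sl_target < dst.sl_target:
            findings.append(f"conduit {c.src_zone} -> {c.dst_zone} ({c.protocol}) enters a "
                            f"safety zone from a lower SL-T zone")
    return findings


def sample_findings():
    """Run the checks on a constructed plant model with three deliberate problems."""
    zones = [
        Zone("plant-network", sl_target=2),
        Zone("line-control", sl_target=2),
        Zone("line-safety", sl_target=3, safety_zone=True),
    ]
    assets = [
        Asset("historian", "plant-network"),
        Asset("plc1", "line-control"),
        Asset("hmi", "line-control"),
        Asset("safety_plc", "line-safety", safety_related=True),
        Asset("maintenance_laptop", "line-safety"),       # problem 1: non-safety asset in safety zone
    ]
    conduits = [
        Conduit("plant-network", "line-control", "opc-ua"),
        Conduit("line-control", "line-safety", "profisafe"),  # problem 3: lower SL-T into safety zone
    ]
    flows = [
        Flow("historian", "plc1", "opc-ua"),
        Flow("plc1", "safety_plc", "profisafe"),
        Flow("historian", "safety_plc", "http"),            # problem 2: no conduit for this path
        Flow("hmi", "plc1", "s7comm"),                       # same zone, no conduit needed
    ]
    return check_model(zones, assets, conduits, flows)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

Running this against the real asset inventory is exactly the "honest assessment" step: the findings list is the gap between the architecture on paper and the traffic the plant actually carries.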

What to take away

OT cybersecurity in pharmaceutical manufacturing isn't a variation of IT security. It's a different discipline with different constraints, different priorities, and different tools.

The plants that get it right start from that premise. They don't force IT frameworks onto OT environments. They work with the legacy reality instead of against it. They use IEC 62443 as a practical implementation guide, not just a compliance checkbox. And they think about safety and security as two sides of the same coin from day one.

If you're not sure where your plant stands, that's actually the right starting point: an honest assessment of what you have, what's exposed, and what a realistic protection strategy looks like given your specific environment.

That's where we start every engagement at Adasoft.