Your Factory Floor Is A Risk at Industrial Scale: When the £5 Million CNC Machine Has the Same Problem as Your Office Printer
Remember Episode 30? The one where we talked about how your office printer was probably the biggest cybersecurity risk in your building?
That £300 device sitting in the corner, storing every contract and payslip you've printed this year on a hard drive nobody ever wipes, with a password an attacker could guess in three tries, and with full access to your entire network?
The episode that made a lot of people very uncomfortable when they realised they'd spent £15,000 on firewalls and endpoint protection but never changed the printer password?
Well, I've got some news that's going to make that discomfort feel quaint.
The UK government just published a 56-page study confirming that everything we said in Episode 30 about your printer applies to your entire factory floor. Except when your CNC machine gets compromised, it doesn't cost you a GDPR breach and some embarrassment. It costs you up to £2.2 million per hour in lost production.
And unlike the printer that just stored documents, these systems control physical processes. When they fail, production stops. When they're deliberately compromised, people can get hurt.
What the Government Report Actually Says
In April 2025, the UK Department for Science, Innovation and Technology (DSIT) commissioned Arcanum to conduct a comprehensive study on operational technology (OT) cybersecurity vulnerabilities in both critical national infrastructure and manufacturing. The resulting 56-page report represents 30 interviews across sectors, analysis of over 160 sources, and months of research into the state of OT security in the UK.
The headline finding? 90% of attacks on operational technology systems originate from IT network vulnerabilities.
That's the same attack pattern we described in Episode 30. Attacker compromises IT network, moves laterally through inadequate segmentation, gains access to the "other devices" that nobody treats as computers.
In Episode 30, the "other device" was an office printer. In the government report, it's CNC machines running Windows XP, SCADA systems controlling water treatment, production line controllers that have been running since 1995, and valve automation installed before most of your staff were born.
The report found systematic problems across UK manufacturing and critical infrastructure:
Legacy equipment everywhere. The report documents OT systems 20, 30, and even 50 years old still in active production use. Not because manufacturers are stupid or negligent, but because replacing a £5 million furnace requires months of downtime they literally cannot afford. One consultant interviewed for the study described a food and beverage producer with equipment ranging from brand new to half a century old, all connected to the same corporate network.
Asset management is catastrophically bad. Many manufacturers don't have accurate inventories of what's connected to their networks. Equipment gets installed by vendors and is never documented. Companies acquire other businesses and inherit production facilities without fully understanding what's there. In Episode 30, we said you can't protect what you don't know exists. The government found that the principle was being violated systematically in OT environments.
The "IT don't speak to OT" cultural divide. This is the industrial version of Episode 30's "nobody owns the printer" problem. IT security teams want to patch everything weekly. Production managers want zero downtime. Neither understands the other's world. The result is that OT security becomes nobody's responsibility, falling into the gap between departments.
Default credentials everywhere. Just like the printer that shipped with "admin/admin" and nobody changed it, the report found SCADA systems, control interfaces, and production equipment still using factory default credentials. Some because changing them would require production downtime to test. Some because nobody even thought to check.
Network segmentation is either absent or inadequate. The South Staffordshire Water breach (which we'll discuss in detail on Friday) happened because credentials from IT systems worked on SCADA systems. That's a segmentation failure. The report found this pattern repeatedly: office networks connected to production networks with inadequate isolation.
The government study quotes one passage that perfectly captures the problem:
"OT systems were originally conceived as separate and segregated from other systems... However, OT systems are increasingly being connected to other systems for monitoring, control, data analysis, or data collection."
Sound familiar? That's exactly what happened with office IoT. Printers used to be standalone devices. Then they got network connectivity for efficiency and convenience. Then they became attack vectors.
The OT-IT Convergence Disaster
Let's be clear about what we mean by OT, because not everyone reading this works in manufacturing.
In Episode 30, we talked about IoT - Internet of Things. Office equipment that's actually computers: printers, CCTV cameras, smart thermostats, networked door locks. That's IoT.
OT - operational technology - is the industrial version:
CNC machines and industrial controllers
SCADA systems (Supervisory Control and Data Acquisition)
Production line automation
Industrial control systems
Factory automation equipment
Anything that monitors or controls physical industrial processes
These systems were historically never connected to anything. They were "air-gapped" - completely isolated from other networks. That was their security model: can't hack what you can't reach.
Except now they're all connected. Industry 4.0, smart manufacturing, remote monitoring, efficiency gains. The same drivers that got your printer onto the network are getting production equipment onto the network.
And that's created the exact same vulnerability pattern, except the stakes are catastrophically different.
The government report documents a UK food and beverage producer that had acquired another company. At one end of their facility, nothing is over three years old - modern, automated, state-of-the-art. At the other end, they have the production plant from the acquired company, where most of the equipment is at least 30 years old, and some bits are 50 years old.
All of it's connected to the corporate network. Because efficiency. Because of remote monitoring. Because integrating legacy systems with modern inventory management seemed sensible. Because Industry 4.0.
Here's where it gets terrifying: some of that 50-year-old equipment has outlasted the people who understood how it worked. They don't have complete documentation. They're not entirely sure what some of it does. But they know if they turn it off, part of the production line stops.
The £5 million furnace problem: you can't afford to replace it (months of downtime at £195,000 to £2.2 million per hour), can't afford to operate it in isolation (lose monitoring and management capabilities), can't afford to test changes (might break production). So you connect it to the modern network and hope nothing bad happens.
The government report found manufacturers are making entirely rational business decisions given impossible constraints. But those rational decisions are creating security vulnerabilities at an industrial scale.
How Attackers Actually Get In
The report's case studies demonstrate the attack pattern we warned about in Episode 30, playing out at an industrial scale.
Case Study: Clorox - When Half a Billion in Security Isn't Enough
Clorox, the American consumer goods manufacturer, had invested $500 million in IT upgrades. They made Forbes magazine's "Most Cybersecure Companies" list in 2023. They had everything: advanced firewalls, endpoint detection and response, a security operations centre, and hardware authentication.
In August 2023, they got absolutely hammered by ransomware: $356 million in lost revenue and a 25% drop in sales. Their products literally disappeared from store shelves because production and order-processing systems had to be taken offline.
Remember the marketing agency from Episode 30 that spent £15,000 on proper security and got breached through the printer? Same pattern, bigger numbers.
The Scattered Spider group (mostly teenagers and young adults in the US and UK) didn't need to break through the heavily protected IT perimeter; they talked a service desk into resetting an employee's credentials. Once inside, the damage landed on the systems that run production and order fulfilment. All that investment in IT security didn't matter because the operational side had nothing comparable protecting it.
Case Study: South Staffordshire Water - When SCADA Screenshots End Up on the Dark Web
This one hits closer to home. August 2022, South Staffordshire Water, part of the UK's critical national infrastructure.
The Clop ransomware group (Russia-based professional criminals) didn't just breach the IT systems. They spent months inside the network undetected. Extracted 5 terabytes of data, including screenshots of their SCADA systems - the actual control interfaces for water treatment.
These weren't customer billing records. These were the control systems for making sure your tap water is safe to drink. And Clop published some of it on the dark web as proof: screenshots of the OPUS Software control panels for Seedy Mill Water Treatment Works, and control system credentials too - usernames and passwords that appeared repeatedly across the SCADA environment.
Just sitting there on the dark web for anyone to use.
The government report notes that while there was no immediate impact on water supply to customers, that was down to the attackers' choice, not any security measures preventing them. Clop is financially motivated. They want money, not mass casualties. Disrupting water treatment brings law enforcement heat that's bad for business.
But they had access. They had the credentials. They had detailed knowledge of how the water treatment processes worked. They could have altered chemical dosing. They could have disrupted treatment processes.
The report actually models this out, referencing a case from Nokia, Finland in 2007 where accidental wastewater contamination of drinking water led to an epidemic affecting over 25,000 people. That was accidental. South Staffs was a deliberate breach where attackers had access to do the same thing intentionally, but chose not to.
Here's the Episode 30 parallel: your printer stored documents on its hard drive, and attackers published them. South Staffs' SCADA systems stored operational data, and attackers published that. Same pattern of "forgotten device has sensitive data," different scale of consequences.
How they got in: Standard Clop methodology suggests a phishing email in the IT environment. IT network compromise. Then lateral movement to OT because the networks weren't properly segmented, and credentials from IT systems also worked on SCADA systems. Password reuse between environments.
Nobody detected 5 terabytes of data leaving the network over several months because OT network monitoring was inadequate or non-existent.
Why This Is Harder Than Printers (But Same Principles Apply)
In Episode 30, we gave you straightforward solutions:
Change the printer password
Update firmware
Segment the network
Monitor and maintain
For OT, those same principles apply, but the implementation is harder.
"Change the password" sounds simple. Except that the 30-year-old system might not support changing the password. Or changing it requires shutting down production to test whether anything breaks. At £2.2 million per hour, "let's just try changing this and see what happens" isn't an option.
"Update firmware" is the same problem, worse. You can't patch systems that are 30 years old because patches don't exist. Even if newer systems have patches available, applying them requires production downtime and risks breaking compatibility with other systems in the production chain.
One manufacturer interviewed for the report has equipment so old that they're not entirely sure what operating system it's running. How do you patch something when you don't know what's on it, don't have the original installation media, and the manufacturer went out of business 20 years ago?
"Replace it" is the obvious solution with eye-watering costs. The report documents a glass furnace replacement at £5 million. That's not just the equipment - that's installation, testing, and lost production during changeover. Full production line replacements can take weeks or months. At the higher end of downtime costs (£2.2 million per hour), a month-long replacement costs £1.58 billion in lost production.
So manufacturers do what seems rational: connect the old equipment to the network for monitoring and remote management. The same thing we criticised in Episode 30. The alternative is even worse from a business perspective.
But here's what the government report emphasises: even though you can't replace the equipment, you can still apply defensive principles from Episode 30. You just do it differently.
Defence in depth. The report uses that exact phrase repeatedly. If you can't secure the device itself, you secure around it. Multiple layers of protection so when one fails - and it will - others remain.
Network segmentation. You can't change the 30-year-old device, but you can absolutely isolate it on its own network segment. Put it behind a firewall with strict rules about what can talk to it, on which ports, from where. The South Staffs breach happened because credentials from IT systems worked on SCADA systems. Proper segmentation, with no path from the office network into the control network and no shared credentials across the boundary, would have stopped that dead.
The report found that good segmentation usually came from regulatory requirements. The Health and Safety Executive's OG-86 guidance requires specific network segmentation for organisations under their regulatory remit (chemicals, oil and gas sectors). Organisations following OG-86 had substantially better security because it's explicitly required rather than suggested.
Access controls. Not everyone needs admin access to production systems. Operators need to run equipment, not configure it. Maintenance engineers need diagnostic access, not system-level changes. IT needs to monitor the network, not touch production systems. Vendors definitely don't need permanent admin accounts.
The report recommends role-based access, temporary credentials for vendors, monitored access, and quarantine networks for any vendor equipment (because those USB sticks might have malware, just like we warned in Episode 30).
Monitoring. You can't install traditional security tools on 30-year-old SCADA systems, but passive network monitoring works. Mirror production network traffic (a SPAN port on the switch or a network tap) to a monitoring system without touching the devices. Passive is the key word: never port-scan a production cell, because 1990s controllers can crash or reset when poked by a scanner. Learn what "normal" looks like. Alert on anomalies: a new talker, a connection from the office network straight into the cell, a device sending far more than it ever has.
The South Staffs breach is exactly what this catches: 5 terabytes of data leaving the network over months is an anomaly against any baseline. But only if you're monitoring, and only if someone is reading the alerts.
The report found OT network monitoring either inadequate or completely absent in many organisations, partly due to cost, partly due to lack of expertise, and partly due to the "IT don't speak to OT" cultural divide.
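The segmentation and monitoring points above come together in one small tool: check every connection seen on the mirrored traffic against a written segmentation policy, and compare each OT host's daily outbound volume against a baseline learned in a quiet period. The script below is an added example for this article, not code from the DSIT/Arcanum report or from any vendor product. It assumes a sensor on a SPAN port or tap that exports one record per connection as "timestamp src dst dport bytes" (src being the side that opened the connection); the zone ranges, the allowlist, the port numbers and every flow record are constructed for illustration.

```python
"""Passive OT network monitoring: segmentation-policy check and egress baseline.

Added example for this article, not code from the DSIT/Arcanum report or any
vendor product. Assumes a SPAN/tap sensor exporting one record per connection
as 'timestamp src dst dport bytes', src being the side that opened it. Zones,
allowlist and every flow record below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone model: office IT, a DMZ holding the historian, the OT cell.
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("192.168.100.0/24"),
}

# Policy as (src_zone, dst_zone, dport). Anything not listed is a violation:
# IT never reaches OT directly, and nothing in OT reaches the internet.
ALLOWED = {
    ("IT", "DMZ", 443),   # engineers view historian dashboards
    ("DMZ", "OT", 502),   # historian polls PLCs over Modbus/TCP
    ("OT", "DMZ", 443),   # engineering workstation uploads backups to historian
    ("OT", "OT", 502),    # HMI/PLC traffic inside the cell
}


def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def segmentation_violations(flows):
    """Every flow whose (src zone, dst zone, port) is not explicitly permitted."""
    out = []
    for f in flows:
        key = (zone_of(f["src"]), zone_of(f["dst"]), f["dport"])
        if key not in ALLOWED:
            out.append((f["src"], f["dst"], f["dport"], f"{key[0]}->{key[1]}"))
    return out


def _daily_ot_egress(flows):
    """Bytes per (day, OT source) for connections that leave the OT zone."""
    totals = defaultdict(int)
    for f in flows:
        if zone_of(f["src"]) == "OT" and zone_of(f["dst"]) != "OT":
            totals[(f["ts"][:10], f["src"])] += f["bytes"]
    return totals


def learn_baseline(training_flows):
    """'Normal' = the largest daily egress each OT host produced in a quiet period."""
    baseline = {}
    for (_, src), total in _daily_ot_egress(training_flows).items():
        baseline[src] = max(baseline.get(src, 0), total)
    return baseline


def egress_anomalies(flows, baseline, factor=5.0):
    """Flag OT hosts sending far more than baseline, or with no baseline at all."""
    out = []
    for (day, src), total in sorted(_daily_ot_egress(flows).items()):
        limit = baseline.get(src)
        if limit is None or total > factor * limit:
            out.append((day, src, total, limit))
    return out


# Constructed quiet-period sample: historian polling, dashboards, nightly backup.
TRAINING = """
2024-06-01T08:00 10.20.0.5 192.168.100.10 502 120000
2024-06-01T08:00 10.20.0.5 192.168.100.11 502 118000
2024-06-01T09:00 10.10.5.20 10.20.0.5 443 300000
2024-06-01T22:00 192.168.100.12 10.20.0.5 443 52000000
2024-06-02T08:00 10.20.0.5 192.168.100.10 502 121000
2024-06-02T08:00 10.20.0.5 192.168.100.11 502 119500
2024-06-02T09:00 10.10.5.20 10.20.0.5 443 310000
2024-06-02T22:00 192.168.100.12 10.20.0.5 443 51500000
"""

# Constructed incident sample: an IT workstation reaches the cell directly, then
# the engineering workstation pushes 1.8 GB to an address outside every zone.
LIVE = """
2024-06-10T08:00 10.20.0.5 192.168.100.10 502 120500
2024-06-10T22:00 192.168.100.12 10.20.0.5 443 51800000
2024-06-11T02:13 10.10.7.44 192.168.100.12 3389 4800
2024-06-11T02:20 10.10.7.44 192.168.100.10 502 9100
2024-06-11T03:05 192.168.100.12 203.0.113.9 443 1800000000
"""

if __name__ == "__main__":
    baseline = learn_baseline(parse_flows(TRAINING))
    live = parse_flows(LIVE)
    for v in segmentation_violations(live):
        print("SEGMENTATION", *v)
    for a in egress_anomalies(live, baseline):
        print("EGRESS", *a)
```

Two design points matter here. The allowlist is written in terms of zones and ports, not individual devices, so it doubles as the firewall rule set you would later enforce: anything this script reports as a violation is a rule the firewall should already be dropping. And the baseline is deliberately per host, because a 1.8 GB night from a PLC is an incident while the same volume from a backup server is Tuesday.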
The IT-OT Cultural Disaster
That phrase - "IT don't speak to OT" - appears throughout the government report. It's the industrial version of Episode 30's "nobody owns the printer" problem.
IT security teams prioritise confidentiality and integrity of data. OT operations teams prioritise the availability and safety of physical systems. Those priorities can conflict.
IT says "patch immediately." OT says "we can't shut down production, we'll patch during planned maintenance in three months." By then there are new patches to apply. OT is always behind, but from their perspective, availability is more important than being current on patches.
Is that wrong? Not given their constraints. Shutting down to patch costs £2.2 million per hour.
The solution requires both sides to understand the other's world and find a compromise. The report found this basically never happens without executive-level intervention.
One positive example: a chemical sector company with a committee including IT security, OT operations, production management, and executive representation. When there's a security concern, the committee assesses risk and agrees on an approach. IT can't mandate patching without OT input. OT can't dismiss security concerns without explaining operational constraints.
When that coordination doesn't happen? The report describes "abysmal risk management." Security controls that get circumvented because they make operations difficult. Operational procedures that create massive security holes because nobody consulted IT.
The Supply Chain Targeting Reality
Episode 30 mentioned third-party risks briefly. The government report makes it explicit: attackers target small manufacturers as entry points to larger customers.
You're not making products in isolation. You're in a supply chain. And your larger customers are starting to implement supply chain security requirements. Not because they're being difficult, but because they've been breached through suppliers.
Within 18 months, if you supply to larger manufacturers, you will face security audits. Not might. Will. Can you demonstrate network segmentation? Can you prove access controls? Can you show monitoring? Can you document vendor management?
If not, you either lose the customer or face an expensive emergency scramble.
But here's the opportunity: most manufacturers aren't ready. When customers start requiring security documentation, competitors will scramble. If you're ready now - network segmentation implemented, access controls documented, monitoring in place - you hand them documentation and win the contract.
"We're a secure supplier" becomes a brand differentiator in an industry with terrible security. You can charge a premium for it. Especially as the Cyber Security and Resilience Bill progresses through Parliament, expanding NIS Regulations to cover approximately 1,000 additional managed service providers, plus supply chain requirements that will flow down to manufacturers.
This isn't optional. It's just whether you get ahead of it and create a competitive advantage, or wait until you're forced and it becomes an emergency.
How to Turn This Into Competitive Advantage
While your competitors are scrambling to meet customer security requirements they didn't see coming, you can be ready.
Win larger contracts. "We can prove our production systems are segmented and monitored" differentiates you in procurement. Bigger customers will pay a premium for secure suppliers when security becomes a requirement, and most can't demonstrate it.
Retain existing customers. When they start auditing supply chains (and they will), you demonstrate compliance immediately while competitors scramble. Customer confidence through transparency and readiness.
Premium pricing justification. "We're a secure supplier" becomes valuable when customers require it and competitors can't prove it. Risk reduction commands a premium, especially in regulated industries.
Insurance benefits. Cyber insurance increasingly requires demonstrable OT security controls. Better rates for proven controls, and it may become a requirement for coverage at all.
How to demonstrate it:
Document network architecture
Maintain current asset inventory
Evidence access controls
Regular security reviews
Turn it into marketing material
Your larger customers aren't requiring this yet. But the government report makes clear they will. Being ready first creates competitive advantage.
How to Sell This to Your Board
The board conversation most manufacturers need to have:
Opening: "Our three largest customers will require supply chain security audits within 18 months. We need to be ready."
Risk quantification:
Our downtime cost: £[X] per hour
Average ransomware attack duration: 504 hours (21 days)
Total exposure: £[X] × 504 = £[massive number]
Security investment: £40,000-£80,000
ROI if it prevents ONE attack: [ridiculous multiple]
Not IF we'll be attacked, but WHEN.
Regulatory driver:
Cyber Security & Resilience Bill expanding requirements
NIS Regulations extension to supply chains
Customer contractual requirements
Insurance coverage requirements
Not optional, just a timing question
Competitive positioning: "While competitors scramble when audits start, we'll demonstrate compliance immediately."
Use the government report as credibility:
56 pages, 160 sources, 30 expert interviews
Not IT paranoia, documented systemic problem
90% of attacks start in IT networks we already have
The board can't dismiss it as "IT being cautious"
The question that forces action: "What's our plan when a customer requires a security audit, and we can't demonstrate controls? Lose the customer or emergency scramble at three times the cost?"
What You Should Do This Week
Episode 30 made you check your printer password. This should make you audit your production floor.
Immediate actions:
Walk your production floor. List every device with network connectivity. Not just obvious computers - controllers, sensors, monitoring systems, anything with an IP address. Read the switch's MAC and ARP tables and ask the vendors what they installed; do not run a port scanner across the cell, because old controllers can fault or reset when scanned. You can't protect what you don't know exists.
Map communication flows. Ask operators: what systems talk to what? Ask engineers: what are the dependencies? Document on whiteboard, formalise later.
Calculate actual downtime cost. Lost revenue, committed customer orders, and staff costs. This number justifies investment to your board.
Find one control system. Locate one production system's admin interface and, with the operator alongside you, assess it: can you log in? Is the password still the factory default, or shared with an IT account? (Don't change anything yet, just record the current state.)
Identify stakeholders. Who from IT needs to be involved? Who from production? Who has budget authority? Breaking the "IT don't speak to OT" barrier starts here.
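The first two actions above produce two lists that rarely agree: what the asset register says is on the floor, and what the switches say is actually talking. Reconciling them is the quickest way to find the vendor-installed box nobody documented, the controller that has gone quiet, and the operating systems that stopped receiving patches years ago. The script below is an added example for this article, not code from the report. It assumes an ARP/MAC export from the OT switch in a simple "ip mac port" form and the register as CSV; both samples are constructed, and the MAC addresses use locally administered (02:) prefixes so they match no real vendor. The end-of-support years are the published Microsoft dates for those products.

```python
"""Reconcile what is actually on the OT network against the asset register.

Added example for this article, not code from the DSIT/Arcanum report. Inputs
are gathered without touching any controller: an 'ip mac port' export from the
OT switch and the asset register as CSV. Both samples are constructed.
"""
import csv
import io

# Published end-of-support years for systems still common on plant floors.
END_OF_SUPPORT = {"windows xp": 2014, "windows server 2003": 2015, "windows 7": 2020}

# Constructed asset register. Empty or 'unknown' OS is itself a finding.
REGISTER_CSV = """\
asset,ip,mac,owner,os,installed
HMI-LINE1,192.168.100.10,02:aa:01:00:00:10,Production,Windows XP,2006
PLC-LINE1,192.168.100.11,02:aa:01:00:00:11,Production,,1998
ENG-WS1,192.168.100.12,02:aa:01:00:00:12,Maintenance,Windows 10,2021
FURNACE-CTL,192.168.100.30,02:aa:01:00:00:30,Production,unknown,1995
"""

# Constructed switch export: HMI-LINE1 is as documented, PLC-LINE1 answers from
# a different MAC, FURNACE-CTL is silent, and two undocumented devices are live.
SWITCH_ARP = """
192.168.100.10 02:aa:01:00:00:10 Gi1/0/1
192.168.100.11 02:aa:02:00:00:11 Gi1/0/2
192.168.100.12 02:aa:01:00:00:12 Gi1/0/3
192.168.100.50 02:aa:bb:00:00:50 Gi1/0/7
192.168.100.51 02:aa:bb:00:00:51 Gi1/0/8
"""


def load_register(text):
    """Asset register keyed by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def load_arp(text):
    """Observed devices keyed by IP: MAC (normalised) and the switch port."""
    seen = {}
    for line in text.strip().splitlines():
        ip, mac, port = line.split()
        seen[ip] = {"mac": mac.lower(), "port": port}
    return seen


def reconcile(register, seen, current_year=2025):
    """Diff observed devices against the register and flag unsupported/unknown OS."""
    findings = {"undocumented": [], "not_seen": [], "mac_changed": [],
                "unsupported_os": [], "unknown_os": []}
    for ip, obs in seen.items():
        if ip not in register:
            findings["undocumented"].append((ip, obs["mac"], obs["port"]))
        elif register[ip]["mac"].lower() != obs["mac"]:
            # Replaced hardware, a re-addressed device, or something impersonating it.
            findings["mac_changed"].append((ip, register[ip]["mac"], obs["mac"]))
    for ip, row in register.items():
        if ip not in seen:
            findings["not_seen"].append((row["asset"], ip))
        os_name = row["os"].strip().lower()
        if os_name in END_OF_SUPPORT and END_OF_SUPPORT[os_name] <= current_year:
            findings["unsupported_os"].append((row["asset"], row["os"]))
        elif os_name in ("", "unknown"):
            findings["unknown_os"].append((row["asset"], int(row["installed"])))
    return findings


if __name__ == "__main__":
    result = reconcile(load_register(REGISTER_CSV), load_arp(SWITCH_ARP))
    for category, items in result.items():
        for item in items:
            print(category.upper(), *item)
```

Every line this prints is a question for the floor walk rather than an answer: who installed 192.168.100.50 and .51 and what do they do, why did PLC-LINE1's MAC change, is FURNACE-CTL really off or just not on this switch, and what is actually running on the controllers whose OS column is blank.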
Preparing for what's coming:
Thursday's episode: Complete how-to guide. Network segmentation without killing production, access controls, monitoring approaches, and vendor management. Step-by-step implementation.
Friday's episode: Detailed case study breakdown of South Staffordshire Water attack. Shows exactly what happens when these controls aren't in place.
The Bottom Line
Episode 30 was about office IoT being a forgotten security risk. The government study confirms the same problem exists on factory floors at an industrial scale.
Printers, CCTV, thermostats = CNC machines, SCADA, production controllers.
Same attack pattern: IT compromise, lateral movement, operational impact.
Different stakes: not document theft, production shutdown at £195,000 to £2.2 million per hour.
Manufacturers who get ahead of this create a competitive advantage through supply chain security differentiation. Those who ignore it become case studies in next year's government report.
The principles from Episode 30 work here. Asset discovery. Network segmentation. Access controls. Monitoring. Defence in depth. They're just harder to implement, and more necessary given the stakes.
If Episode 30 made you uncomfortable about your printer, this should terrify you about your production floor.
Thursday's episode gives you the playbook to fix it.
Listen to the full podcast episode: [Link to podcast]
Related content:
Episode 30: The Printer Is Watching - How Your Office Gear Is the Biggest Cyber Threat
Thursday: Practical implementation guide for securing OT without killing production
Friday: South Staffordshire Water case study deep-dive
Need help securing your production systems? Contact us at hello@thesmallbusinesscybersecurityguy.co.uk