TL;DR: The FDA’s June 2025 white paper on securing operational technology used for medical product manufacturing reframes pharmaceutical cybersecurity around connected production systems, asset visibility, zone-based segmentation, and security by design, while the article cites a 46% surge in ransomware against OT and $10 billion in NotPetya damage. Compliance now depends on controlling manufacturing trust boundaries, not just hardening endpoints.
At a glance
What this is: This analysis shows how the FDA’s new OT cybersecurity guidance turns pharmaceutical and biotech manufacturing security into a governance problem around connected systems, segmentation, and patient safety.
Why it matters: It matters because IAM, PAM, and NHI teams increasingly have to account for machine and process identities inside manufacturing zones, where access control and segmentation directly affect operational continuity.
By the numbers:
- As ransomware attacks against operational technology surge 46 percent, the FDA’s focus on securing connected production systems has become a compliance issue for manufacturers.
- The NotPetya attack caused $10 billion in global damages and affected pharmaceutical manufacturer Merck & Co., showing how OT disruption can cascade beyond one site.
👉 Read Elisity’s analysis of FDA OT cybersecurity guidance for pharmaceutical manufacturing
Context
The core problem is not just malware on a plant network. It is the growing number of connected production systems, IIoT devices, and smart technologies that expand the attack surface inside environments where availability and integrity matter as much as confidentiality. In pharmaceutical manufacturing, that risk becomes an identity and access problem as much as a network one, because every machine, application, and automated process needs tightly bounded communication rights.
The FDA’s guidance matters because it pushes manufacturers away from flat trust assumptions and toward zone and conduit design, asset inventories, and security by design. For IAM, PAM, and NHI teams, the lesson is direct: operational technology now contains service-like identities and control relationships that must be governed with the same discipline used for human access, but under far stricter safety constraints.
Key questions
Q: What breaks when OT systems are not segmented in manufacturing environments?
A: When OT systems remain broadly connected, one compromised device or vendor path can create lateral movement into production-critical equipment. In pharmaceutical manufacturing, that breaks containment, increases safety and quality risk, and makes incident response much harder because the attacker can move between lines and support systems with little friction.
Q: Why do connected manufacturing systems complicate least-privilege access?
A: Connected manufacturing systems complicate least privilege because many devices were built for reliability and interoperability, not narrow authentication or granular authorization. As a result, access decisions often rely on implicit trust, which is unsafe once IIoT, embedded modules, and cross-vendor integrations become part of the production stack.
Q: How do teams know if OT segmentation is still working?
A: OT segmentation is working only if access decisions remain accurate when systems move, scale, or connect to new platforms. If the programme depends on frequent manual rule edits, exceptions, or subnet assumptions to keep traffic flowing, the control is already drifting away from the operational reality it is meant to protect.
Q: Who is accountable for cybersecurity failures in hospital environments?
A: Hospital leadership is accountable when cybersecurity controls fail, especially under regulations such as NIS2 and sector-specific security rules. Responsibility is no longer limited to the IT function because access control, recovery planning, and operational continuity affect patient safety. Boards and executives need evidence that identity controls are managed as part of enterprise risk.
Technical breakdown
Technical information exchange and asset visibility in OT
Modern manufacturing environments rarely have a complete, stable inventory of what is connected. Embedded modules, vendor equipment, and supervisory systems often hide behind abstractions that traditional discovery tools miss. The FDA’s emphasis on technical information exchange reflects this reality: manufacturers need enough detail about devices, software components, and communication paths to understand where trust is being granted. In identity terms, that means knowing which systems can speak, authenticate, or delegate to each other before security policy can be made enforceable.
Practical implication: build a living inventory of manufacturing assets and communication paths before attempting to segment production traffic.
Zone and conduit architecture as a least-privilege model
Zone and conduit architecture applies least privilege to industrial systems. A zone groups assets with similar security needs, while conduits define the controlled paths between them. Instead of allowing broad east-west traffic, security policy should limit communication to the exact systems and protocols that production requires. This is especially important in OT because many devices were designed for reliability first and have weak native authentication or coarse access control. The architecture becomes a containment model for both cyber incidents and operational mistakes.
Practical implication: enforce zone boundaries as policy boundaries, not just network labels, and review every cross-zone dependency.
Security by design for connected manufacturing systems
Security by design means OT security cannot be bolted on after procurement or deployment. Once a production line is commissioned, retrofitting controls is expensive, disruptive, and often incomplete. The article’s discussion of standards alignment shows that manufacturers need to account for encryption, configuration, logging, and identity checks at acquisition time, not just during incident response. For organisations with identity governance programmes, this is where machine identity and device authentication become foundational controls rather than optional enhancements.
Practical implication: require security and identity requirements in OT procurement, commissioning, and change-management workflows.
Threat narrative
Attacker objective: The attacker wants to interrupt manufacturing, damage trust in production integrity, or create patient-safety and supply-chain consequences at scale.
- Entry typically occurs through connected OT systems, vendor-managed modules, or weakly isolated production assets that expose a flat trust boundary.
- Escalation follows when the attacker moves laterally across zones or abuses overly broad communication paths to reach higher-value manufacturing systems.
- Impact is production disruption, safety risk, or regulatory exposure that can affect batches, plants, and downstream patient supply.
NHI Mgmt Group analysis
Identity-based segmentation is now an OT governance requirement, not a niche network design choice. The article shows that flat connectivity and post hoc firewalling do not scale in pharmaceutical manufacturing, where production continuity and patient safety depend on precise communication boundaries. The identity bridge here is real: devices, service-like processes, and vendor systems all behave like non-human participants that need explicit control. Practitioners should treat zone design as identity governance for machines, not just as topology management.
OT security debt accumulates when security is added after commissioning. The FDA’s guidance underscores that many manufacturing environments inherit weak trust assumptions from legacy equipment, vendor integration, and accelerated automation programmes. That creates long-lived exposure that cannot be fixed with a single control. For identity teams, the lesson is that lifecycle governance must extend into manufacturing procurement, onboarding, and change control.
Patient safety changes the risk calculus for access governance. In this domain, a misrouted connection or over-broad control path is not only a cyber risk, it is a quality and safety issue. That means IAM and PAM decisions for manufacturing systems need tighter business ownership, stronger evidence of necessity, and more conservative exception handling. Practitioners should align access decisions to process criticality, not just operational convenience.
Zone boundary protection is the named failure mode this guidance is trying to eliminate. The article repeatedly returns to the idea that uncontrolled east-west movement inside manufacturing environments is the wrong default. That failure mode is especially dangerous where connected devices, IIoT, and embedded modules create hidden dependencies. Security teams should read this as a mandate to prove, not assume, that every cross-zone path is required.
Compliance pressure is moving OT security toward measurable control evidence. The guidance references standards, logging, inventories, and reconfiguration expectations that can be audited. That shifts the burden from vague readiness claims to demonstrable governance. For practitioners, the field is moving toward evidence-based OT security programmes where inventory quality, policy enforcement, and exception tracking matter as much as architecture diagrams.
What this signals
Zone boundary protection is becoming the operational equivalent of machine identity governance in regulated manufacturing. As OT environments absorb more connected devices and automation, teams will need to treat every cross-zone dependency as an access decision with safety consequences, not a routing convenience.
The practical shift is toward evidence. Security leaders will be expected to show complete inventories, controlled conduits, and enforceable exceptions that survive audit scrutiny, while identity programmes extend governance into production systems that were once treated as outside IAM scope.
For teams building out the control stack, the next step is to connect segmentation policy, device classification, and access review into one operating model. That is where Ultimate Guide to NHIs , Key Challenges and Risks becomes useful as a framing resource for sprawl, over-privilege, and hidden dependencies.
For practitioners
- Map every OT asset and dependency Create a complete inventory of production devices, embedded modules, vendor components, and communication flows before redesigning segmentation or access policy.
- Enforce zone-to-zone communication approval Treat each cross-zone path as an explicit business-approved exception, with documented purpose, owner, and expiry tied to production need.
- Bake security into procurement and commissioning Require authentication, logging, encryption, and reconfiguration requirements in OT purchasing and acceptance workflows so controls exist before assets enter production.
- Align machine identity controls to production criticality Classify equipment, automation services, and vendor-managed systems by operational criticality so privileged paths are narrower for high-risk manufacturing processes.
- Test containment before enforcing segmentation Simulate policy changes in representative production environments to verify that segmentation blocks lateral movement without interrupting validated manufacturing workflows.
Key takeaways
- Pharmaceutical OT security is now an identity and governance problem as much as a network problem, because connected devices and vendor systems create trust relationships that must be explicitly controlled.
- The article’s evidence points to a serious exposure pattern, with a 46 percent rise in OT ransomware and large-scale manufacturing losses showing how quickly safety, supply, and compliance can converge.
- The most effective control shift is to prove zone boundaries, inventory quality, and security-by-design requirements before production systems are commissioned or expanded.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | The article focuses on least-privilege communication in OT zones. |
| NIST SP 800-53 Rev 5 | AC-3 | Access enforcement is central to controlling OT cross-zone traffic. |
| CIS Controls v8 | CIS-4 , Secure Configuration of Enterprise Assets and Software | The guidance depends on hardened OT configurations and controlled baselines. |
| ISO/IEC 27001:2022 | A.8.9 | Configuration management supports secure OT baselines and change control. |
Map manufacturing access paths to PR.AC-4 and restrict each zone to necessary communications only.
Key terms
- Zone And Conduit Architecture: A security model that groups assets with similar requirements into zones and allows communication only through controlled conduits. In OT environments, it limits lateral movement and turns segmentation into an explicit policy decision instead of a flat network assumption.
- Operational Technology: Hardware and software that monitor or control physical processes such as manufacturing, packaging, and industrial automation. OT prioritises availability and deterministic performance, which makes security retrofits harder and raises the importance of design-time controls, visibility, and change governance.
- Identity-based Microsegmentation: A segmentation approach that uses identity, context, and policy to decide whether a connection should be allowed inside a network zone. In OT, it helps reduce lateral movement without relying only on IP addresses or broad subnet rules.
- Secure-by-Design: Secure-by-design means security requirements are built into the development process rather than added after release. The practical aim is to define minimum acceptable controls early, then enforce them consistently so products cannot ship without passing baseline security checks.
What's in the full article
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step identity-based microsegmentation deployment patterns for pharmaceutical and biotech manufacturing environments.
- Specific IEC 62443 control mappings and how they translate into policy enforcement across OT zones.
- Case study detail on how global manufacturers reduced segmentation rollout time and cost across multi-site environments.
- Practical examples of asset discovery and classification for hidden modules, PLCs, and vendor-managed systems.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and identity lifecycle control. It helps practitioners translate identity discipline into programmes that span human and non-human access.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org