TL;DR: The FDA’s June 2025 white paper on securing operational technology used for medical product manufacturing reframes pharmaceutical cybersecurity around connected production systems, asset visibility, zone-based segmentation, and security by design, while the article cites a 46% surge in ransomware against OT and $10 billion in NotPetya damage. Compliance now depends on controlling manufacturing trust boundaries, not just hardening endpoints.
NHIMG editorial — based on content published by Elisity: FDA's New OT Cybersecurity Guidance for pharmaceutical and biotech manufacturing security
By the numbers:
- As ransomware attacks against operational technology surge 46 percent, the FDA’s focus on securing connected production systems has become a compliance issue for manufacturers.
- The NotPetya attack caused $10 billion in global damages and affected pharmaceutical manufacturer Merck & Co., showing how OT disruption can cascade beyond one site.
Questions worth separating out
Q: What breaks when OT systems are not segmented in manufacturing environments?
A: When OT systems remain broadly connected, one compromised device or vendor path can create lateral movement into production-critical equipment.
Q: Why do connected manufacturing systems complicate least-privilege access?
A: Connected manufacturing systems complicate least privilege because many devices were built for reliability and interoperability, not narrow authentication or granular authorization.
Q: How do teams know if OT segmentation is still working?
A: OT segmentation is working only if access decisions remain accurate when systems move, scale, or connect to new platforms.
Practitioner guidance
- Map every OT asset and dependency Create a complete inventory of production devices, embedded modules, vendor components, and communication flows before redesigning segmentation or access policy.
- Enforce zone-to-zone communication approval Treat each cross-zone path as an explicit business-approved exception, with documented purpose, owner, and expiry tied to production need.
- Bake security into procurement and commissioning Require authentication, logging, encryption, and reconfiguration requirements in OT purchasing and acceptance workflows so controls exist before assets enter production.
What's in the full article
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step identity-based microsegmentation deployment patterns for pharmaceutical and biotech manufacturing environments.
- Specific IEC 62443 control mappings and how they translate into policy enforcement across OT zones.
- Case study detail on how global manufacturers reduced segmentation rollout time and cost across multi-site environments.
- Practical examples of asset discovery and classification for hidden modules, PLCs, and vendor-managed systems.
👉 Read Elisity’s analysis of FDA OT cybersecurity guidance for pharmaceutical manufacturing →
FDA OT cybersecurity guidance: what it means for pharma security teams?
Explore further
Identity-based segmentation is now an OT governance requirement, not a niche network design choice. The article shows that flat connectivity and post hoc firewalling do not scale in pharmaceutical manufacturing, where production continuity and patient safety depend on precise communication boundaries. The identity bridge here is real: devices, service-like processes, and vendor systems all behave like non-human participants that need explicit control. Practitioners should treat zone design as identity governance for machines, not just as topology management.
A question worth separating out:
Q: Who is accountable for cybersecurity failures in hospital environments?
A: Hospital leadership is accountable when cybersecurity controls fail, especially under regulations such as NIS2 and sector-specific security rules. Responsibility is no longer limited to the IT function because access control, recovery planning, and operational continuity affect patient safety. Boards and executives need evidence that identity controls are managed as part of enterprise risk.
👉 Read our full editorial: FDA OT cybersecurity guidance reshapes pharmaceutical manufacturing security