Building a Manufacturing SOC for IT and OT Security

CISO Circle Tom Harrop Director Manufacturing & IoT Specialization at Splunk

A single compromised sensor on the factory floor can now bring global production to a grinding halt before the security team even clears their morning alert queue. As operational technology and IT become linked, the traditional SOC is no longer equipped to keep the assembly lines moving.

While interconnected IT and OT environments drive innovation and efficiency, this progress introduces increased security challenges. In fact, according to Splunk’s State of Security 2025 report, 77% of manufacturing organizations revealed they’re reevaluating how their SOCs perform to prepare for what’s next.

We know firsthand how challenging this environment can be. From the relentless flood of threats to the adoption of AI and the persistent talent gap, manufacturers face a perfect storm of complexity. Let’s explore the critical challenges, actionable strategies, and technology-driven solutions that can help build a more resilient, future-ready SOC within manufacturing.

A shifting cybersecurity landscape in manufacturing

Historically, manufacturing security relied on perimeter defenses like firewalls to establish a demarcation between corporate IT systems and factory floor operational technology. While the idea of a fully air-gapped environment, one completely isolated from external connections, is often referenced, the reality is that most companies relied on firewalls to separate these two worlds rather than truly air gapping the manufacturing environment from IT.

Today, the drive for real-time data, predictive maintenance, and cloud analytics requires these two worlds to connect even more closely. That firewall-based separation is coming under increasing pressure because business efficiency and modern manufacturing initiatives demand a seamless flow of data from the factory floor to the boardroom.

This integration introduces complex security risks. Legacy industrial control systems were built decades ago to prioritize continuous uptime rather than modern cybersecurity. They often lack basic defenses like encryption, strong authentication, or the ability to receive software patches. As the separation between IT and the factory floor erodes, these vulnerable machines are suddenly exposed to the broader network. A threat actor can now use a simple phishing email to breach the corporate IT network and move laterally into the factory floor. This turns a standard data breach into a physical production shutdown.

This convergence exposes significant inefficiencies in many SOCs. Security teams are too often consumed by manual tasks such as patching and configuring tools. This hinders their ability to focus on proactive threat detection and response.

As Ingrid Jeannot, Business Value Advisor at Splunk, pointed out, “Security is no longer just a necessary cost. It’s about minimizing business risk.”

The status quo leaves organizations vulnerable. Adopting a unified and proactive approach empowers leaders to evolve their SOCs and safeguard their businesses.

Breaking free from alert overload

One of the manufacturing sector’s most pressing challenges is inefficiency within SOC environments. Nearly 60% of manufacturing respondents report being overwhelmed by alerts. False positives and context-lacking notifications clog workflows, leading to delays in incident response and draining analysts’ time and energy.

Disparate tools and siloed systems are major culprits. Many organizations rely on a patchwork of IT and OT systems compounded by legacy tools that were never designed to work together. Analysts often endure swivel chair operations by toggling between multiple dashboards and screens to correlate data. This creates a massive productivity drain.

Consolidating tools and investing in platforms that unify data from across the environment allows teams to reclaim lost time and dramatically improve SOC efficiency.

As Ingrid explains,

It’s about understanding, analyzing, and optimizing your tools, then making bold, strategic consolidation decisions.

Optimizing SOC efficiency begins with auditing the existing toolset to identify overlaps or inefficiencies. From there, leaders can consolidate redundant systems and upgrade to platforms with broader capabilities. Enabling orchestration and automation further reduces manual workloads and streamlines responses, allowing teams to operate with greater agility.

Leveraging AI as a strategic co-pilot

The adoption of AI in manufacturing security has sparked excitement and hesitation in equal measure. Splunk’s research revealed an AI paradox: while 58% of respondents have seen efficiency gains with AI, only 9% fully trust it for mission-critical operations. AI clearly offers potential, but trust in its reliability remains low—particularly when production lines and safety protocols are on the line.

The path forward lies in treating AI as a high-powered co-pilot, not the pilot. AI excels in handling the “heavy lifting” of data analysis, reducing noise, and surfacing actionable insights. But for critical decisions, the human element remains irreplaceable.

A phased approach to AI adoption offers the best results when it incorporates a clear process of verification:

Adopting a measured and strategic approach helps manufacturing teams harness the power of AI while maintaining control over mission-critical processes.

Confronting the talent gap with proactive investment

The cybersecurity talent gap is one of the biggest obstacles to building resilient manufacturing SOCs. Nearly 48% of manufacturing respondents report being understaffed, 33% feel underskilled, and 24% highlight underfunding as a persistent issue. These gaps result in greater burnout, slower response times, and an overall weakened security posture.

The solution? A combination of continuous training, automation, and a fresh approach to hiring. As Josh Ohana, Sales Business Development Manager at Splunk, shared,

Technical skills can be taught, but curiosity and eagerness to solve puzzles are invaluable traits for building resilient teams.

Best practices for addressing the talent gap:

Organizations must also prioritize knowledge sharing. Standardizing detection logic and embracing a “detection-as-code” approach ensures institutional knowledge isn’t siloed with a few individuals.

Achieving SOC unification for proactive defense

Disconnected tools and silos within SOC environments create dangerous blind spots. For example, a suspicious login in IT might lead to a change in a PLC (programmable logic controller) on the factory floor—but without a unified SOC, connecting these activities in real-time is nearly impossible.

The benefits of a unified SOC are undeniable: faster incident response, improved threat coverage, and reduced maintenance requirements. 62% of manufacturers with connected SOCs report significant gains in these areas.

Effective ways to unify your SOC:

Building resilience through a unified path forward

Manufacturing is at a pivotal moment. The convergence of IT and OT, rapid technological advancements, and a growing threat landscape invite a seismic shift in how SOCs operate. Proactively addressing inefficiencies, embracing AI judiciously, investing in talent, and unifying SOCs allows manufacturing leaders to achieve greater security resilience.

Resilience goes beyond technology. It involves a fundamental shift in culture. As Ingrid aptly put it, “Creating a culture of security needs top-down support. Security is no longer just a cost center but a strategic enabler.”

Threats never take a break, and SOC evolution relies on continuous momentum. Embracing innovation, investing in people, and adopting platforms that enable visibility, automation, and proactive defense will position your organization for long-term success. To dive deeper into these insights and take actionable steps, download the State of Security in Manufacturing Action Guide.

No results