Building a Manufacturing SOC for IT and OT Security
CISO Circle Tom Harrop Director Manufacturing & IoT Specialization at SplunkA single compromised sensor on the factory floor can now bring global production to a grinding halt before the security team even clears their morning alert queue. As operational technology and IT become linked, the traditional SOC is no longer equipped to keep the assembly lines moving.
While interconnected IT and OT environments drive innovation and efficiency, this progress introduces increased security challenges. In fact, according to Splunk’s State of Security 2025 report, 77% of manufacturing organizations revealed they’re reevaluating how their SOCs perform to prepare for what’s next.
We know firsthand how challenging this environment can be. From the relentless flood of threats to the adoption of AI and the persistent talent gap, manufacturers face a perfect storm of complexity. Let’s explore the critical challenges, actionable strategies, and technology-driven solutions that can help build a more resilient, future-ready SOC within manufacturing.
A shifting cybersecurity landscape in manufacturing
Historically, manufacturing security relied on perimeter defenses like firewalls to establish a demarcation between corporate IT systems and factory floor operational technology. While the idea of a fully air-gapped environment, one completely isolated from external connections, is often referenced, the reality is that most companies relied on firewalls to separate these two worlds rather than truly air gapping the manufacturing environment from IT.
Today, the drive for real-time data, predictive maintenance, and cloud analytics requires these two worlds to connect even more closely. That firewall-based separation is coming under increasing pressure because business efficiency and modern manufacturing initiatives demand a seamless flow of data from the factory floor to the boardroom.
This integration introduces complex security risks. Legacy industrial control systems were built decades ago to prioritize continuous uptime rather than modern cybersecurity. They often lack basic defenses like encryption, strong authentication, or the ability to receive software patches. As the separation between IT and the factory floor erodes, these vulnerable machines are suddenly exposed to the broader network. A threat actor can now use a simple phishing email to breach the corporate IT network and move laterally into the factory floor. This turns a standard data breach into a physical production shutdown.
This convergence exposes significant inefficiencies in many SOCs. Security teams are too often consumed by manual tasks such as patching and configuring tools. This hinders their ability to focus on proactive threat detection and response.
The status quo leaves organizations vulnerable. Adopting a unified and proactive approach empowers leaders to evolve their SOCs and safeguard their businesses.
Breaking free from alert overload
One of the manufacturing sector’s most pressing challenges is inefficiency within SOC environments. Nearly 60% of manufacturing respondents report being overwhelmed by alerts. False positives and context-lacking notifications clog workflows, leading to delays in incident response and draining analysts’ time and energy.
Disparate tools and siloed systems are major culprits. Many organizations rely on a patchwork of IT and OT systems compounded by legacy tools that were never designed to work together. Analysts often endure swivel chair operations by toggling between multiple dashboards and screens to correlate data. This creates a massive productivity drain.
Consolidating tools and investing in platforms that unify data from across the environment allows teams to reclaim lost time and dramatically improve SOC efficiency.
As Ingrid explains,
Optimizing SOC efficiency begins with auditing the existing toolset to identify overlaps or inefficiencies. From there, leaders can consolidate redundant systems and upgrade to platforms with broader capabilities. Enabling orchestration and automation further reduces manual workloads and streamlines responses, allowing teams to operate with greater agility.
Leveraging AI as a strategic co-pilot
The adoption of AI in manufacturing security has sparked excitement and hesitation in equal measure. Splunk’s research revealed an AI paradox: while 58% of respondents have seen efficiency gains with AI, only 9% fully trust it for mission-critical operations. AI clearly offers potential, but trust in its reliability remains low—particularly when production lines and safety protocols are on the line.
The path forward lies in treating AI as a high-powered co-pilot, not the pilot. AI excels in handling the “heavy lifting” of data analysis, reducing noise, and surfacing actionable insights. But for critical decisions, the human element remains irreplaceable.
A phased approach to AI adoption offers the best results when it incorporates a clear process of verification:
- Start small by using domain-specific AI tools built for security to ensure meaningful results.
- Focus on low-risk tasks by applying AI to triage low-priority alerts, enrich data, and summarize incident reports.
- Keep humans in the loop by pairing the speed and scale of AI with human expertise in context and intuition.
Adopting a measured and strategic approach helps manufacturing teams harness the power of AI while maintaining control over mission-critical processes.
Confronting the talent gap with proactive investment
The cybersecurity talent gap is one of the biggest obstacles to building resilient manufacturing SOCs. Nearly 48% of manufacturing respondents report being understaffed, 33% feel underskilled, and 24% highlight underfunding as a persistent issue. These gaps result in greater burnout, slower response times, and an overall weakened security posture.
The solution? A combination of continuous training, automation, and a fresh approach to hiring. As Josh Ohana, Sales Business Development Manager at Splunk, shared,
Best practices for addressing the talent gap:
- Invest in ongoing training and certifications: Equip teams with skills in cloud security, AI, OT protocols, and DevSecOps.
- Hire for curiosity, not just technical expertise: Look for adaptable, problem-solving candidates who can grow with your organization.
- Automate repetitive tasks to free up analysts for higher-value work, such as proactive threat hunting and strategic defense planning.
Organizations must also prioritize knowledge sharing. Standardizing detection logic and embracing a “detection-as-code” approach ensures institutional knowledge isn’t siloed with a few individuals.
Achieving SOC unification for proactive defense
Disconnected tools and silos within SOC environments create dangerous blind spots. For example, a suspicious login in IT might lead to a change in a PLC (programmable logic controller) on the factory floor—but without a unified SOC, connecting these activities in real-time is nearly impossible.
The benefits of a unified SOC are undeniable: faster incident response, improved threat coverage, and reduced maintenance requirements. 62% of manufacturers with connected SOCs report significant gains in these areas.
Effective ways to unify your SOC:
- Break down silos: Foster collaboration between IT, OT, and security teams by aligning processes and objectives.
- Standardize processes: Develop clear incident response protocols, train teams, and regularly test workflows through tabletop exercises.
- Adopt a unified platform: Use a central hub that integrates data from across IT, OT, and cloud systems to enable visibility and coordination.
Building resilience through a unified path forward
Manufacturing is at a pivotal moment. The convergence of IT and OT, rapid technological advancements, and a growing threat landscape invite a seismic shift in how SOCs operate. Proactively addressing inefficiencies, embracing AI judiciously, investing in talent, and unifying SOCs allows manufacturing leaders to achieve greater security resilience.
Resilience goes beyond technology. It involves a fundamental shift in culture. As Ingrid aptly put it, “Creating a culture of security needs top-down support. Security is no longer just a cost center but a strategic enabler.”
Threats never take a break, and SOC evolution relies on continuous momentum. Embracing innovation, investing in people, and adopting platforms that enable visibility, automation, and proactive defense will position your organization for long-term success. To dive deeper into these insights and take actionable steps, download the State of Security in Manufacturing Action Guide.