If your business operates anything physical — manufacturing lines, warehouse automation, refrigeration plants, lifts, building management, even commercial kitchens or laboratory equipment — the odds are that you have an operational technology (OT) estate that is now connected to the network in some way. For most SMEs that OT estate has been quietly added to over the last decade, often by the equipment vendor during commissioning, with little thought given to ongoing cyber security. The good news is that most of the risks can be reduced substantially without replacing any of the kit.
What "OT" actually means in an SME
Operational technology covers the dedicated hardware and software that monitors or controls physical processes: PLCs, SCADA systems, HMIs, building management systems, industrial sensors, modern refrigeration and HVAC controllers, IP cameras, badge-access systems and similar. It excludes the general-purpose IT estate (laptops, servers, networks) that runs the office, even though they share physical cabling and increasingly share IP networks too. The reason this distinction matters is that OT kit has different priorities: availability usually trumps confidentiality, downtime costs money per minute, and many devices cannot be patched because the vendor controls firmware and the upgrade window is constrained.
The threat has changed
Five years ago the realistic threat to OT for an SME was almost zero. The kit was isolated, the threat actors were focused on financial services and government, and most OT incidents involved accidental disruption rather than malicious actors. That has changed. Ransomware crews routinely attack manufacturing and logistics targets because downtime translates directly into ransom leverage. Nation-state groups have pre-positioned tooling in critical-infrastructure OT for geopolitical reasons. Insurance claims for OT incidents have grown noticeably year on year. The threat is real, it is here, and it disproportionately affects organisations that have not done the basic hygiene work.
Sensible segmentation and access controls
- Physically or logically separate the OT network from the IT network. At minimum, route between them through a stateful inspection firewall with an explicit allow list of permitted traffic.
- Document every device on the OT network: what it is, what firmware it runs, who supports it, what its patching cadence is, who to call if it fails.
- Restrict outbound internet access from OT devices. The vast majority of OT kit does not need the internet at all; if it does (for vendor telemetry, for example), allow only the specific destinations the vendor specifies.
- Replace shared and default administrator credentials on every OT device. Most come with vendor-default credentials documented in the manual.
- Establish a written change-control process for anything that crosses the IT/OT boundary — a new HMI, an external vendor who needs remote access, an edge analytics box that needs to read PLC data.
Patching in an environment where downtime is costly
OT vendors often test firmware updates for months before recommending them, and applying them frequently requires a planned maintenance window. That is fine — the discipline is to schedule those windows, not to skip them forever. Build a rolling OT patch register that records what was reviewed, when it was applied, and any deliberate deferrals with a reason. For devices that genuinely cannot be patched (because the vendor has gone out of business, for example), the answer is compensating controls: tighter segmentation, stricter firewall rules, more frequent vulnerability scans, and a written decision to accept the residual risk signed off by someone senior.
When to bring in a specialist
If your OT estate is large, regulated or genuinely safety-critical — pharmaceutical, food production, water, any environment with HSE implications — bring in an OT cyber specialist for at least a first review. For most smaller SMEs a competent IT partner, working from a sensible segmentation and asset-register template, can get you 80% of the way without the cost of a specialist engagement. The right conversation to have first is always "what is the worst that happens if this stops working for 24 hours" — the answer drives both the budget and the urgency.
We help SMEs across Hertfordshire, Bedfordshire and London bring their OT estate into the same risk-managed conversation as the rest of their IT. If you have recently added any new connected equipment, or if you have never audited what is sitting on the OT network, get in touch for a one-day review.



