research

Manufacturing M&A: The IT Integration Checklist for Factory Floor Systems and OT

Manufacturing acquisitions add OT (Operational Technology) complexity that standard IT DD misses. SCADA, PLCs, MES systems, and the cybersecurity requirements for industrial environments.

Luna ·
manufacturing ot scada plc industrial m-and-a

Manufacturing acquisitions have a layer of complexity that doesn’t exist in most other M&A deal types: Operational Technology (OT) environments.

The IT team knows about servers, workstations, and cloud environments. But in a manufacturing company, there’s a second layer — the factory floor systems — that is often invisible to the IT team and completely outside the normal ITDD scope.

These systems run the factory. If they’re compromised during integration, the production line stops.

The OT Discovery Layers in Manufacturing M&A

Layer 1: SCADA Systems

Supervisory Control and Data Acquisition (SCADA) systems monitor and control industrial processes — water treatment, electrical distribution, chemical processing, assembly line control.

SCADA systems are typically:

  • Running on Windows Server 2008 or 2012 (frequently, because the vendor hasn’t updated the software to support newer OS versions)
  • Accessed via a web interface that has known vulnerabilities
  • Connected to the corporate network (the IT network) for data collection purposes
  • Managed by an OT team, not the IT team

Key finding in IT DD for manufacturing targets: Is the SCADA system connected to the corporate network? If yes, what is the network segmentation? A compromised SCADA system can be used as a pivot point to attack the corporate network — and vice versa.

Layer 2: PLCs and Industrial Control Systems

Programmable Logic Controllers (PLCs) are the hardware devices that control factory floor equipment. They’re programmed by automation engineers using vendor-specific programming environments (Siemens TIA Portal, Rockwell Studio 5000, Schneider Unity).

PLCs don’t appear in a standard IT inventory. They don’t run Windows or have IP addresses that are easy to discover. They do have IP addresses — but they’re on industrial Ethernet networks (PROFINET, EtherNet/IP, Modbus) that are separate from the corporate IT network.

Discovering PLCs requires: network scanning on the OT network segment, or asking the OT team for the PLC inventory directly.

Layer 3: MES and MOM Systems

Manufacturing Execution Systems (MES) and Manufacturing Operations Management (MOM) systems are the software layer that sits between ERP (which plans the production) and the factory floor (which executes it).

MES systems are typically:

  • Running on Windows servers (often 2012 or 2016)
  • Connected to both the corporate IT network and the OT network
  • Containing production data, recipe data, and quality data that is critical to operations
  • Licensed per production line or per site — complex licensing that doesn’t translate cleanly during a merger

Layer 4: Industrial Network Infrastructure

The industrial network (also called the OT network or the plant network) is separate from the corporate IT network, but connected via a DMZ or a SCADA firewall.

The industrial network contains: industrial Ethernet switches, routers, firewalls (typically vendor-specific OT firewalls from Claroty, Nozomi, or Palo Alto’s OT-specific products), and wireless access points for handheld scanners and mobile devices on the factory floor.

The Cybersecurity Problem in Manufacturing M&A

Manufacturing companies are the most targeted sector for ransomware attacks — and the most affected, because an attack on the OT environment can shut down production lines.

The specific cybersecurity risks in the OT environment:

  • Unpatched Windows systems: SCADA and MES servers frequently run unpatched Windows because the vendor requires testing before patches are applied. A patching cycle that takes 2 weeks in IT can take 3-6 months in OT.
  • Legacy protocols: OT networks use industrial protocols (PROFINET, EtherNet/IP, Modbus) that were designed without security in mind and are now being networked into modern environments.
  • Shared credentials: SCADA systems frequently have default vendor credentials or shared credentials across multiple sites. These are rarely changed.
  • Flat networks: Many OT networks are flat (no network segmentation between engineering workstations, PLCs, and SCADA servers). A compromise of one device can move laterally across the entire OT network.

The OT Integration Checklist for Manufacturing M&A

Discovery (pre-close)

  • SCADA system inventory: vendor, version, OS, network connectivity, remote access methods
  • PLC inventory: vendor, model, firmware version, IP address, programming workstation
  • MES/MOM system inventory: vendor, version, OS, data stores, integrations
  • Industrial network architecture: segmentation, firewalls, switches, DMZ configuration
  • OT security monitoring: is there an OT-specific security monitoring solution deployed? (Claroty, Nozomi, Dragos, etc.)

Security Assessment

  • Identify the most critical OT assets (the ones whose compromise would shut down production)
  • Assess network segmentation between IT and OT networks
  • Identify all remote access paths to OT environments (vendor remote access, IT remote access tools that have been extended to OT)
  • Check for default or shared credentials in SCADA and PLC systems

Integration Planning

  • Do not extend IT identity infrastructure (Azure AD, AD) into the OT environment without careful planning
  • Plan for OT-specific patching cycles (typically quarterly, not monthly)
  • Plan for the separation of OT network from corporate network — this is a security requirement, not an optional optimization
  • Establish an OT security monitoring baseline: what does “normal” traffic look like in the OT network?

Post-Close

  • Deploy OT-specific security monitoring if not already in place
  • Conduct an OT-specific penetration test (different from a standard IT penetration test — requires OT-specific tooling and expertise)
  • Establish an OT incident response plan separate from the IT incident response plan
  • Identify the OT vendor contacts for all critical systems — these vendors need to be part of the incident response plan

The OT Finding That Changes the Deal

The finding that most commonly changes a manufacturing M&A deal: the OT network has no segmentation from the IT network.

If a manufacturing company’s OT network is flat with its IT network, any ransomware that gets into the IT environment can spread to the OT environment. And from there, to the SCADA systems, the PLCs, and the production line.

This is not theoretical. It’s happened. The 2021 Colonial Pipeline attack: the ransomware compromised the IT network, not the OT network directly — but the operator shut down the pipeline as a precaution because the OT network was reachable from the IT network.

If ACQI’s network discovery finds that a manufacturing target has no IT/OT network segmentation, this is a high-severity finding that requires a remediation plan before Day 1.

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.

See ACQI in action Talk to the team