Manufacturing has been the most targeted sector for cyberattacks five years running, accounting for nearly 28% of all incidents tracked by IBM X-Force in 2025. The problem is not awareness. Most production teams know they are at risk. The problem is implementation. PLCs, HMIs and industrial sensors cannot run security agents. They operate on real-time operating systems with no room for endpoint software. Traditional IT security stops at the factory door.
SASE platforms with hardware-based inline isolation change that equation. They extend Zero Trust controls to the production floor without touching the devices themselves and without disrupting operations. This guide explains what makes production networks different, how inline isolation works in practice, and what mid-market manufacturers need to evaluate before their CyFun deadline in April 2026.
How do you secure a production network without disrupting operations?
You place hardware-based inline isolation between each agentless device and the network. The isolation appliance enforces per-device communication policies, allowing a PLC to reach only its MES server and blocking everything else. No software is installed on the device. No network redesign is required. Deployment happens device by device during planned maintenance windows, and the production line keeps running throughout.
Why manufacturing is the top target (and why IT security does not help)
Ransomware hits manufacturing harder than any other sector for a straightforward reason: downtime equals lost production, and lost production means payment. According to Siemens and Forrester research, unplanned downtime costs industrial companies roughly $125,000 per hour on average. In automotive manufacturing, that figure exceeds $2 million per hour. When attackers encrypt production systems, the pressure to pay is immediate and immense.
The attack surface keeps expanding. IBM X-Force data from 2025 shows a 44% increase in attacks exploiting publicly accessible applications, now the leading entry vector at 40% of all manufacturing incidents. Infostealers, AI-generated phishing campaigns and supply chain compromises round out the threat landscape. Belgian manufacturers face the same groups active across the Benelux: Qilin, Akira and Clop have filled the gap left by LockBit’s disruption.
Traditional IT security tools do not solve this. Endpoint detection and response software requires an agent on every device. Firewalls protect the perimeter but cannot see or stop lateral movement inside the network. Antivirus catches known signatures but misses novel attacks on industrial protocols. A PLC running VxWorks with 64 MB of RAM cannot host any of these tools.
The answer is not another monitoring tool bolted onto the network. It is a platform that isolates every device at the network level, without agents, without production disruption.
What makes production networks different from IT networks
IT-OT convergence is not a future concept. It is already happening on most mid-market factory floors. Production data flows from PLCs to MES systems to ERP platforms. Remote maintenance engineers connect to HMIs from home. Sensor data feeds cloud analytics dashboards. Every one of these connections creates a path that an attacker can follow.
The Purdue model, which traditionally separated IT and OT into distinct levels with an air gap in between, has largely collapsed. Level 3.5 (the demilitarised zone) was meant to be the only crossing point. In practice, direct connections between Level 2 (control systems) and Level 4 (enterprise IT) are common.
What makes these networks fundamentally different from IT environments:
| Aspect | IT network | Production network |
|---|---|---|
| Update cycle | Monthly patches | Years between updates |
| Agent support | Standard on all endpoints | Rarely possible |
| Downtime tolerance | Planned maintenance windows | Near-zero tolerance |
| Protocols | TCP/IP, HTTPS | Modbus TCP, BACnet, EtherNet/IP, PROFINET |
| Security priority | Confidentiality | Availability |
| Vendor constraints | Open ecosystem | Certified configurations, warranty voided by changes |
The protocol mix matters more than most security vendors acknowledge. Modbus runs over TCP. BACnet runs over UDP. EtherNet/IP uses both TCP and UDP. PROFINET operates at Layer 2. Security tools that only inspect TCP traffic miss a significant portion of OT communication. Jimber’s NIAC (Network Isolation Access Controller) handles both TCP and UDP traffic from a single appliance, which is a concrete advantage over solutions limited to TCP-only inspection, as documented in the FortiSASE comparison.
How inline isolation secures devices that cannot protect themselves
This is where the conversation shifts from problem to solution. And the solution has a name.
Jimber’s NIAC sits physically between the agentless device and the rest of the network. It is a hardware appliance that enforces per-device communication policies at the network level. A PLC is only allowed to communicate with its MES server. An HMI can reach the historian database and nothing else. Every other connection attempt is blocked and logged.
The NIAC uses AI-driven device fingerprinting to identify what each device is without manual configuration. It builds a profile of normal communication patterns, then enforces policies based on that profile. Both TCP and UDP protocols are supported. All of this is managed from the same cloud console that controls ZTNA, SWG, FWaaS and SD-WAN, meaning the IT team does not need a separate tool or interface for production network security.
Here is what this looks like in practice.
Scenario 1: USB stick on a shared VLAN
A maintenance engineer plugs a USB stick into an HMI to update a recipe file. The USB carries malware that infects the HMI. On a traditional flat network or shared VLAN, that malware scans for other devices and spreads to PLCs, historians and engineering workstations within minutes.
With Jimber’s NIAC in place, the infected HMI can only communicate with the specific systems its policy allows. The malware’s network scan returns nothing. The compromise stays contained to one device. The security team gets an alert from the anomalous traffic attempt. Production continues on every other line.
Scenario 2: Vendor remote access through VPN
An external engineer needs to troubleshoot a PLC. The standard approach is a VPN connection that grants access to the entire OT network segment. The vendor sees every device, every protocol, every system on that segment.
Jimber replaces that broad VPN with ZTNA: time-limited, per-application access. The vendor reaches only the specific PLC they need to service. The session is logged end to end. Access expires automatically when the maintenance window closes. No lateral movement is possible because the vendor never enters the broader network.
Scenario 3: Ransomware crossing from IT to production
Ransomware encrypts file servers on the corporate IT network. It spreads through SMB shares and moves toward the production segment via a shared switch or router. On a traditional network, the ransomware reaches PLCs, HMIs and historians within the same broadcast domain.
With inline isolation, every production device sits behind a NIAC that permits only its defined communication paths. The PLC communicates with the MES server and the update server. Everything else is blocked. The ransomware’s lateral movement hits a wall at every single device boundary. IT recovers from the ransomware incident while production never stops.
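The following Python model is an added example written for this page; it is not Jimber's code and does not reproduce how the NIAC is implemented. It captures the mechanism the scenarios above rely on: one isolation point per agentless device holding an allowlist of (peer, transport, port) conduits, first populated in a monitoring mode that learns the device's normal traffic, then switched to an enforcement mode in which anything outside the allowlist is blocked and logged. Both TCP and UDP flows are judged the same way. All IP addresses, ports and the flows themselves are constructed for the example; scenario 2 (ZTNA for vendor access) is an access-broker mechanism rather than a device allowlist and is not modelled here.

```python
"""Per-device inline isolation, modelled in Python (added example, not vendor code)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str      # source IP (all addresses below are constructed)
    dst: str      # destination IP
    proto: str    # "tcp" or "udp": both transports are inspected alike
    dport: int    # destination port


@dataclass
class InlineIsolator:
    """One isolation point sitting inline in front of a single device."""
    device: str
    mode: str = "monitor"                      # "monitor" learns, "enforce" blocks
    allow: set = field(default_factory=set)    # {(peer_ip, proto, dport)}
    log: list = field(default_factory=list)    # (verdict, flow) audit trail

    def _key(self, flow):
        """Conduit tuple for a flow that passes through this isolator, else None."""
        if flow.src == self.device:
            return (flow.dst, flow.proto, flow.dport)
        if flow.dst == self.device:
            return (flow.src, flow.proto, flow.dport)
        return None   # traffic between other hosts never traverses this point

    def declare(self, peer, proto, dport):
        """Hand-written conduit, e.g. HMI -> historian over TCP 1433."""
        self.allow.add((peer, proto, dport))

    def start_enforcing(self):
        """Freeze the learned baseline and begin blocking everything else."""
        self.mode = "enforce"

    def observe(self, flow):
        """Return 'learned', 'allow' or 'block' for one flow and record it."""
        key = self._key(flow)
        if key is None:
            return "not-inline"
        if self.mode == "monitor":
            self.allow.add(key)              # baseline learning
            self.log.append(("learned", flow))
            return "learned"
        verdict = "allow" if key in self.allow else "block"
        self.log.append((verdict, flow))
        return verdict

    def blocked(self):
        """Blocked flows only: the evidence a segmentation audit would ask for."""
        return [f for v, f in self.log if v == "block"]


def run_scenarios():
    """Replay scenarios 1 and 3 against the model with constructed addresses:
    PLC 10.10.2.10, HMI 10.10.2.20, MES 10.10.3.5, historian 10.10.3.6,
    corporate file server 10.20.0.50."""
    plc, hmi, mes, hist, fileserver = ("10.10.2.10", "10.10.2.20",
                                       "10.10.3.5", "10.10.3.6", "10.20.0.50")

    # PLC baseline learned in monitoring mode: the MES polls it over Modbus TCP 502.
    plc_iso = InlineIsolator(plc)
    for _ in range(3):
        plc_iso.observe(Flow(mes, plc, "tcp", 502))
    plc_iso.start_enforcing()

    # HMI conduit declared by hand: historian database only.
    hmi_iso = InlineIsolator(hmi)
    hmi_iso.declare(hist, "tcp", 1433)
    hmi_iso.start_enforcing()

    results = Counter()
    # Scenario 1: malware on the HMI probes the subnet for Modbus devices.
    for host in range(1, 51):
        results["scan_" + hmi_iso.observe(Flow(hmi, f"10.10.2.{host}", "tcp", 502))] += 1
    # Legitimate HMI -> historian traffic is unaffected by the scan being blocked.
    results["hmi_hist_" + hmi_iso.observe(Flow(hmi, hist, "tcp", 1433))] += 1

    # Scenario 3: ransomware on IT reaches for the PLC over SMB; MES polling still flows.
    results["smb_" + plc_iso.observe(Flow(fileserver, plc, "tcp", 445))] += 1
    results["mes_" + plc_iso.observe(Flow(mes, plc, "tcp", 502))] += 1
    # A UDP probe (BACnet/IP port 47808) gets the same treatment as TCP.
    results["bacnet_" + plc_iso.observe(Flow(fileserver, plc, "udp", 47808))] += 1
    results["plc_blocked_logged"] = len(plc_iso.blocked())
    return dict(results)


if __name__ == "__main__":
    for name, count in sorted(run_scenarios().items()):
        print(f"{name:>20}: {count}")
```

The point the model makes is that containment does not depend on recognising the malware: the HMI's scan is blocked because none of the 50 probed conduits were ever learned or declared, while the single learned MES conduit keeps the PLC in production. The `blocked()` list is the per-device record that a centralised console would aggregate into audit evidence.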
For a detailed technical comparison of how this contrasts with perimeter-only OT approaches, see the Cato Networks comparison.
NIS2 and IEC 62443: what compliance demands from your production network
Manufacturing companies in Belgium classified as “important entities” under NIS2 face a concrete deadline. The CyberFundamentals (CyFun) framework, administered by the Centre for Cybersecurity Belgium (CCB), requires a first conformity verification by April 2026. Full certification for essential entities follows in April 2027.
CyFun maps to international frameworks including NIST CSF 2.0 and ISO 27001, but adds Belgian-specific controls. For manufacturers, the relevant requirements include network segmentation and access control for production systems, incident detection and logging capabilities, supply chain risk management (including vendor access to OT environments), and board-level accountability for cybersecurity measures.
IEC 62443, the international standard for industrial automation security, complements NIS2 with its zone-and-conduit model. It requires manufacturers to define security zones around groups of assets with similar security requirements and to control all communication that crosses zone boundaries through defined conduits.
Inline isolation maps directly to both frameworks. Each NIAC creates a security zone of one device. Communication policies define the conduits. Every access decision is logged.
Jimber’s single management console provides the centralised logging and audit trail that NIS2 assessors expect. Every access decision, every device communication flow, and every policy change is recorded in one place. For manufacturers classified as important entities, Jimber’s platform generates the evidence packages that CyFun conformity assessments require, without manual log assembly from five different tools.
For the full NIS2 compliance requirements and a practical NIS2 compliance checklist, see the linked guides. The device posture checks guide covers how managed devices fit into the same compliance picture.
What to evaluate when choosing security for mid-market manufacturing
Not every SASE platform is built for production environments. When evaluating options, these five criteria separate solutions that work on the factory floor from those that only work in the data centre.
1. Agentless device support: inline isolation vs monitoring-only
Passive OT monitoring tools like Claroty and Nozomi detect anomalies but do not block them. They tell you that something went wrong. Inline isolation prevents it from happening. Jimber’s NIAC provides hardware-based inline isolation, not passive monitoring. It enforces policies in real time, blocking unauthorised communication before it reaches the target device.
2. Protocol support: TCP and UDP
Production environments use both TCP-based protocols (Modbus, EtherNet/IP CIP) and UDP-based protocols (BACnet, PROFINET). A security solution that only inspects TCP traffic leaves UDP communication unmonitored and uncontrolled. Jimber supports both TCP and UDP protocols from the same appliance.
3. Single console for IT and OT
Managing production security from a separate tool creates blind spots and doubles the operational load. Jimber manages NIAC policies, ZTNA access rules, SWG configuration and SD-WAN connectivity from one interface. The IT team sees the entire network, IT and OT, in a single dashboard.
4. NIS2 compliance reporting
Manual log assembly from multiple tools is time-consuming and error-prone. Centralised logging generates the audit evidence CyFun assessors require. Jimber’s console captures every policy decision across every component in one searchable log.
5. Deployment without production disruption
Any solution that requires network redesign, VLAN restructuring or extended downtime is impractical for a production environment. NIAC sits inline without reconfiguring existing network infrastructure. Rollout is phased, device by device, during planned maintenance windows. A typical mid-market production floor with 20 to 50 agentless devices can be fully covered in days, not months.
For a broader view of how SASE architecture brings these components together, and how microsegmentation works at the identity level, the linked guides go deeper on each topic. The network segmentation guide covers the evolution from VLANs to identity-based isolation.
What is OT security and how does it differ from IT security?
OT security focuses on protecting the systems that control physical processes: PLCs, HMIs, SCADA systems, sensors and actuators. The priority is availability and safety, not confidentiality. Patching is rare because updates can disrupt production. Devices run for decades. Protocols lack built-in authentication. IT security assumes you can install agents, push patches monthly and tolerate brief outages for maintenance. None of those assumptions hold on the factory floor.
Can I secure PLCs without installing software on them?
Yes. Inline isolation hardware like Jimber’s NIAC sits between the device and the network, enforcing per-device communication policies without any software on the PLC itself. The NIAC identifies the device through traffic fingerprinting, learns its normal communication patterns, and blocks everything outside that baseline. The PLC does not know the NIAC is there.
Does NIS2 apply to manufacturing companies?
Yes. Manufacturing is explicitly listed as a sector under NIS2. Companies in the Annex I and Annex II categories, which include manufacturers of medical devices, electronics, machinery and transport equipment, are classified as important or essential entities depending on size and societal impact. In Belgium, the CCB uses the CyFun framework for compliance verification. The first deadline is April 2026. See the full NIS2 compliance checklist for specifics.
How does SASE differ from dedicated OT monitoring tools like Claroty or Nozomi?
OT monitoring tools provide visibility into industrial network traffic and detect anomalies. They are valuable for understanding what is happening on your production network. But they do not enforce policies or block unauthorised communication in real time. SASE with inline isolation, as Jimber provides through NIAC, combines detection with enforcement. It does not just tell you that a PLC received an unauthorised command. It prevents the command from reaching the PLC in the first place.
What is IEC 62443 and do I need it?
IEC 62443 is the international standard for security in industrial automation and control systems. It defines a zone-and-conduit model where assets are grouped into security zones and all cross-zone communication flows through controlled conduits. While not legally mandatory in Belgium, CyFun references its principles, and many manufacturers in regulated sectors (pharma, food, energy) use it as their baseline. Inline isolation aligns naturally with IEC 62443 because each device behind a NIAC effectively becomes its own zone.
How long does it take to deploy inline isolation on a production floor?
Jimber’s NIAC can be deployed device by device during planned maintenance windows. No network redesign required. The appliance is placed inline, learns normal traffic patterns in monitoring mode, then switches to enforcement mode once the baseline is established. A typical mid-market production floor with 20 to 50 critical devices can be fully covered in days, not months. Rollout is phased so production never stops.
Jimber’s SASE platform brings the same Zero Trust controls your IT network already uses to the production floor. No agents on PLCs. No downtime during deployment. One console for everything. If your CyFun deadline is approaching and your production devices are still unprotected, now is the time to close that gap. See the industrial OT security use case for deployment details, or book a demo to see inline isolation working on real industrial protocols.