The Challenge
The group manufactures precision components across eight facilities in the Midlands and the East of England. The facilities operate a mix of modern CNC equipment connected to the corporate network, legacy industrial control systems installed a decade ago and not designed for network connectivity, and newer OT environments that were networked deliberately as part of a digital manufacturing initiative.
The near-miss that prompted the engagement occurred on a Friday afternoon in the third week of the digital manufacturing initiative's second phase. An engineer conducting remote diagnostics on a CNC cell used credentials that had not been rotated since installation. The session was not logged through the secure remote access gateway the IT security team had established for OT access. The connection was made directly through the flat corporate network segment that the OT team used for day-to-day operations. The session lasted forty minutes before the IT security team's network monitoring flagged the traffic pattern as anomalous.
Nothing was damaged. No production was disrupted. The engineer had legitimate reasons to access the system and had done so using a method that was technically faster than the approved gateway. The near-miss was not a malicious act. It was an operational shortcut taken by a skilled engineer who had not been trained on the security implications of unlogged direct access to industrial control systems.
The post-incident review identified the root cause as a gap in the training programme rather than a gap in the engineer's competence or intent. The group's IT security training covered corporate IT systems, phishing, password management, and data handling. It had been designed for office-based staff and extended to manufacturing employees without modification. There was no content addressing OT-specific risks, the security implications of IT/OT network convergence, or the difference between acceptable shortcuts in a standard IT environment and the same shortcuts in an environment where the downstream consequence could be unplanned production stoppage, equipment damage, or in more serious scenarios, physical harm.
The IT security team's own assessment identified a further problem. The OT environment across eight facilities was not homogeneous. Each facility had accumulated its own configuration, its own access practices, and its own informal norms. Some facilities had strict access discipline because a senior engineer there had a personal interest in security. Others had developed informal practices that the facility manager had tolerated because they enabled faster response to production issues.
The group's Head of IT Security described the challenge as follows: the training problem was not one of awareness but of translation. Engineers at these facilities were technically sophisticated, experienced, and risk-aware in the context of physical machinery. The concept of security risk was not foreign to them. What was missing was a translation layer between the IT security concepts in the existing training and the operational reality they worked in every day.
The Approach
The engagement design was built around the translation principle. LimitedView worked with the group's OT team and the IT security team jointly to develop content that was explicitly grounded in the manufacturing environment rather than adapted from generic IT security material.
The first triggered module, deployed within forty-eight hours of the near-miss being classified, was built directly from the incident. It used the actual access pattern that had created the near-miss — sanitised of personal identifiers — as the primary scenario. Engineers were walked through the specific steps that had been taken, why each step was technically understandable as a shortcut, and what the security implications of each step were in an OT environment.
The module was deployed to all engineering and operations staff across all eight facilities. A parallel version was created for IT staff responsible for OT network management, covering the same incident from the IT security monitoring perspective.
The facilitation model was adapted for facilities. LimitedView worked with each facility's production manager to identify delivery windows that did not conflict with shift patterns or production schedules. In most facilities, this meant delivery in two cohorts aligned with shift changeovers. The facilitated group delivery format — the same content, a facilitator leading the session rather than self-paced digital completion — was used for the initial module because the group's OT staff had lower rates of desktop access during their working day.
Subsequent modules in the programme were built around the specific OT risk areas identified in the access audit that followed the near-miss. The audit found six categories of recurring unsafe access behaviour across the eight facilities. LimitedView built one triggered module per category, deployed in sequence over five months following the initial incident module. Each module used a scenario drawn from the audit findings rather than generic examples.
The programme also involved a collaborative element between the IT security team and the OT team that had not previously existed. For each module build, LimitedView facilitated a joint session where IT security staff and OT engineers reviewed the scenario together, with the OT team providing operational context that the IT security team needed to ensure the content was technically accurate for the manufacturing environment.
This joint working produced an unexpected secondary output: a documented translation glossary mapping IT security terminology to OT operational equivalents. The glossary was used by both teams going forward and was incorporated into the group's onboarding process for new engineers.
The Results
The group tracked unsafe OT access behaviours through its network monitoring system, which logged access events against the approved gateway and flagged direct-access sessions. A baseline was established from the twelve months prior to the engagement. The post-engagement period covered seven months.
Unsafe OT access behaviours — defined as any access to OT systems that did not use the approved secure gateway, regardless of whether the access was legitimate or malicious in intent — fell by 58% in the seven months following the programme launch compared to the equivalent baseline period.
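The definition above can be expressed as a simple flow-log check. The following is an added example, not the group's monitoring system or LimitedView's code; the gateway address, OT subnets, facility names and log format are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed addressing, constructed for this example (not from the case study).
GATEWAY = ipaddress.ip_address("10.50.0.10")  # approved secure remote access gateway
OT_NETS = {                                   # hypothetical facility -> OT subnet
    "facility-a": ipaddress.ip_network("10.60.1.0/24"),
    "facility-b": ipaddress.ip_network("10.60.2.0/24"),
}

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2024-03-01T14:02:11Z 10.50.0.10 10.60.1.20 5900
2024-03-01T14:05:40Z 10.20.3.77 10.60.1.20 5900
2024-03-01T14:06:02Z 10.60.1.21 10.60.1.20 502
2024-03-02T09:15:00Z 10.20.3.77 10.60.2.14 22
2024-03-02T09:20:00Z 10.20.3.80 10.20.3.81 445
not-a-flow-line
"""

def facility_for(addr):
    """Return the facility whose OT subnet contains addr, or None."""
    for name, net in OT_NETS.items():
        if addr in net:
            return name
    return None

def classify(line):
    """Return (facility, 'gateway' | 'direct') for a flow into OT, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed record
    try:
        src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
    except ValueError:
        return None
    facility = facility_for(dst)
    if facility is None:
        return None  # destination is not an OT system
    if facility_for(src) is not None:
        return None  # OT-to-OT traffic, assumed out of scope here
    # Intent is deliberately not considered: only the path taken matters.
    return facility, "gateway" if src == GATEWAY else "direct"

def direct_access_counts(log_text):
    """Count flagged direct-access flows per facility."""
    hits = (classify(line) for line in log_text.splitlines())
    return Counter(h[0] for h in hits if h and h[1] == "direct")
```
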
The reduction was not uniform across facilities. Two facilities that had the least consistent access practices at baseline showed reductions of 71% and 67%. Three facilities that had already established relatively strong access discipline showed smaller but still meaningful reductions of 38% to 44%. One facility showed no statistically significant change in the first four months before a new facility manager joined and the pattern shifted in the fifth month.
The group's IT security team also tracked the rate of access events that were proactively reported by engineers before the monitoring system flagged them. In the baseline period, no such proactive reports were received — engineers had not known what to report or had not considered direct access reportable. In the seven months following the programme, fourteen proactive reports were submitted. In twelve of those cases, the engineer had used the direct access method for a legitimate reason under time pressure and was self-reporting as a precautionary measure. The security team treated these reports as evidence of the cultural shift the training was intended to create.
The OT access audit findings were used to update the group's IT/OT security policy. Five of the six unsafe behaviour categories identified in the audit had not been addressed in the previous policy. The updated policy incorporated the specific controls and reporting requirements that the triggered training had established as expected practice.
What Changed
The Head of IT Security described the before state succinctly: engineers knew the IT security training existed and largely treated it as something designed for office staff. The content referred to networks, systems, and threat vectors that were recognisable to IT staff and unfamiliar to people whose professional frame of reference was machine tools and production tolerances.
The OT-specific triggered content changed that immediately. The feedback from facility engineers across the initial module was consistent: this was the first security training they had received that felt like it had been written for them. The scenarios were recognisable. The risk implications were explained in terms of production impact rather than data loss. The correct behaviours were specific to the equipment and access patterns they worked with.
The joint working between the IT security team and the OT engineers produced a relationship that the group had not previously had. The IT security team came away with a better understanding of the operational constraints that drove unsafe access behaviour — specifically, that the approved gateway added three minutes to a diagnostic session that might need to happen quickly during a production incident. That understanding led to a revised gateway configuration that reduced the time overhead significantly, addressing the operational pressure that had been driving the shortcuts.
The group's Operations Director noted in a quarterly review that the combination of the training programme and the gateway reconfiguration was the first security intervention that had not been experienced by the operations function as an imposition from IT. It had been built with the operations function rather than for it. That distinction, he noted, was the reason it had worked.


