The industrial enterprise is under siege from new and persistent threats, says Rick Kaun, Global Director Cybersecurity Services, Rockwell Automation.
The attack surface is growing due to the proliferation of connected assets, remote monitoring systems, mobile devices, and cloud-integrated industrial applications. Every new connection introduces potential exposure points for cyberattacks. According to the SANS 2024 ICS/OT Cybersecurity Report, 83 per cent of OT leaders have experienced at least one security breach within the past three years — a number expected to climb. A recent State of Smart Manufacturing Report ranks cybersecurity as the second-most pivotal external challenge facing manufacturers today.
Legacy infrastructure, 24/7 operational demands, limited cybersecurity resources and sophisticated adversaries compound the challenge. In sectors like manufacturing, energy and logistics, even a minor cyber incident can lead to significant operational disruption, safety hazards or environmental consequences, underscoring the need for more innovative, integrated strategies to support increasingly digitized operations.
Cybercriminals and nation-state actors are increasingly targeting critical infrastructure with increasingly sophisticated methods, such as AI attacks, ransomware campaigns, ICS-specific malware and supply chain compromises. The blend of financial motivation and geopolitical agendas makes sectors like utilities, oil and gas and manufacturing frequent targets. These attacks are no longer rare but should be anticipated as inevitable.
Organizations everywhere are facing a widening cybersecurity skills gap. In a recent survey, manufacturing leaders pointed to a lack of skilled workers as the top competitive challenge, with nearly half seeing cybersecurity skills and standards as an increasing priority in hiring. On top of the cybersecurity skills challenge, OT teams are often under-resourced, stretched across multiple facilities and managing environments that can’t afford downtime. As these tight teams may not be equipped to respond to potential threats or reduce risk due to insufficient training or skills, they often resort to manual efforts, separated systems or outdated processes. Again, a challenge for teams both locally and globally.
Having siloed procedures is not only time-consuming and cumbersome but also dangerous. The urgency to detect and prevent threats can determine whether the organization undergoes a multi-million-dollar catastrophic outage or a momentary anomaly. Having an in-sync global and local cybersecurity model minimizes this risk, improves resilience, and provides the opportunity for more intelligent decision-making throughout the organization.
Strategy
The “Think Global, Act Local” model is more than a lofty idea. It is a methodology for constructing robust cybersecurity strategies through sustainable, multi-layered frameworks that help organizations future-proof their operations.
The first step is centralizing risk analysis. Consolidating real-time data from every facility or part of the facility into a unified dashboard provides a 360-degree view of weaknesses and risks that need remediation. A Think Global, Act Local approach allows teams to quickly identify emerging threats, prioritize remediations, and develop more standardized play-books.
This model or methodology delivers a unified database that allows for OT flexibility and customizes controls for every environment. It also empowers local experts with contextual expertise and real-time actions.
Fundamentally, this is a vendor-agnostic approach, helping to deliver real-time inventory of all assets, threat detection, vulnerability management, and risk remediation. Automation tools can further streamline tasks such as log analysis, alert correlation, and policy enforcement, allowing enterprise leaders to detect and respond to threats built around the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). This framework — which organizes capabilities across Govern, Identify, Protect, Detect, Respond, and Recover — enables organizations to move from patchwork efforts to coordinated cyber strategy.
Central intelligence, local execution
Think Global, Act Local is a model relying on regional subject matter experts (SMEs) who serve as bridges between central policy and local execution. These regional SMEs support OT security by providing context to risk decisions, leveraging their unique knowledge and nuance of specific limitations, systems, and workflows. They are tasked to translate governance into practical action at the facility. This methodology includes the SME recommending compensation controls for infrastructure that cannot be easily patched and customizing detection logic for specific site behavior. They bring skills and knowledge that prevent central policy from turning into operational friction.
Localized execution empowers on-site OT and engineering teams with the tools and guidance to take action. These SMEs have reliable insights and automated workflows that help them act decisively when threats arise. With support from global teams and SMEs, local operators can isolate infected systems, initiate containment protocols or execute patching routines with minimal disruption to uptime. Notably, these local actions are captured in dashboards to provide enterprise-wide visibility, and they enable continuous improvement and audit readiness.
Case study
When a vulnerability sent shockwaves through the global software landscape, one industrial company used the Think Global, Act Local approach to reduce its response time dramatically. What might have taken weeks using traditional methods was resolved in just 93 minutes.
Local teams began by using a non-invasive profiling tool that didn’t require network access to scan their systems for the vulnerable component. The results were aggregated into a central dashboard in near real-time, enabling security leaders to assess exposure across the enterprise almost instantly. Host-based intrusion detection systems were deployed on impacted assets, while an expert patched or compensated controls, which were rolled out depending on each system’s criticality and availability constraints.
This streamlined, coordinated effort not only minimized disruption but also reduced remediation costs by over 70%. The organization protected its operations and strengthened its security posture by empowering local teams to take quick, informed action while keeping central oversight in the loop.
As cyber threats continue to grow in both volume and sophistication, industrial organizations must adopt more resilient, scalable approaches to OT security. The Think Global, Act Local approach provides the operational balance needed to reduce risk without sacrificing uptime or overburdening frontline teams.
This model ensures that security decisions are grounded in both enterprise risk priorities and real-world operational constraints. It empowers organizations to improve visibility and streamline remediation, even amid expanding attack surfaces, limited resources and continuous change. Threats will continue to evolve at the same pace of technology. The Think Global, Act Local approach provides a new baseline for industrial resilience.
