For the better part of a decade, manufacturers have been told that cyber risk is a problem of sophistication - that somewhere out there is an adversary clever enough to find the one weakness nobody anticipated. It is a comforting story, because it implies the answer is simply to buy something cleverer in return.
The data tells a more uncomfortable one. Manufacturing has been the most-attacked industry on earth for the fifth consecutive year, absorbing close to 28% of all incidents that IBM's X-Force team responded to across every sector. Industrial ransomware climbed by roughly 64% in 2025 alone. And when you look closely at how those intrusions actually unfold, the recurring theme is not brilliance on the attacker's side. It is blindness on the defender's. The compromised device was one nobody knew was connected. The exposed pathway was one nobody remembered leaving open. The vulnerable controller was one that had quietly run a production line for fifteen years while the asset register said something else entirely.
You cannot protect what you cannot see. It sounds almost too simple to be a strategy. But in operational technology, it is the strategy - the foundation everything else is built on, and the step most programmes skip.
The inverted pyramid
Walk into most manufacturing security programmes and you will find the work happening in the wrong order. There is a segmentation project. There is a remediation backlog. There is a compliance deadline driving a flurry of control implementation. All of it is necessary. All of it is being attempted on top of an asset inventory that everyone privately admits is incomplete.
This is the inverted pyramid, and it is why so many OT programmes stall. Segmentation assumes you know what sits in each zone. Remediation assumes you know what needs remediating and can rank it by what actually matters to production. Compliance - whether you are working towards IEC 62443, mapping to NIST 800-82, or preparing for the regulatory tightening arriving through CMMC and NIS2 - ultimately rests on your ability to evidence what you have and how it is protected. Each of those efforts is only ever as good as the picture of the estate beneath it. Build on a partial inventory and you get partial security, delivered at full cost.
Visibility is not a precursor to the real work. It is the first piece of real work.
Why OT visibility is genuinely hard
If asset visibility were easy, every manufacturer would already have it. It is worth being honest about why they don't, because the reasons are structural rather than negligent.
Operational technology was built for uptime and longevity, not for being inventoried. A great deal of it predates the idea that a factory floor would ever touch a corporate network - and yet, through years of OT/IT convergence, that is exactly what has happened. Plant systems now feed cloud analytics platforms, vendors hold remote-access tunnels, and the once-clean line between "office IT" and "factory OT" has all but dissolved. Convergence delivered the real-time data and efficiency manufacturers wanted. It also quietly connected equipment that was never designed to be reachable.
Then there are the assets that refuse to stay still. Contractor laptops, engineering tools and USB drives plug in, do a job and leave - bypassing every network control in the building. Industry studies suggest transient devices of this kind are behind a substantial share of OT incidents, and they are invisible to anything that only watches the perimeter. Add to that the legacy estate - a meaningful proportion of manufacturers are still running OT assets more than fifteen years old - and a culture that, for entirely good reasons, treats "do not disturb the running line" as close to sacred. Put together, these are not the conditions in which a tidy, complete asset register spontaneously appears.
The maturity paradox
Here is the counterintuitive part, and the one we would ask any leadership team to sit with. The manufacturer that reports 100% visibility into its OT environment is, more often than not, less mature than the one that can point to its blind spots.
Fortinet's research into operational technology security found exactly this pattern: as organisations mature, they become more aware of what they cannot see, not less. The confident "we have full visibility" tends to come from teams who have never looked hard enough to be unsettled. The honest "here are the four areas we don't yet have eyes on" comes from teams who have done the looking. Naming a gap is not an admission of failure. It is the single clearest sign that a programme is working.
This matters because it changes the conversation at board level. The right question is not "are we secure?" - a question that invites a reassuring and usually misleading yes. The right question is "what can't we see, and what would it cost us if it were exploited?" That reframing, from counting vulnerabilities to describing impact in operational terms - uptime, safety, production quality, regulatory exposure - is what turns visibility from a technical exercise into a business one.
Seeing clearly, without stopping the line
The understandable fear is that gaining visibility means disruption: aggressive scanning that crashes a fragile controller, or a wholesale rip-and-replace that no operations director would ever sign off. It needn't, and it shouldn't.
The pragmatic path is the opposite of dramatic. It begins with passive discovery - listening to what is already moving across the network rather than probing devices that were never built to withstand it - so that the picture builds without risk to production. It prioritises by operational consequence rather than raw vulnerability count, because a medium-severity flaw on a line that ships your highest-margin product matters more than a critical one on a system that has been offline for a year. And it expands incrementally. The most successful programmes we see do not try to boil the ocean; they start with a single painful process - a line where visibility is poor or a recurring quality issue - prove the value there, and grow outward from a result rather than a mandate.
The goal is a living asset picture: not a spreadsheet that was accurate the day it was filled in and wrong by the end of the week, but a continuously maintained view that spans assets, identities, data flows and, increasingly, the AI services now reaching into operations. That living view is what lets you remediate with confidence, segment with precision, and walk into a compliance assessment with evidence rather than hope.
Visibility is the platform, not the project
It is tempting to treat asset visibility as a box to tick before moving on to the more interesting work. That is a mistake. Visibility is not a project that finishes; it is the platform the rest of the strategy runs on.
Every priority manufacturers are wrestling with right now connects back to it. Remediation needs it to set sensible priorities. Segmentation needs it to draw meaningful boundaries. Compliance needs it to produce evidence. And the AI ambitions arriving from every corner of the business need it too - because an AI initiative reaching into the plant floor is only as trustworthy as the visibility you have into what those systems can access and how they behave.
So when the roadmap is being drawn and someone asks where visibility belongs in the sequence, the answer is not step five. It is step one. The manufacturers who internalise that - who treat seeing clearly as the foundation rather than the afterthought - are the ones quietly building resilience while their peers buy cleverer tools to defend a floor they cannot fully map.
At VE3, we help manufacturers build that foundation: a clear, living view of the OT estate, established safely and without interrupting production, that turns security from a series of disconnected projects into a coherent, defensible programme. If you are not yet certain what you cannot see, that is the most useful place to start.
VE3 partners with manufacturers and industrial operators to bring visibility, resilience and intelligence to converged IT and OT environments.


.png)
.png)
.png)



