Research · INV-04

Industrial Cybersecurity (OT): 82% of Critical Networks Lack Effective Segmentation

Fernando Arrieta·February 28, 2026

OT SecurityIndustrialIEC 62443Segmentation

Overview

About this research

Security audit of Operational Technology (OT) networks in 35 industrial plants across energy, manufacturing, and utilities sectors in Argentina, Brazil, and Chile revealed that 82% of critical networks lack effective segmentation from the corporate network (IT). In 68% of cases, it was possible to reach critical Programmable Logic Controllers (PLCs) from the administrative network via simple lateral movements in under 4 hours of controlled penetration testing. Insecure industrial protocols (Modbus TCP, unencrypted DNP3) were detected in 94% of OT networks without secure encapsulation. 76% of SCADA systems run on obsolete, unsupported operating systems (Windows 7/XP) that cannot be patched. IEC 62443 standard evaluation showed an average maturity level 1 (initial) compliance in 71% of plants, with critical deficiencies in third-party account management (maintenance vendors with unsupervised remote access in 88% of cases).

Key findings

What the research found

Central questions answered with verifiable data from the study.

Is IT/OT segmentation effective?

Not in 82% of cases. Jumping from corporate to industrial networks is possible in under 4 hours in 68% of plants.

Which vulnerabilities are most critical?

Obsolete OS (76%), insecure protocols (94%), and unsupervised vendor remote access (88%).

What is the average maturity level?

Level 1 (Initial) of IEC 62443 in 71% of plants.

Methodology

How we conducted the research

Steps completed, sources consulted, and evidence collected during the study.

Normative and theoretical framework: IEC 62443 (series 2-1, 3-2, 3-3); NIST SP 800-82r3 (Guide to Industrial Control Systems Security); Purdue Reference Model; CIS Controls v8 (IG2/IG3 adapted to OT).

01ON-SITE technical audit in 35 industrial plants (energy, manufacturing, utilities) across 3 countries

02Controlled segmentation testing (IT->OT pivoting) and passive traffic listening

03Modbus/DNP3 traffic analysis for protocol vulnerability detection

04Maturity evaluation against IEC 62443-2-1 and IEC 62443-3-3

Deliverables

Available deliverables

Documents with the full results of this research, adaptable to each organization’s context.

OT Cybersecurity Status Report LATAM — findings in 35 plants

Effective IT/OT segmentation checklist based on IEC 62443

Download Audit Material

Request the complete methodological package for research [INV-04]. Institutional use only.

Tratamiento de datos confidencial según ISO/IEC 27001

Related research

Complementary studies

Research that extends or contrasts the findings of this study.

Cyber Resilience in the Financial Sector: Only 22% of Entities Pass a Ransomware Stress TestINV-06 ISO 42001 in Practice: Only 28% of Certified Organizations Manage AI EffectivelyINV-02 Cybersecurity AuditSystem OT ConsultingSystem AI AuditSystem AI GovernanceSystem Information SecuritySystem

Share this research

Help circulate evidence-based governance.

Share on LinkedIn Share on X Share via email

Does this research apply to your organization?

If the question is institutional and has context, we can guide you on the next steps.

Start a conversation View all research

Cargando

Preparando la información solicitada…