OT Security for Cement & Mining Plants

The networks running kilns, crushers, and packing lines are critical — and often built on hardware their own makers no longer support. Potenza is the OEM-independent field team that assesses, documents, and governs OT security on active cement and mining sites.

  • Operating since 2012
  • OEM-independent: no equipment to sell, no vendor quotas
  • EN / ES: bilingual field team across North & Latin America

The problem

The exposure isn't exotic threats. It's obsolescence.

Across cement and mining plants, the OT networks that run production are frequently built on End-of-Life or discontinued hardware their manufacturers no longer support — no firmware fixes, no security patches, no guaranteed spares. Combine that with weak IT/OT separation and ungoverned remote and privileged access, and the risk isn't a sophisticated adversary. It's the slow accumulation of unmanaged change. All of it is structural, and all of it is solvable.

Of 267 OT network switches assessed across cement plant networks, 82% (219) were End-of-Life or Discontinued by their own manufacturers — no firmware fixes, no security patches, no guaranteed spares.

Source: The State of OT Security in Cement & Mining, 2025 — Potenza Services.

The approach

Independent assessment, documentation, and governance

Potenza is structurally independent from every OEM on the operator's network. We don't sell equipment, resell OEM support, or take referral revenue from the vendors whose access we govern. That independence is the operating principle — it's what lets us assess a plant and govern access without a conflict of interest. We work in a three-phase model:

Every engagement maps to vendor-neutral frameworks

  • ISA/IEC 62443 — zones & conduits, security-level capability mapping
  • NIST SP 800-82 — Guide to Operational Technology Security
  • NIST Cybersecurity Framework 2.0 — including the Govern function
  • Purdue Enterprise Reference Architecture — Levels 0–5

We map to open standards rather than any single vendor's blueprint — and we're fluent in vendor reference architectures such as Cisco and Rockwell's Converged Plantwide Ethernet (CPwE) where a plant already runs them. For our cross-sector methodology, see our defense-in-depth approach to OT cybersecurity.

The vocabulary

The Potenza OT Maturity Model

A four-stage diagnostic of a plant's OT security posture. Most cement and mining operators we assess start between Blind and Aware. The model names where a plant is — and what “better” concretely looks like.

  1. Blind (Stage 1 · No visibility). No reliable inventory, topology, or lifecycle visibility. Basic questions about the OT network can't be answered.

  2. Aware (Stage 2 · On paper). Inventory and topology exist on paper. Gaps and obsolescence are known, but not yet controlled.

  3. Controlled (Stage 3 · Maintained). Segmentation, governed access, and lifecycle management are in place and maintained for priority systems.

  4. Resilient (Stage 4 · Continuous). Controls are continuous and tested. The environment degrades gracefully under stress rather than failing silently.

The Cement & Mining OT Baseline

Five ordered controls that move a plant up the model. The order is the argument: you can't segment what you haven't mapped, or map what you haven't inventoried.

  1. Inventory & lifecycle of record. You can't secure or budget what you can't see. Lifecycle status turns obsolescence from a surprise into a plan.

  2. Topology of record. The authoritative map of assets, VLANs, flows, and remote paths — the artifact every later decision depends on.

  3. Purdue-aligned segmentation. Separate IT from OT and zone the plant floor so one compromise can't traverse the whole network.

  4. Governed remote & privileged access. Brokered, logged, least-privilege access — no single tool whose failure cuts off all support.

  5. Independent governance. An operator-side owner that assesses and prioritizes in the operator's interest, not a vendor's roadmap.

Frequently asked

Who provides OT cybersecurity for cement and mining plants?

Potenza Services is an OEM-independent OT cybersecurity firm focused on cement, mining, and aggregates operators across North America and Latin America. We perform hands-on assessments on active plant sites, map OT network topology, and govern OT security as an operational discipline — without selling the equipment we assess.

What is the biggest OT security risk in cement plants?

In our field assessments the dominant exposure isn't exotic malware — it's obsolescence. Plant networks frequently run on End-of-Life or discontinued hardware their manufacturers no longer patch, combined with weak IT/OT separation and ungoverned remote and privileged access. All three are structural, and all three are solvable.

Should the OT security provider be the automation vendor?

No. The party that governs OT security should have no equipment to sell on the network it governs. Potenza calls this Structural Independence: the OT Service Owner cannot be the OT Vendor. An independent party can assess and govern access without a conflict of interest.

What is the OT Maturity Model?

The Potenza OT Maturity Model is a four-stage diagnostic of a plant's OT security posture — Blind, Aware, Controlled, Resilient. Blind means no inventory or topology of record; Aware means a point-in-time assessment exists; Controlled means the topology is maintained with governed access and change tracking; Resilient means OT security is owned and operated continuously, independent of any equipment vendor.

Start with a Topology Assessment

We work with cement, mining, and aggregates operators across North America and Latin America. The first step is a scoped, per-plant assessment that turns your OT network into a documented topology of record.

Evaluating an OT cybersecurity provider?

The Procurement Memo organizes the twelve questions every procurement team should ask in writing — including why the OT Service Owner can't be the OT Vendor.
