OT Exposure Intelligence · 2025 · Inaugural Edition

The State of OT Security in Cement & Mining

An intelligence report built not from platform telemetry, but from a full year of hands-on OT network assessments and managed support across an active multi-plant cement operation. Every figure came off a plant floor.

82%

of 267 OT network switches assessed were End-of-Life or Discontinued — outside vendor support, patches, and spare-part guarantees.

Switch lifecycle — 267 assessed

Status             Count   Share
Discontinued         122     46%
End-of-Life           97     36%
Active (Mature)       16      6%
Active                18      7%
Unclassified          14      5%

275 OT support activities were required over the year just to hold the line — the operational tax of deferred modernization. (76 incidents + 199 planned services)

Seven conditions, as observed

The exposure is structural, not exotic — obsolescence, weak segmentation, and ungoverned access allowed to persist.

01

OT switching is largely obsolete

The majority of the assessed fleet sits outside vendor support — no patches, no guaranteed spares.

82% EOL / Discontinued

02

Current, supported equipment is the exception

Only 18 of 267 switches (7%) are in plain Active status. A further 16 (6%) are Active but already flagged Mature by the vendor: still supported, but late in the vendor's lifecycle. Everything else is out of support or of unknown status.

7% Active · 13% incl. Mature

03

The installed base concentrates in a few vendors

Three vendors hold roughly three-quarters of the fleet — lock-in by default, where one vendor's lifecycle decisions ripple across the whole plant.

3 vendors ≈ 75%

04

Obsolete fieldbus still carries production traffic

Legacy fieldbus segments remained in production, mid-migration to modern industrial Ethernet.

in production

05

IT and OT were not yet physically separated

A baseline control was still being established for the first time in 2025 at sites that had run for years without it.

just begun

06

Unmanaged & consumer-grade switches in OT paths

Consumer-grade and unmanaged switches sat in critical OT paths — no segmentation, no monitoring, no management plane.

present

07

Obsolescence carries a continuous operational tax

Keeping the networks stable took 76 incidents plus 199 planned services across the year.

275 activities / yr
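The lifecycle split, vendor concentration and unmanaged-switch findings above (conditions 01 to 03 and 06) all fall out of one artifact: an inventory of record with a normalised lifecycle field. The script below is an added example, not code from the report or from Potenza. It assumes a CSV export with one row per switch (hostname, vendor, model, lifecycle, managed yes/no, Purdue level); every row, hostname, vendor and model in it is constructed for illustration, and the ordering rule in the replacement queue is the author's choice, not the report's.

```python
"""Inventory-and-lifecycle-of-record analysis for an OT switch fleet.

Added example, not code from the report or from Potenza. Assumes a CSV
export with one row per switch; all rows below are constructed.
"""
import csv
import io
from collections import Counter

# Lifecycle categories as the report uses them, riskiest first.
LIFECYCLE = ("Discontinued", "End-of-Life", "Active (Mature)", "Active", "Unclassified")
OUT_OF_SUPPORT = {"Discontinued", "End-of-Life"}

# Constructed sample inventory; 'level' is the Purdue level the switch serves.
# pack-sw-02 is a consumer-grade unmanaged switch with no vendor lifecycle notice.
SAMPLE_CSV = """hostname,vendor,model,lifecycle,managed,level
kiln-sw-01,VendorA,A-2960,End-of-Life,yes,2
kiln-sw-02,VendorA,A-2960,End-of-Life,yes,2
mill-sw-01,VendorB,B-100,Discontinued,yes,1
mill-sw-02,VendorB,B-100,Discontinued,yes,1
mill-sw-03,VendorC,C-8,Active,yes,2
pack-sw-01,VendorC,C-8,Active (Mature),yes,2
pack-sw-02,ConsumerCo,Home5,,no,1
quarry-sw-01,VendorD,D-10,Active,yes,2
quarry-sw-02,VendorA,A-3560,Discontinued,yes,3
crusher-sw-01,VendorB,B-200,End-of-Life,yes,1
"""


def load_inventory(text):
    """Parse the CSV export and normalise the lifecycle, managed and level fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        # Anything outside the known categories (blank, typo, vendor-specific
        # wording) becomes Unclassified: an unknown status is a finding, not 'Active'.
        if r["lifecycle"] not in LIFECYCLE:
            r["lifecycle"] = "Unclassified"
        r["level"] = int(r["level"])
        r["managed"] = r["managed"].strip().lower() == "yes"
    return rows


def lifecycle_breakdown(rows):
    """Count and rounded percentage per lifecycle category."""
    counts = Counter(r["lifecycle"] for r in rows)
    total = len(rows)
    return {k: (counts[k], round(100 * counts[k] / total)) for k in LIFECYCLE}


def out_of_support_share(rows):
    """Fraction of the fleet with no vendor patches or guaranteed spares."""
    return sum(r["lifecycle"] in OUT_OF_SUPPORT for r in rows) / len(rows)


def vendor_concentration(rows, top_n=3):
    """Top-N vendors by device count and the share of the fleet they hold."""
    counts = Counter(r["vendor"] for r in rows)
    top = counts.most_common(top_n)
    return {"vendors": [v for v, _ in top], "share": sum(n for _, n in top) / len(rows)}


def replacement_queue(rows):
    """Order devices for modernisation: unmanaged gear first, then out-of-support
    switches, with lower Purdue levels (closer to the process) ahead of higher ones."""
    candidates = [r for r in rows if not r["managed"] or r["lifecycle"] in OUT_OF_SUPPORT]
    return sorted(candidates,
                  key=lambda r: (r["managed"], r["lifecycle"] not in OUT_OF_SUPPORT, r["level"]))


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_CSV)
    for status, (n, pct) in lifecycle_breakdown(inv).items():
        print(f"{status:16} {n:3} {pct:3}%")
    print(f"out of support: {out_of_support_share(inv):.0%}")
    vc = vendor_concentration(inv)
    print(f"top vendors {vc['vendors']} hold {vc['share']:.0%} of the fleet")
    for r in replacement_queue(inv):
        flag = "managed" if r["managed"] else "UNMANAGED"
        print(f"replace: {r['hostname']:14} {r['vendor']:11} {r['lifecycle']:16} {flag} L{r['level']}")
```

Run against the constructed sample it reports 60% out of support, three vendors holding 80% of the fleet, and puts the unmanaged consumer switch at the head of the queue ahead of the discontinued Level 1 switches. The same functions applied to a real export produce the report's own headline figures (the 82% and the "3 vendors ≈ 75%") directly from the inventory of record rather than from a one-off count.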

The framework

The Potenza OT Maturity Model

A diagnostic of what an operator can see and control — not which products they own. The assessed fleet entered the year largely between Blind and Aware; the year’s work moved priority systems toward Controlled.

  1. Stage 1 · Blind · No visibility

     No reliable inventory, topology, or lifecycle visibility. Basic questions about the OT network can't be answered.

  2. Stage 2 · Aware · On paper

     Inventory and topology exist on paper. Gaps and obsolescence are known, but not yet controlled.

  3. Stage 3 · Controlled · Maintained

     Segmentation, governed access, and lifecycle management are in place and maintained for priority systems.

  4. Stage 4 · Resilient · Continuous

     Controls are continuous and tested. The environment degrades gracefully under stress rather than failing silently.

The OT service owner cannot be the OT vendor.
A vendor-concentrated installed base raises a question the sector rarely asks aloud: if the OEM that supplies the equipment also governs its security, who provides the independent check? Structural independence is the alternative — assessment, documentation, and governance by a party with no equipment to sell and no product quota. For an operator carrying an obsolete installed base, an independent modernization roadmap is how it keeps leverage over its own future spend.

The Cement & Mining OT Baseline

Five controls form the minimum defensible baseline. They are ordered: each enables the next. The baseline maps cleanly onto ISA/IEC 62443 and NIST SP 800-82r3 for operators who need framework alignment.

  1. Inventory & lifecycle of record

     You can't secure or budget what you can't see. Lifecycle status turns obsolescence from a surprise into a plan.

  2. Topology of record

     The authoritative map of assets, VLANs, flows, and remote paths, the artifact every later decision depends on.

  3. Purdue-aligned segmentation

     Separate IT from OT and zone the plant floor so one compromise can't traverse the whole network.

  4. Governed remote & privileged access

     Brokered, logged, least-privilege access: no single tool whose failure cuts off all support.

  5. Independent governance

     An operator-side owner that assesses and prioritizes in the operator's interest, not a vendor's roadmap.
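Controls 2 and 3 are only testable together: a topology of record gives each subnet a Purdue level, and segmentation is then a question of which observed flows cross levels they should not. The script below is an added example, not code from the report or from Potenza. It assumes the topology of record is a map from subnet to Purdue level (3.5 standing for the IT/OT DMZ) and that observed flows arrive as (src, dst, dst_port) tuples from a SPAN session or flow export; the addresses, zones and flows are constructed, and the two rules it enforces (enterprise and OT meet only in the DMZ; traffic crosses only between adjacent levels) are a deliberate simplification of the Purdue model, not the report's policy.

```python
"""Zone-crossing check for a Purdue-aligned topology of record.

Added example, not code from the report or from Potenza. Subnets, levels
and flows below are constructed for illustration.
"""
import ipaddress

# Constructed topology of record: subnet -> Purdue level (3.5 = IT/OT DMZ).
ZONES = {
    "10.10.0.0/16": 4,    # enterprise IT
    "10.20.0.0/24": 3.5,  # IT/OT DMZ: jump host, historian replica
    "10.30.0.0/24": 3,    # site operations: SCADA servers, historian
    "10.31.0.0/24": 2,    # supervisory: HMIs, engineering workstations
    "10.32.0.0/24": 1,    # basic control: PLCs, RTUs
}
# Longest prefix first so a /24 carved out of a /16 wins the match.
_NETS = sorted(((ipaddress.ip_network(n), lvl) for n, lvl in ZONES.items()),
               key=lambda t: t[0].prefixlen, reverse=True)


def zone_of(ip):
    """Longest-prefix match against the topology of record; None if the host is undocumented."""
    addr = ipaddress.ip_address(ip)
    for net, lvl in _NETS:
        if addr in net:
            return lvl
    return None


def evaluate_flow(src, dst, dport):
    """Classify one flow as 'allowed', 'violation' or 'unknown-asset', with a reason."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        # An endpoint missing from the topology of record is itself a finding:
        # unmanaged and consumer-grade gear tends to surface exactly here.
        missing = src if s is None else dst
        return "unknown-asset", f"{missing} not in topology of record"
    lo, hi = min(s, d), max(s, d)
    if hi >= 4 and lo <= 3:
        # Enterprise and OT may only meet in the DMZ (3.5), never directly, in either direction.
        return "violation", f"L{s:g} -> L{d:g} crosses the IT/OT boundary without the DMZ"
    if hi - lo > 1:
        # Purdue traffic should cross only between adjacent levels (3.5 counts as adjacent to 3 and 4).
        return "violation", f"L{s:g} -> L{d:g} skips a level"
    return "allowed", f"L{s:g} -> L{d:g} tcp/{dport}"


# Constructed flow sample, as it might come off a SPAN session on the core switch.
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.0.10", 443),     # IT user -> DMZ jump host
    ("10.20.0.10", "10.30.0.5", 3389),     # jump host -> SCADA server
    ("10.10.5.20", "10.32.0.7", 502),      # IT user -> PLC directly (Modbus/TCP)
    ("10.31.0.4", "10.32.0.7", 44818),     # HMI -> PLC (EtherNet/IP)
    ("10.30.0.5", "10.32.0.9", 502),       # SCADA server -> PLC, skipping L2
    ("192.168.1.50", "10.32.0.7", 502),    # undocumented host -> PLC
]


def audit(flows):
    """Return per-flow verdicts and a count per verdict."""
    verdicts = [(src, dst, dport, *evaluate_flow(src, dst, dport)) for src, dst, dport in flows]
    summary = {}
    for v in verdicts:
        summary[v[3]] = summary.get(v[3], 0) + 1
    return verdicts, summary


if __name__ == "__main__":
    verdicts, summary = audit(SAMPLE_FLOWS)
    for src, dst, dport, verdict, reason in verdicts:
        print(f"{verdict:13} {src:>14} -> {dst:<12} tcp/{dport:<6} {reason}")
    print(summary)
```

On the constructed sample the check passes the two DMZ-brokered flows and the HMI-to-PLC flow, flags the IT workstation talking Modbus straight to a PLC and the SCADA server reaching past Level 2, and reports the 192.168.1.50 host as an asset the topology of record does not know about. That last verdict is the practical link between controls 2 and 3: segmentation cannot be enforced for hosts the map does not contain.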

See where your plant sits

The report describes the pattern; an assessment locates your plant on it. Start with a scoped Topology Assessment of your OT network.

Schedule a Conversation

OT security for cement & mining

See how the model and the baseline translate into an engagement — independent assessment, documentation, and governance for your plant.

See our approach