CISA Zero-Trust Guidance and NIST Visibility Push Reshape Cloud MES Deployment

CISA's zero-trust OT guide and a NIST asset visibility project reshape how manufacturers deploy cloud-native MES in converged OT/IT environments.

Federal regulators have intensified scrutiny of how manufacturers deploy cloud-native Manufacturing Execution Systems (MES) within converged OT/IT environments, issuing new zero-trust architecture guidance for operational technology as market investment in cloud MES accelerates across critical industrial sectors.

Background

The convergence of operational technology (OT), the hardware and software that controls physical production processes, with corporate information technology (IT) networks has fundamentally altered the industrial threat landscape. Systems once isolated or manually operated are now digitally integrated and remotely managed, rendering traditional perimeter-based defenses and implicit trust models inadequate for protecting critical processes.

Cloud-native MES platforms, which coordinate shop-floor execution, quality workflows, and real-time production data across distributed facilities, sit directly at this IT/OT boundary. Manufacturers increasingly adopt cloud-based MES platforms for their scalability, remote accessibility, and cost-effectiveness, while demand grows for advanced MES solutions with enhanced security capabilities to address cybersecurity threats, data privacy concerns, and regulatory compliance requirements.

The global MES market was valued at approximately USD 15.95 billion in 2025 and is projected to reach USD 25.78 billion by 2030, a compound annual growth rate of 10.1%, according to MarketsandMarkets research. Cloud deployment is the fastest-growing segment within that expansion, recording a CAGR of 16% over the 2025-2032 forecast period, driven by scalability, reduced upfront costs, and remote accessibility.

Details

CISA, together with the FBI and the Departments of Defense, Energy, and State, released the guide Adapting Zero Trust Principles to Operational Technology in late April 2026. The guide provides OT owners, operators, and zero-trust practitioners with practical insights on overcoming unique constraints, addressing potential challenges, and prioritizing key areas for integrating zero trust into OT environments. It focuses on establishing comprehensive asset visibility, proactively addressing supply chain risks, and implementing robust identity and access management, while stressing the importance of layered security measures, including network segmentation, secure communication protocols, and vulnerability management.

CISA Acting Executive Assistant Director for Cybersecurity Chris Butera specifically cited nation-state threat actors in justifying the guidance. "CISA has observed threat actors like Volt Typhoon targeting OT systems to compromise, escalate, and maintain access within operational environments," Butera stated, adding that "Zero Trust architecture is critical to preventing cyber incidents that could cause operators to lose visibility or control of essential systems."

The guidance arrives alongside a separate initiative from NIST's National Cybersecurity Center of Excellence (NCCoE), which announced plans in April 2026 to launch a dedicated OT asset visibility project. NCCoE Director Cherilyn Pascoe said cross-sector consultations identified asset visibility as "the largest challenge" facing critical infrastructure operators, noting that achieving it in OT and industrial control system environments "is very difficult." Industry voices reinforced this gap: the executive director of the Operational Technology Cyber Coalition told a House Homeland Security Committee hearing that "most sectors have not done an OT asset inventory, so they don't even know what they have."

That assessment aligns with practitioner data. Asset inventory and visibility was the top technology investment area in 2025, cited by 50% of respondents to the SANS State of ICS/OT Cybersecurity Survey, and remains the top priority for 2026-2027 at 54%.

On the vendor side, Rockwell Automation announced a series of strategic updates to its elastic MES portfolio in December 2025, positioning the platform as a cloud-native architecture for unifying OT and IT. Anthony Murphy, vice president of product management at Rockwell Automation, stated: "Our elastic MES strategy and investments drive a fundamental shift in how manufacturers connect and optimize their operations. DIY and disparate systems increase cost, risk and complexity. Rockwell's elastic MES unifies critical applications across OT and IT on a cloud-native, resilient architecture that grows with our customers." According to Rockwell's 2025 State of Smart Manufacturing Report, 21% of manufacturing leaders cite integration challenges as a top internal obstacle, a gap the elastic MES platform addresses through a single unified platform connecting the manufacturing lifecycle from materials and inventory to production and tooling.

IDC Associate Research Director Lorenzo Veronesi commented that "legacy MES systems, while foundational, have become barriers to agility in an era defined by rapid change," stating the future lies in modern, flexible, and scalable MES platforms that enable on-demand process reconfiguration and seamless integration across the digital thread.

Critical Manufacturing separately announced a partnership with Canonical in December 2025 to broaden cloud-native MES deployment options using Canonical Kubernetes. The collaboration aims to create "a strong foundation for manufacturers looking for secure, scalable deployment options across cloud, hybrid, or on-premises environments," shortening ramp-up time and lowering entry barriers for manufacturers moving to cloud-native execution platforms.

The regulatory pressure compounds implementation complexity. CISA's zero-trust OT guidance emphasizes that traditional IT-centric approaches cannot be applied directly to OT because of legacy systems, limited visibility, and strict availability requirements. The document notes that ideal access controls may not be feasible in OT environments given operational needs, so organizations should stack compensating controls to make access-control weaknesses harder to exploit.

Outlook

Cybersecurity policy remains in flux, with regulations shifting, agencies being restructured, and expectations increasingly fragmented across federal, state, and industry lines. Manufacturers deploying cloud-native MES will face mounting pressure to demonstrate OT asset inventory completeness and zero-trust segmentation before connectivity to cloud execution layers is permitted under emerging frameworks. Covered entities will need to prepare for far-reaching notification obligations under CIRCIA and the EU's NIS2 Directive that require not only visibility over OT assets but the capability to determine whether a cyber incident affecting those assets is "significant" for regulatory purposes. NIST's forthcoming NCCoE project on OT visibility is expected to produce actionable guidance that directly shapes how MES vendors architect discovery and asset-management capabilities within converged production environments.