Cloud-native manufacturing execution systems (MES) and accelerating IT/OT convergence are redefining industrial cybersecurity. Elastic, hybrid MES architectures offer resilience and agility, but introduce new risks at the intersection of plant networks, corporate IT, and public cloud.

This analysis explores how cloud MES is reshaping data governance, identity and access management (IAM), and risk management in manufacturing. It outlines key security design considerations for maintaining uptime and compliance with NIS2, IEC 62443, and zero trust security principles.


Cloud Manufacturing and Elastic MES Move into the Mainstream

Cloud-native MES is now mainstream. Rockwell Automation, through FactoryTalk Hub and Plex MES, and other vendors position SaaS-based cloud manufacturing platforms as central to their portfolios, spanning design, operations, analytics, and maintenance.

Rockwell Automation's State of Smart Manufacturing report indicates that 95% of manufacturers are using or considering smart manufacturing technologies, with cloud and SaaS highlighted as leading technologies driving ROI.[1]

What 'cloud-native MES' means for security

Cloud-native MES architectures typically feature:

  • SaaS delivery model with centralized, multi-tenant backends and automated updates.
  • Edge connectivity components (gateways, agents, connectors) deployed in OT networks to synchronize orders, production events, and quality data with the cloud.
  • API-centric integration with ERP, PLM, quality management, and industrial IoT (IIoT) services.
  • Elastic scaling of compute, storage, and analytics across multiple regions or availability zones.

Plex MES, for example, part of Rockwell Automation's cloud ecosystem, is delivered as a SaaS platform with integrated MES, quality, and production monitoring. Its documentation details enterprise-grade cloud infrastructure, dedicated security features, and a publicly stated 99.5% availability service level.[2]

From a security perspective, this alters several fundamentals compared to traditional, on-premises MES:

  • Security controls extend beyond the plant perimeter to shared cloud infrastructure.
  • MES data flows now traverse enterprise networks, industrial demilitarized zones (DMZs), and public cloud endpoints.
  • Governance must cover both SaaS provider controls and the manufacturer's configuration, identity, and endpoint security.

IT/OT convergence as the baseline architecture

Industry 4.0 initiatives increasingly connect operational technology (OT) networks with information technology (IT) systems. Cloud-native reference architectures for smart manufacturing assume continuous data exchange across the "industrial compute continuum" from edge to cloud.[3]

Research such as the CRACI cloud-native architecture highlights that hierarchical models like ISA-95 face pressure from real-time analytics, cross-site optimization, and digital twins.[3] As a result:

  • MES is often positioned at the Level 3/3.5-4 boundary of the Purdue model, bridging plant operations and enterprise IT.[4]
  • Cloud connectors, data hubs, and remote access jump hosts cluster in industrial DMZs, requiring strict zoning and conduit controls under IEC 62443.[5]

This places MES at the center of contemporary industrial cybersecurity and risk governance.


A New Industrial Cybersecurity Risk Profile

Ransomware and supply-chain attacks at scale

Manufacturing remains a primary target for ransomware and supply chain attacks. Current threat intelligence underscores the operational and financial impacts:

  • Kaspersky estimates that ransomware attacks on manufacturing organizations caused over USD 18 billion in financial losses from January to September 2025, with attacks lasting 13 days on average.[6]
  • A Kaspersky ICS-CERT review details 2023 incidents causing weeks-long production disruptions, including for German component manufacturers and US consumer goods firms.[7]
  • Clorox reported that a 2023 cyber incident contributed to a net sales decline of approximately USD 356 million due to prolonged operational disruption.[7]

These incidents often originate in IT systems and propagate to MES, planning, and shop-floor operations. Cloud-native MES and IT/OT convergence elevate the blast radius and highlight the need for coordinated response.

Shared responsibility and visibility gaps

Cloud MES operates under a shared responsibility model. In the standard SaaS version of this model, the provider secures the cloud infrastructure, the base platform, and some application controls, while the customer remains accountable for application configuration, identity, user and device security, data classification and protection, and secure configuration.[8]

This can introduce visibility gaps for MES security teams:

  • Limited insight into provider controls, incident response, and forensics.
  • Fragmented logging across MES, OT gateways, identity providers, and SIEMs.
  • Unclear RACI during incidents, especially during MES downtime spanning OT, IT, and cloud provider domains.

Without clear governance, these gaps undermine security operations and regulatory compliance.

How MES architecture choices shape security posture

The choice among on-premises, cloud-native SaaS, and hybrid MES models directly impacts security design.

Table 1 - Security posture characteristics by MES deployment model

| Aspect | Traditional on-prem MES | Cloud-native MES (SaaS) | Hybrid / elastic MES (edge-to-cloud) |
|---|---|---|---|
| Patch & upgrade control | Controlled by plant IT/OT; often slow cycles | Driven by provider; frequent releases; contract-based change control | Provider manages cloud; OT teams manage edge runtimes |
| Exposure surface | Inside plant network | Internet-facing APIs, identity providers, admin portals | Cloud-facing APIs plus on-site edge nodes in DMZ/OT |
| Data residency & sovereignty | Local by default | Provider regions and configuration | Mix of cloud data and local caches for critical data |
| Identity & access management | Plant AD / local accounts, often weak segregation | Centralized IAM, SSO, MFA for cloud users | IAM for cloud plus local roles and device identities |
| Monitoring & logging | Local SIEM or point tools | Provider logs and APIs; possible SIEM export | Combined cloud telemetry and OT logs from gateways/controllers |
| Resilience to WAN outages | High (local) | Dependent on WAN; may require manual fallbacks | Designed for disconnected operations and automatic resync |
| Compliance evidence | Internal controls, OT audits | SOC 2, ISO 27001, provider pen tests | Provider attestations and site-level OT security audits |

Hybrid "elastic" MES architectures, combining cloud intelligence and resilient edge execution, are increasingly viewed as balancing uptime and agility.[2] These concentrate risk at connectors and DMZs, which must be treated as critical assets in any cybersecurity strategy.


Data Governance and Residency in Cloud MES

What changes when MES data leaves the plant

MES has traditionally stored production, genealogy, and quality data within plant boundaries. Cloud-native MES and data hubs now extend this scope across regions and partners.

Key developments include:

  • Broader data sharing with enterprise analytics, logistics providers, and contract manufacturers.
  • More complex jurisdictional exposure as production data is processed or backed up in multiple countries.
  • Longer retention and extended use of detailed shop-floor data for AI models, digital twins, and benchmarking.

Emerging initiatives such as Manufacturing-X and policy-control languages are being designed to support fine-grained governance, e.g., restricting access or enforcing automatic deletion, without custom coding.[9]

Practical data residency and segregation patterns

Manufacturers increasingly use these key patterns when integrating MES with cloud platforms:

  • Regional data hosting and localization

    • Restrict MES tenants to specific regions (e.g., EU-only) for compliance and sovereignty.
    • Use separate tenants for sensitive units or regulated product lines.
  • Industrial DMZ handoff points

    Symestic's IEC 62443 zoning guidance defines clear handoff points, typically via industrial DMZs, for secure data exchange between OT and higher-level systems.[10]

    • Site-level data brokers or queues reside in the DMZ.
    • Only these brokers communicate with the cloud, via tightly controlled conduits.
  • Selective data replication and minimization

    • Sync only the necessary fields to the cloud, using anonymized data where possible.
    • Retain highly sensitive or export-controlled parameters on-premises.
  • End-to-end encryption and key control

    Security guidance emphasizes strong IAM and end-to-end encryption.[11]

    • Use TLS 1.2+ for all MES and gateway connections.
    • Apply field-level encryption for sensitive data.
    • Manage encryption keys, with customer-managed keys preferred for critical workloads.
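The replication and minimization pattern above, as an added Python example that is not part of the original article or any vendor's connector: an edge-side filter that classifies each MES event field as cloud-replicated, pseudonymized, or local-only before the record crosses the DMZ conduit. The field names, the policy, the site key, and the sample event are all constructed for illustration.

```python
import hashlib
import hmac

# Field classification for MES production events (constructed for this example).
# The edge connector applies it to every record before anything leaves the DMZ:
#   cloud        -> replicated to the cloud MES tenant unchanged
#   pseudonymize -> replaced by a keyed hash; the cloud never sees the raw value
#   local        -> retained in the plant data store (sensitive/export-controlled)
FIELD_POLICY = {
    "order_id": "cloud",
    "work_center": "cloud",
    "event_type": "cloud",
    "timestamp": "cloud",
    "quantity_good": "cloud",
    "quantity_scrap": "cloud",
    "operator_badge": "pseudonymize",
    "alloy_recipe": "local",      # export-controlled process parameter
    "furnace_profile": "local",
}

# Hypothetical site-held key: in production it would live in a plant HSM or a
# customer-managed key store, never in the cloud tenant.
SITE_PSEUDONYM_KEY = b"constructed-site-key-do-not-reuse"

def pseudonymize(value: str, key: bytes = SITE_PSEUDONYM_KEY) -> str:
    """Keyed hash so cloud analytics can still correlate an operator across
    events without learning the badge number (an unkeyed hash is guessable)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def split_record(record: dict, policy: dict = FIELD_POLICY, region: str = "eu-only"):
    """Return (cloud_payload, local_residual). Fields absent from the policy
    default to local-only, so an unclassified field cannot leak by accident."""
    cloud, local = {}, {}
    for name, value in record.items():
        action = policy.get(name, "local")
        if action == "cloud":
            cloud[name] = value
        elif action == "pseudonymize":
            cloud[name] = pseudonymize(str(value))
        else:
            local[name] = value
    # Residency tag lets the tenant-side check reject a record routed to the wrong region.
    cloud["_residency"] = region
    return cloud, local

# Constructed shop-floor event as the edge connector would receive it.
SAMPLE_EVENT = {
    "order_id": "WO-4711",
    "work_center": "LINE-02",
    "event_type": "LOT_COMPLETE",
    "timestamp": "2025-03-04T08:15:00Z",
    "quantity_good": 480,
    "quantity_scrap": 3,
    "operator_badge": "B-10234",
    "alloy_recipe": {"Ni": 0.21, "Cr": 0.18},
    "furnace_profile": [650, 720, 690],
    "debug_trace": "undeclared field",   # not in the policy: must stay local
}

CLOUD_PAYLOAD, LOCAL_RESIDUAL = split_record(SAMPLE_EVENT)
```

The default-to-local rule is the part worth keeping when adapting this: a new field added by an upstream MES release should never reach the cloud until someone has classified it.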

Manufacturing data governance now requires cross-disciplinary coordination among OT, IT security, and legal teams.


Identity and Access Management for OT Users and Machines

Converged IAM becomes the new perimeter

As IT/OT boundaries blur, identity is recognized as the primary security perimeter. AWS industrial data guidance and specialized IAM solutions stress consistent authentication and authorization across IT and OT.[12][13]

Key security implications for MES include:

  • Plant operators, engineers, and external service providers access MES from various locations and devices.
  • MES APIs are used by humans as well as by automation systems, edge agents, and partners.
  • Identity assurance directly impacts risks of sabotage or data leakage.

Design elements of robust IAM for cloud MES

Critical IAM practices for secure MES in these environments include:

  • Central directory and federation

    • Consolidate MES authentication through enterprise identity providers with SSO (SAML or OIDC).
    • Apply conditional access for administrative roles.
  • Role-based and attribute-based access control

    • Define roles such as line supervisor, quality technician, and service engineer.
    • Map permissions to OT tasks and enforce least privilege.
  • Multi-factor authentication and privileged access

    • Require MFA for high-risk functions.
    • Use privileged access management (PAM) and just-in-time elevation for sensitive operations.[14]
  • Machine and workload identities

    • Assign unique identities to MES gateways and automation services.
    • Rotate credentials automatically and avoid shared accounts.

IAM in manufacturing now encompasses every MES API call across the industrial ecosystem.


Zero Trust Security for Cloud-Enabled MES

Applying IEC 62443 zones and conduits to MES

IEC 62443 standards define security zones, conduits, and security levels for industrial automation and control systems, and set out requirements for asset owners, suppliers, and service providers, using zones-and-conduits and security levels to govern controls.[15][16]

Cloud MES integrations are modeled as controlled conduits between the Site Operations Zone or DMZ (Level 3/3.5) and the Enterprise/Cloud Zone (Level 4/5).[10] This enables:

  • Explicit security level definitions for MES conduits (SL2 or SL3, depending on criticality).
  • Defined inspection points at DMZ firewalls and application gateways.
  • Segregation of MES traffic from direct controller or safety-system networks.

Industrial DMZs with dual firewalls and jump hosts are anchored in this model and recommended in standards and vendor references.[17]

Aligning zero trust principles with OT constraints

Zero trust security, as defined in NIST SP 800-207, is influencing converged IT/OT security. The publication establishes zero trust as a model in which identities, devices, and context are continuously verified, and network location alone does not confer trust.[18]

OT security guidance increasingly combines zero trust with IEC 62443 zoning.[19] Practical zero trust measures in MES-centric architectures include:

  • Strong authentication and authorization for every MES API and session.
  • Microsegmentation between MES, historians, SCADA, and safety systems by IEC 62443 zones.
  • mTLS-encrypted, authenticated connections between cloud and site gateways.
  • Continuous monitoring for anomalous MES traffic.

Table 2 - Example zero trust control set for a cloud MES conduit

| Domain | Example controls at MES conduit (DMZ) | Zero trust question addressed |
|---|---|---|
| Identity | SSO + MFA for MES admins; service certificates for gateways | Is this user or service who it claims to be? |
| Device posture | Only hardened, monitored servers as MES gateways | Is this device in a trustworthy state? |
| Network | Firewall rules limited to MES endpoints; protocol inspection | Should this connection be allowed at this time? |
| Application | RBAC for MES APIs; rate limiting; API tokens tied to roles | Is this call allowed for this role and function? |
| Data | TLS for all traffic; field-level encryption; DLP on exports | Is sensitive data adequately protected? |
| Telemetry & SIEM | Centralized logging into an OT-aware SIEM | Can anomalies be detected and investigated? |

Zero trust in OT must be applied pragmatically to avoid interfering with real-time or safety functions, but is increasingly treated as an extension of IEC 62443 zoning.
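The control set in Table 2, worked through as a policy decision for a single MES API call (an added example, not code from the article or any MES product): each zero trust question becomes an explicit check, and every failing check is returned rather than only the first, so the conduit can log the full reason set to the SIEM. The roles, operations, zone names, and sample requests are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed role model using the page's example roles; each role gets only the
# MES API operations its OT task needs (least privilege).
ROLE_PERMISSIONS = {
    "line_supervisor": {"read_orders", "report_production", "close_lot"},
    "quality_technician": {"read_orders", "record_inspection", "release_quality_hold"},
    "service_engineer": {"read_orders", "read_diagnostics"},
    "mes_admin": {"read_orders", "update_config", "manage_users"},
}
HIGH_RISK_OPS = {"update_config", "manage_users", "release_quality_hold"}  # MFA always
# Zones that may originate calls into the conduit; controller/safety networks never do.
ALLOWED_SOURCE_ZONES = {"industrial_dmz", "enterprise_it", "cloud_tenant"}

@dataclass
class MesRequest:
    principal: str                  # user or workload identity
    role: str
    operation: str
    source_zone: str
    authenticated: bool             # SSO/OIDC token or mTLS client certificate validated
    mfa_verified: bool
    device_hardened: bool           # posture signal from the gateway/endpoint agent
    session_expires: Optional[datetime] = None   # time-bound remote session, if any
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

def authorize(req: MesRequest) -> tuple:
    """Answer each Table 2 question; return (allowed, reasons). Every failing
    control is recorded, not just the first, so the SIEM sees the whole picture."""
    reasons = []
    if not req.authenticated:
        reasons.append("identity: principal not authenticated")
    if req.operation in HIGH_RISK_OPS and not req.mfa_verified:
        reasons.append("identity: MFA required for high-risk operation")
    if not req.device_hardened:
        reasons.append("device: posture check failed")
    if req.source_zone not in ALLOWED_SOURCE_ZONES:
        reasons.append(f"network: source zone {req.source_zone!r} not permitted")
    if req.session_expires is not None and req.now >= req.session_expires:
        reasons.append("network: time-bound remote session has expired")
    if req.operation not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"application: role {req.role!r} may not {req.operation!r}")
    return not reasons, reasons

def run_samples() -> dict:
    """Constructed requests: one allowed call, then one per failing control."""
    t0 = datetime(2025, 3, 4, 8, 0, tzinfo=timezone.utc)
    samples = {
        "qt_release_hold_ok": MesRequest("qa.lee", "quality_technician", "release_quality_hold", "enterprise_it", True, True, True, now=t0),
        "qt_release_hold_no_mfa": MesRequest("qa.lee", "quality_technician", "release_quality_hold", "enterprise_it", True, False, True, now=t0),
        "supervisor_changes_config": MesRequest("op.kim", "line_supervisor", "update_config", "industrial_dmz", True, True, True, now=t0),
        "controller_zone_to_cloud": MesRequest("hist-collector", "service_engineer", "read_orders", "controller_network", True, True, True, now=t0),
        "vendor_session_expired": MesRequest("ext.vendor", "service_engineer", "read_diagnostics", "enterprise_it", True, True, True, session_expires=t0 - timedelta(minutes=5), now=t0),
    }
    return {name: authorize(req) for name, req in samples.items()}
```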


Regulatory and Standards Drivers: NIS2, IEC 62443, and Assurance

NIS2: From IT security to operational resilience

The EU's NIS2 Directive expands cybersecurity requirements for critical and important sectors, including manufacturing.[20] It classifies many manufacturing organizations as "essential" or "important" entities, mandating an initial incident notification within 24 hours and follow-up reporting within 72 hours to one month.[21]

Germany transposed NIS2 into national law via amendments to the Federal Office for Information Security Act (BSIG) in December 2025.[22]

NIS2 requires:

  • Risk management across IT and OT, including business continuity and disaster recovery.
  • Supply chain cybersecurity, referencing service providers of networked production systems, including MES, SCADA, OT gateways, and data pipelines.[23]
  • Documented incident response and regular audits of providers.[24]

Cloud MES security and governance are now regulatory obligations for many manufacturers.

Standards and attestations: IEC 62443, NIST guidance, ISO 27001, SOC 2

Industrial cybersecurity programs increasingly map to multiple frameworks:

  • IEC 62443 for OT architecture, zoning, security levels, and provider requirements (e.g., IEC 62443-2-4).[16]
  • NIST SP 800-82 for ICS/SCADA security, and NIST SP 800-207 for the zero trust principles now being applied in OT/IT networks.[25]
  • ISO/IEC 27001 and SOC 2 for information security management and SaaS assurance, often required for cloud MES procurement.[26]

Vendor attestations support due diligence but do not ensure acceptable risk. Under NIS2 and internal governance, manufacturers must:

  • Assess vendor controls and integration with plant OT security.
  • Verify and monitor shared responsibility boundaries.
  • Incorporate MES and related cloud services into enterprise response plans and testing.

Design Recommendations and Next Steps for Manufacturing Leaders

Governance and architecture

Recommended governance actions for cloud MES adoption include:

  • Establish joint IT/OT/cloud security governance covering MES, with clear RACI for architecture, operations, and incident response.
  • Map MES data flows and trust boundaries across OT, DMZ, IT, and cloud, ensuring correct definition and strengthening of IEC 62443 zones and conduits.[27]
  • Align architecture with reference models (Purdue, IEC 62443, NIST), adapting to hybrid MES scenarios.[4]

Technical control priorities

Consistently recommended controls from incident analyses and best-practice guidance include:[7]

  • Segment and protect MES conduits

    • Deploy gateways in DMZs with dual firewalls.
    • Minimize open ports and use HTTPS with mTLS.
    • Apply IDS/IPS and anomaly detection on MES traffic.
  • Harden identity and remote access

    • Implement SSO, MFA, and PAM for MES admins and service providers.
    • Use time-bound, approval-based remote sessions with recording and audits.
  • Elevate logging and observability

    • Centralize logs from MES, gateways, identity providers, and OT assets in an OT-aware SIEM.
    • Develop playbooks for detecting suspicious MES activity.
  • Strengthen backup and recovery

    • Ensure data and configurations can be restored independent of primary cloud regions.
    • Regularly test MES edge recovery and integrations.
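One way to turn the logging and playbook recommendations above into detection logic (an added Python example, not from the article or any SIEM product): a handful of rules run over constructed gateway and identity-provider events, flagging privileged logins without MFA, API calls from zones that must never reach the conduit, workload identities used without their mTLS certificate, and high-risk operations performed after a non-MFA login. The key=value log schema, principals, and zone names are invented for this example.

```python
import re

# Constructed MES gateway / identity-provider events in key=value form. The
# schema is invented for this example and does not follow any vendor's format.
SAMPLE_LOGS = """\
ts=2025-03-04T07:58:11Z src=idp user=j.meyer role=mes_admin event=login mfa=true zone=enterprise_it
ts=2025-03-04T08:02:40Z src=gateway principal=svc-edge-line02 auth=mtls event=api op=report_production zone=industrial_dmz
ts=2025-03-04T08:05:03Z src=idp user=ext.vendor role=service_engineer event=login mfa=false zone=enterprise_it
ts=2025-03-04T08:05:09Z src=gateway principal=ext.vendor auth=session event=api op=update_config zone=enterprise_it
ts=2025-03-04T08:07:55Z src=gateway principal=svc-edge-line02 auth=session event=login mfa=false zone=industrial_dmz
ts=2025-03-04T08:09:30Z src=gateway principal=hist-collector auth=mtls event=api op=read_orders zone=controller_network
"""

# Roles whose logins must always carry MFA (MES admins and external service providers).
PRIVILEGED_ROLES = {"mes_admin", "service_engineer"}
# Zones allowed to reach the MES conduit; controller/safety networks are not.
ALLOWED_ZONES = {"industrial_dmz", "enterprise_it", "cloud_tenant"}
HIGH_RISK_OPS = {"update_config", "manage_users", "release_quality_hold"}
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line: str) -> dict:
    """Turn one key=value log line into a dict; unknown keys are kept as-is."""
    return dict(KV_RE.findall(line))

def detect(log_text: str) -> list:
    """Run the playbook rules over the log and return (rule, principal, ts) findings.
    Rule 4 is stateful: it remembers which principals logged in without MFA."""
    findings, no_mfa_logins = [], set()
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        who = ev.get("user") or ev.get("principal")
        # Rule 1: privileged or third-party login without MFA
        if ev.get("event") == "login" and ev.get("mfa") == "false" and ev.get("role") in PRIVILEGED_ROLES:
            findings.append(("login_without_mfa", who, ev["ts"]))
            no_mfa_logins.add(who)
        # Rule 2: MES API call originating from a zone that must never reach the conduit
        if ev.get("event") == "api" and ev.get("zone") not in ALLOWED_ZONES:
            findings.append(("api_from_disallowed_zone", who, ev["ts"]))
        # Rule 3: workload identity (svc-*) used without its mTLS certificate
        if who and who.startswith("svc-") and ev.get("auth") != "mtls":
            findings.append(("service_identity_without_mtls", who, ev["ts"]))
        # Rule 4: high-risk operation inside a session whose login lacked MFA
        if ev.get("event") == "api" and ev.get("op") in HIGH_RISK_OPS and who in no_mfa_logins:
            findings.append(("high_risk_op_after_no_mfa_login", who, ev["ts"]))
    return findings
```

Rule 4 is the one that needs identity-provider and gateway logs in the same SIEM; neither source alone can see that the configuration change followed a login without MFA.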

Resilience, testing, and incident response

Analyses show that business interruption drives most of the financial impact in manufacturing incidents; recent incident analyses indicate that outages of automation and production systems can cause losses from tens to hundreds of millions per event.[6]

Resilience-focused actions include:

  • Tabletop exercises and red-team simulations involving cloud MES, gateways, and ERP/MES integration points.
  • Zero trust and segmentation validation through attack emulation or factory network testbeds.[28]
  • NIS2-compliant incident reporting workflows, integrating MES, IT, and OT stakeholders to meet rapid deadlines.

Frequently Asked Questions

How does cloud-native MES change manufacturing cybersecurity compared with on-premises systems?

Cloud-native MES introduces internet-facing APIs, centralized SaaS backends, and continuous integration, expanding the attack surface beyond plant networks. It also enables stronger IAM, standardized logging, and more rapid patching compared to many legacy deployments.

In converged IT/OT environments, MES becomes a critical conduit between OT networks and cloud analytics, requiring explicit zoning, encryption, and identity controls. Security depends on both plant- and cloud-level configuration.

Where should MES data reside to balance performance and compliance?

Manufacturers often use a hybrid model, keeping time-critical execution and buffering near the line while centralizing historical and analytical data in regional cloud environments. Regional hosting and data minimization help meet regulatory and sovereignty requirements.

Sensitive process or export-controlled information is retained on-premises or encrypted with customer-managed keys, while aggregated data supports cloud analytics. The exact approach is determined by a data classification framework spanning OT, IT, and legal teams.

Can zero trust security be applied in OT without disrupting production?

Zero trust can be applied incrementally by focusing on high-value conduits such as MES integrations and remote access. Combining IEC 62443 zoning with identity, mTLS, and microsegmentation allows for more granular controls without re-architecting core networks.

Organizations often start with MFA and SSO for MES and remote access, DMZ hardening, and centralized logging before progressing to advanced policy engines. Close collaboration between OT engineers and security teams is essential to avoid disrupting control or safety functions.

What incident reporting obligations apply to MES under NIS2?

Under NIS2, manufacturers classified as essential or important must report major cybersecurity incidents affecting service provision. MES disruptions impacting production, safety, or supply chains may meet this threshold.

Organizations must submit initial notification within 24 hours, followed by detailed updates and a final report within one month. Response processes need criteria for when MES events trigger NIS2 reporting and guidance on collecting cross-domain evidence.

Which metrics help track security posture in a cloud manufacturing environment?

Key metrics include time to detect and contain MES incidents, MFA and SSO coverage for MES and OT administrators, the number of unsegmented or non-hardened MES conduits, and the percentage of MES and OT assets under centralized monitoring.

Additional metrics track recovery test frequency and results, high-severity findings from assessments, and the percentage of critical suppliers (including cloud MES providers) with compliant security attestations.