The four-day disclosure clock is ticking, and your legacy OT network is not ready to tell time.
The SEC has officially ruined your long weekend. With new rules requiring a Form 8-K filing within four business days of a “material” incident, public companies are scrambling. But for the manufacturing sector, this isn’t just a compliance headache; it’s a forensic nightmare. While IT teams worry about exfiltrated emails, OT teams are staring at legacy PLCs that don’t even have logs. If you think your “air gapped” factory floor is safe from scrutiny, you are delusional. The clock is ticking, and that fortress you built out of firewalls is about to be tested. You need to know what “material” really means when physics is involved.
Defining Materiality When Physics is Involved
Let’s be clear about what ‘material’ actually means when we step out of the cloud and onto the shop floor. In the carpeted world of IT, a breach is usually a violation of privacy — someone stole a database of emails or passwords. It is quiet. It is a theft. In the gritty world of Operational Technology (OT), a breach is not a theft; it is a hostage situation involving physics.
When the SEC demands you disclose a ‘material’ incident within four business days, they are asking what a reasonable investor cares about. Investors do not care about your firewall rules; they care about revenue. If a bad actor pivots from a phishing email into your HMI (Human Machine Interface) and brick-walls your primary assembly line, the money stops. That is immediate materiality. The factory goes dark, shipments are missed, and the stock price takes a nosedive.
Think of it this way: an IT breach is like someone sneaking into a library and photocopying rare books. It is bad, but the library stays open. An OT breach is a bomb threat. The building is evacuated, the doors are locked, and operations cease until the bomb squad gives the all-clear. The impact is kinetic.
Here is the nightmare scenario the new rules have created: the 96-hour clock is ticking, but your forensic capabilities in the factory are non-existent. In a modern IT stack, you have logs. You have traces. In a legacy OT environment, you are staring at a programmable logic controller (PLC) or a drive controller that has zero logging capabilities, or worse, is running Windows XP Embedded. You are in forensic hell. You know something is broken because the machine stopped, but you have no idea how it happened or how far the blast radius extends.
Do not bank on a reprieve from the government, either. The rules technically allow for a delay if the US Attorney General determines disclosure poses a risk to national security. Let me be blunt: unless you are a primary defence contractor building guidance systems, you are not getting that delay. You are going to have to file that 8-K while you are still scrambling to find the ethernet cable connecting that compromised PLC to the network.
The reality is that the SEC clock is ticking for manufacturing, and most of you are trying to tell time with a sundial in the dark. You cannot determine the ‘nature and scope’ of an incident in four days if your devices cannot even tell you who logged into them.
The Air Gap Lie and the Visibility Void
Let’s rip the bandage off the biggest fairy tale in industrial automation: the Air Gap. I have walked into countless facilities where the CISO swears on a stack of manuals that their Operational Technology network is physically isolated from the internet. Yet, five minutes of scanning usually reveals a dual-homed maintenance laptop bridging the divide, or a vendor running TeamViewer on a cellular hotspot to patch a press because they didn’t want to drive to the site in the snow.
This isn’t a fortress; it is a porous slice of Swiss cheese. The reality is that your factory floor is a black box, and that is a fatal flaw under the new rules.
The SEC requires you to describe the nature, scope, and timing of the incident. How exactly do you plan to do that when your network visibility stops at the corporate firewall? You cannot report what you cannot see. In the IT world, you have centralized logging, endpoint detection, and fancy dashboards. In the OT world, you have unmanaged switches and PLCs that haven’t been rebooted since the Bush administration. When a bad actor gets in, they aren’t tripping alarms because there are no alarms to trip. You are flying blind, and by the time you realize something is wrong, the damage is likely catastrophic.
This lack of visibility is compounded by the “flat network” architecture that plagues manufacturing. Because legitimate traffic needs to flow everywhere to keep the line moving, illegitimate traffic can too. We call this the blast radius. In your current setup, a single compromised laptop in the shipping department can pivot directly to the SCADA system controlling the furnaces. There is no internal segmentation to stop the bleed.
Reliance on the air gap is simply reliance on security through obscurity, which we all know is a polite way of saying “failure.” Shenanigans are happening on your network right now — engineers bridging connections for convenience, vendors bypassing protocols for speed — and you are oblivious to it. If you think you can conduct a forensic investigation in four days on a network built on blind faith and RS-232 cables, you are in for a very rude awakening. You don’t just need a lock on the door; you need to turn the lights on.
Kill the VPN and Segment or Die Trying
If the air gap is the fairy tale we tell our auditors, the VPN is the loaded weapon we hand our executioners. Let’s be blunt: for OT access, the VPN is a dumpster fire. It is a relic from an era where we believed that once you were “inside” the castle walls, you could be trusted. That logic does not hold up when the barbarians are already inside using valid credentials they bought on the dark web.
The fundamental problem is that a VPN provides network-level access. It gives a remote user — or a compromised vendor laptop — an IP address on your plant floor. That is all-or-nothing access. Once that tunnel is established, the bad actors can pivot, scan, and move laterally from a benign shipping terminal to your critical safety systems. To survive the SEC’s four-day disclosure clock, you must kill the VPN and adopt a Zero Trust architecture where identity is the new perimeter.
We need to stop connecting people to networks and start connecting them to resources. This is where the Identity-Aware Proxy comes in. Instead of bridging a remote user onto the operational network, the proxy sits in the middle. It authenticates the user (via multi-factor authentication), checks the device hygiene, and authorizes the specific request before a single packet touches the destination server.
This shift enables micro-segmentation, which is your only hope of controlling the “materiality” of a breach. Consider the difference:
- Scenario A (VPN): A vendor’s laptop is pwned. They VPN into your facility. The malware crawls across the flat network, encrypting everything from the HMI to the historian. That is a material event. You are filing an 8-K.
- Scenario B (Zero Trust): That same pwned laptop tries to access your facility. The Identity-Aware Proxy allows the user to see only the specific HMI screen they are authorised to view, rendered in a browser. The malware has nowhere to go. The blast radius is contained to a single session.
This approach also solves the visibility crisis. The SEC demands you describe the nature and scope of an incident. VPN logs are notoriously opaque — they tell you an IP connected, not what it did. An identity-based system provides a granular audit trail: “User X accessed PLC Y at 14:00.” That is the difference between a frantic four-day scramble and a confident, precise report. This is not just about avoiding fines; it is about operational resilience. You cannot secure what you cannot segment.
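As an added example (not code from the original post), here is a minimal Python sketch of the decision point described above: one identity-aware proxy check covering MFA, device posture and per-action role, which writes an audit record for every decision so the trail can answer “User X accessed PLC Y at 14:00” and scope an incident. Role names, posture fields, resource names and timestamps are constructed for illustration.

```python
# Added example (not from the original post): a minimal identity-aware proxy decision
# point for OT resources and its per-action audit trail; all names are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Principal:
    user: str
    mfa_verified: bool
    roles: frozenset
@dataclass
class Device:
    device_id: str
    edr_healthy: bool   # hypothetical posture signal from the endpoint agent
    os_supported: bool  # False for an end-of-life OS such as XP Embedded
@dataclass
class Resource:
    name: str           # e.g. "PLC-7" or "HMI-LINE1"
    actions: dict       # action -> role that may perform it
AUDIT: list = []        # one record per decision, allowed or denied

def authorize(p: Principal, d: Device, r: Resource, action: str, now: datetime) -> bool:
    """Decide one action on one resource (never network-level access), then log it."""
    if not p.mfa_verified:
        reason = "mfa_missing"
    elif not (d.edr_healthy and d.os_supported):
        reason = "device_posture_failed"
    elif r.actions.get(action) not in p.roles:
        reason = "role_not_authorized"
    else:
        reason = "ok"
    AUDIT.append({"ts": now.isoformat(), "user": p.user, "device": d.device_id,
                  "resource": r.name, "action": action, "reason": reason})
    return reason == "ok"

def scope_incident(user: str, since: datetime) -> list:
    """Nature and scope: which resources did this identity actually reach since `since`?"""
    return sorted({e["resource"] for e in AUDIT if e["user"] == user
                   and e["reason"] == "ok" and datetime.fromisoformat(e["ts"]) >= since})

def demo() -> tuple:
    t0 = datetime(2024, 6, 3, 14, 0, tzinfo=timezone.utc)   # constructed timestamp
    plc = Resource("PLC-7", {"view": "operator", "program": "controls_engineer"})
    vendor = Principal("vendor.jane", True, frozenset({"operator"}))
    bad_laptop = Device("LT-VENDOR-01", edr_healthy=False, os_supported=True)
    good_ws = Device("WS-CTRL-02", edr_healthy=True, os_supported=True)
    from_laptop = authorize(vendor, bad_laptop, plc, "view", t0)   # denied: device posture
    view_ok = authorize(vendor, good_ws, plc, "view", t0)          # allowed: view only
    program = authorize(vendor, good_ws, plc, "program", t0)       # denied: role
    return from_laptop, view_ok, program, scope_incident("vendor.jane", t0)
```

Each denied attempt is logged alongside the allowed ones, which is what lets an incident responder state who reached which controller and when instead of guessing from an opaque VPN connection log.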
Conclusions
The SEC isn’t asking for the impossible, but they are exposing the negligent. Relying on obscurity or the hope that “nobody hacks factories” is no longer a strategy; it’s a liability. You cannot defend what you cannot see, and you cannot report what you don’t understand. Tear down the VPNs, implement Zero Trust, and treat identity as your new perimeter. If you don’t, you won’t just be explaining a production outage to your boss — you’ll be explaining it to federal regulators. Fix your architecture before the four-day timer starts. Patch your humans, segment your networks, and get some real visibility.
