Updated: 15 Apr 2026
The production line runs 24 hours a day. A line shutdown at a capital goods manufacturing facility in Pune costs between Rs 5 and Rs 20 lakh per hour, depending on the product and the customer contract. Security teams at these facilities know this number precisely. It is the reason MFA has not been deployed on OT systems.
The reasoning is understandable. The risk calculus is wrong.
In Indian capital goods manufacturing, OT systems, including PLCs, SCADA platforms, and manufacturing execution systems, are increasingly connected to IT networks for remote monitoring, predictive maintenance, and ERP integration. The authentication requirements that remote connectivity creates were not part of the original OT deployment design.
The result: a modern industrial network where the office Active Directory is protected by MFA, the corporate VPN requires a second factor, and the SCADA system on the same network segment authenticates with a shared password the OEM engineer set during commissioning in 2017.
CERT-In CISG-2025-02 requires MFA for all remote access connections, covering remote access to OT systems, SCADA platforms, and industrial control systems without exception for operational technology environments. The CERT-In auditor does not accept operational continuity as a reason for non-compliance. They ask for the control. They ask for the log.
A compromised credential on an OT-connected system in a capital goods manufacturing facility does not produce a data breach. It produces production disruption, potential equipment damage, and in safety-critical environments, physical risk.
The factory floor cannot stop for a security deployment.
It can stop because one was never done.
Cisco Duo, Cisco's identity security platform, integrates with OT environments via RADIUS, covering SCADA access, MES authentication, remote monitoring platforms, and vendor remote access without requiring legacy OT systems to be replaced or reconfigured at the PLC level. Named individual authentication replaces shared OT credentials. Session logs satisfy CERT-In 180-day retention requirements.
In Proactive's Cisco Duo deployments across capital goods manufacturing environments in Pune and Mumbai, the credential audit consistently finds shared credentials on OT-connected systems: commissioning accounts never deactivated, vendor maintenance accounts from closed service engagements, and shift operator team accounts provisioned because individual accounts were never implemented.
The deployment does not stop the line. It starts with privileged access and vendor remote access. The shop floor notices nothing. The CERT-In auditor notices everything has changed.
Proactive is a Cisco Preferred Security Partner deploying Cisco Duo across capital goods and industrial OT environments in Pune and Mumbai. We have deployed into running production environments. We know how to do it without stopping them.
The factory floor cannot stop.
The authentication gap already has.
Talk to a Proactive Cisco Duo specialist. Write to [email protected].
We'll get back to you shortly.
