Mid-market manufacturers are accelerating adoption of open interoperability standards to modernize aging control systems, driven by surging cyberattacks on legacy operational technology (OT) and new federal guidance that explicitly frames proprietary vendor lock-in as a security liability.
Background
Although the fourth industrial revolution has been underway for more than a decade, the manufacturing sector continues to struggle with upgrading to Industry 4.0-conforming technologies. Small and medium enterprises in particular cannot always afford to replace legacy systems outright. The dominant retrofit challenge is protocol heterogeneity: early industrial communications networks relied on serial-based interfaces that became de facto standards, producing a fragmented market of incompatible variants. Legacy protocols such as Modbus and PROFIBUS remain widely embedded on production floors.
Against this backdrop, the threat environment has deteriorated sharply. Manufacturing emerged as the most heavily targeted sector in 2025, with ransomware attacks rising 56% from 937 incidents in 2024 to 1,466 in 2025 and average ransom demands more than doubling from $523,000 to $1.16 million. Roughly 80% of firms still harbor critical vulnerabilities in legacy OT systems, according to Q3 2025 industrial sector data.
Details
On interoperability and standards, CISA's 2025 guidance documents converge on a single message: proprietary protocols and vendor lock-in are security liabilities, and manufacturers should adopt open standards and participate in formal certification and interoperability testing programs. CISA's January 2025 Secure by Demand guidance, co-authored with the NSA, FBI, EPA, and TSA, frames vendor lock-in as an ownership problem that impedes operator autonomy. The document cites a real-world case in which an asset owner had to remove an entire architecture after a proprietary vendor went out of business, illustrating the supply-chain risk that U.S. government buyers are working to eliminate.
CISA found that many organizations delayed or declined to implement secure communications because of significant costs, including retrofitting legacy systems and upgrading hardware for cryptography. During procurement, operators frequently faced a choice between fully upgrading components, which can cost as much as the original equipment, or "wrapping" legacy traffic with gateways that add authentication between the gateways but leave the legacy leg unprotected and so provide less comprehensive protection. Given those costs, many chose segmentation and continuous monitoring as more predictable investments while expressing concern about vendor lock-in.
OPC Unified Architecture (OPC UA) has emerged as a widely accepted Industry 4.0 standard, enabling manufacturer-independent data exchange. The VDMA, Europe's largest industrial association, lists OPC UA as "a key prerequisite for the successful introduction of Industry 4.0 into production." When devices and edge gateways share common protocols and data models, teams avoid costly point-to-point integrations and can scale from one-off proofs of concept to full rollouts. OPC UA provides a structured way to expose machine data so that higher-level systems can consume it consistently, reducing custom adapters and improving data quality.
The Open Process Automation Standard (O-PAS), developed by the Open Process Automation Forum (OPAF), pursues a broader objective. O-PAS defines an open, standards-based, secure architecture for hardware- and software-platform independence, aiming to reduce total cost of ownership, accelerate innovation, and increase flexibility for industrial process control. However, ten years since its launch, O-PAS may be at a crossroads for adoption, though some of its concepts have already entered mainstream industrial automation discussions.
Executives within the sector acknowledge that the cost-benefit trade-off between vendor standardization and potential lock-in remains a key technical decision for each organization. Vendor lock-in can create technical silos and single-supplier dependencies that make system changes prohibitively expensive while limiting integration of external tools.
Retrofitting legacy systems delivers measurable advantages: addressing compatibility issues with new devices and technologies, meeting current process requirements, and strengthening security and regulatory compliance. The process starts with evaluating the legacy system's attributes and limitations, then integrating modern technologies to improve efficiency and interoperability while leveraging existing facilities to reduce costs.
On the cybersecurity side, operators are advised to prioritize products that support crypto-agility, so that cryptographic algorithms can be replaced over a product's lifespan without replacing the product, and to ensure that open-standard protocol implementations are properly certified, including the security features they implement, such as key exchange mechanisms. OT leaders are now expected to extend protection models beyond the plant into contracts, vendor audits, and software bills of materials (SBOMs).
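The two points above, gateway "wrapping" of an unauthenticated legacy protocol and crypto-agility, are easiest to see side by side in code. The following is an added illustrative example, not code from the article, from CISA, or from any vendor's gateway product. It assumes a pair of gateways sharing a pre-provisioned symmetric key, a hypothetical wrapper header that names the MAC algorithm by an identifier so the algorithm can be rotated or retired later, and a constructed Modbus/TCP "write single register" frame as the legacy traffic. It shows what the wrapper adds on the gateway-to-gateway leg (integrity, origin authentication, replay detection) and what it cannot add on the leg between the far gateway and the PLC, where the frame is still plain Modbus.

```python
"""Gateway wrapping of legacy Modbus/TCP with a crypto-agile MAC header.

Added example (not the article's, CISA's, or any vendor's code). Assumptions:
a shared symmetric key between the two gateways; a hypothetical 5-byte wrapper
header [alg_id:1][seq:4]; plain Modbus/TCP on the PLC-side leg.
"""
import hashlib
import hmac
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id.
MBAP = struct.Struct(">HHHB")
WRAP_HDR = struct.Struct(">BI")  # hypothetical wrapper header: alg_id, sequence number

# Constructed sample: tid=1, unit=1, function 0x06 (write single register),
# register 0x0010 := 0x0003. Modbus carries no authentication field at all.
SAMPLE_FRAME = bytes.fromhex("0001 0000 0006 01 06 0010 0003".replace(" ", ""))
KEY = b"pre-provisioned-gateway-key"  # constructed for the example only

# Crypto-agility: the algorithm is looked up by id, so adding a new entry
# (or retiring an old one) does not change the frame layout or the key.
MAC_ALGS = {
    1: ("hmac-sha256", hashlib.sha256),
    2: ("hmac-sha3-256", hashlib.sha3_256),
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU. Anyone on the PLC-side leg can do this."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError("not Modbus/TCP")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    pdu = frame[MBAP.size:]
    return {"transaction_id": tid, "unit_id": unit, "function": pdu[0], "data": pdu[1:]}


def wrap(frame: bytes, key: bytes, alg_id: int = 1, seq: int = 0) -> bytes:
    """Near-side gateway: prepend alg id + sequence number, append MAC over both."""
    _, digest = MAC_ALGS[alg_id]
    header = WRAP_HDR.pack(alg_id, seq)
    tag = hmac.new(key, header + frame, digest).digest()
    return header + frame + tag


def unwrap(wrapped: bytes, key: bytes, expected_seq: int, retired=frozenset()) -> bytes:
    """Far-side gateway: reject unknown/retired algorithms, bad MACs and replays.

    Returns the raw Modbus frame that is then forwarded, unprotected, to the PLC.
    """
    if len(wrapped) < WRAP_HDR.size:
        raise ValueError("wrapper header truncated")
    alg_id, seq = WRAP_HDR.unpack_from(wrapped)
    if alg_id not in MAC_ALGS or alg_id in retired:
        raise ValueError(f"unsupported or retired MAC algorithm id {alg_id}")
    _, digest = MAC_ALGS[alg_id]
    tag_len = digest().digest_size
    if len(wrapped) < WRAP_HDR.size + MBAP.size + 1 + tag_len:
        raise ValueError("wrapped frame truncated")
    body, tag = wrapped[:-tag_len], wrapped[-tag_len:]
    expected = hmac.new(key, body, digest).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("bad MAC: frame rejected")
    if seq != expected_seq:
        raise ValueError("replayed or out-of-order frame")
    return body[WRAP_HDR.size:]


def tampered_copy(wrapped: bytes) -> bytes:
    """Flip one bit of the register value inside the wrapped frame (attacker on the wire)."""
    buf = bytearray(wrapped)
    buf[WRAP_HDR.size + len(SAMPLE_FRAME) - 1] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    w = wrap(SAMPLE_FRAME, KEY, alg_id=1, seq=7)
    plc_frame = unwrap(w, KEY, expected_seq=7)
    # On the PLC leg the same frame is fully readable and writable again.
    print("forwarded to PLC:", parse_modbus_tcp(plc_frame))
    for label, bad, seq, retired in (
        ("tampered", tampered_copy(w), 7, frozenset()),
        ("replayed", w, 8, frozenset()),
        ("retired alg", w, 7, frozenset({1})),
    ):
        try:
            unwrap(bad, KEY, seq, retired)
        except ValueError as e:
            print(f"{label}: rejected ({e})")
```

The design choice worth noting is the algorithm id in the header: rotating from `hmac-sha256` to `hmac-sha3-256` (or retiring id 1 on the receiving gateway) needs no change to the frame format, which is the practical meaning of crypto-agility in a product meant to outlive its original cipher suite. Equally important is what `unwrap` returns: the plain Modbus frame, which is why CISA describes wrapping as less comprehensive than upgrading the endpoint itself.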
Outlook
The 2025 regulatory landscape is driving significant shifts in how U.S. industrial and critical infrastructure organizations must secure their OT environments, with several key frameworks shaping compliance requirements across energy, manufacturing, and other sectors reliant on industrial control systems. Procurement teams should audit existing vendor agreements for restrictions on third-party maintenance or security testing and treat such restrictions as disqualifying factors in future procurements. U.S. operators with federal contracts should also anticipate that sector risk management agencies will increasingly use the 12 priority considerations in CISA's Secure by Demand guidance as the basis for compliance assessments. The challenge is compounded by OEM pressure to cut costs, which limits mid-market investment in upgrades; studies estimate that the inability of smaller firms to invest in equipment contributes to a 40% productivity gap relative to large manufacturers.
