
A ransomware attack hit a water treatment plant in Minot, North Dakota this week, forcing operators to run the facility manually for 16 hours while systems were restored. Water safety and pressure were maintained throughout — the physical treatment process continued — but the digital control systems that monitor and manage operations were knocked offline, leaving operators to manage everything by hand.
For Houston businesses — particularly those in energy, manufacturing, petrochemical, and healthcare — this isn't a story about a small-town water plant. It's a preview of what happens when ransomware crosses the IT/OT boundary and disrupts operational technology systems that control physical processes.
Ransomware groups have learned that attacking operational technology creates dramatically more pressure to pay than attacking office systems. When email goes down, people are frustrated. When a production line stops, a pipeline shuts down, or medical equipment goes offline, the financial damage is measured in hundreds of thousands of dollars per hour, and the safety implications create urgency that no executive can ignore.
Greater Houston's economy is built on industries that operate critical infrastructure:
Every one of these environments has operational technology that was designed for reliability, not cybersecurity. Many run legacy systems — Windows XP, proprietary SCADA protocols, unpatched PLCs — that can't be updated without shutting down production.
The Minot water plant attack follows the same pattern seen in Colonial Pipeline (2021), JBS Foods (2021), and dozens of less-publicized incidents: the ransomware enters through IT systems and then impacts operations — either by directly reaching OT networks or by forcing operators to shut down OT as a precaution.
In many cases, the ransomware never actually touches the OT systems. The organization shuts down operations voluntarily because it can't confirm the threat hasn't crossed the boundary. The uncertainty is what forces the shutdown, and the uncertainty exists because IT/OT segmentation wasn't strong enough to provide confidence.
IT and OT networks must be architecturally separated — not just on different VLANs, but with firewalls, DMZs, and explicit allow-rules controlling every connection between them. The Purdue Model (ISA/IEC 62443) provides the reference architecture:
If a ransomware attack encrypts your entire corporate IT network, your OT systems should continue operating independently because they have no network path to the compromised systems.
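One way to check that property against real traffic, as an added example (not LayerLogix tooling): audit observed flow records against a zone plan and the explicit allow-rules, and flag anything that crosses the IT/OT boundary without passing through the DMZ. The address ranges, ports and flow records are constructed for illustration.

```python
import ipaddress

# Constructed zone plan (assumption): replace with your own address ranges.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}

# Explicit allow-rules between zones: (src_zone, dst_zone, dst_port).
# There is deliberately no IT<->OT entry: all exchange goes through the DMZ.
ALLOWED = {
    ("IT", "DMZ", 443),    # business systems read from a DMZ historian replica
    ("OT", "DMZ", 5432),   # OT historian pushes data out to the DMZ replica
}

def zone_of(addr):
    """Map an IP address to its zone name, or UNKNOWN if outside the plan."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"

def audit_flows(flows):
    """Return findings for flows that cross a zone boundary without an allow-rule."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz, port) in ALLOWED:
            continue  # intra-zone traffic or an explicitly permitted conduit
        # A direct IT<->OT flow defeats the segmentation entirely.
        severity = "critical" if {sz, dz} == {"IT", "OT"} else "review"
        findings.append((severity, sz, dz, src, dst, port))
    return findings

# Constructed flow records (src, dst, dst_port), e.g. exported from firewall logs.
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.0.5", 443),    # allowed: IT -> DMZ
    ("10.30.1.10", "10.20.0.5", 5432),   # allowed: OT -> DMZ
    ("10.10.4.21", "10.30.1.50", 3389),  # direct IT -> OT remote desktop
    ("10.20.0.5", "10.30.1.10", 445),    # DMZ -> OT with no allow-rule
    ("10.30.1.10", "10.30.1.50", 502),   # intra-OT, out of scope here
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

An empty result over a representative capture window is the evidence that lets operators keep OT running when the IT side is compromised.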
Traditional IT security tools (EDR, SIEM) don't understand OT protocols — Modbus, DNP3, OPC-UA, EtherNet/IP. You need OT-specific network monitoring that can detect anomalous commands, unauthorized connections, and configuration changes within industrial control networks. Tools like Claroty, Nozomi Networks, or Dragos provide this visibility.
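To make "understanding the protocol" concrete, here is an added example (not taken from any of the products named above) that parses a Modbus/TCP request and alerts on write commands from hosts that are not authorized to change PLC state. The host addresses and sample frames are constructed.

```python
import struct

# Modbus function codes that change device state.
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Assumption: only this engineering workstation (constructed address) may write.
AUTHORIZED_WRITERS = {"10.30.1.10"}

def parse_modbus_tcp(payload):
    """Parse the MBAP header plus function code; None if not valid Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    # Protocol id is always 0; length counts every byte after the length field.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": func}

def inspect(src_ip, payload):
    """Return an alert dict for a suspicious request, or None if it looks normal."""
    pdu = parse_modbus_tcp(payload)
    if pdu is None:
        return {"reason": "malformed frame", "src": src_ip}
    name = WRITE_FUNCTIONS.get(pdu["func"])
    if name and src_ip not in AUTHORIZED_WRITERS:
        return {"reason": "unauthorized write", "src": src_ip,
                "function": name, "unit": pdu["unit"]}
    return None  # reads, and writes from authorized hosts, pass

# Constructed request frames (TCP payloads sent to port 502).
READ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)               # read 10 registers
WRITE_ONE = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 100, 1234)      # register 100 := 1234
WRITE_MANY = struct.pack(">HHHBBHHBH", 3, 0, 9, 1, 16, 200, 1, 2, 500)
BAD = WRITE_ONE[:-1]                                                # length field mismatch

if __name__ == "__main__":
    for src, frame in [("10.30.1.20", READ), ("10.30.1.10", WRITE_ONE),
                       ("10.10.4.21", WRITE_ONE), ("10.10.4.21", BAD)]:
        print(src, inspect(src, frame))
```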
Your incident response plan must address the IT/OT question explicitly: under what conditions do you shut down operations? Who makes that decision? What are the manual operation procedures? How long can you operate manually? The Minot plant could operate manually for 16 hours. Can your facility?
PLC programs, HMI configurations, SCADA server images, and safety system settings need offline backups that ransomware cannot reach. If you have to rebuild your OT environment from scratch, how long does it take — and do you have the configuration data to do it?
The reason these attacks keep succeeding is that IT and OT are converging — intentionally. Businesses want real-time production data in their ERP systems, remote monitoring of field equipment, cloud-based analytics on sensor data, and the ability for engineers to access control systems from home. Every one of these capabilities creates a pathway that ransomware can follow from IT into OT.
The solution isn't to stop converging — it's to converge securely. Every connection between IT and OT should be mediated through a secure DMZ, monitored by OT-aware security tools, and documented in your network architecture. The convenience of convergence cannot come at the cost of operational safety.
LayerLogix works with Houston manufacturing, energy, and healthcare organizations to implement IT/OT segmentation, deploy monitoring solutions, and build incident response plans that keep operations running when cyberattacks hit the IT side. If your business has industrial control systems, SCADA, or connected operational technology, your cybersecurity plan needs to account for the OT environment specifically.
Schedule an IT/OT security assessment. We'll evaluate your network segmentation, identify IT/OT boundary risks, and build a plan to keep your operations running even when attackers breach the corporate network. Call 713-571-2390.