What operational technology means in a logistics context
OT – operational technology – is hardware and software that monitors and controls physical equipment. In an office or retail setting, that definition doesn't come up much. In a warehouse or distribution centre, it describes the majority of the systems that make operations run.
The OT environment in a typical logistics facility includes conveyor systems and sortation equipment that physically moves goods through the building, automated guided vehicles (AGVs) that transport pallets and totes, WMS terminals on the warehouse floor that direct picking and putaway, RFID readers and barcode scanners that track inventory movement, cold store temperature monitoring and control systems, dock door management and vehicle scheduling systems, and the building management system (BMS) that governs HVAC, power distribution, fire suppression and physical access.
The important distinction from IT is how these systems were designed. OT equipment was built to control physical processes with high reliability and deterministic behaviour – the conveyor runs at the right speed, the temperature holds within tolerance, the dock door opens when the vehicle ID is confirmed. Network connectivity was not part of the original design. For most of their history, OT systems in warehouses were air-gapped: physically isolated from business networks and from the internet. That isolation was the security model.
That's no longer the case. Remote monitoring, ERP integration and real-time visibility requirements have driven connectivity into environments that were never built for it. AGVs communicate with fleet management software over Wi-Fi. Temperature sensors feed data to cloud dashboards. WMS platforms connect directly to ERP systems. Each of those connections is operationally useful and a potential attack path.
Why logistics OT is a target
The appeal of a logistics facility to a ransomware attacker is the same as the appeal of a manufacturer: the business impact of disruption is immediate, measurable and expensive. When a warehouse conveyor stops, goods don't move. When sortation goes down, parcels don't get sorted. When a cold store control system is compromised, perishables spoil. SLAs are breached within hours, not days. Ransomware actors understand this, and they price their demands accordingly.
The OT environment is often the weakest part of the attack surface. Legacy embedded firmware on conveyor PLCs and RFID readers is rarely updated – not because operators are negligent, but because the vendor certification and testing required to update it is disruptive enough that it simply doesn't happen between equipment refresh cycles. That firmware may contain known vulnerabilities with published exploits, running on a network with no monitoring.
Vendor remote access is a recurring issue. Equipment suppliers need to connect for remote diagnostics and maintenance. In practice, those access arrangements are often permanent VPN credentials, shared across the vendor's support team, with no session recording and no time limits. That's not a hypothetical risk – it's the access pattern that's been implicated in a number of OT incidents across industrial sectors.
Most logistics facilities also have no monitoring on OT traffic. IT security teams typically have visibility of corporate network activity through SIEM tools and endpoint detection. The OT network – if it's logically separate at all – is usually dark from a monitoring perspective. An attacker can move laterally across OT systems without generating any alerts.
The WMS integration problem
Warehouse Management Systems sit directly at the IT/OT boundary, and that boundary position creates specific security risks that are easy to overlook.
WMS platforms direct OT equipment – telling conveyors where to route totes, instructing AGVs where to move, triggering RFID reads at specific points in the pick path – but they run on IT infrastructure. They're typically installed on Windows servers, connected to corporate Active Directory, and managed by IT teams. Their integration with OT systems is handled through vendor-supplied middleware or direct network connections to equipment PLCs.
The WMS-to-ERP integration creates a direct pathway from corporate IT into the operational layer. An attacker who compromises the ERP – through a phishing email, a compromised credential or an unpatched vulnerability – may have a route into the WMS, and from the WMS into the OT network. That chain is not theoretical: it's the logical consequence of building integrations without considering the security implications at each hop.
WMS vendor access is particularly worth examining. Most WMS vendors retain access to customer systems for support and troubleshooting. That access is often granted early in the implementation and never formally reviewed. Permanent, unmonitored vendor access to a system that has direct connections to OT equipment is a significant exposure – not because vendors are malicious, but because vendor support accounts are a well-documented target for attackers looking for a way in.
Cloud-hosted WMS introduces another layer of complexity. Where the WMS is SaaS-hosted, the connection between the cloud platform and on-premise OT equipment requires a persistent outbound connection from the warehouse network to the internet – or an inbound connection from the vendor's cloud environment. Either way, the security architecture needs to be thought through explicitly, not left as a default configuration.
Cold store, RFID and building systems
Some OT systems in logistics facilities carry risks beyond operational disruption, and that changes how they need to be treated from a security perspective.
Cold store temperature monitoring and control is a critical system in any facility handling food, pharmaceuticals or other temperature-sensitive goods. A failure that results in a cold chain breach doesn't just mean spoilage – it creates regulatory obligations, potential product liability and, depending on the goods, serious public health risk. Cold store controls are typically PLCs with network connections for remote monitoring, running firmware that hasn't been updated in years. They're treated as facilities infrastructure rather than IT systems, which means they're often excluded from any IT security review and have no monitoring applied to them at all.
RFID readers and barcode scanners are ubiquitous in logistics and almost universally underestimated as security risks. They're typically placed on flat networks shared with other systems, running outdated firmware with no update mechanism, and managed by whoever did the integration rather than any ongoing IT security function. A compromised RFID reader can be used to manipulate inventory data or as a foothold for lateral movement to other systems on the same network segment.
Dock door systems and physical access control sit at the boundary between digital and physical security. A dock management system that controls which bays are available and schedules vehicle arrivals connects directly to physical infrastructure. Access control systems that manage who can enter the facility are increasingly IP-connected and managed through software. These systems are almost never included in IT security reviews and almost never have monitoring applied – despite controlling physical access to the facility and its goods.
Building management systems – covering HVAC, power distribution, fire suppression and sometimes physical access – are the most commonly overlooked category. They've moved to IP connectivity over the past decade, often using standard networking protocols, but they're managed by facilities teams and invisible to IT security. A BMS that shares a network segment with WMS terminals or office systems is a security boundary that doesn't exist in practice.
Network segmentation for logistics OT
The core problem in most logistics facilities is the flat network. AGVs, WMS terminals, RFID readers, office PCs, guest Wi-Fi and sometimes BMS controllers all share the same network, with no meaningful boundaries between them. An attacker who compromises any one of those systems can reach all the others. That's not a configuration that any security framework would approve – it's simply the state that facilities arrive at when network design is driven by operational convenience rather than security architecture.
Proper segmentation means OT traffic runs on dedicated VLANs separated from IT traffic by firewall rules that are defined, documented and enforced. The conveyor PLC should not be able to initiate a connection to an office PC. The WMS server should have defined, audited routes to the OT devices it needs to communicate with and no others. Any traffic crossing the IT/OT boundary should be logged and reviewed.
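The boundary review described above, as an added example that is not code from the original post: a small Python script that checks flow records crossing the IT/OT boundary against a documented allow-list and reports the flows the policy does not account for. The zone layout, subnets, the allow-list entries and the flow records are all constructed for illustration (44818 is the registered EtherNet/IP port and 47808 the BACnet/IP port; whether a given site uses them is an assumption).

```python
"""Review flow records crossing the IT/OT boundary against an explicit allow-list.

Added example, not code from the original post. Zone layout, subnets, ports
and the flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone layout: each zone is a VLAN with its own subnet.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "wms":    ipaddress.ip_network("10.20.1.0/24"),
    "ot_plc": ipaddress.ip_network("10.30.1.0/24"),   # conveyor / sortation PLCs
    "ot_agv": ipaddress.ip_network("10.30.2.0/24"),   # AGVs and fleet manager
    "bms":    ipaddress.ip_network("10.40.1.0/24"),   # building management
}
IT_ZONES = {"office", "wms"}
OT_ZONES = {"ot_plc", "ot_agv", "bms"}

# The documented allow-list: (source zone, destination zone, destination port).
# Only IT-initiated flows appear here; OT equipment never initiates into IT.
# 44818 is the registered EtherNet/IP port, 8443 a constructed API port.
ALLOWED = {
    ("wms", "ot_plc", 44818),  # WMS middleware -> conveyor PLCs
    ("wms", "ot_agv", 8443),   # WMS -> AGV fleet manager
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the inventory is 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def review(flow: Flow) -> Optional[str]:
    """Return a finding for a flow the policy does not account for, else None."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    hop = f"{sz} {flow.src} -> {dz} {flow.dst}:{flow.dport}/{flow.proto}"
    if "unknown" in (sz, dz):
        return f"unknown zone (inventory gap): {hop}"
    if sz in OT_ZONES and dz in IT_ZONES:
        return f"OT-initiated connection into IT: {hop}"
    if sz in IT_ZONES and dz in OT_ZONES and (sz, dz, flow.dport) not in ALLOWED:
        return f"undocumented IT/OT crossing: {hop}"
    return None  # intra-zone, intra-OT or allow-listed traffic


def review_log(lines) -> list:
    """Run every record through review() and keep the findings."""
    return [f for f in (review(parse_flow(line)) for line in lines) if f]


# Constructed flow records, as a boundary firewall or flow exporter might emit them.
SAMPLE_LOG = [
    "src=10.20.1.5 dst=10.30.1.10 dport=44818 proto=tcp",     # WMS -> PLC: allow-listed
    "src=10.30.1.10 dst=10.10.4.22 dport=445 proto=tcp",      # PLC -> office PC: finding
    "src=10.10.4.22 dst=10.30.2.7 dport=22 proto=tcp",        # office PC -> AGV: undocumented
    "src=10.20.1.5 dst=10.40.1.3 dport=47808 proto=udp",      # WMS -> BMS (BACnet/IP): undocumented
    "src=10.30.2.7 dst=10.30.2.1 dport=8443 proto=tcp",       # AGV -> fleet manager: intra-OT
    "src=192.168.77.9 dst=10.30.1.10 dport=44818 proto=tcp",  # address not in the inventory
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

The script only judges flows that cross the IT/OT boundary, which is where the post says to start; traffic between OT zones (a PLC talking to the BMS, say) passes silently. Extending ALLOWED to cover OT-to-OT crossings is the natural next phase once the boundary rules are stable. The "unknown zone" finding is deliberate: an address that belongs to no documented segment is an inventory problem before it is a firewall problem.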
Vendor access should go through a jump server – a controlled bastion host where sessions are recorded, time-limited and tied to a specific vendor identity rather than a shared credential. Permanent VPN access for equipment vendors should not exist. When a vendor needs to connect for remote support, the access should be granted for a defined window, monitored in real time, and revoked when the session ends.
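As an added example (not from the original post), the following Python script audits a set of vendor access grants against the model just described: jump server, named identity, session recording, and a bounded window that is revoked when it ends. The vendor names, grant records, the reference time and the eight-hour window are constructed for illustration.

```python
"""Audit vendor remote-access grants against the jump-server model.

Added example, not code from the original post. Vendor names, grant records,
the reference time and the eight-hour window are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_WINDOW = timedelta(hours=8)   # constructed policy: one support session, one shift at most
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)   # constructed reference time


@dataclass
class AccessGrant:
    vendor: str
    identity: str                    # named engineer, or the label of a shared account
    method: str                      # "jump_server" or "vpn"
    shared_credential: bool
    session_recorded: bool
    granted_at: datetime
    expires_at: Optional[datetime]   # None means no end date was ever set
    reaches_ot: bool                 # grant lands on equipment on the OT side of the boundary


def audit_grant(g: AccessGrant, now: datetime = NOW) -> list:
    """List every way a grant departs from the model; an empty list means compliant."""
    issues = []
    if g.method != "jump_server":
        issues.append("not via jump server")
    if g.shared_credential:
        issues.append("shared credential")
    if not g.session_recorded:
        issues.append("no session recording")
    if g.expires_at is None:
        issues.append("permanent access")
    else:
        if g.expires_at - g.granted_at > MAX_WINDOW:
            issues.append("window exceeds policy")
        if g.expires_at < now:
            issues.append("expired but not revoked")
    return issues


def audit(grants, now: datetime = NOW) -> list:
    """Return (grant, issues) pairs for non-compliant grants, OT-reaching grants first."""
    findings = [(g, audit_grant(g, now)) for g in grants]
    findings = [(g, issues) for g, issues in findings if issues]
    findings.sort(key=lambda gi: (not gi[0].reaches_ot, -len(gi[1])))
    return findings


# Constructed grant records, the kind of thing an access review would collect
# from the VPN concentrator, the jump server and the vendor contracts.
SAMPLE_GRANTS = [
    AccessGrant("Conveyor Co", "support-shared", "vpn", True, False,
                datetime(2019, 6, 1, tzinfo=timezone.utc), None, True),
    AccessGrant("AGV Fleet Co", "j.smith", "jump_server", False, True,
                NOW - timedelta(hours=2), NOW + timedelta(hours=4), True),
    AccessGrant("WMS Co", "wms-support", "jump_server", True, True,
                datetime(2021, 3, 10, tzinfo=timezone.utc), None, False),
    AccessGrant("BMS Co", "a.jones", "jump_server", False, True,
                NOW - timedelta(days=30), NOW - timedelta(days=29), True),
]

if __name__ == "__main__":
    for g, issues in audit(SAMPLE_GRANTS):
        print(f"{g.vendor} / {g.identity}: {', '.join(issues)}")
```

Of the four constructed grants only the AGV engineer's session passes: it goes through the jump server, is tied to a named person, is recorded, and expires within the shift. The conveyor vendor's standing VPN account fails on every check, which is exactly the access pattern the post describes. The BMS grant is the subtler case: it was set up correctly but nobody revoked it, so "expired but not revoked" is the finding the review should act on.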
The practical challenge is that segmenting a live distribution centre is not straightforward. Operations can't stop for a network redesign. The approach we use is phased: identify the highest-risk boundary points first (typically the IT/WMS and WMS/OT boundaries), implement initial segmentation controls there, then work outward to the broader OT environment over a planned timeline that minimises operational disruption.
Getting from current state to compliant
The starting point for any logistics OT security programme is an asset inventory, and most operators don't have one that's accurate. The IT asset register covers servers, laptops and switches. The OT environment – conveyors, AGVs, RFID readers, temperature controllers, BMS controllers – is typically undocumented from a security perspective. Nobody knows what firmware version the sortation PLCs are running, what network addresses the cold store controllers have, or whether any of the AGV management software still has the default credentials from commissioning.
That inventory exercise regularly surfaces surprises: equipment that's been on the network for years without anyone in the current team knowing it's there, vendor access arrangements that were set up during commissioning and never reviewed, and direct connections between OT and IT systems that the network diagrams don't show because they were added informally to solve an operational problem.
Once the inventory exists, risk prioritisation is the next step. Not everything needs the same level of protection. Cold store controls in a pharmaceutical facility are higher risk than RFID readers in an ambient warehouse. AGVs on a network with the WMS need segmentation sooner than a standalone barcode scanner on a dedicated VLAN. The prioritisation should be driven by the business impact of a failure, not by technical complexity.
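The inventory and prioritisation steps above, as an added example that is not code from the original post: a Python model of an OT asset record that captures the details the post says are usually missing (firmware age, credential status, what else shares the segment, standing vendor access, monitoring) and ranks assets with business impact as the primary key and exposure only as a tiebreaker. The asset records, the 1 to 5 impact scale and the three-year firmware threshold are constructed for illustration.

```python
"""Rank OT assets for remediation: business impact first, exposure as the tiebreaker.

Added example, not code from the original post. The asset records, impact scale
and the three-year firmware threshold are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

FIRMWARE_STALE_YEARS = 3   # constructed threshold
IT_SIDE = {"wms", "office"}


@dataclass
class OTAsset:
    name: str
    impact: int                           # business impact of failure: 1 nuisance .. 5 regulatory / public health
    firmware_age_years: float
    default_credentials: Optional[bool]   # None: nobody has checked, which is itself an inventory gap
    shares_segment_with: set = field(default_factory=set)   # zones on the same network segment
    standing_vendor_access: bool = False
    monitored: bool = False


def exposure(a: OTAsset) -> list:
    """Reasons an asset is reachable or unmanaged, independent of how much it matters."""
    reasons = []
    it_neighbours = a.shares_segment_with & IT_SIDE
    if it_neighbours:
        reasons.append("shares segment with " + ", ".join(sorted(it_neighbours)))
    if a.default_credentials is None:
        reasons.append("credential status unknown")
    elif a.default_credentials:
        reasons.append("default credentials")
    if a.firmware_age_years >= FIRMWARE_STALE_YEARS:
        reasons.append(f"firmware {a.firmware_age_years:g} years old")
    if a.standing_vendor_access:
        reasons.append("standing vendor access")
    if not a.monitored:
        reasons.append("no monitoring")
    return reasons


def prioritise(assets) -> list:
    """Impact is the primary key; exposure count only orders assets within an impact band."""
    return sorted(assets, key=lambda a: (a.impact, len(exposure(a))), reverse=True)


# Constructed inventory, deliberately in no particular order.
SAMPLE_ASSETS = [
    OTAsset("Handheld barcode scanner", 1, 2, False, set(), False, True),
    OTAsset("RFID reader, dock 3", 2, 5, True, {"office"}, False, False),
    OTAsset("AGV fleet manager", 4, 1, False, {"wms"}, True, False),
    OTAsset("CS-01 cold store controller", 5, 6, None, {"bms"}, True, False),
    OTAsset("Sortation PLC", 3, 4, None, set(), True, False),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_ASSETS):
        print(f"impact {a.impact}  {a.name}: {'; '.join(exposure(a)) or 'no exposure flags'}")
```

The ordering follows the post's rule rather than a raw vulnerability count: the RFID reader on the office segment with default credentials has as many exposure flags as the cold store controller, but it sits near the bottom because a failure there is an inventory discrepancy, not a cold chain breach. The standalone scanner on its own VLAN, patched and monitored, ranks last with no flags at all.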
The regulatory context is also shifting. The Cyber Security and Resilience Bill increases obligations for operators in critical supply chains, and NIS2's scope – while implemented in the UK through the Bill rather than directly – covers logistics operators who are part of essential service supply chains. Customers are increasingly asking supply chain partners about their OT security posture as part of vendor assessments. The question isn't just what the regulator requires – it's what your customers will require next year.
Route B helps logistics operators and distribution centres secure OT environments without disrupting operations. Get in touch to discuss your facility.