Fri, Dec 12, 2025 09:43

From forest to firewall: Closing the cyber gap in pulp & paper manufacturing

By Denrich Sananda, Senior Consultant, Arista Cyber

As the complex, 24/7 industrial environments of pulp & paper mills move more deeply towards digital optimization, one truth is becoming unavoidable: cybersecurity is now a core component of operational reliability, safety, and product quality.

Mills now routinely integrate distributed control systems (DCS), quality control systems (QCS), manufacturing execution systems (MES), remote analytics and cloud data flows. All of this is transformational, but any of it could be directly affected by a cyberattack.

For many mills, the digital transformation journey has happened in layers. Newer systems have been added to older ones. Remote connections have been granted to OEM providers. Data flows outward to enterprise platforms or to the cloud. Again, necessary concessions for the efficiencies they bring, but each of these steps leads to increased exposure, and the piecemeal upgrade path of the pulp and paper industry has left it vulnerable and brittle.

Real-world wake-up calls

This is not some theoretical idea; ransomware has struck the industry before. In 2021, an incident brought down production facilities at 17 of WestRock's mills and converting locations, causing high remediation costs and leaving throughput 85,000 tons lower than planned[1] over the affected period.

Today, operational technology (OT) - hardware and software that monitors and controls physical devices, processes, and infrastructure - and IT systems in most mills are so intertwined that a compromise in one environment almost inevitably affects the other. A cyberattack is not an abstract IT issue: it is a direct threat to production, people and the bottom line.

The pathway from an email phishing attempt to a halted paper machine is shorter than most assume, and the industrial sector in general is seeing a rise in ransomware incidents, with manufacturing industries the most attacked segment in Q3 2025[2]. With many mills continuing to run ageing assets that cannot be patched without stopping production, operators are now forced to balance cybersecurity risk against operational continuity.


Structural flaws built in

Global ICS advisories reinforce the scale of this picture: CISA, for example, repeatedly publishes disclosures affecting major automation suppliers, covering flaws in PLCs, industrial firewalls, engineering tools, drives and DCS components, and those disclosures often refer to the common automation platforms used in mills. Field assessments across a range of mills show that the industry's cybersecurity challenge is structural, rooted in the piecemeal evolution of mills over the decades.

Most facilities were designed long before cyber risk was a consideration, and many still operate in the flat and minimally segmented manner of pre-digitalization networks. This means traffic can move too freely between IT and OT environments, or between production zones. One compromised engineering workstation, human-machine interface, or even vendor laptop could become a bridge to critical equipment like paper machine controls, boiler systems, or QCS hardware.

Interconnected risk

Much of this vulnerability can be attributed to the architecture of pulp and paper OT environments: DCS, QCS and MES systems, generally supplied by different vendors at different times over the course of a decade, are now expected to interoperate more closely than ever.

Production planning is built upon QCS data. Control systems depend on parameters pushed from MES devices. Drives and controllers exchange information to keep fiber flows stable. Operationally, this kind of tight integration is essential. From a security perspective, it presents a problem.

Considering the diversity of assets on a typical mill floor - from the dozens of logic controller vendors to the ageing industrial PCs, sensors and remote diagnostic tools which may be lagging behind their firmware or patch cycles - attackers have options. They get numerous potential entry points, a wealth of lateral movement options, and relative safety in the knowledge that operators cannot simply reboot or update a system that is part of an ongoing process.

This uptime requirement puts pulp and paper mills in significant technical debt. Unpatched systems, insecure protocols, and out-of-date accounts and services continue being used because they just work. VPN tunnels to third-party vendors remain open because of the need for frequent remote access. The flaws of pre-digitalization systems may still exist. It is time for the industry to close the cyber gap.

Paying back technical debt

This does not mean completely reinventing the mill. It means being honest about the flaws in its structure and taking the steps required to fix it, introducing a security architecture that respects the way mills are run.

OT networks should be clearly segmented into zones aligned to process functions, allowing only the minimum required communication between, for example, DCS, QCS, safety systems and enterprise interfaces. Using firewalls, allowlists and one-way data gates, failures (and the lateral movement of attackers) can be contained.
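The zone-and-allowlist model described above can be checked against observed traffic. The sketch below is an added example, not code from the article or from Arista Cyber; the zone subnets, permitted ports and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed zone map: zone names follow the article, subnets are hypothetical.
ZONES = {
    "enterprise": "10.10.0.0/16",
    "mes": "10.20.0.0/24",
    "dcs": "10.30.0.0/24",
    "qcs": "10.31.0.0/24",
    "safety": "10.40.0.0/24",
}
# Conduit allowlist: (source zone, destination zone) -> permitted (protocol, port).
# Default deny: any cross-zone pair or port not listed here is a violation.
CONDUITS = {
    ("mes", "dcs"): {("tcp", 4840)},        # assumed OPC UA parameter push
    ("qcs", "mes"): {("tcp", 4840)},        # assumed quality data for planning
    ("mes", "enterprise"): {("tcp", 443)},  # assumed reporting interface
}
# Constructed flow records: (source IP, destination IP, protocol, destination port).
FLOWS = [
    ("10.20.0.5", "10.30.0.11", "tcp", 4840),   # MES to DCS on the agreed conduit
    ("10.10.4.77", "10.30.0.11", "tcp", 3389),  # office PC reaching a DCS node
    ("10.30.0.11", "10.30.0.12", "udp", 2222),  # traffic inside the DCS zone
    ("10.31.0.8", "10.40.0.3", "tcp", 502),     # QCS host talking to safety zone
    ("192.168.50.9", "10.31.0.8", "tcp", 22),   # address that is in no zone
]
_NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}

def zone_of(ip):
    """Map an IP address to its zone name, or 'unknown' if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS.items():
        if addr in net:
            return name
    return "unknown"

def audit_flow(src, dst, proto, port):
    """Return (verdict, reason) for one observed flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return "violation", f"unmapped address ({sz}->{dz})"
    if sz == dz:
        return "intra-zone", sz
    if (proto, port) in CONDUITS.get((sz, dz), set()):
        return "allowed", f"{sz}->{dz}"
    return "violation", f"no conduit {sz}->{dz} {proto}/{port}"

def violations(flows):
    """List (flow, reason) for every flow that breaks the allowlist."""
    checked = [(f, audit_flow(*f)) for f in flows]
    return [(f, reason) for f, (verdict, reason) in checked if verdict == "violation"]

if __name__ == "__main__":
    print(*violations(FLOWS), sep="\n")
```

Run against real flow exports, the same check shows which firewall rules a flat network would need before segmentation is enforced.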

Mills must also look at identity and access. Shared accounts are commonplace, but they offer no traceability or protection against privilege abuse. Unique credentials, multi-factor authentication and time-limited access reduce risk without preventing legitimate work. Monitoring deserves focus, particularly on the OT side of the equation, to reveal events like unauthorized configuration changes, modification of controller logic, or unexpected network behavior which often precede an attack. These are small changes which make a big difference.

Cybersecurity as a pillar of excellence

Uptime requirements are not going anywhere, but the cadence of OT should dictate efforts to upgrade. Once the most critical systems and vulnerabilities have been identified and categorized, they can be prioritized for patching, with the work scheduled during planned downtime. Even small amounts of hardening can significantly reduce the attack surface. And when systems go down, they must come back up quickly: instituting a clear and tested backup procedure which covers both IT and OT systems can make the difference between a two-day and a two-week outage.

The pulp and paper industry is no stranger to engineering discipline, and it is very familiar with the constant chase of process improvements and stability upgrades. Cybersecurity should now join that operational makeup. Cyber risk cannot be treated as a simple IT concern. What's needed is a change in mindset, and the commitment to getting the job done. An investment in OT security is an investment in continuity, product quality, and future digital innovation.

Discover Arista Cyber solutions for manufacturing:

https://aristacyber.io/industries

Denrich Sananda, Managing Partner and Senior Consultant at Arista Cyber

Recognised as a leading authority in industrial cybersecurity, Denrich Sananda combines deep technical expertise with strategic insight to address the most complex cyber risk challenges. With a career built on pioneering work in automation and critical infrastructure security, he has led high-profile initiatives across North America and the Middle East. His mission is to help shape resilient systems that stand strong against evolving threats and guide organizations toward greater security maturity, operational confidence, and long-term resilience.

Denrich is a Harvard Business School alumnus and holds many cybersecurity certifications and positions, including being a member of committees working on ISA99 WG2, which focuses on the description of an effective cybersecurity management system in the ISA-62443-2-1 standard, and serving as a member of the Board of Directors of ISA Toronto.

About Arista Cyber

Arista Cyber protects the world's critical infrastructure. As a global consulting firm specializing in OT/ICS cybersecurity, Arista Cyber partners with organizations across energy, utilities, manufacturing and other essential sectors to deliver layered security solutions that align to global compliance standards. Combining unrivalled expertise with deep business insight, Arista Cyber is trusted by industries worldwide to provide future-ready end-to-end solutions adapted to operational reality. Arista Cyber's TÜV Rheinland-certified experts work closely with organizations to secure their most vital assets - protecting the pulse of industrial innovation today, and preparing for the challenges of tomorrow. Find out more: https://aristacyber.io/

[1] https://www.sec.gov/Archives/edgar/data/1732845/000115752321000147/a52374210ex99_1.htm

[2] https://www.cybermaxx.com/resources/whats-driving-the-rise-of-ransomware-in-manufacturing/



 

