Why OT Cybersecurity Is Different
Operational Technology (OT), the PLCs, SCADA systems, DCS and RTUs that control physical processes, was designed for reliability and determinism, not security. The protocols most of it speaks (Modbus, DNP3, Profibus) carry no authentication or encryption as commonly deployed: any host that can reach the device can read and write its registers. Secure variants exist (DNP3 Secure Authentication, Modbus/TCP Security), but field adoption remains limited. Many OT devices cannot be patched without taking the controlled process offline, so patch windows are tied to planned maintenance outages, often months or years apart. IT prioritises Confidentiality, then Integrity, then Availability (CIA); OT inverts this to Availability, Integrity, Confidentiality, because an unplanned stop of the process is itself the harm to avoid, and in safety-related systems the consequences extend to equipment damage and physical injury. A plant cannot stop production every time a security patch is released.
These differences mean IT security tooling (antivirus agents, frequent patching, active vulnerability scanning) often cannot be applied to OT as-is: an endpoint agent may not be supported or certified by the controller vendor, and an active scan can crash a fragile PLC or flood a low-bandwidth serial link. OT security therefore needs a specialised approach built around passive monitoring, segmentation and compensating controls.
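To make the "no authentication" point concrete, here is an added example (not code from the original page) that encodes and decodes a Modbus/TCP request using nothing but the public frame layout. The register address and value are constructed for illustration; the point is that the twelve bytes produced are the entire request, with no field in which a credential, nonce or signature could travel.

```python
import struct

# Modbus/TCP frame = MBAP header + PDU.
# MBAP: transaction id (2 bytes), protocol id (2 bytes, always 0), length (2 bytes),
# unit id (1 byte). PDU: function code (1 byte) + function-specific data.
# Nowhere in this layout is there room for a credential, nonce or signature.
MBAP = struct.Struct(">HHHB")

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def build_write_single_register(transaction_id: int, unit_id: int,
                                address: int, value: int) -> bytes:
    """Encode a Write Single Register (FC 6) request.

    Any host that can open TCP/502 to the device can send this; the device
    cannot distinguish the engineering workstation from an attacker's laptop.
    """
    pdu = struct.pack(">BHH", 6, address, value)
    # The length field counts the unit id byte plus the PDU.
    header = MBAP.pack(transaction_id, 0, 1 + len(pdu), unit_id)
    return header + pdu


def parse_frame(frame: bytes) -> dict:
    """Decode an MBAP header and PDU; raise ValueError on malformed input."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    fc = frame[7]
    data = frame[8:]
    parsed = {
        "transaction_id": tid, "unit_id": unit, "function_code": fc,
        "function": FUNCTION_NAMES.get(fc, "Unknown"),
        "is_write": fc in WRITE_FUNCTIONS,
        "is_exception": fc >= 0x80,   # exception responses set the high bit
    }
    if fc in (5, 6) and len(data) >= 4:
        parsed["address"], parsed["value"] = struct.unpack(">HH", data[:4])
    return parsed


# Constructed example: set holding register 0x0010 on unit 1 to zero (for instance
# a setpoint). The 12 bytes below are the entire request.
REQUEST = build_write_single_register(transaction_id=1, unit_id=1, address=0x0010, value=0)

if __name__ == "__main__":
    print(REQUEST.hex())          # 000100000006010600100000
    print(parse_frame(REQUEST))
```

The parser rejects a non-zero protocol id and a length field that disagrees with the bytes present, which is the minimum a passive sensor needs before trusting a decoded frame; it deliberately does not check who sent it, because the protocol gives it nothing to check.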
The Threat Landscape
Real-world ICS cyber incidents have demonstrated the stakes:
- Stuxnet (discovered 2010): targeted Iran's uranium enrichment centrifuges by altering the control logic on Siemens S7 PLCs while feeding the operators recorded normal readings, destroying physical equipment through software alone
- Ukraine power grid (2015, 2016): in 2015 attackers used stolen credentials to remotely operate SCADA HMIs and open breakers at distribution substations, leaving roughly 230,000 customers without power; in 2016 the Industroyer malware automated the attack against a transmission substation serving Kyiv
- Triton/TRISIS (2017): targeted Schneider Electric Triconex Safety Instrumented Systems (SIS) at a petrochemical plant, attempting to reprogram the safety controllers; the controllers failed safe and tripped the plant, which is how the intrusion was discovered
- Colonial Pipeline (2021): ransomware in IT systems led the company to proactively shut down pipeline operations for several days, causing fuel shortages in the US Southeast even though the OT network was not known to be compromised
Key OT Security Frameworks
IEC 62443 is the primary international standard for industrial cybersecurity. It divides a system into zones joined by conduits and assigns each zone a target security level (SL 1 to 4) based on the adversary it must resist: SL 1 covers casual or accidental violation, SL 2 an intentional attacker using simple means and generic skills, SL 3 a sophisticated attacker with moderate resources and ICS-specific skills, and SL 4 a sophisticated attacker with extended resources (nation-state grade). Separate parts of the standard address asset owners (security programme, 62443-2-1), system integrators (system requirements, 62443-3-3) and product suppliers (component requirements, 62443-4-2), so a supplier can state the level a component is capable of (SL-C) and an owner can compare it with the level the zone needs (SL-T).
NERC CIP (Critical Infrastructure Protection) standards are mandatory for bulk electric system operators in North America. They define specific requirements for electronic security perimeters, access control, patch management, and incident response for grid-connected assets.
NIST SP 800-82 (titled Guide to Operational Technology (OT) Security since Revision 3 in 2023, earlier Guide to Industrial Control Systems (ICS) Security) tailors the NIST Cybersecurity Framework and the SP 800-53 control catalogue to OT, with guidance on risk assessment, architecture and the overlays needed where a standard IT control cannot be applied to a controller.
Network Segmentation: The First Defense
The most impactful OT security control is network segmentation: isolating the OT network from the IT network and from the internet. The Purdue model (the reference architecture behind ISA-95, reused by IEC 62443 for zone design) arranges a plant into levels: Level 0 to 2 (field devices, controllers, and supervisory HMI/SCADA), Level 3 (site operations such as historians and MES), and Level 4 to 5 (enterprise IT). Between Level 3 and Level 4 sits the IT/OT DMZ (Level 3.5): nothing from the enterprise talks to the control network directly; instead a broker in the DMZ (a replicated historian, a patch server, a jump host) terminates the connection on each side, and firewalls on both edges of the DMZ permit only the specific conduits the architecture defines, in the direction it defines them. Remote vendor access follows the same path through a DMZ jump host with MFA. No direct connection from the internet to OT devices should ever exist; a quick check is to look for your own address space in internet scan indexes and in your external scans for exposed TCP/502 (Modbus) and TCP/20000 (DNP3).
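The following is an added example, not code from the original page, of auditing observed flows against a zone-and-conduit policy of the kind described above. The zone addressing, the conduit table and the sample flows are constructed for illustration; a real plant takes them from its IEC 62443 zone model and firewall rule base. The check enforces three things: no plant zone ever talks to an undefined (internet) address, traffic never skips a Purdue level, and between adjacent zones only the explicitly listed conduits are permitted, in the listed direction.

```python
import ipaddress

# Constructed example addressing. Order matters: list position is the place in the
# Purdue hierarchy; anything outside these networks is treated as the internet.
ZONES = [
    ("field",       ipaddress.ip_network("192.168.0.0/24")),   # Level 0: sensors, actuators
    ("control",     ipaddress.ip_network("192.168.1.0/24")),   # Level 1: PLCs, RTUs
    ("supervisory", ipaddress.ip_network("192.168.2.0/24")),   # Level 2: HMIs, SCADA servers
    ("site-ops",    ipaddress.ip_network("192.168.3.0/24")),   # Level 3: historian, MES
    ("dmz",         ipaddress.ip_network("172.16.0.0/24")),    # Level 3.5: IT/OT DMZ
    ("enterprise",  ipaddress.ip_network("10.0.0.0/8")),       # Levels 4-5: corporate IT
]
RANK = {name: i for i, (name, _) in enumerate(ZONES)}

# Conduits the firewalls should permit, as (initiating zone, destination zone, service).
# Direction matters: a PLC never initiates a connection to the HMI.
ALLOWED_CONDUITS = {
    ("enterprise",  "dmz",         "tcp/443"),   # users read the replicated historian
    ("dmz",         "site-ops",    "tcp/5432"),  # DMZ historian replicates from site historian
    ("site-ops",    "supervisory", "tcp/502"),   # site historian polls SCADA servers
    ("supervisory", "control",     "tcp/502"),   # HMI/SCADA polls PLCs
    ("control",     "field",       "any"),       # fieldbus, whatever it is
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "internet"


def check_flow(src_ip: str, dst_ip: str, service: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one observed flow under the zone/conduit policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "internet" and dst == "internet":
        return False, "both endpoints outside the plant zones (out of scope)"
    if "internet" in (src, dst):
        return False, f"{src}->{dst}: no direct path between the internet and any plant zone"
    if src == dst:
        return True, f"intra-zone traffic in {src}"
    if abs(RANK[src] - RANK[dst]) > 1:
        return False, f"{src}->{dst}: skips Purdue levels (must hop through the intermediate zone)"
    if (src, dst, service) in ALLOWED_CONDUITS or (src, dst, "any") in ALLOWED_CONDUITS:
        return True, f"permitted conduit {src}->{dst} {service}"
    return False, f"{src}->{dst} {service}: no conduit defined (default deny)"


def audit(flows):
    """Evaluate a list of (src_ip, dst_ip, service) flows; returns (flow, allowed, reason)."""
    return [(flow, *check_flow(*flow)) for flow in flows]


# Constructed flows a passive sensor or firewall log might show.
SAMPLE_FLOWS = [
    ("10.20.1.5",    "172.16.0.10",  "tcp/443"),   # laptop -> DMZ historian web: fine
    ("10.20.1.5",    "192.168.1.20", "tcp/502"),   # laptop -> PLC directly: violation
    ("192.168.2.10", "192.168.1.20", "tcp/502"),   # HMI -> PLC: fine
    ("203.0.113.7",  "192.168.2.10", "tcp/3389"),  # internet -> HMI over RDP: violation
    ("192.168.3.5",  "192.168.2.10", "tcp/22"),    # historian -> SCADA over SSH: no conduit
]

if __name__ == "__main__":
    for flow, allowed, reason in audit(SAMPLE_FLOWS):
        print("ALLOW" if allowed else "DENY ", flow, reason)
```

Run against real firewall or flow logs, the DENY lines are the list of rules that either should not exist or whose traffic is crossing a boundary the architecture never intended; the "skips Purdue levels" case is the one that most often turns out to be a long-forgotten vendor support path.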
Key Controls for OT Security
- Asset inventory: you cannot protect what you don't know exists; passive network monitoring tools build the inventory (IP, MAC, vendor, model, firmware version, and which hosts talk to which) from a SPAN port or tap without sending a packet to a device. Reconcile it with the engineering drawings; the gaps are usually the interesting part
- Vulnerability management: track CVEs and vendor advisories (including CISA ICS advisories) for OT software and firmware; prioritise by exploitability and by the consequence of the affected device misbehaving, not by CVSS score alone. Where a patch must wait for the next outage, document the compensating control (isolation, allowlisting, monitoring) that covers the gap until then
- Least privilege: operator accounts access only what they need; engineering-level access (program download, firmware update) is separate from day-to-day operation; remote access only through a DMZ jump host reached over VPN with MFA, time-bounded and session-recorded
- Monitoring and anomaly detection: OT-specific IDS (Claroty, Dragos, Nozomi) passively monitor protocol traffic and alert on anomalies such as a new device, a host that starts issuing write or program-download commands, or a conduit that has never been seen before
- Incident response planning: have a documented plan for cyber incidents that includes manual process-control fallback procedures, pre-agreed criteria for who may order an OT shutdown and on what evidence (so the decision is not improvised during the incident), and tabletop exercises that involve plant operators, not just the SOC
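The asset-inventory and anomaly-detection items above rest on the same mechanism: learn what the network normally does from passively captured traffic, then alert on departures from it. The example below is added here and is not the page's code nor any vendor's; it works on decoded Modbus records of the kind a sensor emits (the addresses, hosts and records are constructed for illustration) and layers three checks that OT IDS products commonly implement: an unknown asset appears, a host not authorised to write issues a write function code, and a known pair of hosts uses a function code never seen during the baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Standard Modbus function codes that change controller state. Vendor-specific codes
# (firmware upload, start/stop) vary by product and would be added per device family.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class ModbusRecord:
    """One decoded request as a passive sensor would emit it (constructed for this example)."""
    ts: int
    src: str
    dst: str
    unit: int
    fc: int


class PassiveModbusMonitor:
    """Learn who talks to whom during a baseline window, then alert on deviations.

    Nothing here sends traffic to the devices; it only consumes decoded records.
    """

    def __init__(self, authorized_writers: Set[str]) -> None:
        self.authorized_writers = set(authorized_writers)
        self.assets: Set[str] = set()
        self.baseline: Dict[Tuple[str, str, int], Set[int]] = defaultdict(set)
        self.learning = True
        self._reported_assets: Set[str] = set()   # avoid an alert storm per new host

    def observe(self, rec: ModbusRecord) -> List[Tuple[str, str]]:
        key = (rec.src, rec.dst, rec.unit)
        if self.learning:
            self.assets.update((rec.src, rec.dst))
            self.baseline[key].add(rec.fc)
            return []
        alerts = []
        for ip in (rec.src, rec.dst):
            if ip not in self.assets and ip not in self._reported_assets:
                self._reported_assets.add(ip)
                alerts.append(("NEW_ASSET", f"t={rec.ts} {ip} not in inventory"))
        if rec.fc in WRITE_FUNCTIONS and rec.src not in self.authorized_writers:
            alerts.append(("UNAUTHORIZED_WRITE",
                           f"t={rec.ts} {rec.src} sent FC{rec.fc} to {rec.dst} unit {rec.unit}"))
        if rec.fc not in self.baseline.get(key, set()):
            alerts.append(("NEW_FUNCTION_CODE",
                           f"t={rec.ts} FC{rec.fc} never seen for {rec.src}->{rec.dst} unit {rec.unit}"))
        return alerts

    def freeze_baseline(self) -> None:
        self.learning = False

    def inventory(self) -> List[str]:
        return sorted(self.assets)


# Constructed traffic. 192.168.2.10 is the SCADA server, 192.168.2.50 the engineering
# workstation, 192.168.1.20 a PLC; 10.20.1.5 is a corporate laptop that should never
# reach the PLC.
SCADA, EWS, PLC, LAPTOP = "192.168.2.10", "192.168.2.50", "192.168.1.20", "10.20.1.5"
BASELINE = [
    ModbusRecord(1, SCADA, PLC, 1, 3), ModbusRecord(2, SCADA, PLC, 1, 3),
    ModbusRecord(3, SCADA, PLC, 1, 6),   # operator setpoint change: a legitimate write
    ModbusRecord(4, EWS, PLC, 1, 3),
]
LIVE = [
    ModbusRecord(10, SCADA, PLC, 1, 3),   # normal polling
    ModbusRecord(11, LAPTOP, PLC, 1, 6),  # unknown host writes a register
    ModbusRecord(12, EWS, PLC, 1, 16),    # authorised host, but a function code never baselined
    ModbusRecord(13, LAPTOP, PLC, 1, 3),  # same unknown host again
]


def run_demo():
    """Baseline on BASELINE, then return the monitor and the alerts raised by LIVE."""
    mon = PassiveModbusMonitor(authorized_writers={SCADA, EWS})
    for rec in BASELINE:
        mon.observe(rec)
    mon.freeze_baseline()
    alerts = []
    for rec in LIVE:
        alerts.extend(mon.observe(rec))
    return mon, alerts


if __name__ == "__main__":
    monitor, found = run_demo()
    print("inventory:", monitor.inventory())
    for kind, msg in found:
        print(kind, msg)
```

Two caveats a practitioner will recognise. The baseline is only as clean as the window it was learned in: an intruder already present during learning is baselined as normal, so the learned tables should be reviewed against the engineering design before being trusted. And a legitimate engineering change (the FC 16 download from the workstation above) produces the same NEW_FUNCTION_CODE alert as an attack; the value of the alert is that it is correlated with a change ticket, not that it is suppressed.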