Defining IT and OT
Information Technology (IT) encompasses the systems that store, process, and transmit business information: ERP systems, email servers, databases, corporate endpoints, cloud workloads, and the networks connecting them. IT security is the discipline most security professionals are trained in — and it is the domain where the majority of commercial security products, frameworks, and certifications are designed.
Operational Technology (OT) refers to hardware and software that monitors and controls physical processes, devices, and infrastructure. OT systems include:
- PLCs (Programmable Logic Controllers): Industrial computers that control machinery, valves, motors, and actuators in real time.
- DCS (Distributed Control Systems): Control architectures for continuous industrial processes such as oil refining, chemical production, and power generation.
- SCADA (Supervisory Control and Data Acquisition): Systems that provide centralized monitoring and control over geographically distributed infrastructure — pipelines, power grids, water distribution.
- RTUs (Remote Terminal Units): Field devices that gather data from sensors and report to SCADA systems.
- HMIs (Human-Machine Interfaces): Operator workstations and panels through which humans monitor and interact with industrial processes.
OT systems are found in power generation and transmission, oil and gas production and distribution, water and wastewater treatment, manufacturing, transportation, and building automation. These are not abstract digital systems — they control physical processes with physical consequences.
Why Security Approaches Differ Fundamentally
IT security professionals entering OT environments frequently make the mistake of applying familiar IT security thinking to OT systems. The differences are not merely technical — they are philosophical and operational.
The Priority Inversion: CIA vs. SAIC
In IT security, the classic framework is the CIA triad: Confidentiality, Integrity, Availability — in roughly that priority order. Protecting sensitive data from disclosure is the primary concern; keeping systems running is important but secondary.
In OT security, the priority order is effectively inverted:
- Safety: The paramount concern in OT is preventing harm to people. A process that malfunctions due to a cyberattack can injure or kill workers, contaminate water supplies, or trigger explosions. Safety overrides all other considerations.
- Availability: Industrial processes often cannot tolerate downtime. A power generator that goes offline unexpectedly may destabilize the grid. A water treatment plant that loses control of chemical dosing creates a public health emergency. Availability is non-negotiable.
- Integrity: The accuracy of sensor readings and control commands is critical — manipulated data fed to a SCADA system can cause incorrect control actions without triggering obvious alarms.
- Confidentiality: While important, confidentiality is typically the lowest priority in OT. The operational data itself (flow rates, temperatures, valve positions) is often not highly sensitive. The concern is control, not disclosure.
This inversion has profound practical implications. Security controls that are routine in IT — antivirus agents, vulnerability scanning, automatic patch deployment — can be dangerous in OT because they may interfere with the deterministic, real-time control requirements of industrial processes.
Patching: The Fundamental OT Security Challenge
IT systems can typically be patched on a monthly cycle, rebooted remotely, and taken offline for maintenance with minimal operational impact. OT systems often cannot:
- Uptime requirements: Many industrial processes run continuously. A power plant or chemical facility may have scheduled maintenance windows once or twice per year — patches must wait until then.
- Vendor lock-in: OT vendors frequently specify that unauthorized software installation (including security patches) voids equipment warranties or support agreements. Patches must be qualified by the OT vendor before deployment.
- Legacy operating systems: It is common to find Windows XP, Windows Server 2003, and even Windows NT in active OT environments. These systems control equipment that cost millions of dollars and has a 20-30 year operational life. The control software does not run on modern OS versions, and the equipment cannot be replaced on an IT refresh cycle.
- Testing requirements: In regulated industries (nuclear, pharmaceutical), changes to control system software require extensive validation testing. A patch that takes 30 minutes to deploy in IT may require weeks of testing in OT.
Key OT Environments
Understanding the specific environment matters because threats, regulations, and operational constraints vary:
- Electric power (generation, transmission, distribution): Governed by NERC CIP. Attack impact: grid destabilization, blackouts affecting millions of people.
- Oil and gas: Pipelines, refineries, and offshore platforms. Subject to TSA pipeline directives post-Colonial Pipeline. Attack impact: product spills, explosions, fuel supply disruption.
- Water and wastewater: Municipal water treatment and distribution. Subject to America's Water Infrastructure Act (AWIA). Attack impact: contamination of drinking water, public health emergency.
- Manufacturing: Discrete (automotive, aerospace) and process (chemicals, food). Attack impact: production disruption, product quality compromise, safety incidents.
- Building Automation Systems (BAS/BMS): HVAC, access control, elevators, and fire suppression in commercial and government buildings. Often overlooked; increasingly connected to corporate IT networks.
Common OT Vulnerabilities
OT environments typically harbor vulnerabilities that IT security teams find surprising:
- Default credentials: PLCs, SCADA servers, and HMI workstations ship with default usernames and passwords that are frequently never changed. Many OT devices do not support password complexity requirements.
- Unpatched HMIs: Operator workstations running end-of-life operating systems without security updates, often connected to the process control network and sometimes to the internet via cellular modems for vendor remote support.
- Flat OT networks: All devices on a single network with no segmentation — an attacker who reaches any device can communicate with every PLC and DCS controller.
- Undocumented remote access: Cellular modems, dial-up lines, and vendor-installed remote access software, installed for convenience and then forgotten. These create persistent access paths that bypass all perimeter controls.
- Insecure industrial protocols: Legacy protocols such as Modbus, DNP3, and PROFIBUS were designed for reliability and determinism, not security. They carry no authentication and no encryption — any device on the network that speaks the protocol can issue control commands.
IT Security Tools That Do Not Work in OT
Applying standard IT security tooling to OT environments without adaptation can cause the very incidents you are trying to prevent:
- Active network scanning (Nmap, Nessus active scans): Sending probe packets to industrial devices can crash PLCs or trigger unintended control actions. The Stuxnet investigation found that some OT devices crash in response to standard ICMP pings. Active scanning in OT requires explicit vendor approval for each device type.
- Antivirus agents: AV agents on HMI workstations can interfere with real-time control software, consume CPU resources during scans at inopportune times, or quarantine legitimate control system files that share signatures with malware.
- Automatic patch management: Auto-deploying patches and rebooting OT systems without coordination with operations staff is unacceptable. Patches must be scheduled, tested, and coordinated with plant operators.
- Network access control (NAC) with automatic quarantine: NAC solutions that automatically quarantine non-compliant devices may take a critical PLC or historian offline when it fails a compliance check.
OT-Specific Security Tools
The OT security market has developed tools specifically designed for passive, non-intrusive monitoring of industrial environments:
- Claroty: Passive network monitoring using span port traffic mirroring. Builds asset inventory and detects anomalies without sending any traffic to OT devices.
- Dragos: OT-specific threat detection platform with an intelligence team focused on ICS-targeting threat groups. Known for tracking adversaries such as ELECTRUM and KAMACITE.
- Nozomi Networks: Asset discovery, vulnerability assessment, and anomaly detection through passive monitoring. Includes AI-based behavioral analysis of industrial protocol traffic.
- Tenable OT (formerly Indegy): Combines passive monitoring with safe active querying using native industrial protocols — querying devices in the way they expect to be queried by controllers, rather than sending generic port scans.
The common thread is passive discovery: these tools listen to mirrored network traffic and learn the environment without injecting packets that could harm sensitive industrial devices, and where they query a device at all, they do so in the native protocol and manner the device already expects from its controller.
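The two points above, that Modbus carries no authentication and that OT monitoring must be passive, can be seen in a few dozen lines. The following is an added example, not code from this page or from any of the vendors named; it parses Modbus/TCP request frames as a span port would deliver them, builds a master/slave inventory, and flags write function codes from hosts outside an approved list. The captured frames, the host addresses and the approved-master list are constructed for the example.

```python
"""Passive Modbus/TCP monitor, as an added example: parse frames mirrored from a
span port, build an asset inventory and flag write commands from hosts that are
not approved control stations. The "captured" frames are constructed here, and
the approved-master list is an assumption a real deployment would take from its
asset inventory."""
import struct
from dataclasses import dataclass, field

MODBUS_PORT = 502

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int        # coil/register address the request targets
    value_or_qty: int   # value written (single writes) or quantity (reads, multi-writes)


def parse_modbus_request(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header, the function code and the first two PDU
    fields. Every field is a plain big-endian integer: the frame carries no
    credential, signature or MAC, which is why any host that can reach
    port 502 can issue a well-formed write."""
    if len(payload) < 12:
        raise ValueError("frame too short for MBAP header plus minimal PDU")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    if fc & 0x80:
        raise ValueError("exception response, not a request")
    address, value_or_qty = struct.unpack(">HH", payload[8:12])
    return ModbusRequest(tid, unit, fc, address, value_or_qty)


@dataclass
class MonitorReport:
    masters: set = field(default_factory=set)     # hosts seen issuing requests
    slaves: dict = field(default_factory=dict)    # (ip, unit id) -> function codes seen
    alerts: list = field(default_factory=list)


def monitor(frames, approved_masters):
    """frames: iterable of (src_ip, dst_ip, dst_port, payload) tuples as a span
    port would deliver them. Nothing is ever sent to a device."""
    report = MonitorReport()
    for src, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue                      # only Modbus requests are of interest here
        try:
            req = parse_modbus_request(payload)
        except ValueError as exc:
            report.alerts.append(f"malformed Modbus from {src} to {dst}: {exc}")
            continue
        report.masters.add(src)
        report.slaves.setdefault((dst, req.unit_id), set()).add(req.function_code)
        if req.function_code in WRITE_CODES and src not in approved_masters:
            name = FUNCTION_NAMES.get(req.function_code, f"fc {req.function_code}")
            report.alerts.append(
                f"unapproved write: {src} -> {dst} unit {req.unit_id} {name} "
                f"addr={req.address} value={req.value_or_qty:#06x}")
    return report


# Constructed traffic: an approved HMI polling and writing a setpoint, then an
# unknown host (hypothetical 10.10.9.77) writing a coil on the same PLC.
CAPTURED_FRAMES = [
    ("10.10.1.5", "10.10.2.20", 502, bytes.fromhex("00010000000601030000000a")),   # read 10 holding regs
    ("10.10.1.5", "10.10.2.20", 502, bytes.fromhex("000200000006010600280096")),   # write reg 40 := 150
    ("10.10.9.77", "10.10.2.20", 502, bytes.fromhex("000700000006010400000002")),  # read 2 input regs
    ("10.10.9.77", "10.10.2.20", 502, bytes.fromhex("00080000000601050003ff00")),  # write coil 3 := ON
]
APPROVED_MASTERS = {"10.10.1.5"}   # assumption: the plant's one known HMI

if __name__ == "__main__":
    report = monitor(CAPTURED_FRAMES, APPROVED_MASTERS)
    print("masters:", sorted(report.masters))
    for (ip, unit), codes in report.slaves.items():
        print(f"slave {ip} unit {unit}: {[FUNCTION_NAMES[c] for c in sorted(codes)]}")
    for alert in report.alerts:
        print("ALERT", alert)
```

The read from the unknown host is recorded in the inventory but not alerted on, which is the right default for a first deployment: the list of approved masters is only trustworthy once the inventory has been reconciled with the plant's own records. Nothing here replaces the vendor's or engineers' judgement about which hosts should be writing to a controller.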
Regulatory Frameworks for OT Security
OT environments are subject to sector-specific regulatory requirements that differ significantly from IT compliance frameworks:
- IEC 62443: The international standard for industrial automation and control system security. Defines security levels (SL 1-4), security zones and conduits, and requirements for system integrators and product vendors. The most widely referenced OT security standard globally.
- NERC CIP (Critical Infrastructure Protection): Mandatory reliability standards for the North American bulk electric system. Covers cyber system categorization, configuration management, incident reporting, and supply chain risk. Enforced by NERC with significant financial penalties.
- NIST SP 800-82 (Guide to ICS Security): NIST's guidance document for industrial control system security. Describes OT architectures, threats, and countermeasures. Rev 3 (2023) aligns with the NIST CSF and addresses cloud, mobile, and supply chain considerations.
- TSA Pipeline Directives: Issued following the Colonial Pipeline ransomware attack in 2021. Requires pipeline operators to designate a cybersecurity coordinator, report incidents within 12 hours, develop contingency plans, and conduct architecture reviews.
- NRC Cybersecurity Rule (10 CFR 73.54): Requires nuclear plant licensees to protect digital computer and communication systems from cyberattacks that could affect safety systems.
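The zone and conduit model in IEC 62443 is the direct answer to the flat OT network described earlier: cross-zone traffic is allowed only through a designed conduit, and only for the protocols that conduit carries. The following added example (not from this page, the standard, or any vendor) models a small set of zones and conduits and classifies observed flows against them. The zones, target security levels, host-to-zone mapping, conduits and flows are all constructed, and treating conduits as directional from initiator to responder is this example's simplification.

```python
"""IEC 62443-style zone and conduit check, as an added example. Zones, their
target security levels, host-to-zone assignments, conduits and the observed
flows are all constructed; an assessment would take them from the plant's
asset inventory and a passive capture. Conduits are modelled as directional
(initiator zone -> responder zone), which is this example's simplification."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    target_sl: int            # IEC 62443 target security level, SL 1-4


@dataclass(frozen=True)
class Conduit:
    src: str                  # initiating zone
    dst: str                  # responding zone
    protocols: frozenset      # protocol labels permitted through the conduit


ZONES = {z.name: z for z in (
    Zone("Enterprise IT", 1),
    Zone("Industrial DMZ", 2),
    Zone("Supervisory", 3),   # SCADA servers, HMIs, historian
    Zone("Control", 3),       # PLCs, RTUs
)}

# Constructed asset inventory: IP -> zone. Anything not listed is an unknown asset.
HOST_ZONE = {
    "10.0.5.10": "Enterprise IT",
    "10.0.10.5": "Industrial DMZ",
    "10.10.1.5": "Supervisory",
    "10.10.2.20": "Control",
}

# Everything not listed here is denied: zones are only as separate as the conduits make them.
CONDUITS = [
    Conduit("Enterprise IT", "Industrial DMZ", frozenset({"https"})),
    Conduit("Industrial DMZ", "Supervisory", frozenset({"opc-ua"})),
    Conduit("Supervisory", "Control", frozenset({"modbus-tcp"})),
]


def find_conduit(src_zone, dst_zone):
    for c in CONDUITS:
        if c.src == src_zone and c.dst == dst_zone:
            return c
    return None


def evaluate_flow(src_ip, dst_ip, protocol):
    """Classify one observed flow against the zone/conduit model."""
    src_zone, dst_zone = HOST_ZONE.get(src_ip), HOST_ZONE.get(dst_ip)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"            # undocumented device: a finding in itself
    if src_zone == dst_zone:
        return "intra-zone"               # governed by the zone's own SL, not a conduit
    conduit = find_conduit(src_zone, dst_zone)
    if conduit is None:
        return "no-conduit"               # cross-zone traffic with no designed path
    if protocol not in conduit.protocols:
        return "protocol-not-permitted"
    return "permitted"


def assess(flows):
    """Return {flow: verdict} and the list of flows that need remediation."""
    verdicts = {flow: evaluate_flow(*flow) for flow in flows}
    findings = [f for f, v in verdicts.items() if v not in ("permitted", "intra-zone")]
    return verdicts, findings


# Constructed flows as a passive monitor might summarise them: (src, dst, protocol).
OBSERVED_FLOWS = [
    ("10.10.1.5", "10.10.2.20", "modbus-tcp"),   # HMI polling a PLC through the designed conduit
    ("10.0.5.10", "10.0.10.5", "rdp"),           # IT host to DMZ over a protocol the conduit excludes
    ("10.0.5.10", "10.10.2.20", "modbus-tcp"),   # IT host straight to a PLC: the flat-network case
    ("10.10.9.77", "10.10.2.20", "modbus-tcp"),  # hypothetical host absent from the inventory
]

if __name__ == "__main__":
    verdicts, findings = assess(OBSERVED_FLOWS)
    for flow, verdict in verdicts.items():
        print(f"{flow[0]:>11} -> {flow[1]:<11} {flow[2]:<11} {verdict}")
    print(f"{len(findings)} of {len(verdicts)} flows violate the zone/conduit model")
```

The "unknown-asset" verdict is deliberately separate from "no-conduit": a host that appears in traffic but not in the inventory is exactly the undocumented remote access path listed under Common OT Vulnerabilities, and it needs an asset owner before it needs a firewall rule.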
IT/OT Convergence and Industry 4.0 Attack Surface
The industrial sector is increasingly connecting OT systems to enterprise IT networks and the internet to enable remote monitoring, predictive maintenance, production optimization, and supply chain integration — collectively described as Industry 4.0 or the Industrial Internet of Things (IIoT). Each connection between OT and IT creates a potential attack path.
The Colonial Pipeline attack (2021) illustrated this risk: attackers entered through the IT network and the company proactively shut down the OT pipeline as a precautionary measure, causing fuel shortages across the U.S. East Coast for nearly a week. The OT systems themselves may not have been directly compromised, but the IT/OT boundary was insufficient to prevent operational impact.
Notable OT Security Incidents
- Ukraine Power Grid Attack (December 2015): The SANDWORM threat group (attributed to Russian GRU) used spearphishing to compromise Ukrainian electricity distribution companies, then deployed the BLACKENERGY malware to gain access to SCADA systems. Attackers manually operated breakers to cut power to approximately 230,000 customers for several hours — the first confirmed cyberattack to cause a power outage. A second attack in 2016 used the INDUSTROYER/CRASHOVERRIDE malware, purpose-built to speak industrial protocols and directly manipulate power grid equipment.
- Colonial Pipeline (May 2021): A DarkSide ransomware affiliate compromised Colonial Pipeline's IT network through a compromised VPN credential (no MFA enabled). The company shut down pipeline operations as a precaution, causing widespread fuel shortages and a declared federal emergency. Colonial paid approximately $4.4 million in ransom; the FBI recovered approximately $2.3 million.
- Oldsmar Water Treatment Plant (February 2021): An attacker gained remote access to a Florida water treatment facility's HMI (apparently via TeamViewer software with a shared password) and attempted to increase sodium hydroxide (lye) concentration to 111 times the normal level. An operator observed the change in real time and reversed it. The incident highlighted the vulnerability of small utilities with limited IT/OT security resources.
Building an IT/OT Security Program
Organizations approaching OT security for the first time should consider several structural questions:
- Separate teams vs. unified SOC: Some organizations maintain separate IT and OT security teams to preserve operational expertise; others integrate OT monitoring into a unified SOC with OT-trained analysts. The unified approach improves visibility and reduces alert silos, but requires significant investment in OT-specific training and tooling.
- OT-aware SIEM: Standard SIEM platforms require customization to ingest and interpret OT data sources (historian logs, DCS event logs, industrial protocol anomalies). Purpose-built OT SIEM integrations or dedicated OT monitoring platforms feeding a SIEM are typically required.
- Incident response considerations: OT incident response differs from IT: isolating a compromised PLC may mean stopping a production line; forensic investigation must not disturb running control systems; restoration requires coordination with plant engineers, not just IT staff. OT-specific incident response playbooks and tabletop exercises with operations personnel are essential.
- Vendor coordination: OT security changes — patching, tool deployment, configuration changes — almost always require OT vendor involvement. Establish vendor communication protocols and service agreements before an incident occurs.
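An OT-aware SIEM rule looks different from an IT one because the signal is in process values, not in logins or file hashes. The Oldsmar incident described above is the canonical case: the change that mattered was a dosing setpoint moved far outside its plausible range from a remote session. The following is an added example, not from this page or any SIEM or historian vendor; it parses a constructed historian setpoint-change export and raises an alert when a change leaves a tag's engineering limits, jumps by an implausible factor, or originates from a remote-access session. The record layout, tag names, limits and log lines are all constructed.

```python
"""OT-aware SIEM rule, as an added example: parse setpoint-change records from a
historian export and alert when a change leaves the tag's engineering limits,
jumps by an implausible factor, or originates from a remote-access session.
The record format, tag names, limits and log lines are all constructed for this
example, not any historian vendor's format."""
from dataclasses import dataclass
from datetime import datetime

# Assumed engineering limits per tag: the band inside which an operator setpoint
# change is plausible for the process. Plant engineers own these numbers.
TAG_LIMITS = {
    "NAOH_DOSE_PPM": (50.0, 200.0),     # sodium hydroxide dosing setpoint
    "PUMP1_SPEED_PCT": (0.0, 100.0),
}
MAX_STEP_RATIO = 3.0   # a single change of more than 3x the previous value is suspect


@dataclass
class SetpointChange:
    ts: datetime
    tag: str
    old: float
    new: float
    source: str        # originating station, e.g. "HMI-OPS-01" or "REMOTE:vendor-support"


def parse_historian_line(line: str) -> SetpointChange:
    """Constructed CSV layout: timestamp,tag,old_value,new_value,source."""
    ts, tag, old, new, source = (p.strip() for p in line.split(","))
    return SetpointChange(datetime.fromisoformat(ts), tag, float(old), float(new), source)


def evaluate(change: SetpointChange) -> list:
    """Return the list of reasons this change is suspicious (empty if none)."""
    reasons = []
    lo, hi = TAG_LIMITS.get(change.tag, (float("-inf"), float("inf")))
    if not lo <= change.new <= hi:
        reasons.append(f"new value {change.new:g} outside engineering limits [{lo:g}, {hi:g}]")
    if change.old > 0 and change.new / change.old > MAX_STEP_RATIO:
        reasons.append(f"step of {change.new / change.old:.0f}x exceeds {MAX_STEP_RATIO:g}x")
    if change.source.startswith("REMOTE:"):
        reasons.append(f"issued from remote-access session {change.source}")
    return reasons


def run_rule(lines):
    """Apply the rule to an iterable of log lines; return (change, reasons) pairs."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        change = parse_historian_line(line)
        reasons = evaluate(change)
        if reasons:
            alerts.append((change, reasons))
    return alerts


# Constructed historian export: routine operator adjustments, then a dosing
# setpoint pushed to 111 times its value from a remote session.
SAMPLE_LOG = """\
# timestamp,tag,old_value,new_value,source
2024-03-01T13:10:02,PUMP1_SPEED_PCT,60,65,HMI-OPS-01
2024-03-01T13:12:40,NAOH_DOSE_PPM,100,110,HMI-OPS-01
2024-03-01T13:31:55,NAOH_DOSE_PPM,110,12210,REMOTE:vendor-support
""".splitlines()

if __name__ == "__main__":
    for change, reasons in run_rule(SAMPLE_LOG):
        print(f"[{change.ts.isoformat()}] {change.tag} {change.old:g} -> {change.new:g} "
              f"from {change.source}")
        for r in reasons:
            print("   -", r)
```

The three checks are independent on purpose. The limits check catches a dangerous value regardless of who issued it; the step-ratio check catches an operator-station compromise that stays just inside the limits but moves unusually fast; the source check makes every remote-session change reviewable even when the value is benign, which is the audit trail an incident response playbook for a small utility most often lacks.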
For IT security professionals entering OT environments: the skills transfer, but the context does not. Invest time in understanding the operational processes, the physical consequences of system failure, and the regulatory environment before applying technical security measures. The best OT security practitioners combine cybersecurity expertise with genuine respect for the engineering and operational realities of industrial systems.