OT Security: Complete Guide to Operational Technology Protection

By Zakaria El Intissar | April 8, 2026

OT security is the practice of protecting operational technology — the hardware and software that monitors and controls physical processes — from cyber threats. This includes the systems that run factories, power plants, water treatment facilities, oil refineries, transportation networks, and any environment where digital commands drive physical outcomes.

Operational technology is different from information technology. IT manages data. OT manages machines. When IT fails, you lose files. When OT fails, equipment can be damaged, production can stop, the environment can be harmed, and people can get hurt.

OT security exists because these systems were not built with cybersecurity in mind. They were designed for reliability and uptime in an era when they operated on isolated networks. That isolation is gone. Industry 4.0, remote operations, cloud dashboards, and IT/OT convergence have connected OT systems to the wider network — and to every threat that comes with it.

The core truth: OT security is not IT security applied to a factory. It is a separate discipline with different priorities, different constraints, and different consequences for failure.

What Is Operational Technology?

Operational technology is any hardware or software that directly monitors or controls physical equipment and processes. It includes:

OT Component | What It Does | Where You Find It
PLC (Programmable Logic Controller) | Automates specific physical processes — opens valves, starts motors, controls sequences | Manufacturing lines, pump stations, substations
SCADA (Supervisory Control and Data Acquisition) | Monitors and controls distributed systems across wide areas | Pipelines, power grids, water networks
DCS (Distributed Control System) | Controls continuous processes in a single facility | Chemical plants, refineries, power generation
HMI (Human-Machine Interface) | The screen operators use to see process data and issue commands | Control rooms, operator stations
RTU (Remote Terminal Unit) | Collects field data and sends it to SCADA; executes remote commands | Remote pipeline stations, substations
Historian | Stores time-series process data for trending and analysis | Site data centers, increasingly in the cloud
Safety Instrumented System (SIS) | Independent system that shuts down processes when unsafe conditions are detected | Any facility with high-consequence processes
Engineering Workstation | Used by engineers to program PLCs, configure controllers, and modify logic | Plant engineering offices

The key characteristic of all OT is this: it interacts with the physical world. A command sent to a PLC does not move a file — it opens a valve, spins a turbine, or adjusts a chemical dosing rate.

Why OT Security Matters

Physical Consequences

A cyberattack on OT can cause real-world harm. The 2017 TRITON attack targeted safety systems at a petrochemical plant — the systems designed to prevent explosions and chemical releases. The 2021 Oldsmar incident saw an attacker try to poison a city’s drinking water by remotely manipulating chemical levels through an HMI.

Operational Downtime

The Dragos 2026 OT Cybersecurity Year in Review tracked 119 ransomware groups impacting over 3,300 industrial organizations. Many of these attacks did not directly breach OT systems but forced operators to shut down production out of caution because they could not confirm the OT network was safe.

Regulatory Pressure

NIS2 in the EU, NERC CIP in North American energy, and an increasing number of national frameworks now mandate OT security for critical infrastructure operators. New York’s mandatory cybersecurity rules for water and wastewater systems took effect in March 2026 — a sign of what is coming everywhere.

Insurance and Liability

Cyber insurers are tightening requirements for OT environments. Companies without demonstrated OT security programs face higher premiums, coverage exclusions, or outright denial.

OT Security vs. IT Security: The Critical Differences

IEC 62443-1-1 states this clearly: in industrial systems, the priority of security objectives is inverted compared to traditional IT. IT puts confidentiality first. OT puts availability first.

Here is the full comparison:

Factor | IT Security | OT Security
Top priority | Confidentiality (protect data) | Availability (keep systems running) + Safety
Second priority | Integrity | Integrity
Third priority | Availability | Confidentiality
Response time requirements | Seconds acceptable | Milliseconds required — control loops cannot tolerate latency
Patching | Automated, frequent | Manual, rare, vendor-approved, requires outage windows
System lifespan | 3–5 years | 15–30 years
Scanning | Active vulnerability scanning is standard | Active scanning can crash PLCs and RTUs — passive monitoring only
Antivirus/EDR | Standard on all endpoints | Often impossible on embedded devices and legacy controllers
Protocols | TCP/IP, HTTP, TLS, DNS | Modbus, DNP3, OPC UA/Classic, PROFINET, EtherNet/IP, BACnet
Failure impact | Data loss, business disruption, financial damage | Equipment damage, environmental harm, production loss, injury, death
Change management | Agile, frequent | Rigid, safety-reviewed, tested offline, deployed during scheduled outages
Network architecture | Flat or microsegmented | Layered by IEC 62443 reference model levels, zones, and conduits

The Biggest Mistake

The most common failure in OT security is applying IT tools and practices directly to OT without adapting them. Active vulnerability scanners can crash PLCs. Automatic patching can disrupt real-time control loops. Endpoint agents can consume the limited resources that controllers need for process execution. Network changes that take seconds in IT can require weeks of planning and a production shutdown in OT.

The OT Threat Landscape in 2026

Threats to OT environments have grown in volume, capability, and intent. Here is what defenders face right now:

Ransomware Targeting Industrial Operations

Ransomware groups have learned that attacking industrial operators is highly profitable because downtime costs are enormous. The TXOne Networks 2026 report found that 96% of OT security incidents originate from IT-level compromises, and 60% of surveyed organizations experienced incidents in 2025. Attackers do not need to reach the PLC — encrypting the historian, the HMI server, or the engineering workstation is enough to halt production.

Nation-State Prepositioning

State-sponsored groups are no longer just gaining access. The Dragos 2026 report found that adversaries have progressed to actively mapping control loops inside OT environments — understanding how to manipulate physical processes. Three new OT-focused threat groups emerged in 2025 alone.

Living Off the Land (LotL)

Attackers use legitimate tools already present on OT systems — PowerShell, WMI, vendor engineering software — to move laterally and execute commands without triggering traditional security alarms. These techniques are harder to detect because the tools are authorized.

Supply Chain Attacks

Attackers target vendor firmware, software updates, and remote access tools. A compromised vendor update channel can deliver malware to hundreds of sites simultaneously. IEC 62443-2-4 exists specifically to address the security requirements of IACS service providers for this reason.

Protocol Exploitation

Modbus, DNP3, and older OPC variants have no authentication or encryption. Attackers who can reach the network can issue commands that look identical to legitimate traffic. Without deep packet inspection tuned for industrial protocols, these attacks are invisible.

Expanding Attack Surface

The Palo Alto Networks 2026 OT Security Report identified a 332% increase in internet-exposed OT devices. Nearly 20 million OT-related devices are now observable on the public internet. Every cloud-connected sensor, cellular RTU, and remote access gateway expands the perimeter.

Key OT Security Frameworks and Standards

IEC 62443 — The Global Standard for Industrial Cybersecurity

The most comprehensive standard for OT security. It covers the full lifecycle and assigns clear requirements to asset owners, system integrators, product suppliers, and service providers. Core concepts that directly apply to OT security:

  • Zones and conduits — divide your OT network into security zones with controlled communication pathways
  • Seven foundational requirements — identification/authentication, use control, system integrity, data confidentiality, restricted data flow, timely response to events, resource availability
  • Four security levels (SL 1–4) — match defenses to the attacker profile, from casual to nation-state
  • CSMS — cybersecurity management system as a continuous program, not a one-time project
  • Maturity levels — assess and improve the maturity of your security processes over time

NIST SP 800-82 — Guide to ICS Security

U.S.-focused guidance that maps well to the NIST Cybersecurity Framework. Provides specific overlays for OT environments, recommended architectures, and risk management practices. Revision 3 includes OT-specific controls for low, moderate, and high-impact systems.

NIST Cybersecurity Framework (CSF) 2.0

The high-level framework organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover. Used for overall governance, with IEC 62443 providing the OT-specific details underneath.

NERC CIP

Mandatory for the North American bulk electric system. Covers electronic security perimeters, physical security, personnel training, incident reporting, and supply chain risk management for power grid SCADA and OT systems.

NIS2 Directive

The EU’s updated directive broadens the scope of regulated critical infrastructure sectors and tightens requirements for incident reporting, risk management, and supply chain security. Aligns with IEC 62443 principles.

OT Security Architecture: Defense in Depth

IEC 62443-1-1 defines defense in depth as “the provision of multiple security protections, especially in layers, with the intent to delay if not prevent an attack.” For OT, this means security at every level:

The IEC 62443 Reference Model

IEC 62443-1-1 defines its own reference model for industrial network architecture, derived from IEC 62264-1. The industry commonly calls this the “Purdue Model” (after the Purdue Enterprise Reference Architecture), but the standard itself does not use that name. It organizes the network into logical levels:

Level 4 — Enterprise Systems

Business planning and logistics. Corporate IT, ERP, email, cloud services. This level faces the full range of internet threats. IEC 62443-1-1 notes that business planning and logistics systems at this level are not explicitly part of the IACS but connect to it.

Level 3 — Operations Management

Site-level operations servers, engineering workstations, application servers. This is where site-wide coordination happens.

DMZ (between Level 3 and Level 4)

The most critical boundary in the entire architecture. While the standard’s reference model does not define a “Level 3.5,” industry best practice places a demilitarized zone here. It contains data diodes, historian mirrors, jump servers, and patch staging servers. No direct traffic should cross from the enterprise network into the control network.

Level 2 — Supervisory Control

HMIs, SCADA servers, and supervisory controllers. This is where operators interact with the process.

Level 1 — Basic Control

PLCs, RTUs, and DCS controllers. These devices execute the actual control logic.

Level 0 — Process

Sensors, actuators, valves, drives. The physical endpoints that interact with the real world.

The standard also defines a separate safety and protection function that operates alongside levels 0–2. Safety Instrumented Systems (SIS) should be isolated from the control network to prevent an attacker from disabling safety protections.

Each level boundary is a security control point. Firewalls, access controls, and monitoring are applied at every transition. The boundary between the enterprise network and the OT network is the single most important one to get right.

Zones and Conduits in Practice

Within the OT network, group assets into security zones that share the same protection requirements. Connect zones through conduits — controlled communication pathways with defined security rules. This limits lateral movement. If an attacker compromises one zone, the conduit between zones should stop or slow their progress.

OT Security Best Practices

These are the controls that consistently appear in the strongest OT security programs, drawn from IEC 62443, NIST SP 800-82, and lessons from real-world incidents:

1. Asset Inventory — Know What You Have

You cannot protect what you do not know exists. Build and maintain a comprehensive inventory of every OT device: PLCs, HMIs, RTUs, switches, historians, engineering workstations, cellular modems, serial-to-Ethernet converters. Include firmware versions, communication paths, and vendor details. Use automated passive discovery — do not rely on spreadsheets.

2. Network Segmentation — Separate IT From OT

Implement the IEC 62443 zone and conduit model. At minimum, place a DMZ between your enterprise IT network and your OT network. Within OT, further segment by reference model levels and functional zones. No direct traffic should flow between corporate IT and the control network. Ever.
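The zone-and-conduit model described in the architecture section and in this segmentation practice can be written down as a checkable policy rather than a diagram. The following is an added example, not code from this article or from any product: zones are groups of subnets, conduits are the only permitted zone-to-zone paths, each limited to named services. evaluate_flow() answers whether a given connection would be allowed, and lint_policy() flags two violations of the rules stated above: a conduit that carries enterprise traffic past the DMZ, and a conduit that connects the safety zone to anything else. The addressing, zone names, conduit purposes and the port numbers other than Modbus/TCP 502 are all constructed for the demonstration.

```python
"""Zone-and-conduit policy model (constructed example, standard library only).

Zones are named groups of subnets. Conduits are the only permitted zone-to-zone
paths, each restricted to named services. evaluate_flow() answers "would this
connection be allowed?" and lint_policy() flags conduits that break two rules
from the text: enterprise traffic must terminate in the DMZ, and the safety
zone must not share a conduit with the control network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    kind: str             # "enterprise", "dmz", "control" or "safety"
    subnets: tuple        # CIDR strings


@dataclass(frozen=True)
class Conduit:
    src: str              # zone that initiates the connection
    dst: str
    services: frozenset   # of (proto, port) pairs
    purpose: str


# Constructed site: addressing, zone kinds and conduit purposes are all invented.
ZONES = (
    Zone("enterprise", "enterprise", ("10.10.0.0/16",)),
    Zone("dmz", "dmz", ("10.20.0.0/24",)),
    Zone("site-ops", "control", ("10.30.1.0/24",)),        # Level 3
    Zone("supervisory", "control", ("10.30.2.0/24",)),     # Level 2
    Zone("basic-control", "control", ("10.40.1.0/24",)),   # Level 1
    Zone("safety", "safety", ("10.50.1.0/24",)),           # SIS
)

POLICY = (
    Conduit("enterprise", "dmz", frozenset({("tcp", 443)}), "historian mirror and jump server portal"),
    Conduit("dmz", "site-ops", frozenset({("tcp", 3389)}), "jump server to engineering workstation"),
    Conduit("site-ops", "dmz", frozenset({("tcp", 443)}), "historian replication outbound"),
    Conduit("site-ops", "basic-control", frozenset({("tcp", 502)}), "engineering access to PLCs"),
    Conduit("supervisory", "basic-control", frozenset({("tcp", 502)}), "HMI and SCADA polling"),
)

# Same policy plus the shortcut that turns up in real audits: a corporate
# dashboard reading a PLC directly, bypassing the DMZ.
BAD_POLICY = POLICY + (
    Conduit("enterprise", "basic-control", frozenset({("tcp", 502)}), "vendor dashboard reads PLC directly"),
)


def zone_of(ip, zones=ZONES):
    """Return the Zone containing ip, or None if the address is unassigned."""
    addr = ipaddress.ip_address(ip)
    for zone in zones:
        if any(addr in ipaddress.ip_network(cidr) for cidr in zone.subnets):
            return zone
    return None


def evaluate_flow(src_ip, dst_ip, proto, port, zones=ZONES, policy=POLICY):
    """Return (allowed, reason) for a connection attempt."""
    src, dst = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if src is None or dst is None:
        return False, "address not assigned to any zone (inventory gap)"
    if src.name == dst.name:
        return True, f"intra-zone traffic inside {src.name}"
    matching = [c for c in policy if c.src == src.name and c.dst == dst.name]
    for conduit in matching:
        if (proto, port) in conduit.services:
            return True, f"conduit {src.name}->{dst.name}: {conduit.purpose}"
    if matching:
        return False, f"conduit {src.name}->{dst.name} does not permit {proto}/{port}"
    return False, f"no conduit from {src.name} to {dst.name}"


def lint_policy(policy, zones=ZONES):
    """Return a list of architectural violations found in the conduit list."""
    kinds = {z.name: z.kind for z in zones}
    problems = []
    for c in policy:
        ends = {kinds[c.src], kinds[c.dst]}
        if "enterprise" in ends and ends & {"control", "safety"}:
            problems.append(f"{c.src}->{c.dst}: enterprise traffic must terminate in the DMZ")
        if "safety" in ends:
            problems.append(f"{c.src}->{c.dst}: SIS zone must not share a conduit with other zones")
    return problems


if __name__ == "__main__":
    print(evaluate_flow("10.10.5.20", "10.40.1.20", "tcp", 502))   # enterprise host straight to a PLC
    print(evaluate_flow("10.30.2.10", "10.40.1.20", "tcp", 502))   # HMI polling a PLC
    print(lint_policy(BAD_POLICY))
```

An address that maps to no zone is denied with an "inventory gap" reason rather than silently treated as enterprise traffic; in practice that outcome is itself an asset-inventory finding. Running lint_policy() against the exported rule base of each boundary firewall is a cheap way to catch the direct enterprise-to-control conduits that accumulate over years of vendor requests.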

3. Remote Access — Lock It Down

Remote access is the top attack vector for OT breaches. Replace always-on VPN connections with on-demand, time-limited, multi-factor authenticated sessions. Record all remote sessions. Use jump servers in the DMZ. Audit vendor access quarterly.

4. Endpoint Hardening — Reduce the Attack Surface

Remove unnecessary services and software from every OT endpoint. Change all default passwords. Disable unused ports. Apply application whitelisting on HMIs and engineering workstations. Where vendors provide patches, test in a staging environment before production — following IEC TR 62443-2-3.

5. OT Network Monitoring — Watch the Wire

Deploy OT-specific network detection tools that understand industrial protocols (Modbus, DNP3, OPC, EtherNet/IP). Establish traffic baselines. Alert on new devices, unexpected communication patterns, and abnormal command sequences. Passive monitoring is preferred — it does not inject traffic into the control network.
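The Protocol Exploitation section above makes the point that a Modbus write from an attacker is byte-for-byte the same as one from the engineering workstation, so detection has to come from context: who is talking to whom, and with which function codes, compared against a baseline. The following is an added example of that passive, protocol-aware check, not code from this article or from any monitoring product. It decodes Modbus/TCP request frames with the standard library only and alerts on hosts missing from the asset inventory, talker pairs never seen during baselining, function codes a pair has not used before (writes rated high because they change process state), and malformed frames. The IP addresses, inventory, baseline and captured frames are all constructed for the demonstration.

```python
"""Passive Modbus/TCP baseline monitor (constructed example, standard library only).

Each captured request is decoded and checked against an asset inventory and a
traffic baseline. Alerts fire for hosts missing from the inventory, talker
pairs never seen during baselining, function codes a pair has not used before
(writes are rated high, since they change process state), and malformed frames.
"""
import struct
from dataclasses import dataclass

# Modbus public function codes: writes change process state, reads only poll it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    value_or_quantity: int   # data value for single writes, item count otherwise

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the first five PDU bytes of a request.

    FC 15/16 carry extra data bytes after the quantity field; the monitor does
    not need them, so they are left unparsed. Anything odd raises ValueError.
    """
    if len(frame) < 12:
        raise ValueError("frame shorter than MBAP header plus a minimal request PDU")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (0)")
    if length != len(frame) - 6:          # length field counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    fc, address, value = struct.unpack(">BHH", frame[7:12])
    if fc not in WRITE_FUNCTIONS and fc not in READ_FUNCTIONS:
        raise ValueError(f"unsupported or exception function code {fc}")
    return ModbusRequest(tid, unit_id, fc, address, value)


def build_request(tid: int, unit_id: int, fc: int, address: int, value: int) -> bytes:
    """Assemble a minimal request ADU; used here only to construct sample traffic."""
    pdu = struct.pack(">BHH", fc, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def analyze(flows, known_hosts, baseline):
    """Return alerts as (severity, kind, src, dst, detail) tuples.

    flows:       iterable of (src_ip, dst_ip, frame_bytes) from a passive tap
    known_hosts: the asset inventory, as a set of IP addresses
    baseline:    {(src_ip, dst_ip): set of function codes seen while baselining}
    """
    alerts = []
    for src, dst, frame in flows:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append(("medium", "malformed", src, dst, str(err)))
            continue
        for host in (src, dst):
            if host not in known_hosts:
                alerts.append(("high", "new-device", src, dst,
                               f"{host} is not in the asset inventory"))
        allowed = baseline.get((src, dst))
        if allowed is None:
            alerts.append(("high", "unexpected-pair", src, dst,
                           f"no baseline for this pair; request used FC {req.function_code}"))
        elif req.function_code not in allowed:
            name = WRITE_FUNCTIONS.get(req.function_code) or READ_FUNCTIONS[req.function_code]
            alerts.append(("high" if req.is_write else "medium", "unexpected-function", src, dst,
                           f"FC {req.function_code} ({name}) at address {req.start_address} "
                           "not in baseline for this pair"))
    return alerts


# Constructed inventory, baseline and traffic: an HMI that only polls, an
# engineering workstation allowed to write, one PLC, and one unknown host.
KNOWN_HOSTS = {"10.0.2.10", "10.0.3.5", "10.0.1.20"}
BASELINE = {
    ("10.0.2.10", "10.0.1.20"): {3, 4},      # HMI -> PLC: reads only
    ("10.0.3.5", "10.0.1.20"): {3, 6, 16},   # engineering workstation -> PLC
}
SAMPLE_FLOWS = [
    ("10.0.2.10", "10.0.1.20", build_request(1, 1, 3, 0x0000, 10)),      # routine poll
    ("10.0.3.5", "10.0.1.20", build_request(2, 1, 6, 0x0010, 500)),      # baselined setpoint write
    ("10.0.2.10", "10.0.1.20", build_request(3, 1, 5, 0x0003, 0xFF00)),  # HMI writes a coil
    ("10.0.4.99", "10.0.1.20", build_request(4, 1, 16, 0x0010, 2)),      # unknown host writes
    ("10.0.2.10", "10.0.1.20", b"\x00\x05\x00\x00\x00\x09\x01\x03\x00\x00\x00\x0a"),  # bad length
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS, KNOWN_HOSTS, BASELINE):
        print(*alert, sep=" | ")
```

The baseline is the part that matters: the same coil write is routine from the engineering workstation and an incident from the HMI or from an address nobody has inventoried. Feeding the monitor from a SPAN port or tap keeps it passive, which is the property the text asks for; it never sends a frame onto the control network.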

6. Access Control — Enforce Least Privilege

Apply IEC 62443 FR 2 (Use Control). Every user gets only the access they need. Use role-based access. Review permissions quarterly. Remove accounts immediately when people change roles or leave. Log every access attempt.

7. Incident Response — Plan for OT Realities

Build an incident response plan that accounts for the fact that you may not be able to shut down the system during an event. Define roles, escalation paths, and communication procedures. Include both IT security staff and OT engineers. Run tabletop exercises at least twice per year with realistic OT scenarios.

8. Backup and Recovery — Test Your Restores

Back up PLC logic, HMI configurations, historian databases, and network settings. Store backups offline in an immutable repository. Test restoration quarterly. A tested backup is the difference between hours of recovery and weeks.
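A backup is only useful if you can tell whether what you restored is what you saved, and the same comparison doubles as a quick check for unauthorized logic changes during an incident. The following is an added example, not code from this article or from any vendor tool: a backup set is modelled as a mapping of artifact names to bytes (PLC logic exports, HMI project files, switch configurations), snapshot() records a SHA-256 per artifact plus a digest over the manifest itself, and verify() classifies a later export as unchanged, modified, missing or new. The artifact contents and names are constructed; the manifest digest makes tampering with a copy detectable but does not replace the immutable repository the text calls for.

```python
"""Backup manifest and configuration-drift check (constructed example).

A backup set is modelled as {artifact_name: bytes}. snapshot() records a
SHA-256 per artifact plus a digest over the whole manifest, so a copy pulled
from the offline repository can be checked before it is trusted. verify()
compares a fresh export against the manifest and classifies each artifact.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(artifacts: dict, label: str) -> dict:
    """Build a manifest for a backup set."""
    entries = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    return {
        "label": label,
        "created": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
        # Digest over the entry table. The repository's immutability protects the
        # stored file; this lets a reader confirm a copy is intact before relying on it.
        "manifest_digest": sha256_hex(json.dumps(entries, sort_keys=True).encode()),
    }


def verify(manifest: dict, current: dict) -> dict:
    """Classify a current export against a manifest; raise if the manifest is altered."""
    expected = manifest["artifacts"]
    if sha256_hex(json.dumps(expected, sort_keys=True).encode()) != manifest["manifest_digest"]:
        raise ValueError("manifest digest mismatch: manifest has been altered")
    report = {"unchanged": [], "modified": [], "missing": [], "new": []}
    for name, digest in expected.items():
        if name not in current:
            report["missing"].append(name)
        elif sha256_hex(current[name]) == digest:
            report["unchanged"].append(name)
        else:
            report["modified"].append(name)
    report["new"] = sorted(name for name in current if name not in expected)
    return report


# Constructed backup set: the bytes stand in for real vendor export files.
GOLDEN = {
    "plc-01/logic.export": b"LD I0.0\nAND I0.1\n= Q0.0\n",
    "hmi-02/project.xml": b"<project><screen name='overview'/></project>",
    "switch-03/running-config": b"interface Gi1/0/1\n switchport access vlan 40\n",
}
MANIFEST = snapshot(GOLDEN, "quarterly-golden")

# Later export: PLC logic changed, switch config not collected, one new file.
LATER = {
    "plc-01/logic.export": b"LD I0.0\n= Q0.0\n",
    "hmi-02/project.xml": GOLDEN["hmi-02/project.xml"],
    "plc-01/extra-block.export": b"LD M0.0\n= Q0.5\n",
}

if __name__ == "__main__":
    print(json.dumps(verify(MANIFEST, LATER), indent=2))
```

Running verify() against a fresh export at each quarterly restore test turns "did the restore work?" into a list of named artifacts; a "modified" PLC logic file that no change ticket explains is exactly the signal an OT incident responder wants before deciding whether the backup or the running controller is the trustworthy copy.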

9. Supply Chain Security — Vet Your Vendors

Use IEC 62443-2-4 requirements to evaluate the security practices of every integrator, vendor, and service provider who touches your OT environment. Require security incident notification SLAs in contracts. Audit vendor access pathways regularly.

10. Training — Make It OT-Relevant

Generic IT security training does not work for OT personnel. Train operators to recognize abnormal physical behavior on HMIs that might indicate a cyber event. Train engineers on secure PLC configuration and the risks of dual-homed workstations. Connect digital risk to physical outcomes in every training session.

Industries That Need OT Security

Any organization that uses operational technology to control physical processes:

  • Energy & Utilities — power generation, transmission, distribution, renewables, nuclear
  • Oil & Gas — upstream drilling, midstream pipelines, downstream refining and distribution
  • Water & Wastewater — treatment plants, distribution systems, stormwater management
  • Manufacturing — automotive, aerospace, electronics, food and beverage, pharmaceuticals, chemicals
  • Transportation — rail signaling, port operations, airport systems, traffic management
  • Mining & Metals — extraction, processing, smelting operations
  • Building Automation — HVAC, fire systems, access control, elevator systems in large facilities
  • Healthcare — medical device networks, building systems in hospitals

The OT Security Maturity Journey

IEC 62443-1-1 describes a common mistake: treating OT security as a project with a start and end date. When this happens, security levels decline over time as new threats emerge and attention fades. The standard recommends a continuous cybersecurity management system (CSMS) approach instead.

The maturity journey typically follows these stages:

Stage 1 — Visibility

You build an asset inventory, map your network, and understand what you have. Most organizations start here. The goal is to answer: “What devices are on our OT network, and how are they connected?”

Stage 2 — Protection

You implement network segmentation, access controls, endpoint hardening, and remote access security. You close the most obvious gaps. The goal is to reduce the attack surface.

Stage 3 — Detection

You deploy OT network monitoring, establish baselines, and build alerting for anomalies. You integrate OT alerts with your security operations. The goal is to know when something goes wrong.

Stage 4 — Response

You build and test incident response plans specific to OT. You run tabletop exercises. You define recovery procedures and test backups. The goal is to handle incidents without making them worse.

Stage 5 — Resilience

You embed security into ongoing operations. Risk assessments are continuous, not annual. Vendor security is actively managed. Training is role-based and regular. The goal is to maintain security levels over time, not just achieve them once.

88% of organizations surveyed in the TXOne Networks 2026 report increased OT security spending by more than 10% — a sign that the industry is moving from awareness to action.

Frequently Asked Questions

What is OT security in simple terms?

OT security protects the systems that control physical things — machines, valves, pumps, turbines, conveyor belts — from cyberattacks. If IT security protects your data, OT security protects your operations.

What is the difference between OT and ICS security?

ICS (Industrial Control Systems) security is a subset of OT security. ICS refers specifically to control systems like SCADA, DCS, and PLC-based systems. OT security is the broader term that includes ICS plus all other operational technology.

Why can’t you just use IT security tools for OT?

Many IT security tools are incompatible with OT environments. Active vulnerability scanners can crash PLCs. Endpoint agents consume resources that controllers need for real-time process execution. Automatic patching can disrupt control loops. OT security requires tools designed for the constraints of industrial environments.

What is the Purdue Model?

The Purdue Enterprise Reference Architecture (PERA) is a layered model that organizes an industrial network into levels, from physical field devices at the bottom to the enterprise network at the top. IEC 62443 uses its own reference model derived from IEC 62264-1 with levels 0 through 4. The industry commonly refers to this as the “Purdue Model,” though the IEC 62443 standard itself does not use that name. IEC 62443 adds the zone and conduit security framework on top of this layered architecture.

How do I start an OT security program?

Three steps deliver the most immediate risk reduction: (1) build a complete asset inventory of your OT network, (2) segment your IT and OT networks with a DMZ, and (3) secure and audit all remote access. These address the top attack vectors and create the foundation for everything else.

Is OT security required by law?

It depends on your industry and location. Energy companies in North America must comply with NERC CIP. EU operators fall under NIS2. Many countries have national critical infrastructure laws. Even where not legally mandated, customers, insurers, and business partners increasingly require demonstrated OT security.

What is the best OT security standard?

IEC 62443 is the most widely accepted international standard for OT security. It is endorsed by the United Nations, recommended by CISA, and used across more than 20 industries. NIST SP 800-82 is the most commonly referenced U.S. guidance.

How much does OT security cost?

It varies by environment size, current maturity, and target security level. The IEC 62443 risk-based approach helps you prioritize spending where it reduces the most risk. Organizations typically begin with asset discovery, segmentation, and remote access controls — which deliver the highest return on investment.

Author: Zakaria El Intissar

I'm an automation and industrial computing engineer with 12 years of experience in power system automation, SCADA communication protocols, and electrical protection. I build tools and write guides for Modbus, DNP3, IEC 101/103/104, and IEC 61850 on ScadaProtocols.com to help engineers decode, analyze, and troubleshoot real industrial communication systems.
