What is OT cybersecurity?
Operational technology (OT) is hardware and software that directly controls physical processes. PLCs regulate valves, temperatures, and pressures. DCS systems coordinate production across a chemical plant. SCADA systems monitor and control pipelines, power grids, and water treatment facilities across hundreds of square miles. OT cybersecurity is the set of practices, architectures, and controls that protect these systems from unauthorized access, tampering, and disruption.
OT systems were designed for reliability, not security. Most PLCs, RTUs, and DCS controllers were engineered in an era when they were physically isolated from any outside network. Security was provided by the air gap: if a device was not connected to the internet, it could not be reached from the internet. That model held for decades. It is no longer adequate.
The IT/OT convergence wave of the past decade, driven by demand for real-time analytics, remote monitoring, predictive maintenance, and enterprise visibility, connected OT networks to IT infrastructure, cloud platforms, and in some cases directly to the internet. Every connectivity improvement that made operational data more accessible also eliminated some portion of the air gap that had protected OT systems from external threats. Over 80% of manufacturers reported a surge in security incidents immediately after integrating plant networks with business IT systems. Manufacturing has become the most targeted sector globally for cyber incidents, accounting for 27.7% of incidents across critical sectors in 2025 according to the IBM X-Force Threat Intelligence Index.
The consequence distinction matters. When an IT system is breached, the consequence is typically data loss, business disruption, or financial damage. When an OT system is compromised, the consequence can be physical: a halted production line, damaged equipment, an environmental release, or a safety incident. The 2021 Oldsmar, Florida water plant incident, where an attacker accessed a SCADA system and attempted to increase sodium hydroxide concentration to dangerous levels, is a concrete example of what OT compromise looks like in critical infrastructure. The 2021 Colonial Pipeline attack shut down a 5,500-mile fuel pipeline, creating fuel shortages across the US East Coast, because the operator preemptively shut down OT systems after the connected IT network was ransomwared. These are categorically different outcomes from a database breach.
How OT security differs from IT security
OT and IT security share some common principles, such as the need for access control, network segmentation, and monitoring. But the operational constraints of OT environments make direct application of IT security practices not just unhelpful, but actively dangerous in some cases.
Information technology
IT security priorities
| Priority order | Confidentiality, Integrity, Availability (CIA) |
| Failure consequence | Data loss, regulatory fine, reputational damage |
| Patching | Frequent, often automated; 30-day patch cycles standard |
| Device scanning | Active vulnerability scanning routine and expected |
| Incident response | Isolate and shut down affected systems |
| Asset lifespans | 3 to 5 years; hardware refreshed frequently |
| Downtime tolerance | Planned maintenance windows acceptable |
| Security posture | Designed with security in mind from the start |
Operational technology
OT security priorities
| Priority order | Availability, Integrity, Confidentiality (AIC) |
| Failure consequence | Production halt, equipment damage, safety incident, environmental violation |
| Patching | Risk-based, vendor-validated, timed to maintenance windows; often deferred months |
| Device scanning | Active scanning can crash legacy PLCs and DCS; passive-only is the rule |
| Incident response | Cannot simply shut down; shutdown itself can cause physical harm or violate compliance |
| Asset lifespans | 15 to 30 years; PLCs outlive multiple IT refresh cycles |
| Downtime tolerance | Unplanned downtime measured in lost production per hour, sometimes in safety terms |
| Security posture | Designed for reliability; security bolted on later, if at all |
The most dangerous mismatch is incident response. IT security orthodoxy is to isolate and shut down affected systems. In an OT environment, an unplanned shutdown of a reactor, a pipeline, or a power generating unit can cause the very physical harm that the security program is supposed to prevent. OT security must use passive monitoring and carefully orchestrated responses, because aggressive security actions can halt physical processes, damage equipment, or trigger safety events. This is not a lesser standard; it is a recognition that the physical system and the security response must be co-engineered.
Why OT is hard to secure
OT environments present security challenges that have no direct equivalent in IT. Understanding them is a prerequisite for any realistic security program.
🧳
Legacy devices designed without security
PLCs, RTUs, and DCS controllers from the 1990s and 2000s commonly run on unpatched operating systems, use protocols without authentication or encryption (Modbus, DNP3, Profibus), have default factory credentials that cannot be changed, and cannot run endpoint security software. Replacing them requires validation, regulatory approval, and significant downtime. They will remain in service for years regardless of their security posture.
📋
Unknown asset inventory
Many organizations do not have an accurate, current inventory of all OT devices on their networks. Equipment added by contractors, temporary connections established during maintenance, and IIoT sensors deployed without network team involvement all create undocumented assets. You cannot protect what you do not know exists. Asset discovery must be passive in OT environments: active scanning can disrupt or crash sensitive PLCs.
🔌
Flat networks with no internal segmentation
Many industrial networks were designed as flat, open networks where every device could reach every other device. In this architecture, a compromised engineering workstation or vendor laptop has direct access to every PLC, HMI, and historian on the network. A flat network means a single phishing email opening a door on the office side can give an attacker direct access to PLCs and SCADA servers within minutes. Segmentation is the highest-impact single control in most OT environments.
🔧
Vendor and remote access exposure
OT equipment vendors routinely have remote access to customer systems for diagnostics, updates, and emergency support. This legitimate access creates trusted entry points that attackers can exploit if the vendor's own security is compromised. Many remote access connections persist permanently rather than being session-specific and time-limited, creating always-on attack surfaces the asset owner cannot fully monitor.
⏱
Patch management constraints
Patching OT systems requires vendor validation that the patch does not affect control logic behavior, a scheduled maintenance window (often months away on 24/7 processes), and in some regulated industries, revalidation of the system after patching. Many OT patches are never applied because the operational risk of applying them is judged higher than the security risk of leaving them unapplied. Compensating controls must fill the gap.
👥
Organizational and skills gaps
IT security teams understand networks, authentication, and threat hunting but often have no knowledge of ladder logic, industrial protocols, or what a safe response to an OT anomaly looks like. OT engineers understand their processes deeply but often lack cybersecurity training. The joint governance required to secure an OT environment, where both domains have accountability at the IT/OT boundary, rarely exists without deliberate organizational design.
The OT threat landscape
The threat actors targeting OT environments in 2025 and 2026 are more capable and more numerous than at any previous point. The threat categories that are most operationally significant for industrial organizations are:
Ransomware
IT-to-OT ransomware propagation
The most common high-consequence OT threat. Ransomware typically enters through the IT network (phishing, exposed RDP, compromised VPN credentials) and propagates toward OT through flat or insufficiently segmented IT/OT connections. The Colonial Pipeline attack is the defining case: ransomware on the IT billing network prompted precautionary shutdown of the OT pipeline system. Even without the ransomware reaching OT directly, the IT/OT connectivity caused the operators to halt OT operations. Dragos Year in Review 2025 documented an 87% rise in ransomware attacks directed at industrial systems.
Targeted ICS malware
Purpose-built weapons for industrial control systems
A small but growing category of malware specifically designed to interact with industrial protocols, device firmware, and control logic. Triton/Trisis (2017) targeted safety instrumented systems at a petrochemical facility in an attempt to disable safety shutdowns before a process upset. Industroyer/Crashoverride (2016) targeted Ukrainian power grid SCADA. INCONTROLLER/Pipedream (2022) was designed to interact directly with PLCs from multiple vendors. These attacks require deep industrial knowledge and represent state-level threat capability directed specifically at physical process disruption.
Supply chain compromise
Trusted software and vendor access as attack vectors
Compromising software that OT organizations trust installs malware on their systems without requiring any direct credential exploitation. The SolarWinds attack demonstrated this at scale for IT environments; similar attacks targeting industrial automation software, historian platforms, and engineering workstation tools represent the same vector for OT. Vendor remote access connections, if not properly controlled with session recording and time-limited access, are functionally permanent backdoors into OT networks that the asset owner cannot inspect.
Insider threats
Malicious or negligent insiders with OT access
Employees and contractors with legitimate OT access can cause significant damage, whether intentionally or through negligence (plugging in an infected USB drive, connecting personal devices to OT network segments, failing to follow change management procedures). Role-based access control, session recording for privileged access, and separation of duties reduce the risk but cannot eliminate it entirely. USB media control is a practical early-priority control because the air-gapped nature of some OT networks makes USB the primary vector for introducing malware.
Exposed remote access
Internet-exposed OT interfaces and weak remote access
Internet-accessible HMIs, remote desktop connections to engineering workstations, and vendor VPN connections with weak or default credentials remain among the most common OT compromise entry points. CISA and FBI advisories consistently document attacks that begin with internet-exposed OT interfaces. The Oldsmar water plant incident involved TeamViewer remote access with default or weak credentials. Simple controls (requiring MFA for all remote access, eliminating direct internet exposure of OT interfaces, session-specific access for vendors) address the majority of this attack surface.
Foundational OT security controls
Effective OT security is built on a layered set of controls, applied in priority order based on consequence reduction. The highest-impact controls address the largest attack surfaces; they do not require sophisticated technology and should come before any advanced threat detection investment.
Asset inventory
Know what is on your OT network
Every OT security program that has failed, failed here. You cannot protect, segment, monitor, or patch what you do not know exists. Build an asset inventory using passive network monitoring tools (Claroty, Dragos, Nozomi) that fingerprint devices from observed traffic without injecting any packets. The correct approach is passive asset discovery: deploy a passive network tap or SPAN port on OT network switches and use a protocol-aware OT visibility tool to fingerprint devices from observed traffic. The inventory should capture device type, vendor, model, firmware version, protocols in use, and communication patterns.
Network segmentation
Eliminate flat networks; enforce zone and conduit architecture
Segment the OT network into security zones based on operational function and consequence of compromise. Implement the industrial DMZ (iDMZ) at Level 3.5 of the Purdue Model as the controlled boundary between IT and OT. Kill flat networks where any device can reach any other device. Each conduit between zones must be documented and controlled by a firewall with explicit allow rules for required traffic, blocking everything else. The iDMZ is where historian servers, remote access servers, and data exchange platforms live; nothing in the OT network should have a direct uncontrolled path to the IT network.
Passive monitoring
Continuous visibility without active injection
Deploy protocol-aware passive monitoring that understands Modbus, EtherNet/IP, DNP3, Profibus, and other OT protocols. Passive monitoring observes traffic from a network tap or SPAN port without generating any traffic on the OT network. It establishes a behavioral baseline of normal communications between devices and alerts when anomalies appear: a PLC attempting to communicate with an address it has never contacted, a new device appearing on the network, or a change in scan rate from an engineering workstation. Never run active vulnerability scanners or active discovery tools on live OT networks without specific vendor authorization.
Access control
MFA, least privilege, session-limited vendor access
Require multi-factor authentication for all remote access to OT systems. Implement role-based access control: process operators do not need access to engineering workstations; IT helpdesk staff have no need to access the DCS. Eliminate shared accounts on HMIs where practicable (an ongoing challenge given operational constraints). All vendor remote access must be session-specific, time-limited, and monitored with session recording. No always-on vendor tunnels. Privileged Access Workstations (PAWs) for engineering activities prevent lateral movement from a compromised corporate laptop to the OT network.
Risk-based patch management
Patch what you can; compensate for what you cannot
Apply a risk-based patch management process aligned to IEC 62443-2-3: assess each vulnerability for exploitability and impact in the specific OT context, implement compensating controls (network isolation, protocol-aware monitoring, temporary access restrictions) for vulnerabilities that cannot be patched immediately, and document accepted risk with a remediation timeline tied to the next available maintenance window. Never apply patches in production OT environments without vendor validation that the patch does not affect control logic behavior. Test in a replica environment first where possible.
Secure remote access
Eliminate internet-exposed OT; control all remote paths
Audit every internet-exposed OT interface and eliminate direct exposure. No HMI, no historian, no engineering workstation, and no PLC should be directly reachable from the internet without passing through an authenticated, monitored jump server in the iDMZ. All remote access must require MFA. Replace consumer-grade remote access tools (TeamViewer, AnyDesk) with OT-grade solutions that provide session recording and time-limited access. Cogent DataHub's outbound-only tunneling model for OT data transfer is a concrete example of how to move data across the IT/OT boundary without opening inbound ports on the OT network side.
OT security standards and frameworks
Three frameworks provide the primary structure for OT security programs. They are complementary: NIST SP 800-82 provides the program management structure, IEC 62443 provides the technical engineering specification, and NERC CIP applies specifically to the North American electric utility sector.
US government guidance
NIST SP 800-82 Rev. 3
The US NIST Guide to OT Security (Rev. 3, 2023) expands its scope from ICS to all operational technology and provides defense-in-depth architecture guidance based on the Purdue Model. It maps to the NIST Cybersecurity Framework's six functions: Govern, Identify, Protect, Detect, Respond, Recover. NIST 800-82 tells you what to achieve in OT security; IEC 62443 tells you how to implement it technically. Use NIST CSF as the program skeleton and 800-82 as the OT-specific architecture guide.
International standard
IEC 62443 (ANSI/ISA-62443)
The global standard for Industrial Automation and Control System (IACS) security. Organized in four series: general concepts, policies and procedures (for asset owners), system security requirements (Zone and Conduit model, security levels SL1-SL4), and component requirements. IEC 62443's Zone and Conduit model is the primary framework for network segmentation design in OT environments. Security Levels define the sophistication of attack each zone must withstand. IEC 62443-2-3 addresses the OT patch management lifecycle specifically.
Electric utility sector
NERC CIP
NERC Critical Infrastructure Protection standards apply mandatory cybersecurity requirements to bulk electric system cyber assets in North America. They cover electronic security perimeters, access management, configuration management, incident reporting, and recovery planning. NERC CIP compliance is audited and enforced; non-compliance carries financial penalties. Organizations in power generation, transmission, and distribution who operate BES Cyber Systems must comply regardless of whether other frameworks are also followed.
Where to start when the task seems overwhelming: Start with passive asset discovery across your OT network to build an accurate inventory. Then implement network segmentation starting at the IT/OT boundary: kill flat OT networks and apply the conduit controls between the highest-consequence zones first, which yields the largest attack surface reduction fastest. Asset inventory and segmentation address the root cause of most OT security incidents before any advanced technology investment is required.
How Software Toolbox products fit into OT security
SWTB does not sell a dedicated OT cybersecurity product. What SWTB does provide is the connectivity, data transport, and contextualization layer that intersects directly with OT security architecture at the IT/OT boundary. How SWTB products are deployed has direct security implications for OT environments.
Secure boundary
Cogent DataHub: Outbound-only OT data transportDataHub's tunneling architecture uses outbound connections from the OT-side instance to the DMZ or IT-side instance. No inbound ports need to be opened on the OT network firewall, which keeps the attack surface of the IT/OT boundary smaller. Data diode mode enforces strictly one-way data flow from OT to IT, making reverse connections physically or logically impossible. Store-and-forward preserves data integrity during network outages without requiring continuous connectivity. These are not just connectivity features; they are architectural choices that align with the conduit security requirements in IEC 62443 and the boundary protection guidance in NIST SP 800-82.
Protocol scope
TOP Server: Replacing direct client connections to OT devicesBefore OPC and TOP Server, each SCADA, historian, and MES application needed its own direct connection to each OT device. Multiple simultaneous polling connections to a PLC increase the device's attack surface and communication load. TOP Server consolidates all client application access through a single OPC server instance that manages one connection to each device. This reduces the number of processes that have direct protocol-level access to PLCs and DCS systems, which is a meaningful attack surface reduction. Removing direct historian and SCADA connections to PLCs in favor of OPC-mediated access is standard practice in OT security architecture reviews.
Data fidelity
N3uron: Edge contextualization with security-aware data transportN3uron publishes OT data to MQTT brokers using Sparkplug B over TLS-encrypted connections. The edge deployment model means sensitive OT data is contextualized and filtered locally before any data leaves the plant network, reducing the volume of raw process data that needs to cross the IT/OT boundary. N3uron also supports secure authentication to MQTT brokers and cloud platforms. For organizations building a UNS, the MQTT broker in the iDMZ provides a single controlled egress point for OT data, rather than individual OT devices attempting cloud connectivity on their own.
Least privilege
OPC Router: Controlled OT-to-IT data routingOPC Router provides explicit, auditable workflows that define exactly which OT data flows to which IT destination under what conditions. This visibility is useful for security reviews: the data flow documentation produced by OPC Router's visual workflow is a practical implementation of the conduit documentation required by IEC 62443. Rather than undocumented direct connections from OT historians to enterprise databases, OPC Router creates explicit, reviewable data pipelines that can be audited and controlled.
Frequently asked questions
What is the difference between OT security, ICS security, and SCADA security?+−
These terms are often used interchangeably, but they have slightly different scopes. OT (Operational Technology) is the broadest term: it encompasses all hardware and software that monitors and controls physical processes and devices, including building automation, transportation systems, and industrial manufacturing, not just traditional industrial automation.
ICS (Industrial Control Systems) is a subset of OT that specifically refers to systems that directly control industrial processes: PLCs, DCS, RTUs, safety instrumented systems, and the engineering workstations and historians that support them. ICS security is a more specific term for the security of that control system layer.
SCADA (Supervisory Control and Data Acquisition) is a category of ICS that typically refers to systems monitoring and controlling geographically distributed assets: pipelines, power grids, water distribution networks. SCADA security addresses the specific challenges of that distributed architecture. In practice, "OT cybersecurity" is the dominant umbrella term in current usage, with ICS and SCADA understood as components within it.
Why can't I use standard IT security tools in my OT environment?+−
IT security tools were designed for general-purpose computing environments. The most critical issue is active scanning: vulnerability scanners and network discovery tools that generate high volumes of probe traffic can overload or crash legacy PLCs, DCS controllers, and RTUs that were designed for deterministic, low-overhead communication. Active scan traffic can cause network congestion on time-sensitive control networks, potentially disrupting the real-time control loops that PLCs execute. Several documented incidents have involved plant disruptions caused by IT security teams running scans on OT networks without understanding these constraints.
Beyond scanning, IT security tools typically do not understand OT-specific protocols. An intrusion detection system that does not recognize Modbus, EtherNet/IP, or DNP3 traffic cannot distinguish normal OT communication from an anomalous one. An endpoint protection agent running on a SCADA server may flag legitimate industrial process control software as suspicious. These tools need OT-aware variants that understand industrial protocols and have been specifically validated against OT system constraints before deployment in production OT environments.
How should I handle patches for OT systems that cannot be updated on standard IT timelines?+−
IEC 62443-2-3 provides an OT-specific patch management framework built around risk-based assessment rather than fixed timelines. For each unpatched vulnerability, evaluate its exploitability in your specific OT network context (is the affected service exposed to the IT network? is the device accessible from outside a well-controlled zone?) and its potential impact (does this device control a safety-critical process?). Then implement compensating controls appropriate to the risk: network isolation that prevents the vulnerability from being reached, OT-aware monitoring that would detect exploitation attempts, or temporary access restrictions while a patch is prepared.
Document the accepted risk formally: what vulnerability is unpatched, what compensating controls are in place, and what is the target timeline for remediation tied to the next validated maintenance window. Coordinate with the equipment vendor for patch validation in a test environment before production deployment. Never apply patches in a production OT environment without vendor validation and a tested rollback procedure.
Is the Purdue Model still relevant for OT security architecture?+−
The Purdue Model's physical layer hierarchy is less applicable than it was in the 1990s, because IIoT devices now connect directly to cloud platforms, edge nodes publish MQTT data across network boundaries, and remote operations centers access plant-level data from central IT infrastructure. Some practitioners argue this makes the model obsolete.
The more useful framing is that the Purdue Model's core principle, that systems with different security requirements and operational functions should be separated by controlled interfaces, remains as relevant as ever. The iDMZ at Level 3.5 is more important as a security control now than when the model was designed, because the number of legitimate data flows crossing the IT/OT boundary has increased. Most current OT security frameworks, including NIST SP 800-82 Rev. 3 and IEC 62443's Zone and Conduit model, are extensions and adaptations of the Purdue hierarchy rather than replacements for it. The practical answer is to use the Purdue Model as a mental framework for segmentation planning while accepting that modern OT architectures require adapting its physical topology assumptions to cloud and IIoT realities.
What does zero trust mean in an OT context?+−
Zero trust in IT means never trusting network location as a proxy for trustworthiness: every user and device must authenticate and authorize for every resource request, regardless of whether they are inside the corporate network perimeter. This is well-suited to IT environments where devices are general-purpose computers that can run authentication agents and participate in identity management systems.
Applying zero trust to OT environments requires adaptation. Legacy PLCs and RTUs cannot run authentication agents, cannot participate in modern identity management systems, and cannot tolerate the latency that continuous authentication might introduce in time-critical control loops. Zero trust for OT is better understood as micro-segmentation (making zones small enough that the blast radius of any compromise is limited), strict conduit controls (ensuring every device-to-device communication path is explicitly authorized), privileged access management (requiring step-up authentication for all engineering and administrative access), and continuous behavioral monitoring (alerting on communications that deviate from established baselines). These principles implement zero trust intent within the operational constraints of OT environments.
What regulatory compliance requirements apply to OT cybersecurity?+−
Applicable requirements vary significantly by sector and geography. In North America, NERC CIP applies mandatory requirements to bulk electric system owners and operators. Chemical sector facilities handling certain quantities of hazardous chemicals are subject to CISA Chemical Facility Anti-Terrorism Standards (CFATS). Water utilities over a certain size must conduct cybersecurity assessments under America's Water Infrastructure Act. Nuclear facilities have NRC cybersecurity requirements. In the EU, the NIS2 Directive sets minimum cybersecurity requirements for operators of essential services, including energy, water, transport, and digital infrastructure, with implementation in member states' national law.
Beyond sector-specific mandates, insurance requirements have become a significant driver. Industrial cyber insurers increasingly require evidence of OT security controls, network segmentation, and asset inventory before offering coverage or setting premiums. Many organizations find that insurance requirements are a more immediately actionable driver of OT security investment than regulatory compliance, particularly in sectors without mandatory cybersecurity standards.
Getting started with OT cybersecurity
The most impactful first step for any organization new to OT cybersecurity is passive asset discovery. Deploy a network tap or SPAN port on your OT network switches and use a protocol-aware passive monitoring tool to build an inventory of every device, every communication path, and every protocol on your OT network. You will almost certainly find devices, connections, and protocols you did not know existed. That inventory is the foundation for every security control that follows.
The second step is to eliminate flat IT/OT connectivity. If your enterprise network and your OT network share a network segment, or if there is an uncontrolled path between them, implement an industrial DMZ (iDMZ) at the IT/OT boundary with dual firewalls and explicit allow rules for only the traffic that has a documented business justification. Cogent DataHub's outbound-only tunneling architecture is specifically designed for this boundary: OT initiates all connections, no inbound ports need to be opened on the OT network firewall, and data diode mode is available for hardware-enforced one-way data flow.
Software Toolbox engineers have been designing and implementing secure IT/OT data architectures for decades. If you are assessing your OT security posture, planning an iDMZ implementation, or need to move OT data to enterprise systems without compromising the security of your control network, our team can help you design an architecture that works within the operational constraints of your facility.
