
What Is OT Security and Why It Matters Now

OT security protects the industrial systems that keep power, water, manufacturing, and transport running. Unlike IT security, it prioritises availability and safety. As threats increasingly target critical infrastructure, OT security has become a vital cybersecurity discipline.

Xcademia Research Team
Jun 6, 2026
6 min read

Operational technology is the attack surface that most security professionals were never trained for, and one that adversaries have been exploiting for years.

In December 2015, a cyberattack on Ukraine's power grid caused a blackout affecting 230,000 people. In 2021, an attacker accessed the water treatment system for Oldsmar, Florida, and attempted to increase the sodium hydroxide concentration to potentially dangerous levels. In 2022, a Predatory Sparrow attack destroyed equipment at an Iranian steel mill. These are not hypothetical scenarios. They are incidents that demonstrate what happens when the security assumptions of the IT world are applied, or not applied, to operational technology. 

OT security is the discipline of protecting operational technology: the industrial control systems, SCADA platforms, PLCs, RTUs, and physical infrastructure systems that control real-world processes across power generation and distribution, water treatment, manufacturing, oil and gas pipelines, building management systems, and transport infrastructure. It is one of the fastest-growing specialisms in cybersecurity and one of the most underserved in terms of qualified practitioners.

The consequences of an OT security failure are different in kind from an IT security failure. A ransomware attack on an IT system costs money and time. A ransomware attack on an OT system can stop a power station, contaminate water, or halt a production line. The stakes are physical. The security discipline must reflect that. 

The OT Environment: What Makes It Different 

Legacy systems and long operational lifetimes 

Industrial control systems are designed for operational continuity over decades, not for security updates over months. A PLC installed in 2005 running firmware from 2003 is not unusual in critical infrastructure. Many OT systems run operating systems that are no longer supported: Windows XP, Windows Server 2003, and custom embedded OS variants that never had a vendor security update programme. Patching is complex or impossible. Downtime for maintenance is unacceptable in systems that must operate continuously. The IT security assumption that systems will be regularly patched does not apply. 

Air gap mythology 

The conventional defence of OT environments has been the air gap: physical separation from IT networks and the internet. The air gap is largely a myth in modern industrial environments. Business integration requirements have driven connectivity between OT and IT networks. Remote maintenance access for vendors and OEMs requires network connectivity. Corporate reporting systems that pull data from plant floor systems require integration. The air gap that existed in 2000 has been progressively eroded in most organisations. The security designed for an air-gapped environment does not work when the gap no longer exists. 

The availability imperative 

In IT security, the CIA triad places confidentiality first. In OT security, the priorities are reversed: availability is paramount, integrity is critical, and confidentiality, while relevant, is secondary. A hospital cannot accept a system going offline for a security patch. A power station cannot tolerate a reboot cycle during peak demand. The OT security professional who applies IT security thinking to OT environments (blocking ports, isolating systems, applying patches during maintenance windows) risks creating operational disruption that may be more damaging than the security risk they were attempting to mitigate.

Protocol diversity and proprietary systems 

OT environments use industrial protocols (Modbus, DNP3, IEC 61850, EtherNet/IP, Profibus) that most IT security professionals have never encountered. Many control systems use proprietary vendor platforms with limited documentation. The security tools, detection capabilities, and incident response procedures designed for IT environments do not apply directly to OT. Specialised OT security platforms (Claroty, Dragos, Nozomi Networks) exist specifically because standard IT security tools cannot inspect or analyse OT protocols effectively.

The IT security professional who enters an OT environment assuming their skills transfer directly will find an environment where their standard tools do not work, their standard assumptions are wrong, and their standard interventions may cause the very outages they are trying to prevent. OT security requires specific knowledge, not just security knowledge applied to a new context. 
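To make the protocol point concrete, here is an added example (not code from the article, and not from any of the vendor platforms it names) of the minimum an OT-aware monitor has to do that a generic IT tool does not: parse the Modbus/TCP MBAP header, read the function code, and treat a write to coils or registers from a source outside the expected engineering hosts as the event worth alerting on. The frames, IP addresses and allow-list are constructed for the illustration; the function-code meanings are the public Modbus ones.

```python
"""Passive Modbus/TCP monitor: parse the MBAP header and flag unexpected writes.

Added illustration, not code from the article or from any OT platform it names.
Frames, IP addresses and the allow-list below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Public function codes that change process state versus those that only read it.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu_data: bytes  # bytes following the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short for an MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto} is not Modbus (expected 0)")
    # The MBAP length field counts the unit identifier and everything after it,
    # so it must equal the frame size minus the six bytes that precede the unit id.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} bytes present")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def write_target(req: ModbusRequest) -> Optional[tuple]:
    """For single-coil/register writes, return (address, value); otherwise None."""
    if req.function_code in (5, 6) and len(req.pdu_data) >= 4:
        return struct.unpack(">HH", req.pdu_data[:4])
    return None


def classify(frame: bytes, src_ip: str, allowed_writers: set) -> str:
    """Label a request 'read', 'write', 'unauthorised-write' or 'other'."""
    req = parse_modbus_tcp(frame)
    if req.function_code in WRITE_FUNCTION_CODES:
        return "write" if src_ip in allowed_writers else "unauthorised-write"
    if req.function_code in READ_FUNCTION_CODES:
        return "read"
    return "other"


def monitor(traffic, allowed_writers: set) -> list:
    """Run classify() over (src_ip, frame) pairs and return alert lines."""
    alerts = []
    for src_ip, frame in traffic:
        try:
            verdict = classify(frame, src_ip, allowed_writers)
        except ValueError as err:
            alerts.append(f"MALFORMED from {src_ip}: {err}")
            continue
        if verdict == "unauthorised-write":
            req = parse_modbus_tcp(frame)
            detail = WRITE_FUNCTION_CODES[req.function_code]
            target = write_target(req)
            if target:
                detail += f" addr={target[0]} value={target[1]}"
            alerts.append(f"ALERT {src_ip} -> unit {req.unit_id}: {detail}")
    return alerts


# Constructed frames: MBAP (tid, proto=0, length, unit) + function code + data.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
WRITE_REGISTER = bytes.fromhex("0002 0000 0006 01 06 0010 00ff".replace(" ", ""))
TRUNCATED = bytes.fromhex("0003 0000 0006 01 06 00".replace(" ", ""))

ENGINEERING_WORKSTATIONS = {"10.1.3.10"}  # constructed allow-list of writers

SAMPLE_TRAFFIC = [
    ("10.1.3.10", READ_HOLDING),     # HMI poll: fine
    ("10.1.3.10", WRITE_REGISTER),   # authorised engineering change
    ("10.7.42.9", WRITE_REGISTER),   # write from the corporate network: alert
    ("10.7.42.9", TRUNCATED),        # malformed frame: alert
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_TRAFFIC, ENGINEERING_WORKSTATIONS):
        print(line)
```

The design choice worth noting is that the verdict depends on two things an IT-layer firewall or IDS usually does not see together: the Modbus function code (a write, not merely "port 502 traffic") and whether the initiating host is one of the few that should ever be changing setpoints. Malformed frames are surfaced rather than silently dropped, since a length field that disagrees with the bytes on the wire is itself worth a look in an environment where nobody should be hand-crafting Modbus.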

The Threat Landscape for OT 

Nation-state actors and critical infrastructure 

The most significant OT threat actors are nation-state groups with strategic objectives: disrupting an adversary's critical infrastructure during a crisis, demonstrating offensive capability as a deterrent, or pre-positioning for future conflict. Groups identified in OT environments include VOLT TYPHOON (China, US critical infrastructure), SANDWORM (Russia, energy and industrial targets), and XENOTIME (attributed to Russia, safety system targeting). These actors conduct reconnaissance and pre-positioning over extended periods, establishing persistent access that may be activated months or years later. 

Ransomware in OT environments 

The Colonial Pipeline ransomware attack in 2021 demonstrated that ransomware targeting OT environments does not need to encrypt OT systems to cause operational disruption. Colonial shut down pipeline operations proactively when the IT network was compromised, because they could not safely operate the OT network without IT system visibility. The interconnection between IT and OT meant an IT ransomware attack had an OT operational impact. This pattern of ransomware groups targeting OT-connected organisations to maximise operational leverage has become significantly more common. 

Supply chain attacks on OT vendors 

OT vendors, system integrators, and remote maintenance providers represent high-value supply chain targets. Compromising a vendor with remote access to hundreds of industrial sites provides an attacker with persistent access to those sites through trusted, difficult-to-monitor channels. The SolarWinds pattern (compromise the vendor, inherit access to all customers) applies in the OT context with potentially catastrophic physical consequences.


The OT Security Career 

OT security is one of the few specialisms in cybersecurity where demand is dramatically outstripping supply. The organisations that operate critical infrastructure (energy, water, manufacturing, transport, healthcare) are all increasing security investment in response to regulatory requirements and incident awareness. The supply of qualified OT security professionals is extremely limited, and the professionals who combine both OT operational understanding and cybersecurity capability command significant salary premiums.

Key frameworks and standards 

  • IEC 62443: The international standard for industrial cybersecurity. The foundational framework for OT security programme design. 

  • NIST SP 800-82: Guide to Industrial Control Systems Security. The US government reference framework for ICS security. 

  • NERC CIP: Critical Infrastructure Protection standards for the North American energy sector. Regulatory requirements for utilities. 

  • NIS2: For operators of essential services in the EU, including energy, water, transport, and healthcare. Significant OT security obligations. 

Key tools 

  • Claroty, Dragos, Nozomi Networks: The leading OT asset discovery and network monitoring platforms. Understanding these tools is a prerequisite for OT security operations roles. 

  • Purdue Model and IEC 62443 zone and conduit model: The network architecture frameworks that govern how OT environments should be segmented and protected. 
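The zone and conduit idea can be written down as a policy that a change request or a monitoring export is checked against. The following added example is my own illustration, not code from the article, from the Purdue reference, or from IEC 62443: it places zones on Purdue-style levels (one common reading; naming varies by source), records the conduits the design permits, and flags any flow that crosses the enterprise/operations boundary without terminating in the industrial DMZ, or that has no declared conduit at all. Zone names, level assignments, conduits and flows are all constructed.

```python
"""Zone-and-conduit policy check for proposed OT network flows.

Added illustration; not code from the article, the Purdue reference, or IEC 62443.
Zone names, level assignments, conduits and flows are all constructed.
"""
from dataclasses import dataclass

# Purdue-style levels (one common reading; exact level naming varies by source).
LEVELS = {
    "field-devices": 1,      # PLCs, RTUs, remote I/O
    "supervisory": 2,        # HMIs, SCADA servers
    "site-operations": 3,    # historian, engineering workstations
    "industrial-dmz": 3.5,   # brokers, jump hosts, replicated historian
    "enterprise": 4,         # business systems
    "internet": 5,           # everything outside, including vendor networks
}
DMZ = "industrial-dmz"


@dataclass(frozen=True)
class Conduit:
    """A declared, permitted path between two zones for one protocol."""
    src: str
    dst: str
    proto: str


@dataclass(frozen=True)
class Flow:
    """A proposed or observed connection, named by the initiating zone."""
    src: str
    dst: str
    proto: str


def check_flow(flow: Flow, conduits: set) -> list:
    """Return the policy violations for one flow (an empty list means permitted)."""
    problems = []
    for zone in (flow.src, flow.dst):
        if zone not in LEVELS:
            return [f"unknown zone {zone!r}; every asset must be placed in a zone"]
    lo = min(LEVELS[flow.src], LEVELS[flow.dst])
    hi = max(LEVELS[flow.src], LEVELS[flow.dst])
    # Rule 1: the enterprise/internet side never touches operations zones directly;
    # both sides terminate in the industrial DMZ instead.
    if hi >= 4 and lo <= 3:
        problems.append(f"{flow.src} -> {flow.dst} bypasses {DMZ}")
    # Rule 2: every cross-zone flow must correspond to a declared conduit.
    if flow.src != flow.dst and Conduit(flow.src, flow.dst, flow.proto) not in conduits:
        problems.append(f"no declared conduit for {flow.proto} {flow.src} -> {flow.dst}")
    return problems


def audit(flows, conduits) -> dict:
    """Map each non-compliant flow to its list of violations."""
    findings = {}
    for flow in flows:
        problems = check_flow(flow, conduits)
        if problems:
            findings[flow] = problems
    return findings


# Constructed conduit register: the only cross-zone paths the design permits.
DECLARED_CONDUITS = {
    Conduit("supervisory", "field-devices", "modbus-tcp"),
    Conduit("site-operations", "supervisory", "opc-ua"),
    Conduit("site-operations", DMZ, "historian-replication"),
    Conduit("enterprise", DMZ, "https"),
    Conduit("internet", DMZ, "vpn"),   # vendor access lands on a DMZ jump host
}

# Constructed flows, e.g. from a firewall change request or a monitoring export.
PROPOSED_FLOWS = [
    Flow("supervisory", "field-devices", "modbus-tcp"),   # permitted
    Flow("enterprise", DMZ, "https"),                      # permitted
    Flow("enterprise", "supervisory", "modbus-tcp"),       # business host talking to the HMI network
    Flow("internet", "site-operations", "rdp"),            # vendor straight to an engineering workstation
    Flow(DMZ, "site-operations", "ssh"),                   # plausible, but nobody declared it
]

if __name__ == "__main__":
    for flow, problems in audit(PROPOSED_FLOWS, DECLARED_CONDUITS).items():
        print(f"{flow.proto:>20} {flow.src} -> {flow.dst}: {'; '.join(problems)}")
```

Two of the three findings in the sample are exactly the air-gap erosion the article describes: a business host reaching the supervisory network, and a vendor landing directly on Level 3 rather than on a DMZ jump host. The third (DMZ to site operations over SSH) may well be legitimate, which is the point of keeping an explicit conduit register: the flow is not wrong because it is dangerous, it is wrong because nobody has documented and approved it.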

The security professional who understands both the IT security fundamentals and the OT-specific protocols, constraints, and attack surface is the one who can actually protect critical infrastructure. The supply of these professionals in 2026 is far below demand. This gap is a career opportunity for professionals willing to develop the specialist knowledge. 


Build OT and ICS Security Capability With Xcademia 

Xcademia's XICS programme covers ICS/OT security including IEC 62443, OT asset discovery, OT-specific threat intelligence, network segmentation for industrial environments, and incident response in OT contexts. Built for security professionals building OT security capability from an IT foundation. 
