The Network That Runs the Plant Was Never Built to Be Defended
Executive Summary
The systems that run physical operations — the controllers, sensors, drives and protocols that keep a plant producing, a grid balanced, a pipeline flowing — were designed under a set of assumptions that no longer hold. They were built to be reliable, deterministic and safe, often over operational lifespans measured in decades. They were not built to be connected to the internet, scanned by adversaries, or held hostage by ransomware. And yet that is exactly the environment they now operate in.
This creates a problem that many security programs have approached incorrectly. The instinct, when a CISO is handed responsibility for operational technology, is to extend the IT security playbook into the plant: patch aggressively, deploy endpoint agents, scan continuously, enforce modern authentication everywhere. In an OT environment, that instinct is not just ineffective — it can be dangerous. A vulnerability scan that crashes a safety controller is not a security improvement. It is an availability incident with potential physical consequences.
Securing operational technology requires accepting that it is a fundamentally different environment, with different priorities, different failure modes, and a different definition of what "good" looks like. The organizations that succeed are the ones that build a security model around what OT actually is — not around what they wish it were.
Why This Matters Now
For most of their history, operational environments were protected by obscurity and isolation. They ran proprietary protocols, sat on physically separate networks, and were largely invisible to anyone outside the plant. That isolation has eroded — comprehensively and irreversibly.
The convergence of IT and OT, driven by the genuine business value of operational data, has connected previously air-gapped systems to corporate networks and, through them, to the internet. Remote access — accelerated by the operational realities of recent years — has become standard rather than exceptional. Modern industrial equipment ships with network connectivity by default. The practical result is that the isolation OT relied on for security no longer exists in most environments, even where leadership believes it does.
At the same time, threat actors have recognized operational environments as high-leverage targets. An attacker who can halt physical production, disrupt a service the public depends on, or threaten safety has enormous coercive power. The consequence of an OT compromise is not measured only in data loss — it is measured in downtime, physical risk and, in critical infrastructure, public impact. That changes the stakes of getting this wrong.
CISO2CISO Insight
In IT, the worst case is usually data. In OT, the worst case is physics. Any security model that does not start from that difference will eventually propose a control that trades a small cyber risk for a large operational one.
Why the IT Playbook Does Not Transfer
The differences between IT and OT are not cosmetic. They are structural, and they invert several assumptions that IT security treats as foundational.
Availability outranks confidentiality. IT security ranks confidentiality, integrity and availability in roughly that order, and when in doubt its instinct is to isolate, block or shut down. In the plant the order is inverted: safety first, then availability, then integrity, with confidentiality last. An unplanned shutdown can itself be the incident — halting production, damaging equipment, or compromising safety. Controls have to respect that order in practice: a detection that would automatically quarantine a host in IT usually has to become an alert to an operator in OT, because the operator is the one who knows whether the process can tolerate losing that host right now.
You often cannot patch. Much OT equipment cannot be patched on a modern cadence — sometimes because the vendor no longer supports it, sometimes because patching requires a production outage that the business cannot absorb, sometimes because the system is certified in a specific configuration that a patch would invalidate. Even where a patch exists, it typically waits for vendor qualification and the next planned outage window, which may be months away. A strategy that depends on timely patching will fail in OT, and the security model has to compensate with controls that do not require it: segmentation that limits what can reach the device, protocol-aware filtering at the zone boundary, and monitoring that would catch an attempt to exploit the known weakness.
The equipment lifespan is measured in decades. OT systems routinely operate for fifteen, twenty, or more years. The controller running a process today may predate modern security entirely and may never be replaceable on a security-driven timeline. Defending it means wrapping protection around it rather than expecting to harden the device itself.
Agents and scans can break things. Endpoint agents and active scanning — staples of IT security — can disrupt the fragile timing and limited resources of industrial devices. A port scan or an unexpected packet can stall or reboot a controller whose network stack was never designed to cope with traffic it did not expect, and this has happened in practice. Visibility in OT therefore generally has to be achieved passively, by observing network traffic rather than interrogating the endpoints, precisely because interrogation carries operational risk. Where active querying is unavoidable, it should use the device's own native protocol, at low rates, with operations' agreement and during a window where a fault can be tolerated.
What Actually Works in OT
A defensible OT security model rests on a small number of principles that respect the environment.
Visibility comes first, and it comes passively. Most organizations cannot produce an accurate inventory of their OT assets and the communication flows between them. Passive monitoring — observing mirrored traffic from a switch SPAN port or a network tap, without ever sending a packet to the devices — is how that inventory and behavioral baseline get built without introducing operational risk. Because industrial protocols are chatty and repetitive, a few weeks of captured traffic is usually enough to learn which hosts exist, which protocols each one speaks, who polls whom, and what "normal" looks like, so that a new talker or a new conversation stands out.
Segmentation is the primary control. Because the devices themselves often cannot be hardened, the most powerful protection is controlling what can reach them. That means separating OT from IT through an industrial DMZ, so that no session originates on the corporate network and terminates on a control device, and segmenting within the OT environment into zones with explicitly defined conduits between them, so that a compromise in one zone cannot propagate to another. This contains the blast radius in a way that device-level hardening cannot, and it turns the passive baseline into an enforceable policy: any cross-zone flow that is not an approved conduit is either a misconfiguration or an intrusion.
Remote access has to be deliberate and controlled. The convergence that connected OT also created remote-access pathways that are frequently the softest point of entry, including vendor maintenance links and engineering workstations that are reachable from the corporate network. Governing who can reach operational systems remotely, through what mechanism, with what authentication and monitoring, closes one of the most commonly exploited gaps. In practice that means a single brokered path, typically a jump host in the industrial DMZ with multi-factor authentication, time-bound access approved by operations, and recorded sessions, and it means treating any remote session that does not traverse that path as an incident.
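The three principles above, a passively built inventory and baseline, a zone-and-conduit segmentation policy, and a single governed remote-access path, can be checked mechanically once flow records exist. The block below is an added example written for this page; it is not the article's own material and not any vendor's product code. It assumes flow records in the shape a passive sensor fed from a SPAN port or tap, or a Zeek conn.log export, would produce (src, dst, dst_port, proto); every address, zone boundary, conduit and flow in it is constructed for illustration, and the port-to-protocol labels are a heuristic a real sensor would replace with protocol parsing.

```python
"""Passive OT visibility plus zone/conduit policy check over flow records.

Added example, not code from the article. Input is the kind of flow record a
passive sensor (SPAN/TAP fed) or a Zeek conn.log / NetFlow export yields:
src, dst, dst_port, proto. Addresses, zones, conduits and flows are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Port-to-protocol labels. A heuristic only; a real sensor parses the protocol.
PROTO_BY_PORT = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP",
                 102: "S7comm", 4840: "OPC UA", 3389: "RDP", 22: "SSH",
                 1433: "MSSQL", 443: "HTTPS"}

# Hypothetical zone layout (IEC 62443-style zones; the addressing is made up).
ZONES = {
    "enterprise":  ip_network("10.0.0.0/16"),
    "idmz":        ip_network("10.50.0.0/24"),      # jump host, historian mirror
    "supervisory": ip_network("192.168.10.0/24"),   # HMIs, engineering stations
    "control":     ip_network("192.168.20.0/24"),   # PLCs, RTUs
}
JUMP_HOST, HISTORIAN_MIRROR = "10.50.0.10", "10.50.0.20"

# Conduit allow-list. Cross-zone flows matching no conduit are violations.
# A src_host/dst_host of None means any host in that zone.
CONDUITS = [
    dict(src="supervisory", dst="control", port=502,   src_host=None, dst_host=None),
    dict(src="supervisory", dst="control", port=44818, src_host=None, dst_host=None),
    dict(src="supervisory", dst="idmz",    port=1433,  src_host=None, dst_host=HISTORIAN_MIRROR),
    dict(src="enterprise",  dst="idmz",    port=443,   src_host=None, dst_host=HISTORIAN_MIRROR),
    dict(src="enterprise",  dst="idmz",    port=3389,  src_host=None, dst_host=JUMP_HOST),
    dict(src="idmz",        dst="supervisory", port=3389, src_host=JUMP_HOST, dst_host=None),
]

def flow(src, dst, port):
    return {"src": src, "dst": dst, "dst_port": port, "proto": "tcp"}

# Constructed learning-window flows (what the sensor saw during a quiet week).
LEARNING_FLOWS = [
    flow("192.168.10.5", "192.168.20.11", 502),
    flow("192.168.10.5", "192.168.20.12", 44818),
    flow("192.168.10.5", HISTORIAN_MIRROR, 1433),
    flow("10.0.3.7", HISTORIAN_MIRROR, 443),
    flow("10.0.4.12", JUMP_HOST, 3389),
    flow(JUMP_HOST, "192.168.10.9", 3389),
]

# Constructed later window: the baseline plus four conversations not seen before.
LATER_FLOWS = LEARNING_FLOWS + [
    flow("192.168.10.9", "192.168.20.11", 502),   # new, but an allowed conduit
    flow("10.0.4.12", "192.168.10.9", 3389),      # RDP straight from enterprise
    flow("10.0.3.7", "192.168.20.11", 502),       # enterprise host polling a PLC
    flow(JUMP_HOST, "192.168.20.11", 22),         # jump host reaching a PLC
]

def zone_of(ip):
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def build_inventory(flows):
    """Asset inventory from traffic alone: zone, services offered, peers used."""
    inv = defaultdict(lambda: {"zone": None, "serves": set(), "peers": set()})
    for f in flows:
        label = PROTO_BY_PORT.get(f["dst_port"], f"tcp/{f['dst_port']}")
        inv[f["src"]]["zone"] = zone_of(f["src"])
        inv[f["dst"]]["zone"] = zone_of(f["dst"])
        inv[f["dst"]]["serves"].add(label)
        inv[f["src"]]["peers"].add(f["dst"])
    return dict(inv)

def baseline(flows):
    """Behavioral baseline: the set of (src, dst, port) conversations observed."""
    return {(f["src"], f["dst"], f["dst_port"]) for f in flows}

def new_flows(base, flows):
    """Conversations absent from the baseline; each deserves an operator's eye."""
    return [f for f in flows if (f["src"], f["dst"], f["dst_port"]) not in base]

def conduit_allows(f):
    """True if the flow stays inside one zone or matches an allowed conduit."""
    sz, dz = zone_of(f["src"]), zone_of(f["dst"])
    if sz == dz:
        return True
    for c in CONDUITS:
        if (c["src"], c["dst"], c["port"]) != (sz, dz, f["dst_port"]):
            continue
        if c["src_host"] not in (None, f["src"]) or c["dst_host"] not in (None, f["dst"]):
            continue
        return True
    return False

def policy_violations(flows):
    return [f for f in flows if not conduit_allows(f)]

def describe(f):
    label = PROTO_BY_PORT.get(f["dst_port"], "tcp/" + str(f["dst_port"]))
    return f"{f['src']} ({zone_of(f['src'])}) -> {f['dst']} ({zone_of(f['dst'])}) {label}"

if __name__ == "__main__":
    for ip, a in sorted(build_inventory(LEARNING_FLOWS).items()):
        print(f"{ip:15} {a['zone']:12} serves={sorted(a['serves'])}")
    base = baseline(LEARNING_FLOWS)
    print("\nNew conversations since baseline:")
    for f in new_flows(base, LATER_FLOWS):
        print("  ", describe(f), "(allowed)" if conduit_allows(f) else "(VIOLATION)")
```

Nothing in this check ever sends a packet to a device, which is the point: the inventory, the baseline and the policy result all come from mirrored traffic. The later window shows the two outcomes a practitioner has to keep apart. The new Modbus conversation from the second engineering station to the PLC is absent from the baseline but matches an approved conduit, so it is a change to review with operations, not an alarm. The RDP session that goes directly from an enterprise workstation to the engineering station bypasses the jump host, and the enterprise host polling a PLC and the jump host opening SSH to a controller match no conduit at all; those three are the flows that should page someone.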
Security and safety teams have to operate as one. OT security cannot be designed in the security function and imposed on operations. The people who run the plant understand the consequences of a control in ways the security team does not, and the security team understands the threat in ways operations does not. Neither perspective is sufficient alone.
Executive Framework
| Dimension | IT environment | OT environment |
|---|---|---|
| Top priority | Confidentiality and integrity | Safety and availability |
| Patching | Routine, frequent | Constrained, sometimes impossible |
| Asset lifespan | Years | Decades |
| Visibility method | Active scanning, endpoint agents | Passive network monitoring |
| Primary control | Harden the endpoint | Segment and control access |
| Worst-case outcome | Data loss, breach | Downtime, physical and safety impact |
What CISOs Should Do Next
- Build a passive visibility capability before anything else — you cannot defend an OT environment you cannot see, and active discovery is not a safe way to see it.
- Map the IT/OT boundary honestly, including every connection and remote-access pathway that leadership assumes does not exist. The air gap is almost always more porous than believed.
- Make segmentation the centerpiece of the strategy, prioritizing the separation of OT from IT and the isolation of the most critical operational zones.
- Govern remote access deliberately — who connects, through what, authenticated how, monitored by whom — and treat it as the high-probability entry point it is.
- Build OT security in partnership with operations and safety engineering, with shared accountability rather than an imposed mandate.
- Plan for resilience over prevention, because in an environment that cannot always be patched or hardened, the ability to detect, contain and recover from a compromise matters more than the assumption it can be kept out.
Board-Level Questions
- Do we have an accurate inventory of our operational technology assets and the connections between our IT and OT environments?
- If a compromise occurred in our corporate network, could it reach the systems that run our physical operations — and how do we know?
- How do we secure equipment that cannot be patched or replaced on a modern timeline?
- Are our security and operations teams aligned on how to defend the plant without introducing operational or safety risk?
Final Executive Takeaway
Operational technology was engineered, over decades, to do something other than defend itself. It was built to be available, deterministic and safe — and it has performed those jobs admirably, often far longer than anyone expected. The mistake security leaders make is assuming that the absence of built-in defense can be corrected by importing the tools and instincts of IT security into an environment those tools were never designed for.
It cannot. Defending OT means starting from what the environment is — its priorities, its constraints, its consequences — and building protection around it: visibility that does not disturb it, segmentation that contains it, access governance that controls it, and resilience for the moments when prevention fails.
The systems that run the plant were never built to be defended. The job of the modern security program is to defend them anyway — without breaking the very thing it is trying to protect.
*To be continued...*