Group Purchasing
Group Purchasing

A Guide to OT Security Best Practices

Practitioners responsible for OT security inherit a set of structural challenges that have no straightforward equivalent in IT.

Authored bySANS Institute
SANS Institute

Critical power grids, water treatment facilities, manufacturing lines, and oil pipelines were built to run continuously and reliably, often decades before the concept of network-based threat were relevant to their designers. Securing these control systems while they remain in active operation, is a complex and demanding problem. This blog offers a practical overview of OT security: what it is, how it differs from conventional IT security, the challenges practitioners face, the frameworks available to guide OT cybersecurity programs, and the practices that make the most meaningful difference.

What is Operational Technology (OT)?

Operational technology (OT) is the hardware and software that monitors and controls physical processes, industrial equipment, and critical infrastructure. While IT systems manage data, OT systems manage the physical world: opening a valve, adjusting the speed of a turbine, or triggering an alarm when a chemical threshold is exceeded. 

Industrial control systems (ICS) are a subset of OT, referring specifically to the control systems used in industrial environments, such as programmable logic controllers (PLCs), distributed control systems (DCS), and supervisory control and data acquisition (SCADA) systems. OT encompasses all technology that interfaces with physical processes, including building management systems and medical devices.

What is OT Security?

OT security is the practice of protecting the availability and integrity of the physical processes that OT systems control. The goal is to ensure that critical operations continue running safely and reliably, and that adversaries cannot manipulate, disrupt, or disable the physical processes that industries and people rely on. This is a meaningful distinction from how security is often framed in traditional IT contexts. In OT, a security failure is not just a data event, it is a physical event, with consequences that can include equipment damage, environmental harm, operational, disruption, and risk to human life.

OT Versus IT Cybersecurity

Practitioners moving from IT into OT security encounter a different set of priorities, constraints, and risks. Understanding these differences is foundational to working effectively in the discipline.

Objectives

IT security programs are typically organized around the CIA triad: Confidentiality, Integrity, and Availability, in that order. Keeping data private is the primary concern. OT security prioritizes differently. The governing framework is AIC: Availability, Integrity, and Confidentiality. Keeping systems running safely takes precedence over data privacy because an OT system that goes offline or behaves unpredictably can cause immediate physical harm.

Asset Lifespan 

IT equipment is generally refreshed on a three-to-five-year cycle. OT assets, however, routinely remain in service for twenty years or more. This means security teams are often working with hardware and software that were never designed to be patched, updated, or exposed to a networked environment.

Approach to Patching 

In IT, applying patches promptly and often is standard practice. In OT, patching is significantly more complicated. Many OT environments operate under an "always-on" requirement, where taking a system offline for maintenance carries operational and safety risks. As a result, OT environments may run with known vulnerabilities for extended periods, managed through compensating controls to avoid the risk of a patch unintentionally disrupting a critical process.

The Challenges of OT Cybersecurity

Practitioners responsible for OT security inherit a set of structural challenges that have no straightforward equivalent in IT.

Legacy Systems 

A significant portion of OT infrastructure still operating today was designed before internet-connected threats were a practical concern. These systems were built for reliability and longevity, not resilience against cyberattacks. Many lack built-in encryption, authentication mechanisms, or any capacity for security tooling. Legacy systems may also be difficult to replace with more modern equipment when they are embedded in physical infrastructure.

Protocol Diversity 

OT environments rely on a wide range of specialized industrial protocols, including Modbus, BACnet, and Profibus. Many of these protocols were designed for reliability and deterministic communication on isolated networks, without built-in encryption or authentication. This creates challenges for monitoring and detection, as standard IT security tools may not be able to interpret OT protocol traffic.

Visibility 

Asset visibility is a persistent challenge in complex OT environments. Many industrial facilities lack a current, accurate inventory of every connected device on the network. Without knowing what equipment is present and how systems communicate, it is difficult to establish a baseline for normal behavior and detect deviations.

Safety Risks 

The consequences of a security failure in OT are categorically different from those in IT. Manipulating the logic of a controller managing chemical dosing, grid voltage, or pipeline pressure can create dangerous conditions for workers, surrounding communities, and the environment.

Cybersecurity Frameworks for OT and ICS

Several established frameworks provide structure for building and maturing an OT security program.

NIST Cybersecurity Framework (CSF) 

The NIST CSF is widely regarded as a gold standard for cybersecurity risk management. Its five core functions, Identify, Protect, Detect, Respond, and Recover, provide a common language for discussing security posture and maturity. While the CSF was not designed specifically for OT, it is broadly applicable and frequently used to organize industrial cybersecurity programs.

IEC 62443 

IEC 62443 is the definitive international standard for securing industrial automation and control systems (IACS). Unlike the NIST CSF, IEC 62443 was developed specifically for industrial environments and addresses the full lifecycle of an industrial control system, from design through operation. The framework provides detailed technical and process requirements and is often used as a compliance reference in regulated industries.

MITRE ATT&CK® for ICS 

MITRE ATTACK for ICS documents the tactics and techniques adversaries have used in real attacks against industrial systems. For practitioners focused on detection and response, it provides a structured way to understand how attackers move through OT environments, the tools and techniques they use, and where defensive controls are most likely to be effective.

Top OT Security Best Practices

1. Implement Network Segmentation

Separating the corporate IT network from the OT production network is among the most consequential precautions an organization can take. Attackers who gain a foothold in the IT environment should not have a clear path into OT systems. Firewalls and demilitarized zones (DMZs) are tools used to enforce this boundary. 

2. Establish Full Asset Visibility

Security programs cannot protect assets they cannot see, and manual spreadsheets are not a sustainable method for achieving this at scale. Automated passive monitoring tools can identify devices and help produce a current, accurate inventory of every PLC, HMI, and sensor connected to the environment. 

3. Enforce Strict Access Control and MFA

The principle of least privilege (PoLP) applies in OT just as directly as it does in IT: users and systems should have access only to the resources needed to perform their function. 

Remote access, in particular, represents a high-value entry point for attackers. Any remote connection, including those used by third-party vendors, must require multi-factor authentication (MFA). 

4. Continuous Threat Monitoring

Monitoring in OT environments requires a different orientation than in IT. Instead of identifying malware, the goal is to detect anomalies. Deep packet inspection can analyze traffic and flag commands that fall outside normal operating parameters, such as a “stop” instruction sent to a controller at an unexpected time. Establishing a reliable baseline of normal behavior is necessary for this kind of monitoring to be effective.

5. Formalize a Strategy for Patch Management

A patch management strategy must account for systems that cannot easily be taken offline for updates. Compensating controls, including virtual patching and increased monitoring of unpatched assets, are standard tools for managing risk in environments where direct, remediation is not immediately possible. 

Additional OT Security FAQs

What is the biggest threat to OT today?

One of the most significant threats is often attackers using valid credentials and legitimate engineering tools to blend into normal operations, rather than exploiting a known software vulnerability. Adversaries who gain access to an OT environment can cause significant disruption using the tools and access that already exist, which emphasizes the importance of monitoring for behavioral anomalies.

Can I use standard IT antivirus on OT assets?

Deploying standard IT endpoint security tools in OT environments may do more harm than good. OT systems might run outdated operating systems, have limited processing resources, or be unable to tolerate the scanning activity that endpoint tools generate. The disruption caused by a security tool behaving unexpectedly on a control system could create unsafe conditions. OT-specific security tooling exists and should be evaluated against the constraints of the environment.

I have a background in IT security. Will I be lost in an OT course?

An IT background is a versatile foundation, particularly for understanding networking, access control, and incident response. The transition into OT security involves learning how those principles apply differently when the assets being protected control physical processes with real safety consequences. The operational context, engineering mindset, and industrial protocols in use in OT environments are the areas where practitioners typically need additional training.

Is air-gapping still a valid security strategy?

Physically isolating an OT network from external connections was once considered a reliable control, but it is no longer sufficient on its own. In practice, the benefits of remote access, data integration, and vendor connectivity have introduced connections that make real isolation difficult or impossible. Even environments that maintain formal air gaps may not be aware of existing overlaps between IT and OT or attack vectors like insider threats, social engineering, or third-party compromise in the supply chain. Air-gapping remains a useful layer of defense, but it should not be relied upon as a standalone control.

ICS and OT Security Training

Working effectively in OT security requires specialization and unique skills. General cybersecurity experience, while a valuable baseline, does not fully prepare practitioners for OT cybersecurity. Practitioners in this field must understand industrial protocols, control system architecture, engineering and safety contexts of physical processes, and the ways adversaries operate in OT environments.

Demand is growing for practitioners with an OT security background as critical infrastructure operators work to mature their security programs. For professionals looking to build this expertise and secure OT systems as they operate, SANS ICS/OT security training is built around the real-world knowledge and applied skills the field requires.