Organisations are realising the importance of securing their operational technology (OT) environments; however, many are also finding that spending alone does not guarantee resilience. Despite adopting new tools and frameworks, the core issues persist: limited visibility, alert fatigue, and incident response strategies that fail to reflect operational reality. The reason? Too many approaches are built on IT-centric assumptions.
Working closely with operators of critical infrastructure, we at Dragos frequently encounter well-intentioned security programmes that simply don’t work in practice, because they weren’t designed with OT in mind. It’s no longer a question of why OT security matters. The focus now must be on how to implement it effectively. That begins with thinking differently, and understanding what OT-native security truly looks like.
OT is not just another IT environment
OT environments operate under distinct constraints and priorities. IT security is generally centred on protecting data and managing user access. OT security, however, is about maintaining uptime, operational continuity, and safety. A disruption in IT, whether caused by an outage, a cyber threat, or unscheduled maintenance, might result in lost productivity. In OT, it could halt production, interrupt essential services such as power and water, or compromise safety systems.
The systems underpinning many OT assets, ranging from programmable logic controllers (PLCs) to SCADA networks, are often decades old and not built with cybersecurity in mind. Many use bespoke protocols, proprietary technologies, and complex hardware combinations that traditional IT tools cannot effectively interrogate.
Vulnerability management must reflect operational constraints
In IT, patching is often the default response to a discovered vulnerability. In OT, it’s rarely that simple. Many industrial systems require months of planning before updates can be deployed. Unplanned downtime is costly and, in some sectors, dangerous.
A more pragmatic approach is required: risk-based vulnerability management that accounts for operational context. Where patching is not immediately feasible or optimal, strategies such as network segmentation, access control, and enhanced monitoring offer mitigations that maintain both uptime and protection.
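The prioritisation described above can be made concrete with a small scoring routine. The following is an added example, not Dragos code or a description of any Dragos product: it weights a finding's CVSS score by process criticality and real network exposure, and where a patch cannot wait for a maintenance window it recommends the compensating controls the text names (segmentation, access control, enhanced monitoring). All assets, vulnerability identifiers, weights and thresholds are constructed for illustration.

```python
"""Risk-based vulnerability prioritisation for OT assets (added example).

Ranks findings by operational context rather than CVSS alone, and where
patching is not immediately feasible recommends compensating controls.
Every asset, identifier and weight below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class OTAsset:
    name: str
    zone: str                   # Purdue-style level label, e.g. "L1" for controllers
    process_criticality: int    # 1 (low) .. 5 (loss of safety or essential service)
    reachable_from_it: bool     # True if a network path exists from the corporate side
    next_maintenance_days: int  # days until the next planned outage window


@dataclass(frozen=True)
class Finding:
    asset: OTAsset
    vuln_id: str                # placeholder identifier, not a real CVE
    cvss: float
    network_exploitable: bool
    patch_available: bool


def risk_score(f: Finding) -> float:
    """CVSS x process impact x exposure; unreachable assets are discounted."""
    exposure = 1.0 if (f.network_exploitable and f.asset.reachable_from_it) else 0.4
    return round(f.cvss * f.asset.process_criticality * exposure, 1)


def recommend(f: Finding) -> List[str]:
    """Choose actions that respect uptime: patch only inside a planned window."""
    actions = []
    patch_in_window = f.patch_available and f.asset.next_maintenance_days <= 30
    if patch_in_window:
        actions.append(f"schedule patch in maintenance window ({f.asset.next_maintenance_days} days)")
    elif f.patch_available:
        actions.append("defer patch to next planned outage; apply compensating controls now")
    else:
        actions.append("no vendor fix; rely on compensating controls")
    if f.network_exploitable and f.asset.reachable_from_it:
        actions.append(f"segment: restrict the IT-to-{f.asset.zone} path to this asset at the conduit firewall")
    if f.asset.process_criticality >= 4:
        actions.append("access control: limit engineering access to named workstations and accounts")
    if not patch_in_window:
        actions.append("enhanced monitoring: alert on new sessions or write operations to this asset")
    return actions


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest operational risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample data
HISTORIAN = OTAsset("HIST-01", "L3", process_criticality=2, reachable_from_it=True, next_maintenance_days=10)
BOILER_PLC = OTAsset("PLC-BOILER-07", "L1", process_criticality=5, reachable_from_it=False, next_maintenance_days=180)
LINE_HMI = OTAsset("HMI-LINE-2", "L2", process_criticality=4, reachable_from_it=True, next_maintenance_days=45)

SAMPLE_FINDINGS = [
    Finding(HISTORIAN, "EXAMPLE-VULN-1", cvss=9.8, network_exploitable=True, patch_available=True),
    Finding(BOILER_PLC, "EXAMPLE-VULN-2", cvss=7.5, network_exploitable=True, patch_available=False),
    Finding(LINE_HMI, "EXAMPLE-VULN-3", cvss=6.5, network_exploitable=True, patch_available=True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{f.asset.name:14} {f.vuln_id:15} CVSS {f.cvss:4} risk {risk_score(f):5}")
        for a in recommend(f):
            print("   -", a)
```

Note that the CVSS 6.5 finding on the line HMI outranks the CVSS 9.8 finding on the historian: the HMI drives a more critical process, and the historian's patch can simply be scheduled into the outage window ten days away. The isolated boiler PLC has no vendor fix and is not reachable from IT, so the routine leans on access control and monitoring rather than an emergency outage.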
OT threat detection must be purpose-built
Generic anomaly detection, common in IT, produces a high volume of alerts. Many of these alerts are irrelevant in an OT context. This leads to alert fatigue and wasted effort. OT-native detection tools, by contrast, are built around known attacker tactics, techniques and procedures (TTPs) specific to industrial environments.
By focusing on high-fidelity indicators of malicious activity, rather than raw anomalies, these tools enable faster, more decisive responses and help security teams concentrate on what genuinely matters.
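To show the difference between raw anomalies and high-fidelity indicators, here is an added example (not Dragos code, and not a description of any Dragos product) that runs the same constructed stream of industrial network events through two detectors: a generic "any new flow is an alert" rule, and a rule keyed to a behaviour attackers are known to need, namely controller logic or configuration writes from a host that is not an approved engineering workstation. The event format, addresses, operation names and allowlist are all constructed for the example.

```python
"""Purpose-built OT detection versus generic anomaly alerting (added example).

Two detectors over one constructed event stream:
  * naive_anomaly_alerts: flags every src->dst pair not seen in a learning window
  * ttp_alerts: flags controller write operations from non-approved hosts
All hosts, addresses and operations below are constructed for illustration.
"""
from typing import List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    time: str
    src: str
    dst: str
    proto: str
    op: str


# Constructed event log. 10.1.1.x are plant HMIs/workstations, 10.1.2.x are
# controllers, 10.0.5.x is a corporate (IT-side) subnet.
EVENTS: List[Event] = [
    Event("08:00", "10.1.1.10", "10.1.2.20", "modbus", "read"),
    Event("08:01", "10.1.1.10", "10.1.2.21", "modbus", "read"),
    Event("08:02", "10.1.1.11", "10.1.2.20", "modbus", "read"),
    Event("08:03", "10.1.1.50", "10.1.2.20", "eng", "read_config"),   # approved workstation, benign
    Event("08:04", "10.1.1.12", "10.1.2.22", "modbus", "read"),       # new poll, benign
    Event("08:05", "10.1.1.13", "10.1.2.20", "modbus", "read"),       # new poll, benign
    Event("08:06", "10.1.1.50", "10.1.2.20", "eng", "write_logic"),   # approved workstation, expected
    Event("08:07", "10.0.5.77", "10.1.2.20", "eng", "write_logic"),   # IT-side host writes PLC logic
    Event("08:08", "10.1.1.10", "10.1.2.23", "modbus", "read"),       # new poll, benign
]

BASELINE_WINDOW = 3                      # events the naive detector "learns" from
ENGINEERING_WORKSTATIONS: Set[str] = {"10.1.1.50"}
CONTROLLER_WRITE_OPS: Set[str] = {"write_logic", "write_config", "firmware_update"}


def naive_anomaly_alerts(events: List[Event]) -> List[Event]:
    """Generic approach: alert on every src->dst pair absent from the baseline."""
    baseline = {(e.src, e.dst) for e in events[:BASELINE_WINDOW]}
    alerts = []
    for e in events[BASELINE_WINDOW:]:
        pair = (e.src, e.dst)
        if pair not in baseline:
            alerts.append(e)
            baseline.add(pair)           # a flow is only "new" once
    return alerts


def ttp_alerts(events: List[Event]) -> List[Tuple[Event, str]]:
    """OT-native approach: alert only on a known adversary behaviour."""
    alerts = []
    for e in events:
        if e.op in CONTROLLER_WRITE_OPS and e.src not in ENGINEERING_WORKSTATIONS:
            alerts.append((e, f"{e.op} to controller {e.dst} from non-approved host {e.src}"))
    return alerts


def summarise(events: List[Event]) -> dict:
    """Alert volume from each detector plus how many naive alerts were benign reads."""
    naive = naive_anomaly_alerts(events)
    ttp = ttp_alerts(events)
    benign_naive = sum(1 for e in naive if e.op not in CONTROLLER_WRITE_OPS)
    return {"naive_alerts": len(naive), "naive_benign": benign_naive, "ttp_alerts": len(ttp)}


if __name__ == "__main__":
    print(summarise(EVENTS))
    for e, reason in ttp_alerts(EVENTS):
        print(f"{e.time} ALERT: {reason}")
```

On this stream the flow-based detector raises five alerts, four of them for new but routine polling, while the TTP-keyed rule raises one, for the logic write from the corporate-side host. The allowlist and operation set are what make the second rule high-fidelity; in practice they are maintained from the asset inventory and the protocol decoders that understand which function codes change controller state.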
OT and IT security must be integrated, but equitably
It is increasingly important for organisations to bring their OT and IT security functions into alignment. But this must be done in a way that respects the unique requirements of each. Too often, integration efforts are driven from the IT side alone, applying unsuitable tools and processes to OT environments.
Successful integration depends on mutual understanding, ensuring that IT and OT teams collaborate on policies, incident response, and risk prioritisation, while still maintaining the protections and performance requirements that OT systems demand.
As cyber threats targeting critical infrastructure become more sophisticated, so too must our response. Many of the most common OT security pitfalls stem not from lack of investment, but from misplaced assumptions – treating OT as an extension of IT, rather than a domain in its own right.
A critical, and often overlooked, component of successful integration is the development of a dedicated OT Incident Response (IR) plan. OT environments have unique operational, safety, and continuity requirements that demand tailored response strategies. Simply adapting existing IT IR plans to OT contexts is insufficient and potentially dangerous. Instead, organisations must invest in OT-specific response plans that account for industrial processes, asset criticality, and the real-world consequences of downtime or missteps.
True resilience
True resilience depends not only on these dedicated OT IR plans, but also on their seamless integration with existing IT incident response processes. This means establishing clear communication protocols, joint playbooks, and shared situational awareness between IT and OT teams, while respecting the specialised requirements of each environment. Policies, risk prioritisation, and incident escalation procedures must be developed collaboratively to avoid gaps or conflicting actions during a crisis.
However, having plans on paper is not enough. The effectiveness of both OT and integrated IT/OT incident response plans hinges on regular validation through realistic exercises, such as tabletop simulations. These exercises expose gaps, foster mutual understanding, and build confidence among cross-functional teams. They are essential for preparing personnel to respond quickly and appropriately to complex cyber-physical scenarios.
At Dragos, we see this reality every day. The organisations best positioned to withstand future threats are those adopting security practices designed with their operational context in mind. These practices prioritise visibility, safety, and continuity, as much as they do compliance.
