Why IT security tooling fails in OT environments

Dave Burley
Placeholder for Dave BruleyDave Bruley

Dave Burley , Senior OT Security Consultant

2 min. read
Placeholder for Why IT security tooling fails in OT environmentsWhy IT security tooling fails in OT environments

Share

Most organisations securing Operational Technology (OT) environments start in the wrong place. They take the tools that work in IT, such as asset inventory software, vulnerability scanners, EDR agents and SIEM platforms, and deploy them into Operational Technology (OT) environments.

The reality is very different. OT environments have distinct priorities, technologies and operational requirements. Applying traditional IT security approaches without understanding those differences can create disruption, increase risk and in some cases, impact production.

During a recent Nomios webinar, Senior OT Security Consultant David Burley explored why organisations continue to fall into this trap, the challenges it creates, and what you should focus on instead.

We still see organisations taking the same security tools they use in IT and deploying them into OT, assuming they'll deliver the same results. In reality, OT environments are completely different. The wrong approach can impact performance, create downtime and, in some cases, introduce more risk than it removes. The first step is understanding the environment and adopting security controls designed specifically for OT.

David Burley, Senior OT Security Consultant at Nomios

OT is not IT

Operational technology controls physical processes. When something goes wrong, the impact extends beyond the network.

While confidentiality sits at the centre of most IT security strategies, OT environments prioritise availability and safety. A production outage can halt operations immediately, while a security incident has the potential to affect both business continuity and the people working within that environment.

Understanding that difference is essential. Security strategies that work successfully in corporate networks are not automatically suited to industrial systems.

Where IT tooling breaks down

There are four areas where applying standard IT tools to OT environments creates serious problems.

Active scanning

Run a vulnerability scan on an OT network and you risk taking PLCs offline. These devices are highly sensitive to latency and unexpected network queries. When they enter a fault state, many cannot be reset remotely. Someone must physically attend the device to restore operations.

Security agents

Legacy OT systems often do not have the processing capacity required for modern EDR agents. These agents introduce latency, consume resources on already constrained hardware, and can quarantine processes that are entirely legitimate in an OT context, causing operational disruption and potential downtime.

Protocol blindness

IT tools are built for IT protocols. OT environments often run on entirely different protocols. Tools that cannot interpret that traffic cannot detect threats within it. Instead, they can generate false positives that keep SOC teams busy while genuine threats go undetected.

Shadow remote access

During the COVID-19 pandemic, third parties needed rapid access to OT equipment. Many organisations implemented whatever solutions worked at the time, often basic remote access tools with no MFA and no approval process. When restrictions were lifted, much of that access remained in place. In many OT environments, it is still there today.

Where to begin

One of the biggest challenges in OT security is that organisations often lack a complete understanding of their environment.

Connected assets accumulate over time, systems are inherited through acquisitions, and temporary workarounds become permanent fixtures. Before risks can be prioritised, they first need to be identified.

That is why effective OT security starts with visibility. Passive asset discovery provides insight without disrupting operations, while OT-native tools provide the context needed to understand industrial environments properly. An ISA/IEC 62443 risk assessment can then help organisations assess their security posture, prioritise improvements and establish a roadmap for reducing risk.

Remote access should also form part of this process. Understanding who has access, how that access is secured and whether appropriate controls are in place often reveals risks that have gone unnoticed for years.

Just as importantly, these activities can be carried out without impacting production. For many organisations, that is the concern that stalls progress. When implemented correctly, improving visibility and understanding risk does not require operational downtime.

Watch the webinar

Learn more about securing OT environments

Understanding your assets, identifying hidden risks and adopting controls designed specifically for operational systems are the foundations of effective OT security. The challenge is knowing where to start and how to improve security without disrupting production.

In our webinar, Why IT Security Tooling Fails in OT Environments, David Burley explores these challenges in more detail, sharing practical examples from the field and outlining the steps organisations can take to improve OT security maturity with confidence.

Updates

More updates