When we visit a hospital or walk through an airport, those of us who are Operational Technology (OT) cyber security pros may take a moment to consider the possibility and consequences of a critical cyber incident in these environments: blackouts, grounded planes, medical equipment malfunction.
This is a natural consequence of doing what we do and knowing what we know. We understand how reliant we are on technology every day. We know all technology has its flaws, that organizations don’t always prioritize security, and that people make mistakes. We also know that these are the environments where cyber security and uptime really matter.
The stakes for IT cyber security and OT cyber security are worlds apart. And that’s why it’s so frustrating to work in an industry where IT cyber security is still the default, and OT cyber security is often the afterthought.
There are still so many industrial and critical infrastructure businesses giving off-the-shelf IT cybersecurity training to their staff, with no OT cyber security modules whatsoever, and no practical training that relates to their role, industry, or the threats they will actually face. OT security awareness isn’t optional; it’s mission critical.
It’s high time that OT cyber got the attention and investment it deserves.
Grave Consequences
In the corporate environment, the consequences of an average IT data breach may include stolen personal data, being locked out of devices, or systems not working. This can lead to other negative outcomes, such as financial penalties, lost revenue, and reputational damage.
All of these scenarios are bad, but rarely are human lives or critical systems in danger. Most IT data breaches cause very little harm to anyone. Frankly, they pale into insignificance compared to all the ways in which OT systems can fail, which can put critical processes and human lives at risk.
Now imagine being in an industrial or critical infrastructure environment. The potential consequences if any of these processes fail are enormous. Financially, even an hour’s downtime on a site like a factory or mining site can cost millions of pounds.
Human lives are at risk every single day, and not just in hospitals. A mining engineer works day-to-day with explosives, autonomous vehicles, and dangerous chemicals used for processing. Factory workers are increasingly working side by side with incredibly powerful robots. Many of these processes have been digitalized, and old legacy machines have been retrofitted to connect to the internet, and even AI.
This has helped operators improve efficiency, but it has also opened them up to a new wave of threats and new ways to fail.
Defaulting to IT
Despite the potentially grave consequences of a data breach in OT environments, OT cybersecurity is still often bundled in with IT security. This persists because of the people buying and selling cyber security services.
Employees in OT environments are still given standard IT cybersecurity training. A technician working in the energy sector is often given the exact same training as their colleague in HR, despite their jobs and threats being so different.
We would never give them the same health and safety training, because one works from their home office, while the other fixes high-voltage overhead power lines. But cyber, sure, it’s all the same, right?
From the side of businesses, OT cyber security is simply not on their radar, and it’s not budgeted for. Employees won’t ever ask for it.
Likewise, OT cyber security has been ignored by much of the cyber security industry. There are a lot of cyber security training providers that give the same modules to every sector and tell them that this is ok. Most businesses accept this at face value.
Yes, there are some highly specialized OT cybersecurity training providers, but many of these courses are costly. Businesses see it as an optional luxury expense, especially when other training providers are offering a cheaper generic option.
There is also a reluctance to sideline these employees, who work in critical industries and roles, so that they can spend a day or a week on an expensive cyber security course.
Change Needed Faster
IT and OT are not equal, and they are not interchangeable. A change in mindset across all key stakeholders is long overdue.
We need to talk more about OT cyber security and the potential risks facing industrial and critical infrastructure environments. Businesses and employees need educating on OT breaches, especially as these sectors digitize and become a bigger target for cyber criminals.
We also need specialization to triumph over generalization. I would love to see the end of the jack-of-all-trades, master-of-none training providers. Explaining how to spot a phishing email to a technician who spends 90% of their time on-site and out of the office is not good enough.
OT cyber security needs to be individually tailored to the role and the industry, with practical elements, not abstract and generic IT training. We also need to ensure this training is affordable and practical for critical industries that can’t afford to lose staff for expensive and lengthy courses. There’s a balance to be found.
I’m seeing signs of change, and OT cyber security becoming a bigger part of the cyber security conversation, but it’s happening too slowly. I’m impatient for change but also excited about the future of the OT cyber security sector.
