What is OT/ICS Security?

9 minute read
Advanced

OT and ICS security protects industrial control systems and physical operations from cyberattacks. Learn how OT security differs from IT security, the Volt Typhoon threat, and what critical infrastructure operators must do.

Why OT Security Differs from IT Security

OT systems are designed for reliability and availability rather than security. Industrial controllers that manage chemical processes, electrical generation, water treatment, or manufacturing lines are often 15-30 years old, run operating systems that no longer receive security updates, communicate over protocols designed before network security was a consideration, and frequently cannot be patched or rebooted without disrupting the process they control. The standard IT security playbook (deploy patches promptly, install endpoint agents, segment aggressively) often cannot be applied to OT without risking operational failure, so compensating controls such as network isolation and passive monitoring carry more of the load.

The convergence of IT and OT networks — driven by industrial IoT, remote monitoring, and the business value of operational data — has created pathways between corporate IT networks and OT environments that did not previously exist. Attackers who breach the corporate IT environment now have potential pathways to OT systems that were historically air-gapped.

OT Attack Consequences

OT security incidents have consequences beyond data theft or financial loss. In the 2021 Oldsmar, Florida water treatment incident, someone using a remotely accessible control interface briefly raised the sodium hydroxide setpoint from 100 to 11,100 parts per million before an operator noticed and reverted it (later accounts questioned whether it was an intrusion or an employee error, but the exposure of the control interface was real either way). The 2015 and 2016 attacks on the Ukrainian power grid caused outages by using malware (BlackEnergy and Industroyer) to take control of grid management systems and open breakers; a 2022 Industroyer2 deployment was detected and disrupted before it caused an outage. Triton/TRISIS, deployed against a Saudi Arabian petrochemical facility in 2017, specifically targeted Safety Instrumented Systems, the layer designed to shut a process down safely and protect workers from industrial accidents.

Volt Typhoon and Critical Infrastructure Targeting

The most significant recent development in OT security is the sustained targeting of US critical infrastructure by the Chinese state-sponsored group Volt Typhoon, disclosed publicly by Microsoft and a joint CISA/NSA/FBI advisory in May 2023 and confirmed in subsequent advisories. Per the February 2024 joint advisory, Volt Typhoon operators maintained persistent access to US critical infrastructure networks (water utilities, energy systems, transportation infrastructure) for at least five years in some cases, pre-positioning for disruptive or destructive attacks in the event of a major crisis or conflict with the United States.

Volt Typhoon operated almost entirely through living-off-the-land techniques, using legitimate administrative tools already present in the environment and routing traffic through compromised small-office routers, which makes signature-based detection ineffective. The campaign's discovery came through sustained threat hunting by government and private sector analysts rather than automated detection. Its scale and duration, spanning multiple critical infrastructure sectors including communications, energy, transportation, and water, make it the most serious known OT security threat to US infrastructure.
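The kind of hunt that surfaces living-off-the-land activity is not a signature match but a comparison against what is normal for each host. The following Python is an added illustration written for this page, not code from the original article or from Cloudskope: it builds a baseline of which images run on which hosts, under which users and parents, from a window of known-good process-creation events, then scores new events by how far they depart from that baseline and by whether the binary is a dual-use administration tool. All events, host names, users and command lines are constructed for the example; the dual-use tool list and the score weights are assumptions.

```python
"""
Baseline-and-rarity hunt for living-off-the-land (LotL) activity.

Events are (host, user, parent_image, image, command_line) tuples.
All sample data below is constructed for this example, not real telemetry.
"""
from collections import defaultdict

# Built-in Windows administration tools that LotL operators reuse instead of
# deploying malware. The list is an assumption for the example, not exhaustive.
DUAL_USE_TOOLS = {
    "cmd.exe", "powershell.exe", "netsh.exe", "ntdsutil.exe",
    "wmic.exe", "vssadmin.exe", "reg.exe", "schtasks.exe",
}

# A "known-good" window (constructed): three workstations and one domain
# controller where a backup admin legitimately runs ntdsutil from cmd.exe.
BASELINE_EVENTS = [
    ("WS01", "alice", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("WS01", "alice", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("WS01", "SYSTEM", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("WS02", "bob", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("WS02", "bob", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("WS02", "SYSTEM", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("WS03", "carol", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("WS03", "SYSTEM", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("SRV-DC1", "SYSTEM", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("SRV-DC1", "backupadm", "cmd.exe", "ntdsutil.exe",
     'ntdsutil.exe "ac i ntds" ifm "create full D:\\backup" q q'),
]

# New events to hunt over (constructed). The second and third are the shapes
# a hunter wants surfaced: a port-forward set up with netsh on a workstation,
# and an IFM dump of the directory database by a user who never did it before.
NEW_EVENTS = [
    ("WS02", "bob", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("WS02", "bob", "cmd.exe", "netsh.exe",
     "netsh interface portproxy add v4tov4 listenport=9999 "
     "connectaddress=10.10.5.20 connectport=3389"),
    ("SRV-DC1", "svc_monitor", "cmd.exe", "ntdsutil.exe",
     'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q'),
]


def build_baseline(events):
    """Summarise normal: which images run where, under whom, spawned by what."""
    b = {
        "hosts": set(),
        "host_image": set(),
        "host_user_image": set(),
        "parent_image": set(),
        "image_hosts": defaultdict(set),
    }
    for host, user, parent, image, _cmd in events:
        b["hosts"].add(host)
        b["host_image"].add((host, image))
        b["host_user_image"].add((host, user, image))
        b["parent_image"].add((parent, image))
        b["image_hosts"][image].add(host)
    return b


def score_event(event, baseline):
    """Return (score, reasons). Weights are assumptions chosen for the example."""
    host, user, parent, image, _cmd = event
    score, reasons = 0, []
    if image in DUAL_USE_TOOLS:
        score += 1
        reasons.append("dual-use admin tool")
    if (host, image) not in baseline["host_image"]:
        score += 2
        reasons.append("image never seen on this host")
    if (parent, image) not in baseline["parent_image"]:
        score += 2
        reasons.append("unseen parent/child pair")
    if (host, user, image) not in baseline["host_user_image"]:
        score += 1
        reasons.append("new user for this image on this host")
    prevalence = len(baseline["image_hosts"].get(image, ())) / len(baseline["hosts"])
    if prevalence < 0.5:
        score += 1
        reasons.append(f"low prevalence ({prevalence:.0%} of hosts)")
    return score, reasons


def hunt(events, baseline, threshold=3):
    """Return events at or above threshold, highest score first."""
    findings = []
    for ev in events:
        s, why = score_event(ev, baseline)
        if s >= threshold:
            findings.append((s, ev, why))
    return sorted(findings, key=lambda f: f[0], reverse=True)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for s, ev, why in hunt(NEW_EVENTS, base):
        print(f"score={s} host={ev[0]} image={ev[3]} :: {'; '.join(why)}")
```

The point the scoring makes is that a tool present in the baseline (ntdsutil on the domain controller) is still surfaced when the user or parent context changes, while a never-before-seen admin binary on a workstation scores far higher; neither would trip a signature, which is why the page describes the discovery as hunting rather than detection.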

OT Security Assessment Priorities

For PE sponsors with portfolio companies that include manufacturing, energy, utilities, or other industrial operations, OT security assessment should evaluate: Is there network segmentation between IT and OT environments, and has it been validated by observing or testing actual traffic rather than only documented in a diagram? Are remote access pathways to OT systems (vendor VPNs, jump hosts, remote desktop) controlled and monitored? Are OT systems inventoried, including legacy systems with known vulnerabilities that cannot be patched and must be covered by compensating controls? Is there passive monitoring of OT network traffic that would detect anomalous communication patterns, such as a new host talking to a controller or an unexpected write command? Is there an OT-specific incident response plan that accounts for the safety implications of disrupting or shutting down OT systems?
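Two of those questions, whether segmentation holds in practice and whether OT traffic monitoring would notice anomalous communication, can be answered from the same passive flow data. The following Python is an added example written for this page, not code from the original article or from Cloudskope. It takes constructed flow records (source, destination, port, and the Modbus function code where the port is 502), maps addresses onto assumed IT and OT zones, and flags three things: a flow that crosses a zone boundary the documented conduit list does not permit, a Modbus write issued by a host that is not on the write allowlist, and a conversation pair absent from a baseline learned from earlier traffic. The subnets, conduit list, allowlist and all flows are assumptions constructed for the example.

```python
"""
Passive checks over OT network flow records:
  1. does observed traffic match the documented IT/OT segmentation?
  2. who is issuing write commands to controllers?
  3. which conversations are new relative to a learned baseline?

All addresses, zones, allowlists and flows below are constructed for this
example; a real deployment would load them from firewall policy and a
network sensor.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed zone model (IEC 62443 style): corporate IT, an OT DMZ holding the
# historian and jump host, engineering workstations, and the control network.
ZONES = {
    "it_corp": ipaddress.ip_network("10.1.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.10.1.0/24"),
    "ot_eng": ipaddress.ip_network("10.10.5.0/24"),
    "ot_ctl": ipaddress.ip_network("10.10.10.0/24"),
}

# Documented conduits: (source zone, destination zone) pairs that are
# supposed to exist. Anything else crossing a zone boundary is a violation.
ALLOWED_CONDUITS = {
    ("it_corp", "ot_dmz"),   # corporate users read the historian
    ("ot_dmz", "ot_eng"),    # jump host to engineering workstations
    ("ot_dmz", "ot_ctl"),    # historian polls controllers (read-only)
    ("ot_eng", "ot_ctl"),    # engineering workstations program controllers
    ("ot_ctl", "ot_dmz"),    # controllers push data to the historian
}

# Modbus function codes that change controller state (coil/register writes).
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}
MODBUS_PORT = 502

# Only this engineering workstation is authorised to write to controllers.
WRITE_AUTHORIZED = {"10.10.5.10"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    modbus_fc: Optional[int] = None   # populated only for Modbus/TCP flows


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def build_baseline(flows):
    """Conversation pairs seen during a learning window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def analyse(flows, baseline):
    """Return a list of (finding_kind, flow, detail) tuples."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz != dz and (sz, dz) not in ALLOWED_CONDUITS:
            findings.append(("segmentation_violation", f, f"{sz} -> {dz}"))
        if (f.dport == MODBUS_PORT and f.modbus_fc in MODBUS_WRITE_FC
                and f.src not in WRITE_AUTHORIZED):
            findings.append(("unauthorized_write", f, f"function code {f.modbus_fc}"))
        if (f.src, f.dst, f.dport) not in baseline:
            findings.append(("new_conversation", f, "pair not in baseline"))
    return findings


def summarise(findings):
    """Count findings by kind, e.g. {'unauthorized_write': 2, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


# Learning window (constructed): engineering writes, historian reads,
# corporate users reaching the historian over HTTPS.
BASELINE_FLOWS = [
    Flow("10.10.5.10", "10.10.10.21", 502, 3),
    Flow("10.10.5.10", "10.10.10.21", 502, 16),
    Flow("10.10.1.5", "10.10.10.21", 502, 3),
    Flow("10.1.20.30", "10.10.1.5", 443),
]

# Later traffic (constructed): one benign read, a corporate host writing a
# register directly on a PLC, the historian writing a coil, and the
# engineering workstation talking to a controller it never touched before.
NEW_FLOWS = [
    Flow("10.10.5.10", "10.10.10.21", 502, 3),
    Flow("10.1.20.30", "10.10.10.21", 502, 6),
    Flow("10.10.1.5", "10.10.10.21", 502, 5),
    Flow("10.10.5.10", "10.10.10.22", 502, 3),
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for kind, f, detail in analyse(NEW_FLOWS, base):
        print(f"{kind:24} {f.src} -> {f.dst}:{f.dport}  {detail}")
    print(summarise(analyse(NEW_FLOWS, base)))
```

The corporate host writing to a PLC produces three findings at once (it crosses an undocumented conduit, it writes, and it is a new conversation), which is exactly the evidence that a segmentation diagram alone cannot provide; the historian's coil write is not a new conversation and would pass a pure baseline check, so the function-code rule is what catches it.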

Real-World Example: Colonial Pipeline — IT Breach, OT Shutdown

The May 2021 Colonial Pipeline ransomware attack is one of the most consequential OT security incidents in US civilian infrastructure history. DarkSide ransomware encrypted Colonial Pipeline's IT billing and business systems, not its OT systems. On May 7 the company proactively shut down the pipeline's OT control system as a precaution because it could not confirm the intrusion had not spread to OT. The result: 5,500 miles of pipeline carrying roughly 45% of East Coast fuel supply stayed offline until restart on May 12, causing fuel shortages and panic buying across the southeastern United States. The IT breach caused OT disruption through the operational decision to shut down, not through direct OT compromise, which is why an OT incident response plan has to define in advance what evidence is needed to keep the process running.

5+ years

The length of time, according to the February 2024 joint CISA/NSA/FBI advisory, that Volt Typhoon maintained access to some US critical infrastructure networks before detection, demonstrating the scale of pre-positioned access that nation-state actors have established in OT environments.

How Cloudskope Can Help

Cloudskope's OT security assessments evaluate IT-OT network segmentation, remote access controls, monitoring capability, and incident response planning for industrial environments. For PE sponsors with manufacturing and industrial portfolio companies, we assess OT exposure as part of our M&A cyber due diligence program.