OT cybersecurity is the practice of protecting the operational technology that runs a plant the PLCs, SCADA systems, drives, and networks that control physical machines, from cyber threats. It differs from IT security because a compromise here does not just leak data; it can stop a line, ruin product, or hurt someone. Safety and uptime come first.

As plants connect the floor to the network to get the data they need, they inherit risks the floor never had when it was isolated. This is a practical guide to what makes OT security different, what the IEC 62443 standard actually recommends, why patching is so hard on the plant floor, and how to start hardening an operation without breaking the lines that pay for it.

What is OT cybersecurity?

OT cybersecurity protects operational technology, the systems that sense and control the physical world of a plant, as opposed to IT, which protects information systems like email, files, and business applications. The distinction matters because the consequences are different in kind. When IT is attacked, data is stolen or encrypted. When OT is attacked, a valve opens, a motor overspeeds, or a safety system is disabled. The stakes are physical.

For decades OT was protected mainly by isolation: the control network was air-gapped, spoke old protocols like Modbus with no security of their own, and simply could not be reached from outside. That isolation is eroding as plants connect equipment for monitoring and analytics, and the protocols that were safe on an island are dangerously exposed on a network. OT security is the discipline that replaces "unreachable" with "defended."

How is securing OT different from IT?

The clearest way to see the difference is the priority order. IT security is usually framed as confidentiality first, then integrity, then availability, the classic CIA triad. OT inverts it: availability comes first, then integrity, then confidentiality. A plant would rather a competitor glimpse a temperature setpoint than have the line stop, because a stopped line is real money and sometimes real danger.

IT and OT invert the same priorities Same three priorities, opposite order IT 1 · Confidentiality 2 · Integrity 3 · Availability OT 1 · Availability 2 · Integrity 3 · Confidentiality
The inversion drives everything else: OT will accept a security trade-off IT never would if it keeps the line running safely.

That inversion cascades into every other difference. OT equipment lives for 15 to 30 years, not 3 to 5, so a plant runs operating systems long past their support dates. Downtime for patching is scarce and expensive, so systems go unpatched for years. And the top-priority outcome is safety, so any control that could interfere with a machine's safe operation is treated with deep suspicion. Security tools built for the office frequently do not fit the floor for exactly these reasons.

What does IEC 62443 recommend?

IEC 62443 (developed with ISA as ISA/IEC 62443) is the leading international standard for the cybersecurity of industrial automation and control systems. It does not prescribe products; it gives a risk-based method for organizing defenses, and three of its ideas are worth every plant's time.

The first is zones and conduits. You group systems that share security requirements into zones, and you control every communication path between zones through a defined conduit. Segmentation means that if one zone is breached, the attacker cannot simply wander into the critical ones, a conduit is where you inspect and restrict traffic. The second is security levels (SL 1 through SL 4), which let you assign each zone a target level matched to the threat it faces: SL 1 guards against accidental misuse, SL 2 against simple intentional attacks, SL 3 against sophisticated attackers with moderate resources, and SL 4 against well-resourced, determined adversaries. The third is the set of seven foundational requirements that define what "secure" means in concrete terms.

IEC 62443 zones and conduits Zones and conduits: contain the blast radius ENTERPRISEIT / businessSL 1 CONTROLSCADA / PLCSL 3 SAFETYSISSL 4 conduit conduit Each zone gets a target security level (SL). Traffic between zones is only allowed through a conduit, where it can be inspected and restricted, so a breach in one zone does not become a breach of all.
Higher-consequence zones get higher target security levels, and every path between them is a controlled conduit.

The seven foundational requirements are identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. You do not have to memorize them, but they make a useful checklist: for each zone, can you prove who is connecting, limit what they can do, detect tampering, protect sensitive data, restrict flows, respond to events, and keep the system available? Any honest OT assessment ends up answering those seven questions.

Why is patching so hard on the plant floor?

Patching is hard because the floor cannot stop and the equipment cannot be trusted to survive a change. A patch on an office laptop is routine; a patch on a controller that runs a filling line is a validated change to a system that may not reboot cleanly, may void a vendor warranty, and can only be applied during a scheduled shutdown that might be months away. So known vulnerabilities linger not out of negligence but out of physics and economics.

This is why OT security leans so heavily on compensating controls rather than patching alone. If you cannot patch a vulnerable PLC you shrink its exposure instead, put it in a tightly controlled zone, restrict what can talk to it, and monitor it closely. Segmentation buys safety for the systems you cannot fix, which is most of them, most of the time.

What are the IT/OT convergence risks?

The core convergence risk is that connecting the two worlds imports IT's threats into OT's fragile, long-lived, hard-to-patch environment. A phishing email that would merely annoy the office can become a path to the control network if the two are flatly connected. Malware that is trivial for a modern IT system to shrug off can crash a decade-old HMI. And the same connection that lets you finally read machine data for monitoring, the very link that helps collapse data silos is, if left unsegmented, a road an attacker can travel in the other direction.

The answer is not to abandon connectivity, the data is too valuable, and isolation is already breaking down. The answer is disciplined, deliberate connection: read-only where possible, segmented always, monitored continuously. Getting data off the floor and securing the floor are the same project done well, not competing priorities.

A defended plant network is layered, not flat. The widely used reference for this is the Purdue model, which stacks the plant from Level 0 (the physical sensors and actuators) up through control and supervisory levels to the business systems at the top, with a demilitarized zone (DMZ) between the control network and the enterprise. The DMZ is where data is handed up and commands are filtered, nothing passes straight from the office to a controller. Modern data movement respects that layering: an edge device reads the floor and publishes upward through protocols like MQTT so the business gets its data without a direct line into the control zone.

A layered plant network with a DMZ Layered, not flat: the DMZ guards the seam ENTERPRISE / IT · business systems DMZ · data handed up, commands filtered SUPERVISORY · SCADA / HMI CONTROL · PLCs / drives PROCESS · sensors / actuators IT world the boundary OT world Nothing passes straight from the office to a controller. The DMZ is the only door.
The Purdue-style layering keeps the office and the controllers apart, with the DMZ as the single guarded crossing.

How do you start securing an OT network?

You cannot defend what you cannot see, so OT security starts with visibility and works outward. This sequence follows the grain of IEC 62443 without requiring a full program on day one.

  1. Inventory everything. Build an accurate list of every device, its firmware, and how it connects. Most plants are surprised by what is actually on their network.
  2. Map the flows. Document what talks to what. You cannot draw zones until you know the real traffic, including the connections nobody remembers making.
  3. Segment into zones and conduits. Separate enterprise, control, and safety systems, and force every path between them through a controlled conduit. This is the highest-leverage single step.
  4. Assign target security levels. Give each zone an SL matched to its consequence, so effort concentrates where a breach would hurt most.
  5. Add compensating controls where you cannot patch. For unpatchable legacy gear, restrict access and monitor closely instead of leaving it exposed.
  6. Monitor and rehearse. Watch OT traffic for anomalies and practice your response, because timely detection is one of the seven foundational requirements for a reason.

By the numbers

ISA/IEC 62443 is the recognized international series for industrial control system cybersecurity, defining four security levels (SL 1-4) and seven foundational requirements, maintained by ISA and the IEC (ISA/IEC 62443 series). Threats to industrial systems are not theoretical: CISA publishes hundreds of Industrial Control Systems advisories each year across more than 200 vendors and 700-plus products, and has pushed critical-infrastructure operators to remove control systems from direct internet exposure (CISA: Industrial Control Systems and its ICS advisories). Where Harmony fits: Harmony is an AI-native operating system for manufacturing that connects to plant systems through read-first, segmentation-friendly patterns, so a plant can get the data it needs off the floor without flattening the boundaries OT security depends on. See the network context in IIoT the control layer in SCADA or how CLS unified its floor.