Operational technology (OT) refers to the hardware and software that monitors or controls physical processes, devices, and infrastructure—think programmable logic controllers (PLCs), SCADA systems, distributed control systems (DCS), and industrial IoT sensors used in power grids, water utilities, pipelines, manufacturing plants, and transport networks. OT security is the discipline of defending these assets from cyberattacks, insider misuse, and accidental disruption.
OT security differs from traditional IT security in several ways. Availability and safety typically outrank confidentiality: a stopped turbine or a poisoned water supply has immediate physical consequences. Many OT devices run legacy firmware, cannot be patched without downtime, and use specialized protocols (Modbus, DNP3, OPC-UA, Profinet) that were designed without authentication or encryption. Network segmentation, asset inventory, anomaly-based monitoring, and strict change control are therefore central techniques. The Purdue Enterprise Reference Architecture is a widely cited model for separating enterprise IT from process-control layers.
Several incidents pushed OT security into the policy spotlight:
- Stuxnet (discovered 2010) damaged centrifuges at Iran's Natanz enrichment facility by manipulating Siemens PLCs.
- The 2015 and 2016 attacks on Ukraine's power grid, attributed by Western governments to Russian actors, cut electricity to hundreds of thousands of customers.
- The 2021 Colonial Pipeline ransomware incident in the United States, though striking IT systems, forced shutdown of fuel distribution across the East Coast.
Key reference frameworks include NIST SP 800-82 (Guide to Operational Technology Security), the IEC 62443 series of industrial cybersecurity standards, and sector-specific rules such as the U.S. TSA pipeline security directives and the EU's NIS2 Directive (2022), which expanded cybersecurity obligations for essential and important entities, including many OT operators. For MUN and policy researchers, OT security sits at the intersection of cybersecurity, critical infrastructure protection, international humanitarian law debates on attacks against civilian objects, and emerging norms on responsible state behavior in cyberspace.
Example
In May 2021, the Colonial Pipeline ransomware attack led the company to halt fuel deliveries across the U.S. East Coast, prompting the TSA to issue its first binding cybersecurity directives for pipeline operators.
Frequently asked questions
OT prioritizes safety and availability of physical processes over data confidentiality, deals with long-lived legacy equipment that is hard to patch, and uses industrial protocols that often lack built-in authentication.
Keep learning