7 Critical Controls For World Class OT Cybersecurity. How and why O.T. is different. How to protect ?

Master ICS/OT cybersecurity: SANS' 5 critical controls +2 overlooked: OT-Specific IR Plan, Defensible Architecture, Visibility & Monitoring, Secure Remote Access, Risk-Based Vuln Mgmt, Physical Security. Key tips to protect people, assets, and environment from real-world threats.

7 Critical Controls For World Class OT Cybersecurity. How and why O.T. is different. How to protect ?

Introduction

Incident response, architecture, monitoring — the fundamentals of cybersecurity carry over from IT into OT. But how they are applied, prioritized, and executed is completely different, and that difference is the whole point of this article.

The SANS Institute's Five Critical Controls for ICS/OT environments are the foundation. I've added two more. Together, here is what I consider the seven pillars of world-class OT cybersecurity:

  1. OT-Specific Incident Response Plan
  2. Defensible Architecture
  3. Visibility & Monitoring
  4. Secure Remote Access
  5. Risk-Based Vulnerability Management
  6. Physical Security
  7. Third-Party Risk Management (TPRM)

Below, I've tried to explain each of these in brief. Let's start.


01 — OT-Specific Incident Response Plan

Incident response in OT is a completely different game from IT. In IT, you're focused on the CIA triad, but confidentiality rarely matters as much in OT — if someone leaks how many gallons of product you produce, it usually doesn't matter. What matters in OT comes down to three things:

  • Protecting the people,
  • Protecting the physical assets, and
  • Protecting the environment.

A cyberattack on IT may cost you money or reputation through downtime or data loss. A cyberattack on OT can cause real-world damage.

For example: Imagine an explosion at a nuclear or thermal power plant, a complete shutdown of a manufacturing plant, or a chemical leak. There could be human life losses. Things can go really bad, really fast — that's how critical this is.

OT includes IT systems plus physical components like valves, IEDs, PLCs, RTUs, DCS, and SCADA, where timing and safety are everything. You can't just bring in IT tools like EDR or SIEM as-is — many OT systems are old, fragile, or vendor-controlled, and their protocols are different.

If something goes wrong, it's the operations team that owns the response — not just cybersecurity. You can't isolate or restart systems without working closely with plant operators who understand the process side. It's a completely different approach from IT incident response.

To do it right, you need the right mix of people — folks who understand both cybersecurity and industrial environments, and who know the operation well. Train teams together, set clear procedures for detection, containment, and recovery, and coordinate closely with vendors for support.

Preparation is key. Set up IR rooms, keep tools and logs ready, and use a Collection Management Framework so you know exactly what data you need during an emergency.
Communication is critical. Have escalation paths and backup communication methods ready. Run tabletop exercises regularly to find gaps and keep safety front and center — so if a real emergency hits, everyone already knows their role and no one is left guessing.

02 — Defensible Architecture

Second, focus on a defensible architecture — one that can actually be defended. Start by locking down the environment.

Device-Level Security

  1. Shut down unused ports on switches and enable port security.
  2. Deploy a Network Access Control (NAC) solution that blocks unauthorized or rogue devices. Use NAC that handles AAA (Authentication, Authorization, and Accounting) — ideally with TACACS+ support for device control, so only authorized users can run approved commands on network devices.
  3. Change all default passwords and set strong ones for every device. Avoid easy-to-guess passwords like "Admin123."
  4. Keep Industrial Automation Control System (IACS) devices in read-only mode. Switch to Read/Write only when needed, then switch back to Read-Only.
  5. Use a Domain Controller (Active Directory) and join endpoints such as Engineering Workstations (EWS) and Operator Workstations (OWS) to the domain.
  6. Apply least privilege to both EWS and OWS.
  7. Choose a good XDR (anti-virus) that can analyze user and file behavior and take action against abnormal activity.
  8. Block unused external media and USB ports using the XDR. Cut off unnecessary access points.
  9. Create an application whitelist in the XDR policy — only whitelisted applications can run on EWS and OWS; everything else is blocked by default.

Network-Level Security

  1. Deploy a strong firewall as your perimeter defense. Use two firewalls in High Availability for redundancy — Active-Passive or Active-Active.
  2. Eliminate single points of failure; the OT network itself should be redundant.
  3. Segment the network inside OT. Use the Purdue Enterprise Reference Architecture (PERA) as your design model. Segmentation is critical because it gives you granular control over OT — create multiple zones with different VLAN IDs assigned to different subnets, and allow communication between zones only where necessary.
  4. IT and OT networks should each connect only to the DMZ (Level 3.5) — never directly to one another.
  5. IT or any external network should reach the OT DMZ only from a fixed IP. Allow inbound connections to the DMZ only from specific static public IPs or IP ranges, through an IPSec tunnel, MPLS, VSAT, microwave, or fiber. The firewall should block every connection request from a source not explicitly defined in policy.
  6. Any system that needs direct internet access or access to an external network from OT — antivirus server, patch server, jump host, PAM, historian — belongs in the DMZ.
  7. If IT or an external network needs access to a historian or other database, place a replica of it in the DMZ. Never allow direct external connections into OT devices, or from OT devices out.

Document Everything

  1. Avoid giving full admin privilege to a single person. Split privileges among multiple people, and document how they're split — Segregation of Duties (SoD) matters.
  2. Maintain policies, procedures, and guidelines for every process to raise your security maturity. For example: an Employee Leaving Policy that requires all access to be revoked before an employee's last working day, with a checklist assigned to someone — security or HR — who must confirm completion. If it isn't followed, the responsible person should be held accountable. Security auditors should review compliance half-yearly or yearly and report violations to management.
  3. Likewise, maintain password policies and access policies for EWS/OWS, and documented guidelines for every process, operation, and activity — not limited to just these examples.
  4. Train users on every policy that applies to them, and verify understanding with a knowledge check.
Please note: Security is not a one-time setup. It's a continuous process. You need skilled people to identify gaps and fix them over time.

Buying expensive technology doesn't guarantee security if it isn't configured correctly. In many cases, a simple, well-configured tool performs just as well as an expensive one.

In the end, it's not just the setup — it's the people, processes, and technology that keep it secure over time. Ongoing resources are needed to adapt to new threats. Security is a constant effort to stay ahead: keep it simple, clean, documented, and strong.


03 — Visibility & Monitoring

You can't protect or defend something you don't see.

Visibility and monitoring are critical. You can't protect something you're not even aware of — a single blind spot can be dangerous. Keep an up-to-date asset inventory, map vulnerabilities to fix plans, and watch network traffic for trouble. Automate repetitive tasks wherever possible.

Monitoring checks whether your architecture actually holds up, spots threats early enough for automated response in large networks, and highlights weak spots. Standard IT tools don't understand industrial protocols like Modbus, DNP3, IEC 104, or PROFINET, so this is where OT-specific platforms come in — for example Nozomi Networks, Claroty, or Dragos, Inc. They're built for exactly this: they scan industrial networks in passive mode — mirroring a switch port and listening to packets without disturbing communication — build a behavioral baseline, flag anomalies, and turn that into actionable insight.

A Note on Dragos

Dragos offers advanced services and sharp threat intelligence, including Neighborhood Keeper, a free, opt-in collective-defense service that shares threat intelligence at machine speed across industries and regions. By participating, each organization's defensive capability becomes stronger than what it could achieve alone.

Dragos also offers premium services, including:

  • WorldView — Dragos's threat intelligence product, used in SOCs, boardrooms, and the physical facilities of electric grids, oil and gas pipelines, water treatment plants, and manufacturing sites. It delivers insights tailored to OT and ICS environments, helping practitioners stay ahead of emerging adversary activity.
  • OT Watch — A managed service where Dragos's own analysts and threat hunters operate the Dragos Platform on your behalf: enhancing visibility, identifying threats, and tuning your posture continuously, without adding to your team's workload.

Dragos offers other professional services specific to ICS/OT environments as well — a strong choice if you want a guided, step-by-step path to a safer facility. I recommend Dragos because it was built by OT cybersecurity practitioners, for practitioners; they know the pain points firsthand, and their visibility and monitoring capability reflects that. (This is my personal opinion — I am not sponsored by anyone to say this.)


04 — Secure Remote Access

This is huge in OT, where people frequently connect from outside the plant — especially during firmware updates, patching, or vendor-involved work. Make sure every remote connection goes through a VPN and a Privileged Access Management (PAM) solution.

A simple win here is multi-factor authentication — a classic IT trick that works just as well in OT, with very little added friction. Roll it out across systems for an extra layer of protection. If MFA isn't feasible on a given system, use closely monitored jump hosts instead.

The key idea: Watch the connections going into and out of the OT network — not the traffic inside it.

05 — Risk-Based Vulnerability Management

Know your weak points. Know your crown jewels. Have a plan to manage risk based on priority — this is core to a defensible setup.

Patching in OT isn't like updating a laptop. Shutting down a plant carries a real cost. It's a high-stakes balancing act.

Stay on top of vulnerabilities with accurate risk information, and use compensating controls to reduce exposure while operations keep running. Test vendor patches in a safe, isolated setup first, then deploy when it makes sense — sometimes that means waiting for the next scheduled maintenance window, which could be months, or even a year, away.


06 — Physical Security

I'm not sure why this gets overlooked so often, but it's the control that ties everything else together. BYOD doesn't work inside an OT network the way it does in IT. Let me explain.

The vendor owns the proprietary engineering software required to configure, calibrate, or program specific industrial assets — PLCs, RTUs, HMIs, or smart instrumentation.

These software suites — Siemens TIA Portal, Rockwell Studio 5000, Schneider EcoStruxure, and similar — are notoriously expensive and heavily licensed. Vendors typically keep these licenses tied to their own corporate engineering laptops, and the software often requires very specific OS versions, legacy Java runtimes, or custom drivers to talk to physical serial ports or specialized NICs.

When a critical asset fails, or during a scheduled shutdown or turnaround, every minute counts — production is halted and time is money. Vendors often plug their laptops directly into the asset to modify ladder logic, push firmware updates, adjust setpoints, or pull raw diagnostic logs directly from a controller when central visibility isn't enough. During Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT), vendor laptops are used the same way, to validate systems before handover.

What Risk Is Involved?

When that laptop bridges into your OT environment, it effectively bypasses your perimeter defenses and introduces real risk.

The vendor engineer may have travelled from another site, stayed in a hotel, and connected that same laptop to hotel Wi-Fi, an airport network, or their own corporate network just hours earlier. That laptop can unintentionally carry IT ransomware, or even OT-specific malware, straight into an environment where many systems still lack modern Endpoint Detection and Response (EDR) coverage.

Another common risk: vendors leave a Wi-Fi adapter or cellular hotspot active while simultaneously connected to the OT Ethernet network. This can accidentally create an unmonitored bridge between the internet and the plant's critical process control network, quietly bypassing every control you've put in place.

How to Mitigate This Risk

In a perfect world, vendors wouldn't need to bring physical machines at all. In the real world, many plants still lack the infrastructure to support secure alternatives. Ideally, the plant provides dedicated, hardened, on-site Engineering Workstations with all required vendor software pre-installed; if the plant can't provide one, the vendor brings their own. Similarly, if the plant lacks a secure, MFA-protected jump host or a properly designed Industrial DMZ (IDMZ) for remote engineering access, physical presence becomes the only practical option.

Since vendor work can't be eliminated entirely, strong compensating controls are what reduce the risk:

Isolated Vendor VLANs — If a vendor must connect to the network, place them in a highly restricted, temporary VLAN that only permits communication with the specific IP addresses of the assets they're servicing — not the entire plant network.
Dedicated On-Site Engineering Assets — Move toward a model where vendors use plant-owned, hardened engineering laptops that never leave the site, or provide access through a tightly monitored Virtual Desktop Infrastructure (VDI) hosted inside the IDMZ.
Verify Firmware — A plant automation engineer should over-the-shoulder monitor the entire session. If firmware is being pushed, insist that the binary hash (SHA-256) is verified against the official OEM release notes before it's loaded.
Physical Port Security — Disable unused switch ports, lock network cabinets, and physically secure engineering access points to prevent unauthorized connections.

Physical access control for people matters just as much — you have to control who gets in and out of the facility, and make sure nothing sneaks out either.

Without this, you risk a Stuxnet-style attack. Cyber defenses are useless if someone can tamper with equipment inside the facility.

In OT, physical security is non-negotiable — think locks, badges, device checks, and policies to stop insider or external breaches.


07 — Third-Party Risk Management (TPRM)

No matter how secure your home is, it's very important to know who is getting into it. One vulnerable third party can become the entry point to your next breach.

The same principle applies to Operational Technology environments.

Today, organizations outsource a significant share of their critical operations to external vendors, system integrators, OEMs, managed security providers, cloud service providers, and maintenance contractors. These partnerships bring specialized expertise and operational efficiency, but they also introduce one of the largest attack surfaces in any critical infrastructure environment.

In OT, your security posture is no longer defined only by your own controls — it's also determined by the security of every third party that connects to your industrial environment. A compromised vendor can quickly become the entry point into your plant.

Common OT Services Frequently Outsourced

  • OEM & System Integrator Support — Vendors maintain proprietary engineering software, licenses, PLC/DCS programming, and specialized automation expertise through Long-Term Service Agreements (LTSAs).
  • Predictive Maintenance & Industrial Analytics — Plant telemetry is sent to cloud platforms where AI and machine learning models predict equipment failures before they occur.
  • Managed OT Security (MSSP / MDR / ISOC) — Continuous monitoring of industrial networks using platforms such as Nozomi, Dragos, or Claroty is often outsourced, since running a 24/7 in-house OT SOC requires highly specialized expertise.
  • Plant Turnarounds & Commissioning — During shutdowns and major upgrades, organizations rely on external engineering teams for equipment replacement, commissioning, calibration, and large-scale maintenance.
  • Industrial Network & Telecom Management — Management of industrial firewalls, routing, switching, wireless infrastructure, and IDMZ environments is frequently handled by specialized network service providers.

The Core Risks of OT Outsourcing

Unlike IT, where an outsourcing incident might mean data loss or application downtime, failures in OT can mean equipment damage, environmental impact, production outages, or even loss of life. Here are six of the most common risks:

1. Persistent Remote Access Vendors often need remote connectivity for diagnostics and maintenance. The real risk is usually not the vendor itself but the compromise of the vendor's own corporate environment — if an attacker steals a vendor engineer's credentials, they may inherit that same trusted access into your industrial network. If remote sessions terminate directly into the Control Network instead of an Industrial DMZ, attackers can gain direct access to critical systems.

2. Compromised Engineering Workstations Vendor engineers typically use portable engineering laptops. If these devices connect to the plant network while remaining connected to Wi-Fi, VPN, or cellular, they unintentionally bridge secure OT environments with external networks — bypassing the segmentation you built.

3. Software & Firmware Supply Chain Attacks Every firmware upgrade, PLC logic change, or software update carries an element of trust. If a vendor's software repository or development environment is compromised — as demonstrated by SolarWinds or NotPetya — malicious code can be introduced directly into industrial control systems.

4. Cloud Telemetry & Intellectual Property Exposure Predictive maintenance platforms collect enormous amounts of operational data: process values, production trends, equipment performance, operational behavior. Even when configured as one-way traffic, if that data is compromised, attackers gain insight into proprietary manufacturing processes and critical production assets — more than enough for a reconnaissance phase.

5. Loss of Internal Knowledge Excessive dependence on external vendors gradually erodes internal engineering expertise. When experienced contractors leave or are unavailable during an emergency, the organization becomes dependent on vendor availability — directly affecting recovery time and operational resilience.

6. Fourth-Party Risk Many organizations carefully assess their direct vendors but overlook who those vendors rely on. Without proper governance, subcontractors can gain access to sensitive systems without ever being evaluated by the asset owner — an unmanaged, additional layer of supply chain risk.

How to Mitigate These Risks

The following checklist helps reduce both cyber and operational risk associated with third-party access to industrial environments.

1. Secure Remote Access (mitigates: Persistent Remote Access Risk)

  • ✅ Route all vendor remote connections through an Industrial DMZ (IDMZ) using dedicated jump servers.
  • ✅ Never allow direct VPN connectivity into Level 2 or Level 3 industrial networks.
  • ✅ Implement Just-In-Time (JIT) remote access with automatic expiration.
  • ✅ Require Multi-Factor Authentication (MFA) for every remote session.
  • ✅ Record and monitor all privileged vendor activity using a Privileged Access Management (PAM) solution.

2. Secure Vendor Engineering Devices (mitigates: Compromised Engineering Workstations)

  • ✅ Require vendor laptops to be managed through corporate MDM or equivalent endpoint management.
  • ✅ Prevent simultaneous Ethernet, Wi-Fi, VPN, Bluetooth, or cellular connectivity (dual-homing).
  • ✅ Scan all laptops and removable media through a dedicated "Sheep Dip" station before connecting to plant assets.
  • ✅ Protect switch ports using 802.1X, Sticky MAC, or equivalent network access controls.

3. Protect Industrial Data (mitigates: Cloud Telemetry & Data Exposure)

  • ✅ Share only the minimum operational data required.
  • ✅ Remove or anonymize sensitive production information whenever possible.
  • ✅ Encrypt all telemetry using TLS 1.3 with Mutual TLS (mTLS).
  • ✅ Verify that vendors maintain recognized certifications such as ISO 27001 or SOC 2 Type II — with evidence.

4. Preserve Internal Capability (mitigates: Vendor Dependency)

  • ✅ Require complete engineering documentation before project closure.
  • ✅ Include formal knowledge transfer and hands-on training for plant personnel.
  • ✅ Define clear Recovery Time Objectives (RTOs) and response SLAs within vendor contracts.

5. Control Fourth-Party Risk (mitigates: Unauthorized Subcontracting)

  • ✅ Require written approval before any subcontractor is engaged.
  • ✅ Ensure all subcontractors meet the same cybersecurity, compliance, and personnel screening requirements as the primary vendor.
  • ✅ Maintain an approved list of authorized subcontractors.
A note on trust: In security, there is unfortunately no place for "trust." Technical controls are only effective when they are continuously verified.

Identity & Access Management

  • Issue accounts only to named vendor personnel.
  • Prohibit shared or generic vendor accounts.
  • Apply least-privilege access and Just-In-Time provisioning.

Right to Audit

  • Include contractual rights to audit vendor personnel, remote access logs, engineering changes, and system activity.
  • Periodically verify that only approved personnel are accessing critical infrastructure.
  • Review vendor compliance against contractual cybersecurity requirements.

Third-party vendors are an essential part of modern industrial operations, but every connection they establish extends your attack surface. Effective Third-Party Risk Management isn't about eliminating vendors — it's about making sure every connection, every engineer, every device, and every software update is secure, verified, monitored, and controlled before it reaches your critical infrastructure.


References & Sources

This article was developed through an extensive review of academic journals, peer-reviewed research papers, technical reports, industry publications, and professional guidance covering operational technology (OT), industrial control systems (ICS), smart grids, and critical infrastructure protection.

Key reference material includes publications from SANS — The Five ICS Cybersecurity Critical Controls.

Disclaimer

This article is intended solely for educational and awareness purposes. It consolidates information from multiple publicly available academic and technical sources together with the author's professional experience in industrial cybersecurity and critical infrastructure protection. While every effort has been made to ensure technical accuracy, some concepts have been simplified to improve readability for a broader audience. Readers should consult OT cybersecurity professionals, vendor documentation, and authoritative guidance before making engineering, operational, or security decisions.

AI Assistance Disclosure

To improve readability, grammar, sentence structure, and overall clarity, AI writing tools were used as an editorial assistant. The technical concepts, interpretation, structure, and final technical review were performed by the author. AI was not used as a primary source of technical information or research.


About Author:
Abu Saleh Md. Zakaria B.S. Computer Science, University of Pune, India Security Researcher — Protecting Critical Infrastructure (Smart Grids, Water, Aviation, Telecom, Banking) SANS GIAC x4 · CCIE (Security) · PCNSE · SABSA · ISO 27001 LA/LI · ASIS PSP Google Scholar: 300+ Citations

Published on ICSCyberpro.net — a non-profit, vendor-neutral initiative to learn, secure, and collaborate

Download the PDF Version of this here:

7 Critical Controls For World-Class OT / ICS Cybersecurity
Operational Technology (OT) security is not IT security with different acronyms, it’s a fundamentally different discipline where the priority is protecting people, physical assets, and the environment, not just data. In this article, ICS/OT security researcher Abu Saleh Md. Zakaria builds on the SANS Institute’s Five Critical Controls for ICS/OT environments, adding two controls he considers essential but frequently overlooked: OT-specific incident response planning and third-party risk management. The article walks through all seven controls in practical detail, defensible architecture (device-level, network-level, and documentation controls), visibility and monitoring (including a look at platforms like Nozomi Networks, Claroty, and Dragos), secure remote access, risk-based vulnerability management, physical security (including the real-world risks vendor engineering laptops introduce to a plant), and a full third-party risk management framework with actionable mitigation checklists. Drawing on hands-on experience securing smart grids, water systems, aviation, telecom, and banking infrastructure, this is a field-level guide for anyone responsible for defending critical industrial environments, not a theoretical overview.

Download PDF File


If you found this article useful, share it, comment — it motivates me to write more. If you have questions or want to share your thoughts, I'd love to hear from you. Feel free to email me at sec[dot]asmz[at]gmail[dot]com.