IT security professionals moving into operational technology (OT) environments often discover that their frameworks, tools, and assumptions don't transfer well. The gap between IT and OT security is real, persistent, and frequently underestimated.
Understanding this gap is essential for anyone building or deploying technology in industrial environments.
Different Priorities
IT security prioritises the CIA triad in a specific order: Confidentiality, Integrity, Availability. Protect the data first, then ensure it's accurate, then keep systems running.
OT security inverts this: Safety, Availability, Integrity, Confidentiality. Keep people safe, keep systems running, ensure accuracy, then worry about data protection.
This isn't a philosophical difference—it reflects operational reality. In OT environments, a security control that takes systems offline might cause more damage than the threat it's protecting against.
The Patching Problem
IT security dogma: patch quickly, patch often. Unpatched systems are vulnerable systems.
In OT environments, patching is genuinely dangerous:
- Many OT systems run for years without reboots
- Patches may not be tested for specific industrial protocols
- Downtime for patching may cost millions or affect physical processes
- Vendor support may not cover patched systems
- Some systems literally cannot be patched without replacing hardware
The answer isn't "OT systems should patch more"—it's building security architectures that protect systems that can't be frequently patched.
Detection Limitations
IT security relies heavily on endpoint agents, network monitoring, and centralised logging. In OT environments:
- Many devices can't run endpoint agents
- Network monitoring may interfere with real-time protocols
- Centralised logging may not be possible in segmented networks
- Many OT protocols have no concept of authentication or encryption
Security monitoring in OT environments requires purpose-built approaches, not IT tools awkwardly adapted.
The Protocol Problem
IT protocols (HTTP, TLS, OAuth) were designed with security considerations. Many OT protocols (Modbus, DNP3, older proprietary protocols) were designed for reliability in controlled networks, with no security features.
Securing these environments means:
- Network segmentation that limits exposure
- Passive monitoring that doesn't interfere with protocols
- Understanding what "normal" looks like for industrial protocols
- Accepting that you can't retrofit security into protocols that don't support it
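The passive-monitoring and "know what normal looks like" points above can be made concrete. As an added example (not code from the original article), the Python below parses Modbus/TCP frames, learns which (client, server, unit, function code) combinations appear during a known-good window, and flags anything outside that baseline, such as a write function from a host that never wrote before; it needs nothing from the protocol itself, which is the point when the protocol has no authentication. The addresses and frames are constructed for illustration.

```python
import struct
from collections import namedtuple
# Public Modbus function codes used below; writes are the ones that change process state
FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers",
                  5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_CODES = {5, 6, 15, 16}
ModbusFrame = namedtuple("ModbusFrame", "transaction protocol length unit function data")

def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then function code and data."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", payload[:7])
    if protocol != 0:
        raise ValueError(f"unexpected MBAP protocol id {protocol}")
    # The length field counts the unit id and PDU, i.e. everything after byte 6
    if length != len(payload) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusFrame(transaction, protocol, length, unit, payload[7], payload[8:])

def learn_baseline(observations):
    """Record every (client, server, unit, function) seen during a known-good window."""
    baseline = set()
    for client, server, payload in observations:
        frame = parse_modbus_tcp(payload)
        baseline.add((client, server, frame.unit, frame.function))
    return baseline

def check_frame(baseline, client, server, payload):
    """Return findings for one frame; an empty list means it matches the baseline."""
    frame = parse_modbus_tcp(payload)
    if (client, server, frame.unit, frame.function) in baseline:
        return []
    name = FUNCTION_NAMES.get(frame.function, f"function {frame.function}")
    kind = "WRITE" if frame.function in WRITE_CODES else "read"
    return [f"{client} -> {server} unit {frame.unit}: {kind} '{name}' not in baseline"]

# Constructed sample frames (not captured from a real network).
# HMI 10.0.0.5 reads 40 holding registers from address 0 on PLC 10.0.0.20, unit 1.
READ_HOLDING = bytes.fromhex("000100000006010300000028")
# Write Single Register: address 0x0010 set to 0x01F4 (500).
WRITE_SINGLE = bytes.fromhex("0002000000060106001001F4")
BASELINE = learn_baseline([("10.0.0.5", "10.0.0.20", READ_HOLDING)])

if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.99"):
        print(src, check_frame(BASELINE, src, "10.0.0.20", WRITE_SINGLE))
```

In practice the baseline would be learned from a span port or network tap over a long enough window to cover maintenance and shift changes, and findings would feed a ticket rather than a block, since blocking is what this article warns against.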
Vendor Relationships
In IT, you can often swap vendors or force security requirements. In OT, vendor relationships are different:
- Equipment lifespans of 20+ years
- Proprietary systems with sole-source support
- Warranty voiding if you modify systems
- Vendors who don't understand or prioritise security
Working with OT security means working with the vendor landscape as it exists, not as you wish it existed.
Building an OT Security Posture
Genuine OT security requires:
- Understanding that IT frameworks are starting points, not solutions
- Investing in people who understand both security and industrial operations
- Building detection capabilities that work with OT constraints
- Accepting that some IT security controls can't be directly applied
- Focusing on resilience and recovery, not just prevention
At Muon Group, we work in the spaces where IT and OT intersect. We understand both worlds and build for the reality of industrial environments, not the fantasy of environments that behave like IT infrastructure.
