Four Key Practices to Begin an OT Security Strategy

June 30, 2023

Operational technology (OT) is way behind when it comes to security, especially compared to what’s going on in the corporate IT security world. As organizations start to think about trying to catch up, the big question becomes: Where do we even start?


OT security has become so top of mind the past couple years because of how it drives the physical world – and cyberattacks are getting more severe. In fact, in a recent survey from Barracuda Networks, over 90% of organizations said they experienced a security incident in the last 12 months. Think of the Colonial Pipeline incident – that was an OT security breach, which shut down gas on the east coast and caused a panic. It’s a public issue affecting many industries – which is why a number of them have made it a priority to address and strengthen their cybersecurity strategies.


So, how should OT organizations start to build out a security framework to address OT vulnerabilities? Here are four best practices to tackle first:


  • Start the Process of Network Segmentation – Many legacy security systems are still stuck in the past (old equipment that’s been running for years without being turned off or rebooted), which leads to a lot of cyber vulnerabilities and anomalies. In a best case scenario, these systems would be upgraded, but this might not always be possible.

  • In this situation (and even in modern environments), segmentation is the fastest way for organizations to reduce risk associated with legacy systems and technologies as well as their attack surface. Segmentation involves dividing a network into smaller sub-networks to deliver unique security controls and services individually. In OT environments, there are many different pieces that contribute to the business, but they don’t all have to be under the same security controls. For example, in a refinery, the conveyor belt doesn’t need to connect to the robotic automation system. If they are connected, it’s actually making the organization more vulnerable to an attack. Segmentation is so helpful because it limits an attacker’s ability to move laterally throughout the network, which, in turn, limits the amount of damage they can do.

  • Prioritize Identity Security – Identity security remains a challenge for many organizations. Not only are there the common risks such as shared group accounts, lack of identity authentication and employees possessing more access than they need, but there’s an ongoing education issue, too, as many employees aren’t aware of identity threats or trained on best practices to mitigate them.

  • Implement baseline identity and access management processes and protocols, such as access controls, multi-factor authentication, privileged access management and least privileged access. Zero Trust, which is founded on the concept, “trust no one and nothing,” also is an extremely effective way to lock down identity risks.

  • Get Visibility – Historically, an IT department’s knowledge of their OT network stopped at the firewall. This really didn’t cut it then, and it certainly doesn’t now. With the number of connected devices coming in and out of today’s facilities, a network can be breached before traditional barriers are even aware of potential vulnerabilities or anomalies.

  • It can’t be this way. There are asset inventory tools, in addition to OT-specific tools, which provide global visibility for a potential highly-localized security problem, e.g., threats and risks impacting a single plant.

  • The ability to see what’s on the network in real-time is key because it enables proactivity and prioritization. Getting that visibility allows for stronger buildouts of SOC teams and patch management programs, because all involved know what to protect and when.

  • Work on Collaboration Across the Business – Companies with a successful security strategy have a very collaborative partnership across departments – it’s not just the security team that’s all in. Between OT, IT, physical security, facilities, etc., the entire company needs to be committed to finding strategies and solutions that prevent OT cyberattacks. Otherwise, some departments may not be vigilant about upholding good cyber hygiene, which puts the entire organization at risk. This means teams will often have to compromise on certain issues to satisfy every department. But, this is a small price to pay to achieve the company-wide benefits of security.



OT is a Priority Across the Board

It's not just OT organizations that are prioritizing security. The White House’s recent Cybersecurity Strategy is defending critical infrastructure as well, which is a move in the right direction because it puts an emphasis on safety. Regulations are powerful, because it forces organizations to pay attention and often moves the needle in helping security teams get budget approval for security investments. As an industry, we should welcome this support and look forward to further federal involvement to encourage investment in people, process and technology for all critical industries.


Regardless of where things land from a regulation standpoint, it’s essential to protect OT networks now, before it’s too late. Following the four steps above will help you start your journey to a more secure and resilient organization.

Sean Tufts
Practice Director, Product Security - ICS & IoT | Optiv
Sean Tufts is the Practice Director for the OT/IoT business at Optiv. He's a former NFL Linebacker turned Critical Infrastructure security leader. Post NFL, he worked for utility operators and O&G hardware suppliers. Prior to his current leadership position at Optiv, Sean was on the Digital transformation team for General Electric focusing on security services for the O&G market. In 2012 he was honored by Forbes as a "30 Under 30" recipient. Sean has a bachelor’s degree and MBA from the University of Colorado, Boulder.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit