ICS/OT Security 6 min read 25 March 2026

ICS/OT Security: What It Is and Why It Matters


Most people working in cybersecurity spend their careers thinking about web apps, APIs, cloud infrastructure, and endpoints. That's where the money is, the tooling is mature, and the attack surface is well-understood. But there's a whole other world running underneath, one that controls power stations, water treatment plants, manufacturing lines, and hospital equipment. That's ICS/OT territory, and it operates by completely different rules.

I've been doing penetration testing work in OT-aligned environments recently, and the shift in mindset required is significant. This article is for security practitioners who know IT security well but haven't worked in industrial environments yet. No fluff, just what you actually need to understand.

What ICS and OT Actually Mean

Operational Technology (OT) is the hardware and software that monitors and controls physical processes. Think of a factory floor where machines are controlled automatically, or a water treatment plant where chemical dosing is managed by a system rather than a person turning dials manually. OT is what makes that work.

Industrial Control Systems (ICS) is the broader category of systems used in that context. Within ICS you'll find:

IoT sits adjacent to all of this. Modern industrial environments are increasingly connected, with sensors, edge devices, and gateways blurring the line between traditional OT and internet-connected devices.

Why OT Security Is Different From IT Security

This is the part that catches people out. The principles overlap but the priorities are almost inverted.

In IT security, the classic triad is Confidentiality, Integrity, Availability, in roughly that order of concern for most organisations. In OT environments, Availability comes first. A factory that goes down for unplanned maintenance loses money every minute. A power grid that goes down affects hospitals, homes, and emergency services. The cost of downtime isn't just financial, it can be physical and life-threatening.

This changes everything about how you approach security. You can't just patch aggressively. You can't restart services without a maintenance window. You can't run a noisy network scan without potentially triggering equipment failures. The standard playbook from IT pentesting can cause real damage in OT environments if applied without thought.

A basic Nmap scan with default settings sent to the wrong OT device has crashed PLCs in real environments. Understanding what you're scanning before you scan it is not optional in ICS work.

The Attack Surface in OT Environments

OT environments weren't designed with security in mind. Many of the protocols used, including Modbus, DNP3, Profinet, and EtherNet/IP, were designed for reliability and determinism, not for authentication or encryption. A device speaking Modbus will respond to commands from anyone on the same network segment. There's no authentication built into the protocol by design.
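Because Modbus carries no authentication, the practical defence is to know which hosts are allowed to write to a controller and to alert on writes from anyone else. The following is an added example, not code from the original article: it parses Modbus/TCP frames (MBAP header plus PDU) from constructed sample traffic and flags write function codes from sources outside an engineering-workstation allowlist. The IP addresses, unit IDs and allowlist are assumptions for the demonstration.

```python
import struct
from dataclasses import dataclass

# Function codes that change process state. Reads (1-4) are left out on purpose.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(src, payload):
    """Parse one Modbus/TCP ADU: 7-byte MBAP header then the PDU. Returns None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; length counts every byte after the length field.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(src, tid, unit, payload[7], payload[8:])

def audit_writes(packets, allowed_writers):
    """Return one alert string per write command from a source not on the allowlist."""
    alerts = []
    for src, payload in packets:
        req = parse_modbus_tcp(src, payload)
        if req is None or req.function not in WRITE_FUNCTIONS:
            continue
        if src not in allowed_writers:
            alerts.append(f"{src} sent {WRITE_FUNCTIONS[req.function]} "
                          f"(fc {req.function}) to unit {req.unit_id}")
    return alerts

def build_sample(tid, unit, function, data):
    """Assemble a Modbus/TCP frame for the constructed sample traffic below."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic (assumed addresses): the HMI reads registers and performs a
# sanctioned write, then an unknown host writes a coil on the same segment.
SAMPLE_PACKETS = [
    ("10.0.1.10", build_sample(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.0.1.10", build_sample(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
    ("10.0.1.99", build_sample(3, 1, 5, struct.pack(">HH", 7, 0xFF00))),
]
ALLOWED_WRITERS = {"10.0.1.10"}
```

In a real deployment the packet list would come from a passive tap or span port, never from active probing of the controllers.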

Common weaknesses you'll find during OT assessments:

Real Attacks That Happened

This isn't theoretical. The attacks are documented and instructive.

Stuxnet (2010) remains the most sophisticated ICS attack ever analysed. It targeted Iranian uranium enrichment centrifuges by manipulating Siemens PLC logic to cause physical damage while reporting normal operation to operators. It set the template for what state-level ICS attacks look like.

Ukraine Power Grid (2015 and 2016) showed that attackers could cause blackouts affecting hundreds of thousands of people by compromising SCADA systems and remotely operating breakers. The 2016 attack used Industroyer, malware specifically built to speak industrial protocols.

Oldsmar Water Treatment Plant (2021) — an attacker remotely accessed an HMI via TeamViewer and attempted to increase sodium hydroxide levels to dangerous concentrations. An operator noticed the cursor moving on screen and intervened. The attack failed but the vulnerability was real.

These aren't ancient history. OT attacks are increasing as more industrial environments connect to corporate networks and the internet.

Key Frameworks for OT Security

If you're moving into OT security work, two frameworks are essential reading:

IEC 62443 is the international standard for industrial cybersecurity. It defines security levels, zones and conduits for network segmentation, and security management requirements for industrial automation and control systems. When clients ask about compliance in OT environments, this is usually the reference point.

NIST SP 800-82 is the US government's guide to ICS security. It's comprehensive, well-structured, and freely available. It covers the unique characteristics of ICS environments and maps recommendations to the NIST Cybersecurity Framework.

The MITRE ATT&CK for ICS matrix is also worth bookmarking. It documents adversary tactics and techniques specific to industrial environments, which is useful both for understanding attacker behaviour and for structuring assessments.

What This Means for Practitioners

If you're an IT security person looking at OT, here's the honest picture. Your technical skills transfer, including networking fundamentals, vulnerability assessment, understanding of authentication and encryption, and scripting. What doesn't transfer automatically is the operational context and the risk calculation that goes with it.

Before doing anything in an OT environment, you need to understand the process being controlled, what failure looks like, and what the blast radius of your actions might be. That's not scaremongering, it's the difference between useful security work and causing an incident.

The space is genuinely interesting. The combination of physical consequences, legacy technology, proprietary protocols, and poor security hygiene makes OT environments one of the more technically demanding areas of offensive security. If you're looking to differentiate yourself, it's worth investing time in learning it properly.

That's the foundation. Subsequent posts will go deeper into specific protocols, assessment methodology, and tooling for OT environments.
