Most cyber security advice was written for IT environments. If you work in operational technology, you’ve probably noticed.
The recommendations are familiar: patch regularly, segment your networks, deploy endpoint detection, enforce least-privilege access. Sound advice in an IT context. But try applying it to a manufacturing floor running 20-year-old PLCs, a continuous production line that can’t tolerate a maintenance window, or a SCADA system built on proprietary protocols that no modern security tool can parse, and the gap between theory and operational reality becomes immediately clear.
The problem isn’t a lack of effort. It’s that the standard cyber security playbook doesn’t fit OT environments, and applying it without understanding the operational context can create more risk than it removes.
Why OT security is genuinely different
Operational technology environments carry constraints that fundamentally change how security needs to be approached. These aren’t edge cases or exceptions; they’re the norm across manufacturing, utilities, logistics, and critical infrastructure.
Legacy systems that cannot be patched without a production outage are one of the most common challenges. Some OT assets have operational lifespans of 15 to 30 years: they were designed and commissioned long before cyber security was a consideration, and in many cases they simply cannot be updated without full re-validation. Network scanning tools that are perfectly safe in IT environments can cause PLCs and controllers to behave unpredictably or fail entirely in OT. And unlike IT, there are often no maintenance windows: you cannot take down a water treatment plant, a power grid, or a continuous manufacturing process to apply a security update.
Then there’s the protocol challenge. OT environments frequently rely on proprietary and legacy protocols (Modbus, DNP3, BACnet, PROFINET) that modern security tools weren’t designed to understand. A SIEM built for IT won’t give you meaningful visibility into traffic between a PLC and an HMI. An endpoint agent designed for Windows servers may be incompatible with a real-time controller. The tools aren’t wrong; they’re just built for a different world.
The visibility gap is bigger than most organisations realise
Asset visibility is the foundation of any security programme. You can’t protect, monitor, or recover systems you don’t know exist. Yet across industrial environments, visibility remains one of the most persistent gaps. The 2025 SANS State of ICS/OT Cybersecurity Survey found that while 49% of organisations report having OT-specific detection capabilities, only 1 in 8 (12.6%) have full visibility across the entire ICS kill chain, from initial IT compromise through to potential impact on PLCs, SCADA systems, and physical processes.
The picture gets starker the deeper you look into the operational environment. At the supervisory control level (SCADA and HMI systems), just 10% of organisations report full visibility. At the basic control level (the PLCs and RTUs that directly govern physical processes), coverage is even thinner. These are the systems that, if compromised, can halt production, disrupt supply chains, or create genuine safety risks. And in most organisations, they’re the least visible to security teams.
Meanwhile, the Fortinet 2025 State of OT and Cybersecurity Report found that as organisations mature, their confidence in having complete visibility of OT systems has actually decreased, not because things are getting worse, but because better tooling is revealing just how many assets, connections, and exposures were previously invisible. Growing awareness of what you don’t know is progress, but it’s uncomfortable progress.
The knowledge gap is just as dangerous
Visibility isn’t only about technology. It’s also about knowledge: understanding the operational environment well enough to make security decisions that actually work.
This is where OT security becomes genuinely specialist. A security recommendation that is technically correct can be operationally impossible, or actively dangerous, in an OT context. Recommending network segmentation is sound advice, but implementing it in a live process control environment without deep knowledge of how those systems communicate with each other could disrupt production, trigger safety systems, or cause equipment damage.
Engineering teams who manage OT environments exceptionally well may have no visibility of their cyber risk profile. Conversely, cyber security teams with strong IT skills may have no understanding of the operational consequences of the changes they’re recommending. Good OT security requires both disciplines working together, and most organisations have one, the other, or neither.
“Knowing you have a vulnerability and knowing what to do about it in an OT environment are two very different things.”
Most OT incidents don’t start in OT
One of the most important findings from recent threat intelligence is that the majority of incidents affecting operational technology don’t begin in the OT network itself. According to Dragos’s 2026 OT Threat Landscape report, attackers typically gain initial access through IT systems (engineering workstations, SCADA infrastructure, virtualisation platforms) and then move laterally into OT. The path is already established because IT and OT environments are more interconnected than many organisations realise.
In 2025 alone, Dragos tracked 119 ransomware groups affecting more than 3,300 industrial organisations worldwide, nearly double the number from the previous year. Many of these incidents were classified as IT events even when the compromised systems directly supported industrial operations. If the assets underpinning your OT are exposed or poorly secured, attackers don’t need to breach the OT network directly. Understanding these attack paths requires visibility across both IT and OT — not one or the other in isolation. This is exactly why our exposure management service looks at the full picture, including the internet-facing assets and external exposure that give attackers their way in.
What understanding actually looks like
Securing OT environments effectively starts with accepting that the approach must be different, not weaker, not less rigorous, but adapted to the constraints and priorities of the operational world. That means several things in practice.
Passive, non-intrusive asset discovery that works within OT constraints. Active scanning can destabilise controllers and disrupt processes. Effective OT visibility requires approaches that can map assets, connections, and communications without introducing operational risk.
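As an added illustration of what passive discovery can look like (this is example code written for this article, not part of the original post or any vendor's product), the snippet below builds a Modbus/TCP asset inventory purely from frames taken off a passive capture such as a SPAN port, and lists state-changing function codes issued by hosts outside an assumed HMI/engineering allowlist so an engineer can review them. The captured frames, IP addresses, port and allowlist are all constructed.

```python
import struct
from collections import defaultdict

# Modbus function codes that change controller state (coil and register writes)
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def parse_mbap(frame: bytes):
    """Parse one Modbus/TCP frame: 7-byte MBAP header followed by the PDU.
    Returns None for anything that is not a well-formed Modbus/TCP frame."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0 for Modbus; length counts unit id + PDU bytes
    if pid != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": frame[7]}

def build_inventory(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, payload) taken from a
    passive capture. Nothing is ever sent to the network, so controllers are
    never probed. Result: (plc_ip, unit_id) -> {client_ip: {function codes}}."""
    inventory = defaultdict(lambda: defaultdict(set))
    for src, dst, port, payload in flows:
        if port != 502:          # assumed: Modbus/TCP on its default port
            continue
        pdu = parse_mbap(payload)
        if pdu is None:          # malformed or non-Modbus traffic is skipped
            continue
        inventory[(dst, pdu["unit"])][src].add(pdu["function"])
    return {k: dict(v) for k, v in inventory.items()}

def unexpected_writers(inventory, allowed_writers):
    """Review items (not verdicts): hosts outside the expected HMI/engineering
    allowlist that issued write function codes to a controller."""
    findings = []
    for (plc, unit), clients in inventory.items():
        for client, funcs in clients.items():
            writes = funcs & WRITE_FUNCTIONS
            if client not in allowed_writers and writes:
                findings.append((plc, unit, client, sorted(writes)))
    return sorted(findings)

# Constructed sample of captured Modbus/TCP requests (client -> PLC:502)
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 502, bytes.fromhex("000100000006010300000001")),  # HMI reads registers, unit 1
    ("10.1.1.10", "10.1.2.5", 502, bytes.fromhex("000200000006010600100001")),  # HMI writes a register, unit 1
    ("10.1.1.10", "10.1.2.6", 502, bytes.fromhex("000300000006020100000008")),  # HMI reads coils, unit 2
    ("10.1.1.99", "10.1.2.5", 502, bytes.fromhex("000400000006010500010000")),  # unlisted host writes a coil
    ("10.1.1.99", "10.1.2.5", 502, bytes.fromhex("000500000004010300")),        # length field wrong: ignored
    ("10.1.1.10", "10.1.2.5", 443, bytes.fromhex("000600000006010300000001")),  # not port 502: ignored
]
```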
Unified IT and OT detection that understands both environments. Monitoring IT and OT separately creates blind spots at the boundary — precisely where most attacks transition from initial access to operational impact. A managed SIEM or MDR/MXDR capability that correlates signals across both environments dramatically improves detection speed and accuracy.
Incident response and recovery plans tested specifically for OT, not adapted from IT playbooks. A ransomware scenario that affects a data centre looks very different from one that shuts down a manufacturing line or disrupts a utility. Incident response in OT requires understanding of safety systems, physical process dependencies, and recovery sequences that don’t exist in IT.
Risk reported in language the board can act on, with OT included alongside IT. As the UK Government’s Cyber Security Breaches Survey showed, only 31% of businesses have a board member who takes explicit responsibility for cyber security. In organisations where OT risk isn’t even part of the board-level conversation, the gap is wider still. Our blog on who actually owns cyber risk explores why this governance gap matters and how to close it.
Start with what you don’t know
The instinct in most organisations is to start with what you can control: strengthen the defences you already have, tighten the policies you’ve already written. That’s reasonable, but it misses the point. The most impactful step an industrial organisation can take is to understand where its blind spots are: the assets it doesn’t know about, the connections it hasn’t mapped, the attack paths it hasn’t considered, and the gaps between what IT sees and what OT sees.
That’s exactly what our Industrial Threat Insight Report is designed to do. It’s a free, OT-focused cyber risk assessment built specifically for manufacturing and industrial organisations. It combines an external threat intelligence view showing how your organisation appears to attackers, including exposed assets, leaked credentials, and active threat groups targeting your sector, with a NIST CSF 2.0 aligned review of your IT and OT security controls across governance, identity, segmentation, detection, and recovery.
The output isn’t a generic report. It’s a clear, prioritised view of where your exposure and readiness gaps are and practical recommendations for what to do about them. Because you can’t secure what you don’t understand, and understanding starts with the right assessment.
You can’t protect what you can’t see
Our free Industrial Threat Insight Report combines external threat intelligence with a NIST CSF 2.0 aligned assessment of your IT and OT security controls, giving you a clear picture of where exposure exists, what attackers can see, and where your readiness gaps are.