Why OT Cybersecurity Still Needs a Screwdriver

Operational Technology, or OT, is often described as the hidden side of modern industry. It is the part of the technology stack that controls physical processes, moves machinery, opens valves, fills bottles, cuts materials, monitors sensors, and keeps manufacturing lines running. For people coming from the IT world, it can feel familiar at first glance because there are computers, networks, servers, protocols and increasingly Ethernet connections. The deeper you go, however, the more you realise that OT follows a very different logic.

Davide "Skullb0y" Pala’s talk, The Shadow of Operational Technologies: A Journey into OT Security, is a useful introduction to this world because it avoids treating OT security as simply another branch of IT security. The big message is that in OT, the primary asset is not just data. It is the process. That process may involve production, safety, machinery, people, energy, water, chemicals, logistics or any other physical operation. If something goes wrong, the impact is not limited to a database, a laptop or a server. It can stop a factory, damage equipment, waste material, or in the worst case, create real physical danger.

One of the most memorable parts of the talk is the reference to old relay-based automation. Before programmable logic controllers, or PLCs, industrial automation often relied on complex relay logic. These systems were physical, electrical and sometimes poorly documented. The joke about fixing them with the handle of a screwdriver works because it captures something very real about many industrial environments. Plants are not always clean, modern, fully documented systems. They often contain decades of modifications, retrofits, temporary fixes and inherited design decisions that are understood by only a few people, or sometimes by nobody at all.

That is one of the biggest challenges in OT cybersecurity. The first step is not scanning for vulnerabilities or deploying tools. The first step is understanding what the plant actually does.

Modern industrial environments are usually a mixture of IT and OT. At one end, there are the familiar IT systems such as PCs, servers, databases and business applications. At the other end, there are sensors, actuators, motors, valves, controllers, PLCs, remote terminal units, human-machine interfaces and SCADA systems. Between them are different layers of supervision, control and manufacturing systems that allow operators and business functions to interact with the physical process.

This layered view is often explained using the Purdue model, which separates the physical process, control layer, supervisory layer and manufacturing layer. It is not a perfect model for every modern deployment, but it remains useful because it forces people to think about functions, dependencies and boundaries. In OT security, those boundaries matter. Traffic should not be allowed everywhere simply because it is technically possible. A system that only needs to read sensor states should not automatically be allowed to write commands back into a controller.

This is where OT security starts to become very different from traditional IT security. In IT, controls are often built around protecting confidentiality, integrity and availability of information. In OT, availability and safety often come first. A PLC, RTU, HMI or SCADA system may have been designed to run for many years with minimal disruption. Applying patches, running aggressive scans or testing live systems in the same way as an enterprise IT estate can create unacceptable risk. A poorly planned test can itself become an outage.

The talk gives a good example of how process knowledge changes the security approach. In a simple conveyor system controlled by a soft PLC and monitored by SCADA, an attacker who compromises the SCADA machine may not need malware that looks suspicious. They can use legitimate industrial protocols and legitimate commands to interfere with the process. From a network perspective, the traffic may look valid. From a process perspective, it may be dangerous.

That distinction is crucial. If security only asks whether the packet is allowed by the firewall, it may miss the real issue. OT security also has to ask whether this command makes sense for this process, at this time, from this system. In the example, blocking unnecessary write operations from the SCADA layer to the process was a form of process hardening. It reduced the attack surface not merely by controlling network access, but by understanding what the process actually required.
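The process-hardening idea in the conveyor example, and the boundary rule from the Purdue discussion above (a system that only needs to read sensor states should not be allowed to write commands back), can be made concrete with a small policy engine. The code below is an added illustration, not code from the talk or from any product. It parses Modbus/TCP request frames (a standard industrial protocol; the MBAP header and function codes are the real ones), assigns each source host to a constructed zone, and then applies two checks that a plain firewall rule cannot express: which zone may use write function codes at all, and whether a write to the speed setpoint register is within the safe range for the process. The host addresses, the register number 100 and the 0..1500 limit are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard Modbus function codes.
READ_COILS = 0x01
READ_DISCRETE_INPUTS = 0x02
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
READ_CODES = {READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}
WRITE_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # start address / register address
    value: Optional[int]     # quantity for reads, value for single writes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the first fields of the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func = frame[7]
    address = value = None
    # All eight standard codes carry a 16-bit address followed by a 16-bit quantity/value.
    if func in READ_CODES | WRITE_CODES and len(frame) >= 12:
        address, value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(tid, uid, func, address, value)


def build_request(tid: int, uid: int, func: int, address: int, value: int) -> bytes:
    """Build a minimal Modbus/TCP request; used here only to construct sample traffic."""
    pdu = struct.pack(">BHH", func, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed site policy: the SCADA server only monitors, the engineering
# workstation may write. Addresses are made up for the example.
ZONE_OF_HOST = {
    "10.20.0.15": "scada",
    "10.20.0.40": "engineering",
}
ALLOWED_FUNCTIONS = {
    "scada": READ_CODES,
    "engineering": READ_CODES | WRITE_CODES,
}
# Constructed process limit: holding register 100 is the conveyor speed setpoint (0..1500).
SPEED_SETPOINT_REGISTER = 100
SPEED_LIMITS = (0, 1500)


def evaluate(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return ('allow'|'deny', reason) for one request from src_ip."""
    req = parse_modbus_tcp(frame)
    zone = ZONE_OF_HOST.get(src_ip)
    if zone is None:
        return "deny", f"unknown source {src_ip}"
    if req.function not in ALLOWED_FUNCTIONS[zone]:
        # Protocol-valid traffic, but the wrong zone for a write: the conveyor case.
        return "deny", f"zone {zone} may not use function 0x{req.function:02X}"
    if req.function == WRITE_SINGLE_REGISTER and req.address == SPEED_SETPOINT_REGISTER:
        lo, hi = SPEED_LIMITS
        if not lo <= req.value <= hi:
            return "deny", f"speed setpoint {req.value} outside {lo}..{hi}"
    return "allow", f"zone {zone} function 0x{req.function:02X}"


# Constructed sample traffic (source ip, frame).
SAMPLE_TRAFFIC = [
    ("10.20.0.15", build_request(1, 1, READ_HOLDING_REGISTERS, 100, 2)),    # SCADA polls speed
    ("10.20.0.15", build_request(2, 1, WRITE_SINGLE_REGISTER, 100, 1200)),  # SCADA tries to write
    ("10.20.0.40", build_request(3, 1, WRITE_SINGLE_REGISTER, 100, 1200)),  # engineering, in range
    ("10.20.0.40", build_request(4, 1, WRITE_SINGLE_REGISTER, 100, 9000)),  # engineering, out of range
    ("10.20.0.99", build_request(5, 1, READ_COILS, 0, 8)),                  # unknown host
]


def run_policy(traffic: List[Tuple[str, bytes]] = SAMPLE_TRAFFIC) -> List[Tuple[str, str]]:
    return [evaluate(ip, frame) for ip, frame in traffic]


if __name__ == "__main__":
    for (ip, _), (decision, reason) in zip(SAMPLE_TRAFFIC, run_policy()):
        print(f"{ip:12} {decision:5} {reason}")
```

The second sample frame is the interesting one: it is a perfectly well-formed Modbus request that a port-based firewall rule would pass, and it is denied only because the policy knows the SCADA zone has no business writing to the controller. The fourth frame comes from a host that is allowed to write and is still denied, because the value makes no sense for the process.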

This is highly relevant for private networks. Private 4G and 5G networks are increasingly positioned as reliable, deterministic and secure connectivity platforms for industrial sites. They can support mobility, segmentation, quality of service, device identity and better control over coverage and capacity. But connectivity alone does not solve OT security. A private network can provide a cleaner and more controlled communications layer, but it still needs to fit the operational reality of the site.

In a factory, port, utility, warehouse or energy facility, the private network may connect machines, sensors, vehicles, cameras, handheld devices and remote monitoring systems. Some of those systems may be modern. Others may be legacy assets that were never designed for IP connectivity. Some may depend on vendor access for maintenance. Others may be connected because of performance monitoring, predictive maintenance or contractual requirements. This means the private network must be designed with OT risk in mind from the beginning.

Remote access is a particularly important issue. Many industrial systems are maintained by third parties, integrators or equipment vendors. Machines may be rented, leased or supported remotely. These connections are often essential for troubleshooting and maintenance, but they can also become weak points if they are unmanaged, always-on or poorly monitored. The issue is not only whether a vulnerability exists. It is also whether anyone knows who connected, when they connected, what they changed and whether those changes were authorised.

This is why accountability matters as much as vulnerability management. A former employee, a supplier, a misconfigured switch, a wrongly powered-down storage device or a poorly segmented network can all create incidents. Some of these may not look like cyber attacks at all, but they still affect availability and operations. From the point of view of a plant manager, the difference between a malicious incident and a preventable outage may be less important than the fact that production stopped.
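The accountability questions raised in the last two paragraphs (who connected, when, what they changed, and whether the change was authorised) can be answered mechanically once the remote-access session log, the controller's change audit and the approved maintenance windows are brought together. The following is an added example, not part of the original article or the talk; the log formats, host names, user names and ticket numbers are all constructed. Each recorded change is matched to a remote session that was open at that time for the same user, and then to an approved change ticket covering that user and time; anything that fails either match is flagged.

```python
from datetime import datetime
from typing import List, Tuple

FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamps kept as naive UTC for simplicity


def ts(s: str) -> datetime:
    return datetime.strptime(s, FMT)


# Constructed remote-access session log: start,end,user,jump host reached.
SESSION_LOG = """\
2024-03-04T08:02:11Z,2024-03-04T09:40:05Z,vendor_acme,10.20.0.40
2024-03-04T22:15:30Z,2024-03-04T23:02:44Z,vendor_acme,10.20.0.40
2024-03-05T10:00:00Z,2024-03-05T10:30:00Z,integrator_bob,10.20.0.40
"""

# Constructed controller change audit: time,user,controller,description.
CHANGE_LOG = """\
2024-03-04T08:30:00Z,vendor_acme,conveyor-plc-1,program download
2024-03-04T22:40:12Z,vendor_acme,conveyor-plc-1,setpoint register changed
2024-03-05T10:12:00Z,integrator_bob,conveyor-plc-1,firmware update
2024-03-06T03:05:00Z,unknown,conveyor-plc-1,program download
"""

# Constructed approved maintenance windows: ticket, user, window start, window end.
TICKETS = [
    ("CHG-1001", "vendor_acme", ts("2024-03-04T08:00:00Z"), ts("2024-03-04T10:00:00Z")),
    ("CHG-1002", "integrator_bob", ts("2024-03-05T10:00:00Z"), ts("2024-03-05T11:00:00Z")),
]


def parse_sessions(text: str) -> List[Tuple[datetime, datetime, str, str]]:
    out = []
    for line in text.splitlines():
        start, end, user, target = line.split(",")
        out.append((ts(start), ts(end), user, target))
    return out


def parse_changes(text: str) -> List[Tuple[datetime, str, str, str]]:
    out = []
    for line in text.splitlines():
        when, user, device, desc = line.split(",")
        out.append((ts(when), user, device, desc))
    return out


def audit_changes(session_text: str = SESSION_LOG, change_text: str = CHANGE_LOG,
                  tickets=TICKETS) -> List[Tuple[str, str, str, str]]:
    """Return (time, device, status, detail) per change.

    status is 'authorised' (session + ticket), 'unplanned' (session but no ticket)
    or 'no-session' (change recorded without any matching remote session).
    """
    sessions = parse_sessions(session_text)
    results = []
    for when, user, device, desc in parse_changes(change_text):
        session = next((s for s in sessions if s[2] == user and s[0] <= when <= s[1]), None)
        if session is None:
            results.append((when.strftime(FMT), device, "no-session",
                            f"{desc} by '{user}' with no remote session open"))
            continue
        ticket = next((t for t in tickets if t[1] == user and t[2] <= when <= t[3]), None)
        if ticket is None:
            results.append((when.strftime(FMT), device, "unplanned",
                            f"{desc} by {user} during session from {session[0].strftime(FMT)}, no ticket"))
        else:
            results.append((when.strftime(FMT), device, "authorised",
                            f"{desc} by {user} under {ticket[0]}"))
    return results


if __name__ == "__main__":
    for row in audit_changes():
        print(" | ".join(row))
```

Two of the four constructed changes would deserve a plant manager's attention: the late-evening setpoint change made over a legitimate vendor session that nobody scheduled, and the program download attributed to an unknown user with no remote session at all, which is either a local change or a gap in the monitoring. Neither involves malware, which is exactly the kind of incident the text describes.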

There is also a cultural gap. IT teams may not want to touch OT because the systems feel fragile, obscure and business-critical. OT engineers may not trust IT security teams because they fear downtime, delays and theoretical controls that do not respect the process. Bridging this gap requires more than technology. It requires shared language, trust and a willingness to learn from each other.

For IT and cybersecurity professionals, this means understanding industrial processes, not just networks. For OT engineers, it means understanding risk, remote access, segmentation, logging and accountability. For private network designers, it means working with both sides. The right architecture must support operational continuity while creating clear zones, conduits, monitoring points and access controls.

Standards such as IEC 62443 are useful in this context because they encourage thinking in terms of zones and conduits. Rather than assuming that everything inside the plant is trusted, they help define where communication should happen, what kind of communication is required and how the impact of compromise can be limited. This is especially important when long equipment life cycles are involved. Industrial systems may remain in service for 20 or 30 years, which means organisations cannot simply wait for all legacy protocols and devices to disappear.

The reality is that old and new will coexist for a long time. Ethernet-connected equipment will sit beside serial-based systems. Modern HMIs will interface with legacy PLCs. Cloud dashboards may depend on data from machines designed long before cloud monitoring became common. Private 5G may provide advanced connectivity to an environment where some assets still need very careful isolation. That is why OT cybersecurity is less about buying a single product and more about understanding the whole operational context.

The screwdriver joke is funny because it reminds us that industrial environments are practical, physical and sometimes messy. But it also carries a serious lesson. You cannot secure what you do not understand. In OT, understanding includes the machine, the process, the people, the history, the undocumented workarounds, the maintenance model and the consequences of failure.

As private networks become more common in industrial environments, this lesson becomes even more important. Reliable wireless connectivity can be a powerful enabler for automation, monitoring, robotics, worker safety and digital transformation. But if it is deployed without OT security thinking, it can also connect systems that were never meant to be exposed, monitored remotely or controlled in new ways.

The future of industrial connectivity will not be defined by private networks alone, or by OT cybersecurity alone. It will depend on bringing the two together properly. That means designing connectivity around the process, applying segmentation with purpose, monitoring remote access, limiting unnecessary commands, and making sure the people responsible for IT, OT and security are working from the same map.

Sometimes that map may still need a screwdriver nearby, not as a security control, but as a reminder that the physical world does not always behave like a neat network diagram.
