C3 Blog

OT Security: Protecting Your Operations Requires a Different Playbook

Written by Jason Bourque | Mar 26, 2026 1:47:26 PM

When I ask clients how they're solving for OT security, the two most common answers are "we have firewalls between IT and OT" and "we're air-gapped." Both sound reasonable. Both leave significant exposure. Firewalls don't protect PLCs with default passwords. And true air gaps are rare; most OT environments have evolved to include remote access, ERP integrations, and analytics platforms. 

What OT Security Actually Means 

In plain terms, OT security is about protecting physical outcomes. While IT security is focused on protecting data (keeping information confidential, intact, and accessible), OT security focuses on systems that make things happen in the physical world.

  • Production Lines 
  • Energy Systems 
  • Logistics Infrastructure
  • Plant Floor Equipment 

These systems can stop your factory from running if disrupted. The goal is not to prevent a data breach; the goal is to ensure that a digital compromise never becomes a physical disruption. 

Where Executives Get This Wrong

We ask almost every client the same question early on: "How are you solving for OT security today?" The two most common answers we hear reveal the core of the problem.

The first is, "We have firewalls between our IT and OT Networks." This sounds reasonable, but it does not address the full picture. Firewalls don't protect PLCs and industrial controllers that have hardcoded or default passwords. They don't account for legacy systems running unsupported operating systems, which are very common inside OT environments. They don't govern third-party remote access, which many PLC manufacturers require to manage and upgrade firmware. A firewall at the perimeter doesn't protect what's already inside. 

Second, "We're air-gapped." An air-gapped network (meaning no physical connectivity to the internet or other networks) sounds like the ultimate protection. The problem is that true air gaps are rare today. Most OT environments have evolved to include third-party remote access. They connect to MES and ERP systems, and they feed into on-premises or cloud-based analytics platforms. The air gap that existed five years ago no longer exists in the same form. Shadow OT makes this even more complex: systems are deployed, integrations are configured, network devices are installed, and none of it goes through central governance. It happens quietly and outside of your visibility. 

Risk Looks Different Here

In IT, risk conversations tend to center on data loss. What was compromised? What was exposed? In OT, those questions are almost secondary. The right questions in an OT environment are:

  • What would stop us from producing?
  • What would halt delivery?
  • What would take our operations offline?

For many manufacturers, a single day of unplanned downtime can exceed their entire annual cybersecurity budget. That's not a hypothetical; it's a financial reality that makes OT security one of the highest-leverage investments a business can make.

And the threat is real. Nation-state actors have been targeting critical infrastructure for years. Stuxnet and Operation Olympic Games aren't just cybersecurity lore; they're proof that digital threats can produce physical consequences at scale. Bad actors understand manufacturing economics. They know the pressure that downtime creates, and they use it.

Trends Worth Watching

The landscape is shifting fast. A few things we're paying close attention to:

First, the convergence of IT, OT, and IoT is accelerating. As more devices and systems connect from the plant floor to the cloud, the attack surface grows. Managing that convergence proactively is no longer optional.

Second, regulatory frameworks such as the NIST CSF are getting serious attention. For a long time, compliance was treated as a box to check. Today, we're seeing companies genuinely invest in aligning to these frameworks and building the technology stack to support them. That shift in mindset is encouraging.

So, Where Do You Start?

I always say: you cannot secure what you cannot see. The first step is visibility. Passive network monitoring. Asset discovery. Mapping IT-to-OT connections. Identifying unsupported or end-of-life systems. You need to know what's on your network before you can make intelligent decisions about how to protect it.
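The visibility step above, which also tests the "we're air-gapped" claim from earlier, sketched as an added example (not from the article or any vendor's product): it builds an OT asset list from passively captured flow records, lists every flow that crosses the OT boundary, and flags end-of-life hosts. The subnets, flow records and OS fingerprints are constructed assumptions.

```python
import ipaddress

# Assumed zone layout (hypothetical addressing, not from the article).
OT_NET = ipaddress.ip_network("10.20.0.0/16")
IT_NET = ipaddress.ip_network("10.10.0.0/16")
# Well-known industrial protocol ports.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}
# Operating systems that are past vendor support.
EOL_OS = {"Windows XP", "Windows 7"}

# Constructed sample: (src, dst, dst_port) records as a passive sensor might export.
FLOWS = [
    ("10.20.1.10", "10.20.1.50", 502),    # HMI -> PLC, stays inside OT
    ("10.10.5.23", "10.20.1.50", 502),    # IT workstation -> PLC
    ("10.20.1.10", "10.10.9.40", 1433),   # HMI -> ERP database in IT
    ("10.20.1.77", "203.0.113.8", 443),   # OT host -> internet (remote access)
    ("10.10.5.23", "10.10.9.40", 1433),   # IT-only traffic, ignored
]
# Constructed passive OS fingerprints for OT hosts.
OS_SEEN = {"10.20.1.10": "Windows 7", "10.20.1.77": "Windows 10"}

def zone(ip):
    """Classify an address as OT, IT or EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    if addr in OT_NET:
        return "OT"
    if addr in IT_NET:
        return "IT"
    return "EXTERNAL"

def analyze(flows, os_seen):
    """Return (OT assets and services, boundary-crossing flows, EOL OT hosts)."""
    assets, crossings = {}, []
    for src, dst, port in flows:
        zs, zd = zone(src), zone(dst)
        if "OT" not in (zs, zd):
            continue
        service = ICS_PORTS.get(port, f"tcp/{port}")
        if zs == "OT":
            assets.setdefault(src, set())            # seen talking: it exists
        if zd == "OT":
            assets.setdefault(dst, set()).add(service)  # seen serving a protocol
        if zs != zd:
            crossings.append((f"{zs}->{zd}", src, dst, service))
    eol = sorted(ip for ip in assets if os_seen.get(ip) in EOL_OS)
    return assets, crossings, eol
```

Any non-empty `crossings` list means the air gap no longer holds, and each entry is a path that segmentation and remote-access policy must account for.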

From there, the conversation moves to segmentation, controlling remote access through Zero Trust Network Access (ZTNA), and aligning governance between IT and OT teams, which, in most organizations, have historically operated in silos. On the supplier side, companies like Claroty and Dragos have become well-known names in this space for good reason. But one company I'd call a hidden gem is Phosphorous.io. Their patented technology is purpose-built for discovery, physical devices, operating systems, firmware versions, credential management, and more. The feedback I've received from clients using Phosphorous has been consistently strong, and it's the kind of foundational capability that makes everything downstream more effective.

Let's Talk

OT security is a space where the stakes are high, and the window to act is narrowing. If your organization is starting to ask these questions or if you're not sure where to begin, I'd welcome the conversation.

Reach out directly or connect with me on LinkedIn. Sometimes the most valuable thing is just a 30-minute call to understand where you stand.

Jason Bourque  |  C3 Technology Advisor |  22 Years in IT Engineering