Making OT Cybersecurity Practical
Over the past weeks I have made the case that OT cybersecurity is an engineering design problem, not an IT department problem. This article makes that case practical: what does an OT security assessment actually involve, what does it produce, and what does it mean for the way a project is designed and delivered?
What an OT Security Assessment Is
An OT security assessment is a structured evaluation of the cybersecurity posture of an operational technology environment. It covers the systems that control physical processes — PLCs (Programmable Logic Controllers), SCADA systems (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), SIS (Safety Instrumented Systems), HMI workstations (Human Machine Interfaces), and the network infrastructure that connects them.
For infrastructure projects, the most relevant international framework is IEC 62443 — the international standard for industrial automation and control systems security. In Saudi Arabia, the NCA’s Operational Technology Cybersecurity Controls (OTCC) establish the regulatory baseline. These two frameworks overlap significantly and together define what good OT security looks like in this region and market.
Scope of a Comprehensive OT Assessment
Asset inventory and identification is the starting point. This sounds simple; it rarely is. Most operational facilities do not have an accurate, current inventory of their OT assets — what controllers they have, what software versions they run, how they are connected, who has access to them. Building that inventory is a prerequisite for everything else. Without it, you cannot assess vulnerability, cannot prioritize mitigation, and cannot demonstrate compliance.
Network architecture review examines how the OT network is structured and how it relates to the corporate IT network and external connectivity. The fundamental principle of OT network security is segmentation — the OT network should be separated from the IT network by a defined boundary (typically a demilitarized zone) that controls and monitors the flow of information between them. Many operational facilities, particularly those built before OT cybersecurity became a serious design consideration, have flat network architectures where IT and OT systems are on the same network segment. This is the condition that made the Triton attack possible: the attackers could reach the safety controllers from the corporate network because the segmentation boundary did not exist.
Vulnerability assessment identifies specific known vulnerabilities in the OT assets identified in the inventory. OT systems run specialized software, including real-time operating systems, controller firmware, and HMI applications that often run on versions of Windows that are no longer supported by Microsoft — because the OT vendor’s engineering software has not been updated to run on current Windows versions and the vendor’s update schedule is not aligned with Microsoft’s. This creates a patching problem that is fundamentally different from IT security: in IT, the answer to an unpatched operating system is to update it; in OT, the update may break the process control application, and the update cycle is measured in years, not months.
Access control review examines who has access to OT systems and how that access is managed. Remote access — used by controls vendors for monitoring and support — is one of the most significant and least controlled access paths in OT environments. Many OT systems have remote access channels installed by vendors during commissioning that remain active, unmonitored, and without multi-factor authentication for the life of the system.
Incident response assessment covers the organization’s capability to detect, respond to, and recover from OT security incidents. In most OT environments, this capability is underdeveloped or absent. There is no OT-specific incident response procedure. There is no OT network monitoring that would alert operations staff to anomalous activity. The water treatment attack in Oldsmar, Florida, succeeded in reaching the SCADA system because there was no monitoring that would have detected the intrusion — it was caught by a human who happened to be watching.
Assessment Output and Project Integration
A properly scoped OT security assessment produces a risk-ranked findings report, a gap analysis against the applicable framework (IEC 62443 and/or NCA OTCC), and a remediation roadmap that prioritizes findings by risk level and provides specific technical and procedural recommendations for each.
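As an added illustration (not code from the original article, and not Concept Dash's tooling), the following Python sketch runs the four checks described under the assessment scope above (IT-to-OT paths that bypass the DMZ, hosts on unsupported operating systems, vendor remote access without MFA, and absence of OT network monitoring) over a small constructed inventory, then produces the risk-ranked findings list and per-area gap summary that the assessment output is described as delivering. The asset records, zone names, conduit list, unsupported-OS set, severity rules and assessment-area labels are all assumptions made for illustration; a real assessment would populate them from the site inventory, the firewall rule set and the OS vendors' published lifecycle dates.

```python
"""Added example: a minimal OT assessment check-runner.

Everything here is constructed for illustration: the asset inventory, the
zone/conduit list, the unsupported-OS set and the severity rules are
assumptions, not data from a real site or from any vendor's tooling."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                    # PLC, SIS, HMI, EWS (engineering workstation), historian
    zone: str                    # enterprise, dmz, control or safety
    os: str                      # OS / firmware family as recorded in the inventory
    remote_access: bool = False  # vendor remote-support channel present
    mfa: bool = False            # that channel protected by multi-factor auth


@dataclass(frozen=True)
class Finding:
    area: str       # assessment area: segmentation, patching, access_control, monitoring
    severity: str   # critical, high or medium
    asset: str      # asset name, or "zone:<name>" / "site" for architectural findings
    detail: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Assumed out-of-support operating systems; a real assessment would take this
# list from the OS vendor's published lifecycle dates.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}


def flat_paths(conduits, src="enterprise", targets=("control", "safety"), dmz="dmz"):
    """Return the target zones reachable from `src` along a chain of conduits
    that never enters the DMZ, i.e. paths that bypass the IT/OT boundary."""
    adjacency = {}
    for a, b in conduits:
        adjacency.setdefault(a, set()).add(b)
    seen, queue = {src}, deque([src])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt == dmz or nxt in seen:   # the DMZ is the boundary: stop there
                continue
            seen.add(nxt)
            queue.append(nxt)
    return sorted(z for z in targets if z in seen)


def assess(assets, conduits, ot_monitoring):
    """Run the scope checks and return findings ranked by severity."""
    findings = []
    # Network architecture review: IT must reach OT only through the DMZ.
    for zone in flat_paths(conduits):
        findings.append(Finding("segmentation", "critical" if zone == "safety" else "high",
                                f"zone:{zone}",
                                f"{zone} zone reachable from enterprise without crossing the DMZ"))
    for a in assets:
        # Vulnerability assessment: hosts on operating systems no longer supported.
        if a.os in UNSUPPORTED_OS:
            findings.append(Finding("patching", "high", a.name, f"runs unsupported OS {a.os}"))
        # Access control review: vendor remote access left without MFA.
        if a.remote_access and not a.mfa:
            findings.append(Finding("access_control", "critical" if a.zone == "safety" else "high",
                                    a.name, "remote access channel without multi-factor authentication"))
    # Incident response assessment: nothing watching the OT network at all.
    if not ot_monitoring:
        findings.append(Finding("monitoring", "high", "site",
                                "no OT network monitoring to alert on anomalous activity"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.area, f.asset))


def gap_analysis(findings, areas=("segmentation", "patching", "access_control", "monitoring")):
    """Per-area summary: 'gap' where any finding is open, else 'no finding'."""
    open_areas = {f.area for f in findings}
    return {area: ("gap" if area in open_areas else "no finding") for area in areas}


# Constructed inventory of a small facility (not a real site).
SAMPLE_ASSETS = [
    Asset("PLC-01", "PLC", "control", "VxWorks 6.9"),
    Asset("SIS-01", "SIS", "safety", "vendor SIS firmware", remote_access=True, mfa=False),
    Asset("HMI-01", "HMI", "control", "Windows 7"),
    Asset("EWS-01", "EWS", "control", "Windows 10", remote_access=True, mfa=True),
    Asset("HIST-01", "historian", "dmz", "Windows Server 2019"),
]
# Permitted zone-to-zone conduits; the last one is the flat-network defect.
SAMPLE_CONDUITS = [("enterprise", "dmz"), ("dmz", "control"),
                   ("control", "safety"), ("enterprise", "control")]


def sample_report():
    findings = assess(SAMPLE_ASSETS, SAMPLE_CONDUITS, ot_monitoring=False)
    return findings, gap_analysis(findings)


if __name__ == "__main__":
    findings, gaps = sample_report()
    for f in findings:
        print(f"[{f.severity:>8}] {f.area:<15} {f.asset:<12} {f.detail}")
    print(gaps)
```

The segmentation check is deliberately a reachability question rather than a rule-by-rule review: a single stray conduit from the enterprise zone into the control zone makes the safety zone reachable too, which is exactly the condition the article attributes to the Triton intrusion. Removing that conduit and turning on monitoring clears two of the four areas in the gap summary while the unsupported HMI and the un-MFA'd safety-system remote channel remain open findings for the remediation roadmap.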
For projects in design or construction, the assessment findings translate directly into design specifications. Network segmentation requirements become network architecture drawings. Access control requirements become commissioning standards. Monitoring requirements become scope items for the control system integrator.
This is where the design stage timing matters most. Incorporating OT security requirements into the design scope costs a fraction of retrofitting them after commissioning. A network segmentation architecture specified at 30% design becomes a standard part of the control system procurement. The same requirement identified after a system has been commissioned requires physical network modifications, software reconfiguration, and often a controls vendor engagement that costs 10-20 times what the original specification would have cost.
Concept Dash’s OT cybersecurity team offers complimentary gap assessments for infrastructure operators in Saudi Arabia. If your facility or program has not addressed OT security in the design scope, reach out before the design is committed — not after.