OT Security Best Practices: 12 Essential Controls
Group COO & CISO
Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments

Sixty percent of organizations experienced OT security incidents in 2025 (Dragos, 2025), yet many still lack even the most foundational controls. The 12 controls covered in this guide form a prioritized, operationally feasible framework for any industrial organization looking to build a defensible OT security posture, regardless of starting maturity.
Key Takeaways
- 12 essential controls cover the full OT security lifecycle from visibility to recovery.
- Asset inventory is the prerequisite for every other control - you cannot protect what you cannot see.
- Network segmentation reduces the blast radius of the 96% of OT incidents that originate in IT (Dragos).
- Monitoring and incident response are the controls most organizations underinvest in.
- OT-specific patching processes must account for vendor validation and operational constraints.
Control 1: Build a Complete OT Asset Inventory
You cannot protect assets you do not know exist. Asset inventory is the prerequisite for every other control in this list. Yet Claroty's 2025 survey found that 38% of OT asset owners have incomplete or outdated inventories. Passive network discovery tools can identify assets from observed traffic without touching devices, making this approach safe for production environments. The discovery exercise frequently reveals hundreds of previously unknown devices.
A complete OT asset inventory includes more than IP addresses and device names. It captures hardware model and serial number, firmware version, communication protocols used, network connections and data flows, responsible owner, criticality classification, and support status. This depth enables risk prioritization based on what matters most, not just what is technically easiest to find.
Asset inventory must be maintained continuously, not created once and forgotten. OT environments change: new devices are installed, network connections are added, firmware is updated. A discovery tool that passively monitors network traffic will capture these changes as they occur. Without continuous maintenance, the inventory becomes stale and unreliable within months of its creation.
[IMAGE: Screenshot of an OT asset management dashboard showing the device inventory grid]
Control 2: Implement Network Segmentation
Network segmentation separates OT systems from IT networks and from each other, limiting the blast radius of any breach. With 96% of OT incidents originating from IT network compromises (Dragos, 2025), an unsegmented network that allows direct communication between enterprise laptops and field PLCs is an unacceptable risk. Firewalls, unidirectional gateways, and dedicated DMZ architectures all provide segmentation options suitable for different risk levels.
Segmentation should follow the principle of least-privilege communication: each OT asset communicates only with the specific systems it needs to communicate with, on specific protocols, in specific directions. A PLC that sends data to a historian does not need to receive commands from the historian. A unidirectional gateway or data diode can enforce this asymmetric flow at the hardware level, making bidirectional exploitation physically impossible.
Micro-segmentation within OT networks further limits lateral movement. Even if an attacker reaches the OT network, internal segmentation prevents them from moving freely between production cells, between sites, or between safety and control networks. This requires more planning and ongoing management than simple perimeter segmentation, but it dramatically improves resilience against the sophisticated attackers who have learned to operate within OT environments.
Control 3: Deploy OT-Specific Continuous Monitoring
Only 52% of organizations have adopted OT-specific monitoring tools (SANS Institute, 2025), leaving nearly half operating blind to what is happening on their industrial networks. Passive, protocol-aware monitoring is the standard approach: it captures all network traffic, decodes industrial protocols like Modbus, DNP3, and OPC-UA, and alerts on communications that deviate from established baselines. It does this without sending any traffic that could disrupt control systems.
Monitoring must cover all levels of the OT network, not just the IT-OT boundary. Attackers who gain entry through the enterprise network often move laterally within OT for weeks or months before executing their attack. Monitoring within OT zones is necessary to detect this lateral movement early, before the attacker reaches critical systems. End-to-end visibility from Level 0 to Level 4 of the Purdue Model is the target state.
Alert quality matters as much as coverage. An OT monitoring deployment that generates thousands of low-quality alerts per day will be ignored by operators, defeating its purpose. Tuning monitoring tools to the specific communication patterns of each OT environment reduces false positives and ensures that genuine anomalies receive attention. This tuning process takes weeks or months after initial deployment and should be planned for explicitly.
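The least-privilege flow rule from Control 2 (a historian reads from a PLC but never writes to it) and the baseline-then-alert approach of Control 3, as an added example that is not part of the original article: a small Python passive analyser that decodes the Modbus/TCP MBAP header, learns the set of (source, destination, unit, function code) flows seen during a known-good window, and flags anything outside it, rating write function codes higher. Addresses and frames are constructed for illustration; a real deployment would feed it captured traffic from a SPAN port or tap.

```python
"""Passive Modbus/TCP flow baseline with anomaly alerting (constructed example)."""
import struct

# Function codes that alter PLC state; codes 1-4 are reads
WRITE_CODES = {5, 6, 15, 16, 22, 23}


def parse_modbus_tcp(payload: bytes):
    """Decode the 7-byte MBAP header plus the function code that follows it.
    Returns (transaction_id, unit_id, function_code) or None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # protocol id is always 0
        return None
    return tid, unit, payload[7]


def flow_key(src: str, dst: str, payload: bytes):
    """Reduce one observed packet to the tuple the baseline is keyed on."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return None
    _, unit, fc = parsed
    return (src, dst, unit, fc)


def build_baseline(packets) -> set:
    """Learning phase: every well-formed flow seen in a known-good window."""
    return {k for k in (flow_key(*p) for p in packets) if k is not None}


def detect(packets, baseline: set) -> list:
    """Detection phase: alert on flows outside the baseline; writes rate HIGH."""
    alerts = []
    for src, dst, payload in packets:
        key = flow_key(src, dst, payload)
        if key is None:
            alerts.append(("HIGH", f"malformed Modbus/TCP frame {src} -> {dst}"))
        elif key not in baseline:
            sev = "HIGH" if key[3] in WRITE_CODES else "MEDIUM"
            alerts.append((sev, f"new flow {src} -> {dst} unit {key[2]} fc {key[3]}"))
    return alerts


def frame(tid: int, unit: int, fc: int, data: bytes = b"") -> bytes:
    """Build a Modbus/TCP request frame (used only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


PLC, HISTORIAN, HMI, ENTERPRISE = "10.1.1.5", "10.1.2.10", "10.1.2.11", "10.0.50.7"
KNOWN_GOOD = [  # constructed: historian and HMI only ever read from the PLC
    (HISTORIAN, PLC, frame(1, 1, 3, b"\x00\x00\x00\x0a")),
    (HMI, PLC, frame(2, 1, 1, b"\x00\x00\x00\x08")),
]
LIVE = KNOWN_GOOD + [  # constructed: two flows the baseline never saw
    (HISTORIAN, PLC, frame(3, 1, 16, b"\x00\x10\x00\x01\x02\x00\x05")),  # historian writes to PLC
    (ENTERPRISE, PLC, frame(4, 1, 3, b"\x00\x00\x00\x0a")),  # enterprise host polls PLC
]

if __name__ == "__main__":
    for sev, msg in detect(LIVE, build_baseline(KNOWN_GOOD)):
        print(sev, msg)
```

The historian-to-PLC write is the asymmetric-flow violation a data diode would make physically impossible; here the monitor at least sees it.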
[CHART: Bar chart of the percentage of organizations with OT monitoring by sector: energy 71%, manufacturing 49%, water 38% (source: SANS ICS Survey 2025)]
Control 4: Control and Audit All Remote Access
Remote access to OT systems expanded dramatically during 2020 and has remained elevated since. Every remote access path is a potential attack vector: vendor maintenance connections, operator home access, and cloud management interfaces all represent entry points that attackers actively exploit. A 2025 Claroty report found that 70% of OT security incidents involved remote access credentials. Controlling remote access is among the highest-impact OT security investments available.
Best practices for OT remote access include: requiring multi-factor authentication for all sessions, routing all sessions through a dedicated privileged access workstation or jump server, recording all session activity for audit and forensic purposes, limiting vendor access to specific assets during specific time windows, and revoking access immediately when the business need ends. Many organizations still grant persistent, unconstrained remote access to dozens of vendors, representing a significant unmanaged risk.
Zero Trust principles apply to OT remote access, though their implementation must account for OT constraints. Continuous verification, least-privilege access, and session monitoring are achievable. Hard network boundaries and vendor-specific access policies can be enforced through OT-aware privileged access management (PAM) solutions. Some PAM vendors now offer products specifically validated for industrial environments.
Control 5: Enforce Strong Identity and Access Management
Shared accounts and default credentials remain alarmingly common in OT environments. A 2025 Tenable survey found that 54% of OT organizations still had default credentials on at least some devices. Default credentials are publicly known for every major industrial device and are the first thing attackers try. Eliminating them is low-cost, operationally straightforward, and should be treated as an immediate action item rather than a long-term project.
Role-based access control should limit what each user and system account can do in OT environments. An operator who needs to read process data does not need to modify PLC logic. An engineer who programs PLCs does not need administrative access to the historian. Least-privilege principles, consistently applied, limit the damage from compromised credentials, whether from phishing, insider threat, or credential reuse from IT systems.
[IMAGE: Diagram of role-based access control layers in an OT environment]
Control 6: Develop an OT-Aware Patch Management Process
OT patching cannot follow IT patch schedules. Vendor validation requirements, operational maintenance windows, safety certification constraints, and legacy system limitations all shape what is actually achievable. An OT-aware patch management process starts by categorizing assets by patchability: which assets can be patched, which require compensating controls, and which must be replaced. This categorization drives realistic risk prioritization rather than futile patch demands on unpatchable systems.
For patchable assets, establish a formal process that includes vendor validation confirmation, pre-production testing where feasible, change management approval, operational window scheduling, and post-patch validation. This process will be slower than IT patching, but it must be repeatable and documented. Regulatory auditors in sectors like energy and chemicals expect to see evidence of a patch management process, even where full patch compliance is not achievable.
Compensating controls for unpatchable systems include network isolation, application whitelisting, protocol-level filtering, and enhanced monitoring. Document these compensating controls explicitly in your asset risk register. When a new vulnerability is disclosed for an unpatchable system, having pre-established compensating controls means you already have a defensible response.
Control 7: Manage the OT Supply Chain
OT supply chain attacks have surged in sophistication and frequency. Attackers compromise OT software vendors, automation integrators, and hardware suppliers to reach their ultimate targets through trusted channels. The CISA's 2025 advisory on ICS supply chain threats identified firmware tampering, malicious software updates, and compromised remote support tools as the primary vectors. Eighty-eight percent of organizations increased OT security spending by more than 10% in 2025 (Dragos), partly in response to supply chain concerns.
Vendor risk management for OT suppliers requires specific questions: Does the vendor have a secure software development lifecycle? How do they test firmware for vulnerabilities before release? What is their process for notifying customers of security issues? Do they provide software bills of materials (SBOMs) for their products? These questions help distinguish vendors who take security seriously from those who do not.
Verify the integrity of software and firmware before deploying it in OT environments. Check hashes against vendor-published values; do not assume that software downloaded from a vendor website has not been tampered with in transit. Where possible, use an isolated test environment to observe the behavior of new software before deploying it to production systems.
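The integrity check described above, as an added example that is not from the article or from any vendor: a Python verifier that parses a sha256sum-style manifest (the format many vendors publish alongside downloads), hashes each image in a download directory, and reports ok, mismatch, missing or unlisted for every name, so a tampered image or an extra file the vendor never listed is caught before anything reaches a test bench. File names, contents and the manifest are constructed for illustration.

```python
"""Verify downloaded OT software/firmware against a vendor SHA-256 manifest."""
import hashlib
import hmac
import os
import re
import tempfile

# sha256sum format: 64 hex chars, whitespace, optional '*' (binary mode), file name
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_manifest(text: str) -> dict:
    """Return {filename: hex_digest}; lines that do not match are ignored."""
    entries = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:  # streamed so large images need not fit in memory
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(directory: str, manifest: dict) -> dict:
    """Map every name to 'ok', 'mismatch', 'missing' (listed but absent)
    or 'unlisted' (present on disk but never published by the vendor)."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            ok = hmac.compare_digest(sha256_file(path), expected)
            results[name] = "ok" if ok else "mismatch"
    for name in os.listdir(directory):
        results.setdefault(name, "unlisted")
    return results


def all_verified(results: dict) -> bool:
    return bool(results) and all(v == "ok" for v in results.values())  # deployment gate


def demo() -> dict:
    """Constructed download set: one intact image, one altered image,
    one extra file, plus a manifest entry for an image that is absent."""
    good, altered = b"PLC-FIRMWARE-2.1.0", b"HMI-RUNTIME-2.1.1-altered"
    manifest = parse_manifest(
        f"{hashlib.sha256(good).hexdigest()}  plc_fw_2.1.0.bin\n"
        f"{hashlib.sha256(b'HMI-RUNTIME-2.1.1').hexdigest()} *hmi_runtime_2.1.1.bin\n"
        f"{'0' * 64}  bootloader_1.4.bin\n")
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("plc_fw_2.1.0.bin", good),
                           ("hmi_runtime_2.1.1.bin", altered), ("notes.txt", b"x")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_directory(d, manifest)
```

The manifest itself should come over a channel independent of the download (signed release notes, the vendor portal over TLS) or the comparison proves nothing.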
Control 8: Implement Application Whitelisting on OT Endpoints
Application whitelisting prevents unauthorized software from executing on OT engineering workstations, HMIs, and historian servers. Unlike traditional antivirus, which tries to detect known malicious code, whitelisting only permits explicitly approved applications to run. In OT environments, where the set of legitimate applications changes rarely, whitelisting is both technically feasible and highly effective. It blocks malware, ransomware, and attacker tools regardless of whether they have been seen before.
Deployment must be preceded by careful baseline documentation. Every legitimate application, script, and service must be catalogued before whitelisting is enforced, or operations will be disrupted when legitimate software is blocked. The initial documentation exercise takes significant effort but is typically completed once; ongoing maintenance requires change management discipline rather than continuous heavy lifting.
Control 9: Secure and Test OT Backups
Ransomware targeting OT environments increasingly destroys or encrypts backups before triggering the main attack, knowing that backup availability is the primary alternative to paying the ransom. Dragos reported that ransomware attacks on OT are growing 40% annually. OT backups must be stored offline or in an air-gapped environment that ransomware cannot reach. Network-connected backup systems that use the same credentials as production systems are not sufficient protection.
OT backups must include everything needed to restore operations: PLC logic, HMI configurations, historian data, engineering workstation configurations, and network device configurations. Many organizations discover during incident response that they have backups of some components but not others, making full restoration impossible. A recovery drill, conducted at least annually, is the only reliable way to confirm that backup procedures actually work.
Recovery time objectives (RTOs) for OT systems must be established by the business, not assumed by the security team. A production line RTO of 4 hours requires very different backup and recovery architecture than an RTO of 72 hours. Align backup procedures with these RTOs and test them explicitly to confirm they are achievable.
[CHART: Rising bar chart showing 40% annual growth in ransomware attacks targeting OT (source: Dragos 2025)]
Control 10: Develop and Test OT Incident Response Plans
OT incident response differs fundamentally from IT incident response. Containment decisions that are routine in IT, such as isolating a system or shutting down a service, can cause physical harm or production loss in OT. Response actions must be pre-approved by engineering and operations management, with clear authority chains that do not require real-time approval during a crisis. Pre-approved response playbooks, developed jointly between security, engineering, and operations, enable faster and safer incident response.
Tabletop exercises that simulate OT-specific scenarios are the most cost-effective way to test and improve OT incident response capability. Exercises should include realistic OT scenarios: ransomware spreading from IT to OT, a compromised vendor remote access session, anomalous PLC commands detected during peak production. Each exercise reveals gaps in playbooks, communication plans, and decision-making authority that can be addressed before a real incident occurs.
Integration with IT incident response is equally important. The 96% of OT incidents that originate from IT compromises mean that IT and OT incident response teams will regularly work the same incident from different angles. Joint exercises that include both teams, with realistic IT-OT attack scenarios, build the coordination skills and mutual familiarity needed for effective joint response.
Control 11: Train OT Staff on Cybersecurity Awareness
Operations staff who interact with OT systems are a critical security layer. A phishing email that compromises an engineer's laptop becomes an OT security incident if that laptop connects to the OT network. USB devices brought from home into control rooms bypass network-level security controls entirely. Personnel-focused security awareness, tailored to OT-specific risks and scenarios, addresses threats that technical controls cannot fully mitigate.
OT security awareness training differs from standard corporate security awareness. It should use scenarios drawn from the industrial environment: suspicious USB drives found near a control room, a vendor asking for unusual remote access permissions, a phishing email mimicking an automation vendor's software update notification. Relevance to the actual work environment dramatically improves training effectiveness and knowledge retention.
Control 12: Measure and Report OT Security Metrics
OT security programs that cannot demonstrate their value are vulnerable to budget cuts. Metrics must translate technical security activities into business outcomes that operations and executive leadership understand. Useful OT security metrics include: percentage of critical assets covered by monitoring, mean time to detect anomalies, number of unpatched critical vulnerabilities, and percentage of remote access sessions audited. These metrics show program progress and enable informed investment decisions.
Regular reporting to senior leadership, including plant management and the board where appropriate, builds organizational support for the OT security program. Leaders who understand the threat landscape and can see evidence of program progress are more likely to sustain investment during budget pressure. For organizations building or maturing their OT security program, Opsio's OT security services provide both the technical capability and the reporting frameworks to demonstrate measurable progress.
Frequently Asked Questions
Which of the 12 controls should I implement first?
Asset inventory (Control 1) and network segmentation (Control 2) provide the highest combined impact for organizations starting from low maturity. You cannot protect what you cannot see, and flat networks allow attacks to spread without resistance. Remote access control (Control 4) should follow immediately, given that 70% of OT incidents involve remote access. These three controls address the most common attack paths and provide a foundation for everything else.
How do I apply these controls to legacy OT systems that cannot be modified?
Compensating controls are the answer for legacy systems. Network isolation prevents attackers from reaching vulnerable devices. Protocol-level firewalls block commands that the device should not receive. Enhanced monitoring detects anomalous access attempts. Application whitelisting on connected workstations prevents attackers from uploading malicious logic. Document these compensating controls in your risk register with explicit justification for why patching or replacement is not currently feasible.
How long does it take to implement all 12 controls?
A realistic implementation timeline is 18-36 months for organizations starting from low maturity. Some controls, like eliminating default credentials and documenting remote access paths, can be completed within weeks. Others, like full network segmentation and comprehensive monitoring coverage, require significant planning, capital, and operational coordination. Prioritize by risk impact and operational feasibility, not by what is technically easiest.
Do these controls align with IEC 62443?
Yes. All 12 controls map to IEC 62443 requirements, primarily across the IACS Fundamental Requirements: Identification and Authentication (FR 1), Use Control (FR 2), System Integrity (FR 3), Data Confidentiality (FR 4), Restricted Data Flow (FR 5), Timely Response to Events (FR 6), and Resource Availability (FR 7). Organizations using IEC 62443 as their compliance framework will find these controls directly applicable to their security level targets.
Conclusion
These 12 controls form a comprehensive but achievable framework for OT security. They address the primary attack vectors: IT-OT network connections, remote access abuse, legacy system vulnerabilities, supply chain risks, and the persistent challenge of limited visibility. Implementing them in priority order, with operational constraints respected at every step, builds real-world resilience rather than paper compliance.
The 88% of organizations that increased OT security spending by more than 10% in 2025 are investing in exactly these capabilities. The 60% that experienced incidents are the ones that had not yet deployed them. The evidence for action is clear.
Author: Opsio Security Practice | Published: April 2026 | Last updated: April 2026