
OT Security and Compliance Concerns? Where to Bolster Cybersecurity for Operational Technology
Operational technology (OT) outages can disrupt our everyday physical lives, impacting equipment at large-scale power plants, traffic lights, patient care equipment, and manufacturers and distributors meeting demand. The more critical the OT’s function, the more devastating the impact of an attack or outage.
OT cyberthreats don’t go away just because your industrial control system (ICS), IACS, SCADA, PLCs, and working parts are isolated and air-gapped. Attacks can still come from insiders, through peripheral devices, configuration errors, lapses in judgment, and undetected back doors introduced via the software supply chain. Neither OT nor IT environments should be left unmonitored or underprotected. This article explores many of the security controls required to keep OT secure, including knowing when a software setting changed through file integrity monitoring (FIM).
What Is Operational Technology (OT)?
Operational technology (OT) refers to the hardware, embedded firmware, and software systems that monitor, control, and automate physical devices, processes, and infrastructure, especially in industrial environments like manufacturing, energy, transportation, and medical. Building management is another common OT application, as in the automation of HVAC, elevator controls, security systems, and lighting in commercial and residential buildings. In extreme work environments such as space, salvage, and rescue, OT is crucial for directing robotic equipment to complete jobs that are impractical or extremely hazardous for humans (e.g., in the deep ocean, collapsed structures, or the vacuum of space).
OT technology encompasses the subcategories of industrial control systems (ICSs), programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA) systems, enabling real-time data collection, process automation, and direct interaction with the physical world to optimize efficiency, productivity, and safety.
Beyond physical-world security such as human guards, walls, and fences, OT security calls for real-time system monitoring, antivirus (AV), intrusion detection, FIM, active response, network segmentation and firewalling, and dozens of additional security controls. These controls are specified in IEC 62443, NIST SP 800-82, and other international and U.S. technology compliance standards, but individual and industry situations vary, as do results.
The Dark Side: Operational Technology (OT) Security Events
Despite existing security and compliance measures, some notable attacks have been successfully carried out on OT systems. Many of these high-impact attacks have struck government-operated facilities and critical infrastructure and utilities, revealing a shift from physical warfare to cyber warfare. The attacks—and the risk associated with future OT cyberattacks—demonstrate the need for enhanced intrusion prevention, detection and response to protect these OT systems from adversaries who would remotely seize control to inflict damage or extort money.
Examples of incidents in which OT systems have been hacked include:
Stuxnet. The Stuxnet cyberattack on a uranium enrichment facility in Iran in 2010 set a precedent for attacks on OT systems. The perpetrators used the Stuxnet worm to gain subtle control over the Natanz nuclear facility’s PLCs that controlled the centrifuges used for enriching uranium. The remote tampering destroyed an estimated 1,000 centrifuges.
Ukraine’s Power Grid. Repeated attacks on Ukraine’s power grid from 2015 to the present have knocked out substations and regional power distributors, causing a total of at least three blackouts, including one in 2022.
The Tata Power ransomware attack. Also in 2022, a ransomware-as-a-service group exploited vulnerabilities in outdated web server software, likely on an exposed device, to breach one of India’s largest power companies. Intruders compromised IT systems, but the power supply was reportedly unaffected. The incident underscored the need to better protect devices running unsupported and vulnerable software, especially web servers.
The Triton Incident. In 2017, perpetrators targeted safety systems at a Saudi petrochemical plant using malware referred to as Triton or Trisis. The attackers infiltrated the network, a workstation, and the safety controllers, until fail-safe controls kicked in. While nothing was destroyed and no lives lost, the two resultant shutdowns cost roughly two weeks of revenue and productivity at the plant.
The Oldsmar, Florida, water treatment attack. In the 2021 Oldsmar cyberattack, an intruder reportedly used TeamViewer remote desktop software to gain access and change the setpoint for sodium hydroxide, i.e., lye, to a dangerously high level. After a plant operator noticed suspicious cursor activity and the lye level being increased, he restored the proper level. Subsequently, the plant removed the remote access system it was using and disabled all unnecessary remote services. It also moved off legacy, end-of-life Windows 7, implemented MFA, and enhanced its system monitoring and logging to detect unusual activity.
Norway Dam Controls. Most recently, hackers breached the valve controls at Norway’s Lake Risevatnet in 2025 to increase the water flow for several hours prior to detection. Authorities think the intruders exploited a weak password for the facility’s web-based control panel to access the OT environment. The site, which serves mainly as a fish farm, isn’t connected to the power grid and the increase in water volume did not pose an immediate danger.
What do these incidents have in common? In most cases, the attack chain involved all or some of the following:
- Increased IT / OT convergence. Attackers can leverage IoT connectivity, remote access, and other IT / OT convergence points to gain access using compromised credentials and third-party vendor tools. The intruder then often pivots into OT systems through shared IAM credentials.
- Exploitation of weak security or legacy systems or both. Many OT environments use outdated or unpatched hardware and software. They often lack modern security features such as encryption, strong authentication, and regular patching, as well as strong passwords. This makes them especially vulnerable to attacks. (Learn how Atomicorp software can secure legacy systems.)
- Poorly segmented networks that allow attackers to leverage credential dumping and “pass the hash” to move laterally from IT to OT, or from one OT system to another.
- Everyday attack methods. The most frequent initial access vectors in OT attacks have been phishing and compromised email accounts. Other vectors include remote access services, default credentials, and vulnerabilities in publicly accessible OT devices.
- Lack of visibility through software monitoring. Visibility is critical in IT, and the same is true for OT security. However, many organizations have limited visibility into OT network activity, making it difficult to detect, respond to, or even recognize attacks in progress.
- An attack that impacts physical processes. These actions can range from shutting down power grids and sabotaging manufacturing to attempting to poison water supplies or disable safety systems.
- Nation state action and financial gain. Nation-state actors operate perpetually, and AI and automation use can make their attacks even more sophisticated and ubiquitous. Often, they seek strategic advantage or to disrupt or destroy, while others are financially motivated, using ransomware to extort money, predominantly cryptocurrency.
- Insufficient security awareness and training. OT security training isn’t always as comprehensive as IT security training. Training on the basics can go far to eliminate human and process vulnerabilities, such as shared system credentials and insufficient AV or malware detection on server, workstation, and appliance OSs. Fortunately, there are compliance standards that provide a framework for OT security compliance.
Common Compliance Requirements Drive and Reinforce OT Security
Though there is overlap between IT and OT compliance requirements, OT systems have some distinct security requirements due to their integration with physical processes and critical infrastructure. These requirements are largely defined by standards like IEC 62443 and NIST SP 800-82, which emphasize reliability, safety, and resilience alongside cybersecurity and risk management.
Other OT standards overlap with NIST 800-82 and IEC 62443. For example, NERC CIP and ISO 27001 with their system integrity and risk-based security controls map to NIST 800-82 (which itself is largely based on NIST 800-53). However, individual controls can be specific to an industry or the nature of the OT environment.
Below, we cover 11 OT control families that, through software, can provide the framework for OT security compliance.
Key OT Compliance Control Families to Address With Software
Access Control and Authentication: IEC 62443 FR1 and NIST 800-82 IA provide guidance for securing access to OT environments through identity management and authentication functions such as MFA. IEC 62443 FR2 focuses on use control, least privilege, separation of duties, RBAC, and appropriate privilege assignment. NIST 800-82 covers use control concepts across multiple control families, particularly NIST 800-82 AC and IA, including account management, least privilege, and role-based access control (RBAC) enforcement.
System Integrity and Availability: This category involves real-time monitoring to detect anomalies and malware, and controls to maintain functionality during an attack. IEC 62443 FR3 and NIST 800-82 SI require system integrity checks, implemented through integrity verification tools, host-based or log-based intrusion detection systems (HIDS/LIDS), file integrity monitoring (FIM), and anti-malware solutions. IEC 62443 FR7 on resource availability calls for secure boot, the selection of a trusted platform module (TPM), and FIM to protect against resource drain and DoS attacks that could impact OT and physical processes.
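To make the FIM control concrete, here is an added example (not Atomicorp's or any product's code) of a minimal file integrity baseline-and-compare over a controller configuration directory. The directory layout, the `dosing.ini` setpoint file and its values are constructed for the demonstration; a real deployment would store the baseline off-host and sign it.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes: the unit of comparison for FIM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every file under root."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            result[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return result


def compare(old: dict, new: dict) -> dict:
    """Classify drift as added / removed / modified (content or permissions)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def fim_demo() -> dict:
    """Constructed scenario: a setpoint file is altered and a tool dropped after baseline."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        cfg = root / "plc" / "dosing.ini"
        cfg.parent.mkdir()
        cfg.write_text("[chemical_feed]\nnaoh_setpoint_ppm = 100\n")  # constructed value
        (root / "plc" / "firmware.bin").write_bytes(b"\x7fELF-constructed")
        before = baseline(root)
        # Unauthorised edits of the kind FIM exists to surface
        cfg.write_text("[chemical_feed]\nnaoh_setpoint_ppm = 11100\n")  # constructed value
        (root / "plc" / "remote_tool.exe").write_bytes(b"MZ-constructed")
        return compare(before, baseline(root))
```

The report answers "what changed": the setpoint file is flagged as modified and the new executable as added, while the untouched firmware image is silent.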
Configuration Management: The NIST 800-82 CM control family requires management and control over changes to OT system configurations to prevent unauthorized alterations that would let an attack gain a foothold. The IEC 62443 configuration management guidance is included in the IEC 62443-4-1 section on secure product development lifecycle requirements, where it prescribes policies and procedures, and secure design and development of industrial control systems.
Maintenance: Maintenance is addressed in IEC 62443 FR7 on resource availability (RA), which ensures continuous operation and resilience of industrial automation and control systems (IACSs) against disruptions like denial of service (DoS) attacks. NIST 800-82 MA covers both hardware and software maintenance, including patch management, update validation, and secure remote maintenance using VPNs and encryption.
System and Communications Protection: IEC 62443 FR4 and NIST SP 800-82 SC address data confidentiality and encryption, protecting sensitive OT information from unauthorized access and disclosure. NIST 800-82 also references proper handling of PII. Together, these controls help manage data flow and reduce PII breach risks in OT environments.
Network Segmentation and Access Control: This category is covered by IEC 62443 FR5 and NIST 800-82 SC, which describe the use of zones, boundary protection, restricted flows, and conduits to isolate OT from IT and external threats. These functional requirements and controls include network segmentation, boundary protection, firewall rule engines, virtual LAN (VLAN) configurations, and industrial DMZs.
Incident Response and Recovery: IEC 62443 FR6 and NIST 800-82 IR tackle incident response. These controls are implemented through automated response actions, backup and system recovery, and forensic analysis tools. Incident response and recovery involve a plan of action for when an attack occurs and should include secure backups and redundancy for rapid OT recovery.
Contingency Planning: NIST 800-82 CP provides comprehensive guidance for preparing OT systems for disruptions, emphasizing safety and operational continuity beyond data recovery. It addresses OT-specific challenges such as real-time processes, legacy hardware, and physical impacts. IEC 62443 FR7 covers resource availability and recovery, while FR6 addresses incident response. NIST 800-82 CP offers broader and more detailed planning, testing, and training, particularly for U.S. federal compliance, complementing IEC 62443’s resilience objectives.
Secure Firmware and Software Management: This key category involves validating software and firmware updates via secure channels, digital signatures, and encryption, as well as detecting and patching vulnerabilities. IEC 62443 addresses these via Part 62443-2-3 (Patch Management) and its FR3 (System Integrity). These aid in the management of outdated OT/IoT components. NIST 800-82 SI-7 requires detecting unauthorized firmware changes, ensuring authenticity and trusted sources, preventing unauthorized firmware execution, and performing routine integrity checks during operation and bootup.
Audit and Accountability (AU): NIST 800-82 AU provides guidance for audit and accountability controls, which are crucial for detecting and investigating security events and for many compliance standards. These AU controls are implemented through log aggregation tools, SIEM data, and anomaly detection algorithms. IEC 62443 doesn’t have a control family for AU, but IEC 62443 FR6 calls for timely response to events, made possible through continuous monitoring of security events and conditions as well as audit log change detection and controls to prevent log tampering.
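One software control for the log-tampering point above is a hash-chained audit log, shown here as an added example (not the page's or Atomicorp's code). Each entry commits to the previous entry's digest, so editing or deleting a historical record breaks verification at that index; the event records and host names are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def chain_entry(prev_hash: str, record: dict) -> dict:
    """Bind a record to its predecessor by hashing prev_hash + canonical JSON."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
    return {"prev": prev_hash, "record": record, "hash": digest}


def append(log: list, record: dict) -> list:
    """Append a record, linking it to the current tail of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append(chain_entry(prev, record))
    return log


def verify(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first broken entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = chain_entry(prev, entry["record"])["hash"]
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return -1


def audit_demo() -> tuple:
    """Constructed OT audit trail; then a record is edited to hide a remote login."""
    events = [
        {"ts": "2025-01-01T10:00:00Z", "user": "operator1", "action": "login", "host": "hmi-01"},
        {"ts": "2025-01-01T10:05:12Z", "user": "operator1", "action": "setpoint_change",
         "tag": "naoh_ppm", "old": 100, "new": 110},
        {"ts": "2025-01-01T10:07:40Z", "user": "svc-remote", "action": "login", "host": "hmi-01"},
    ]
    log = []
    for ev in events:
        append(log, ev)
    intact = verify(log)
    log[2]["record"]["user"] = "operator1"  # after-the-fact tampering with history
    return intact, verify(log)
```

Verification returns -1 on the untouched log and 2 once the third record is altered; shipping each new tail hash to a separate collector lets the detection run outside the host an intruder controls.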
Risk Assessment and RBAC: Risk-based security controls are central to OT standards like IEC 62443 and NIST 800-82. These frameworks require risk assessments to identify, analyze, and address OT-specific risks. Resulting controls often include RBAC, least privilege, and secure information flow. IEC 62443-3-2 details a risk assessment workflow for industrial systems. In NIST 800-82, RBAC is addressed in AC and supported by IA, with risk management integrated throughout the control selection and implementation process. This risk-based approach also underpins NIST CSF, NERC CIP, and ISO 27001.
Bolster OT Security with Atomicorp
Atomicorp, an XDR and compliance solution provider, helps to address many of the NIST 800-82 and IEC 62443 security controls achievable through software. Our intrusion prevention solution, Atomic OSSEC, enables organizations and federal agencies to secure their OT systems and IT / OT convergence points and address OT security controls in compliance standard control families such as configuration management, system integrity, audit and accountability, firmware protection, and real-time monitoring and protection.
Don’t let a lack of visibility and cyberprotection over your OT environment leave you at risk, particularly if you are using old equipment and unpatched OS software. Atomicorp provides:
- Built-In Compliance Controls: Meet foundational and specific OT security controls through software, including AC (least privilege, RBAC), AU (event logging, audit records, compliance reporting), SI (AV, FIM, anomaly detection, vulnerability management), timely response (automated rules, alerts, forensics), configuration management (least privilege, deny by default, system and configuration hardening), and network segmentation.
- Multiplatform Support: OT environments require critical security features such as AV, malware prevention, vulnerability scanning, FIM, and defense-in-depth features such as firewalls. Our log analysis works across Linux, Windows, AIX, Solaris, HP-UX, and additional operating systems to answer the crucial question of what changed. We can do this through on-device agents, or via an agentless deployment that can protect vulnerable end-of-life operating systems.
- Defense in Depth: Even with Internet access blocked and OT facilities isolated, adversaries can still infiltrate for financial gain or to target high-value assets. Atomic OSSEC layers security and contingency measures, including malware memory analysis to detect fileless malware hiding in memory, AV and firewalling capabilities to block lateral movement, and data loss prevention (DLP). Atomicorp’s Atomic WAF complements internal intrusion prevention by protecting the web application layer, including web apps, APIs, websites, hosting panels, acceleration engines, and overall web presence.
- An Attractive Price: Protect your OT / IT systems and points of convergence with a versatile security solution that works across new, legacy and EOL versions of Windows, Linux, AIX, Solaris OSs, and embedded Linux systems such as Linux IoT. The Atomic OSSEC XDR and compliance solution is available for as low as $5 per month per agent, or as an agentless deployment. Like with all Atomicorp products, you get professional support to assist with use, system optimization, proper configurations, and maintenance.