OT control is about more than security
Most organisations operating OT environments have a cybersecurity programme.
Far fewer have control.
And when we examine the most serious OT incidents of recent years, they rarely began with sophisticated malware or advanced attackers. More often, they started with something far more ordinary: unknown assets connected to the network, uncontrolled vendor access that nobody had followed up, unclear ownership between IT and OT, or incomplete visibility into systems that had been running for years without proper documentation.
Technology alone does not create control.
Control starts with visibility, governance, and structure.
What does “control” actually mean in an OT environment?
In traditional IT environments, control is often measured through access management, logging, monitoring, and incident response.
OT environments are different.
An OT environment with genuine control typically demonstrates four characteristics.
Visibility: You know what exists within the environment — not only the systems installed last year, but also the PLC that was commissioned fifteen years ago and never properly documented.
Structure: Roles and responsibilities are clearly defined. Everyone understands who owns systems, who approves changes, and who is accountable for security decisions.
Governance: Changes, vendor access, risk management, and operational procedures are handled systematically rather than through informal workarounds.
Compliance: Relevant standards and regulatory requirements are understood, prioritised, and incorporated into daily operations.
Many organisations have strong security technologies while still lacking control across these four areas.
Why OT control is different from IT control
Many cybersecurity approaches were originally designed for IT environments.
Industrial environments operate under fundamentally different conditions.
Long lifecycles and legacy systems. A PLC installed twenty years ago may still be essential for production. It may not support modern authentication. It may not be patchable. It may not even appear in an up-to-date asset inventory. Yet it remains business-critical.
Availability comes first. In IT, a service can often be taken offline for maintenance. In OT, downtime may mean halted production, environmental consequences, safety risks, or significant financial losses. Security controls must therefore be designed around operational requirements rather than purely technical considerations.
Vendor dependency is built into the environment. Many industrial systems rely heavily on specialised vendors for maintenance, support, and troubleshooting. Without proper governance, organisations can quickly lose visibility into who has access, when they are connected, and what changes they are making.
Ownership has historically been unclear. For decades, OT systems were considered an operational responsibility. Cybersecurity belonged to IT. The result is often a governance gap where neither function has full ownership of OT security — and where ownership is unclear, control is usually missing.
The three most common OT control challenges
Across manufacturing, energy, utilities, transportation, maritime environments, and critical infrastructure in the Nordics and beyond, the same challenges appear repeatedly.
1. Asset inventories that do not reflect reality
Most organisations maintain some form of asset register.
Far fewer maintain one that accurately reflects the current environment.
In power and energy companies, it is common to find field devices and RTUs that have been connected for years without appearing in any formal inventory. In manufacturing environments, temporary connections made for a maintenance visit have often never been removed. During assessments, we regularly discover devices running unknown firmware versions, assets without a designated owner, and equipment with unsupported software still connected to production networks.
Passive asset discovery and network monitoring often reveal a very different picture from what official documentation suggests.
Without accurate visibility, every other security initiative becomes more difficult.
2. Vendor access without adequate control
Vendors require access.
That is not the problem.
The problem arises when access is permanent rather than temporary, or when it is unmonitored, unlogged, unapproved, or provided through unmanaged remote access solutions.
In port and maritime environments, we regularly find vendor connections that have been open for years after the original maintenance work was completed. In industrial facilities, VPN credentials issued to a service technician during commissioning are sometimes still active a decade later — with nobody actively managing them.
At that point, the issue is no longer just cybersecurity.
It is a control problem: the organisation simply no longer knows who can access the environment.
3. Unclear ownership and accountability
Who approves changes to the OT network?
Who authorises new vendor connections?
Who handles incidents that impact both IT and OT systems?
These questions often produce different answers depending on who is asked. In many Nordic industrial organisations, IT believes OT belongs to operations, while operations assumes cybersecurity belongs to IT.
The result is a governance vacuum.
And governance vacuums rarely remain empty for long.
Risk accumulates unnoticed.
The five building blocks of OT control
Control is not created by a single technology platform.
It is built through a combination of governance, processes, operational discipline, and continuous oversight.
Building block 1: OT governance
Governance defines ownership. It answers fundamental questions: who owns OT security, who approves changes, how are risks escalated, and how are responsibilities divided between IT and OT?
Without clear governance, every other control becomes difficult to sustain. OT security should not be treated as an isolated operational concern — it should be part of the organisation’s broader risk management strategy.
Building block 2: Asset lifecycle management
Control requires visibility throughout the entire lifecycle of an asset — from procurement to decommissioning. This includes maintaining accurate inventories, tracking firmware and software versions, assigning ownership, and planning for end-of-life replacement.
Asset inventories should be continuously validated against the actual environment. What exists on paper should match what exists on the network.
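One way to run that validation, shown as an added example rather than code from this article or from NetNordic: the script compares an asset register export with a list of devices seen by passive monitoring and reports the gaps described above. The CSV column names, MAC addresses and device names are constructed for illustration.

```python
import csv
import io

# Constructed sample data: the formal asset register (what exists on paper).
REGISTER_CSV = """mac,name,owner,firmware
02:00:00:00:00:01,PLC-LINE1,ops-line1,4.2.1
02:00:00:00:00:02,RTU-SUB7,,2.0.0
02:00:00:00:00:03,HMI-PACK2,ops-packaging,7.1
"""

# Constructed sample data: devices seen by passive network monitoring.
OBSERVED_CSV = """mac,ip,firmware
02:00:00:00:00:01,10.10.1.11,4.0.9
02:00:00:00:00:02,10.10.7.20,2.0.0
02:00:00:00:00:09,10.10.1.77,
"""


def load(text):
    """Parse CSV text into a dict keyed by lower-cased MAC address."""
    return {r["mac"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(register, observed):
    """Return sorted (category, mac, detail) findings for every mismatch."""
    findings = []
    for mac, seen in observed.items():
        entry = register.get(mac)
        if entry is None:  # on the network, missing from the register
            findings.append(("unregistered", mac, f"seen at {seen['ip']}"))
            continue
        if not seen["firmware"]:  # monitoring could not identify the version
            findings.append(("firmware_unknown", mac, entry["name"]))
        elif seen["firmware"] != entry["firmware"]:
            detail = f"{entry['name']}: register {entry['firmware']}, observed {seen['firmware']}"
            findings.append(("firmware_mismatch", mac, detail))
    for mac, entry in register.items():
        if not entry["owner"].strip():  # no designated owner
            findings.append(("no_owner", mac, entry["name"]))
        if mac not in observed:  # on paper only: decommissioned, offline or moved
            findings.append(("not_observed", mac, entry["name"]))
    return sorted(findings)


if __name__ == "__main__":
    for category, mac, detail in reconcile(load(REGISTER_CSV), load(OBSERVED_CSV)):
        print(f"{category:18} {mac}  {detail}")
```

A `not_observed` result is a prompt to check, not proof of removal: passive monitoring only sees devices that communicate on the monitored segments.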
Building block 3: Management of change (MOC)
In OT environments, changes introduce risk. A seemingly minor configuration change can disrupt production, create vulnerabilities, or impact safety-critical processes.
Effective change management requires risk assessments before implementation, formal approval processes, testing where possible, documentation, and rollback procedures. Management of change has long been a cornerstone of industrial operations. It is equally important for cybersecurity.
Building block 4: Vendor management
Vendor access should be treated as a controlled business process — not an administrative afterthought.
That includes approval workflows, time-limited access, secure remote access solutions, activity logging, and supplier security requirements.
Under NIS2 and similar regulations, supply chain security is no longer optional. Organisations must be able to demonstrate that third-party risks are identified, assessed, and managed.
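A periodic review of vendor accounts can check these properties mechanically. The following is an added example, not part of the original article: the record fields, account names, change references and the 90-day staleness threshold are assumptions, not the export format of any particular remote access product.

```python
from datetime import date

# Constructed sample records; field names are assumptions for this example.
ACCOUNTS = [
    {"id": "vendor-a-tech1", "enabled": True, "expires": None,
     "approval_ref": None, "session_logging": False,
     "last_login": date(2016, 3, 2)},
    {"id": "vendor-b-support", "enabled": True, "expires": date(2025, 1, 31),
     "approval_ref": "CHG-0001", "session_logging": True,
     "last_login": date(2025, 1, 20)},
    {"id": "vendor-c-oncall", "enabled": True, "expires": date(2025, 6, 30),
     "approval_ref": "CHG-0002", "session_logging": True,
     "last_login": date(2025, 6, 1)},
]

STALE_AFTER_DAYS = 90  # assumed threshold; take the real value from your access policy


def audit(accounts, today):
    """Map each enabled account id to the list of control gaps it shows."""
    report = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        gaps = []
        if acct["expires"] is None:
            gaps.append("permanent")            # access has no end date
        elif acct["expires"] < today:
            gaps.append("expired_but_enabled")  # time limit exists but is not enforced
        if not acct["approval_ref"]:
            gaps.append("unapproved")           # no approval on record
        if not acct["session_logging"]:
            gaps.append("unlogged")             # activity cannot be reviewed
        last = acct["last_login"]
        if last is None or (today - last).days > STALE_AFTER_DAYS:
            gaps.append("stale")                # unused access that is still open
        if gaps:
            report[acct["id"]] = gaps
    return report


if __name__ == "__main__":
    for account_id, gaps in audit(ACCOUNTS, date(2025, 6, 15)).items():
        print(account_id, ", ".join(gaps))
```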
Building block 5: Vulnerability and patch management for OT
Patching in OT is fundamentally different from patching in IT. Operational requirements often prevent immediate updates. Some legacy systems cannot be patched at all.
A practical OT approach includes:
- Identifying known vulnerabilities against the actual installed asset base
- Prioritising based on operational risk and potential consequence
- Coordinating patching with planned maintenance windows
- Implementing compensating controls where patching is not immediately possible
- Applying virtual patching — using network-level controls such as IDS/IPS rules or firewall policies to block exploitation of a known vulnerability, without touching the underlying system
Virtual patching is particularly relevant in OT environments where legacy systems cannot be taken offline, where vendor support restrictions prevent direct updates, or where patching would carry an unacceptable operational risk. It is not a permanent solution, but it is a recognised and effective interim measure.
The objective is not patch compliance — it is risk reduction.
How standards support OT control
A common question is: “Which framework should we follow?”
The answer is usually a combination of several.
IEC 62443 is the leading international cybersecurity standard for industrial environments. It provides detailed technical and architectural guidance and introduces concepts such as zones, conduits, and security levels.
ON104, widely used within the Norwegian energy and petroleum sectors, provides a practical maturity framework that helps organisations assess their current capabilities and prioritise improvements.
ISO 27001 provides the governance structure — risk management, documentation, audits, and continual improvement. While originally developed for IT environments, it provides an important management framework for OT when adapted appropriately.
Together, these frameworks provide governance and management structure (ISO 27001), technical OT security requirements (IEC 62443), and maturity measurement and prioritisation (ON104). They are complementary rather than competing approaches.
Why visibility and governance come before SOC
Many organisations want to begin with monitoring and detection.
That is understandable — and a modern OT SOC can provide significant value: continuous monitoring, incident detection, and expert analysis across both IT and OT environments.
However, a SOC delivers limited value if the fundamentals are missing.
If asset inventories are incomplete, ownership is unclear, vendor access is unmanaged, and operational processes are undefined, analysts spend more time investigating noise than responding to genuine threats.
The path to effective OT monitoring is therefore:
Visibility → Governance → Control → Detection
When the first three are established, a SOC becomes significantly more effective. It transforms security from a periodic activity into a continuous capability — and makes the investment deliver its intended value.
Three questions every organisation should ask
- Do you know which vendors currently have access to your OT environment — and what systems they can reach?
- Is ownership of OT security clearly defined and understood across the organisation?
- Do you understand which standards and regulatory requirements apply to your operations — and what they mean in practice?
If any of these questions are difficult to answer, you are not alone.
But it is probably where your OT control journey should begin.
[Read part 1: From Purdue to modern OT security] | [Read part 3: From assessment to compliance]
NetNordic helps organisations establish real control in OT environments — from asset visibility and governance to SOC integration, vendor management, and regulatory compliance.