Smart Factories, Hidden Dangers: 6 Steps to Secure OT


Written By: AKATI Sekurity Insights Team | Cybersecurity Consulting & MSSP Experts

Reading Time: 6 minutes

In Brief: Factories, power plants, and water treatment facilities worldwide are connecting their industrial machinery to the internet for efficiency and remote monitoring—creating a dangerous blind spot. These operational technology (OT) systems were never designed for cybersecurity, yet attacks on them can cause explosions, blackouts, and environmental disasters. This guide explains what OT security means, why it matters to everyone (not just factory owners), and the six critical steps to protect industrial systems before attackers cause real-world physical harm.


The Day a Hacker Nearly Poisoned a City's Water Supply

February 5, 2021. Oldsmar, Florida. A water treatment plant operator noticed something strange on his computer screen. The cursor was moving by itself. Someone else was controlling his computer remotely. As he watched, the intruder opened the software that controls chemical dosing for the city's drinking water and raised the sodium hydroxide (lye) setpoint from about 100 parts per million to 11,100, roughly 111 times the normal level. Enough to sicken the town's roughly 15,000 residents. The operator immediately set the level back to its normal range and alerted authorities. The water supply was never in real danger: the operator caught the change within minutes, and the plant's water quality checks and alarms would have flagged the dosing change before treated water reached homes. But the attempt was real. The access was real. And it exposed a terrifying reality: the systems that control our physical world (water treatment, electrical grids, manufacturing plants, transportation) can be hacked just like computers, except the consequences aren't stolen credit cards or leaked emails. The consequences are explosions, blackouts, chemical spills, and deaths.

This wasn't a sophisticated nation-state attack requiring years of planning. The intruder used TeamViewer, a legitimate remote access tool the plant relied on for troubleshooting. According to the FBI advisory cited at the end of this article, the plant's computers ran Windows 7, were reachable from the internet through TeamViewer, and shared a single remote access password. Someone, possibly a former employee, possibly an outsider who obtained that password, simply logged in. No elaborate hacking required. They had a password. They had access. They nearly poisoned a city. This is the world of Operational Technology security, or OT security: a term most people have never heard, protecting systems most people don't think about, preventing disasters that would make headlines around the world. If you run a business with any kind of industrial equipment, manufacturing systems, or physical infrastructure controls, this applies to you. If you're a citizen who depends on electricity, water, transportation, or manufactured goods (which is everyone), this affects your life. Let's break down what OT security means, why it's suddenly become an urgent problem, and what's being done to prevent the next water poisoning attempt, or worse.


What Is Operational Technology and Why Should You Care?

Let's start with basics. When most people think "cybersecurity," they picture protecting computers, servers, websites, and data. That's Information Technology—IT for short. The computers in your office running email, spreadsheets, and business software. The servers storing customer data. The website where people buy your products. IT security protects digital information and business operations. But there's another whole category of technology that most people never consider: Operational Technology, or OT. These are the computers and control systems that run physical processes in the real world. The systems that open and close valves in water treatment plants. The controls that regulate temperature in pharmaceutical manufacturing. The automated machinery assembling cars. The systems monitoring pressure in oil pipelines. The computers running power grid distribution. The building automation systems controlling HVAC, elevators, and access doors.

Here's why OT is different from regular IT, and why that difference creates massive security problems. Most OT systems were designed 20, 30, even 40 years ago when nobody imagined they'd be connected to the internet. They were closed systems, isolated in factories and plants, accessed only by engineers walking up to control panels. Security wasn't a consideration because attackers would need physical access—they'd have to break into the facility to cause harm. The systems run on old, often custom software that can't be updated easily. Patch a regular computer and if something breaks, you restart it. Patch a system controlling a chemical process and if something breaks, the factory shuts down, costing hundreds of thousands per hour in lost production. So OT systems rarely get updated, sometimes running the same software for decades. OT systems prioritize availability and safety above everything else. A factory floor control system must run 24/7 without interruption. Real-time response matters—delays of even seconds can cause quality problems or safety issues. This makes traditional security measures difficult to implement.

The collision between IT and OT started innocently enough. Companies wanted better efficiency and monitoring. Instead of engineers physically checking gauges on factory equipment, why not connect sensors to the network so supervisors can monitor from offices? Instead of manually recording production data on clipboards, why not have systems automatically log everything to databases? Remote troubleshooting saves money—experts can diagnose problems from headquarters instead of flying to remote facilities. Cloud connectivity enables predictive maintenance—analyze machine data to predict failures before they happen. These are all genuinely good ideas that save money and improve operations. The problem: these connections create pathways for attackers to reach systems that were never designed with security in mind. When you connect your factory floor to your corporate network to enable remote monitoring, you've also connected it to the internet, email systems, and everything else. When attackers compromise an employee's laptop through a phishing email, they're now one step away from industrial control systems that can cause physical damage.


Step 1: Discover What OT Systems You Actually Have (Most Organizations Don't Know)

The first step in OT security sounds embarrassingly basic: figure out what OT systems you have and where they're connected. You'd think every organization would know this. You'd be wrong. Most companies have far better visibility into their IT systems (laptops, servers, applications) than their OT environment. Walk into a manufacturing facility and ask "What systems control production here?" You'll get vague answers. "There's the SCADA system that monitors everything." "Each production line has its own controllers." "Building automation is separate, I think." Nobody has a comprehensive inventory.

Here's why this happens. OT systems accumulated over decades. A factory built in 1985 had one control system. Expansions in 1992, 2001, and 2015 added equipment with their own controllers. Different vendors, different technologies, different management. When IT departments started pushing network connectivity for monitoring and efficiency, they connected these systems without fully documenting what they were connecting to. Some OT systems got connected to corporate networks directly. Others went through "industrial DMZs" (supposedly isolated network zones). Some remain air-gapped (completely disconnected from other networks). But nobody has a complete map showing exactly what exists, where it's connected, what it controls, and what happens if it fails or gets compromised. Creating this inventory requires capturing traffic passively at switch mirror ports to see who talks to whom (not active port scanning, which can crash or hang older controllers), interviewing engineers who've worked there for years, reviewing old installation documentation, and tracing physical network cables to understand connections. It's tedious, unglamorous work that often reveals uncomfortable truths: systems thought to be isolated are actually connected, critical safety systems have network access nobody knew about, and outdated equipment with known vulnerabilities still runs production processes because replacing it costs millions.


Step 2: Separate OT Networks from Corporate IT Networks (Create Protective Barriers)

Once you know what OT systems you have, the next critical step is network segmentation—creating barriers between your OT environment and your regular corporate IT network. Think of it like firewalls in buildings. If fire breaks out in one section, firewalls contain it and prevent spread. Network segmentation does the same for cyber attacks. The goal isn't complete isolation (that would prevent the legitimate monitoring and remote access that provides business value). The goal is controlled connectivity—allowing necessary communication while preventing attacks from spreading freely between environments.

The Purdue Model provides a widely-used framework for OT network architecture that creates these protective layers. Level 0 and 1 contain physical processes and basic control: the actual machinery, sensors, and the PLCs and RTUs that drive them. These should be the most isolated, with strictly limited connectivity. Level 2 includes supervisory controls and local monitoring, such as HMIs and SCADA servers that oversee production and issue commands to the controllers below. Level 3 contains site operations: databases, historians, and manufacturing management systems. Between Level 3 and Level 4 sits an industrial DMZ (often called Level 3.5) that holds replicated historians, patch servers, and remote access gateways, so that no session ever connects directly from the business side to the control side. Level 4 represents business planning and logistics, systems that don't need direct access to control systems. Level 5 is the corporate enterprise network. The principle: traffic should flow through each level with inspection and controls, not jump directly from Level 5 (corporate network) to Level 0 or 1 (physical controls). When someone's laptop on the corporate network gets infected with malware, proper segmentation prevents that malware from reaching factory control systems.

Implementation requires industrial firewalls designed for OT environments (different from regular IT firewalls), intrusion detection systems that understand industrial protocols, data diodes for one-way information flow where appropriate, and secure remote access solutions that don't expose OT systems directly to the internet. Many organizations resist segmentation because it creates friction—engineers can't remote into factory systems as easily, monitoring requires going through additional access layers, and implementing these controls costs money while producing no visible output (prevention is invisible; you never see the attacks that didn't happen because barriers worked). The resistance evaporates after the first serious OT security incident. Better to implement barriers before attacks than scramble to add them after damage is done.


Step 3: Monitor OT Networks for Abnormal Activity (Detect Attacks Before Damage)

Network segmentation creates barriers, but determined attackers will find ways through. The next layer is detection: monitoring OT networks for signs of attacks, unauthorized access, or abnormal activity. This is harder in OT environments than IT environments for several reasons. First, OT systems use specialized industrial protocols that regular security tools don't understand. Modbus, DNP3, BACnet, Profinet: these aren't protocols your standard network security tools recognize, and most of them carry no authentication at all, so any host that can reach a controller can read from it or write to it. You need OT-specific security monitoring that understands industrial communications well enough to tell a routine read from a write that changes a setpoint. Second, OT networks have predictable, repeating patterns. The same commands get sent to the same equipment on regular schedules. A packaging line might run identical processes every 47 seconds for 16 hours daily. This predictability is actually advantageous: any deviation from normal patterns indicates potential problems.

OT security monitoring looks for specific indicators: unauthorized devices appearing on the network, communication to/from unexpected IP addresses, changes to controller configurations or logic, unusual commands being sent to industrial equipment, abnormal timing or sequencing of operations, or attempts to access systems from unauthorized accounts. Unlike IT environments where you might get thousands of security alerts daily, OT environments typically generate relatively few alerts—but each alert demands immediate investigation because the stakes are physical safety and operational continuity. Organizations implement this through OT-aware Security Information and Event Management (SIEM) systems, industrial network monitoring appliances positioned at key points, anomaly detection systems that learn normal behavior and flag deviations, and asset management platforms that maintain inventory of all OT devices and track configuration changes.

The monitoring must be passive—meaning it watches network traffic without interfering. You can't risk security tools disrupting time-sensitive industrial communications. Traditional security approaches like active scanning or penetration testing (deliberately trying to hack your own systems to find weaknesses) must be done incredibly carefully in OT environments, typically during planned maintenance windows with engineering staff present to handle any problems.
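The following Python script is an added example (not code from AKATI Sekurity or the original article) of what protocol-aware passive monitoring does with one Modbus/TCP request: it decodes the MBAP header and function code, checks the talker against a baseline of who may send which function codes to which controller, and range-checks any written register values against engineering limits. The baseline, the register map (0x0010 is assumed to be a chemical dosing setpoint in ppm), and the four sample frames are all constructed; the third frame reproduces the shape of the Oldsmar change, a write of 11,100 to a setpoint that normally holds 100.

```python
"""Passive Modbus/TCP request inspection (added example, constructed data)."""
import struct

# Modbus function codes that change controller state; codes 1-4 are reads.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Constructed baseline: (talker, controller, unit id) -> permitted function codes.
# In practice this comes from the asset inventory plus the engineering team's sign-off.
BASELINE = {
    ("10.1.2.10", "10.1.1.5", 1): {3},         # HMI: read holding registers only
    ("10.1.2.11", "10.1.1.5", 1): {3, 6, 16},  # engineering workstation: may write
}

# Hypothetical engineering limits for writable holding registers on unit 1.
REGISTER_LIMITS = {0x0010: (0, 200)}  # assumed dosing setpoint, ppm


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the function code of the PDU that follows."""
    if len(frame) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return {"tid": transaction_id, "unit": unit_id, "function": frame[7], "data": frame[8:]}


def decode_writes(function: int, data: bytes) -> dict:
    """Return {register: value} for single (6) and multiple (16) holding-register writes."""
    if function == 6 and len(data) >= 4:
        address, value = struct.unpack(">HH", data[:4])
        return {address: value}
    if function == 16 and len(data) >= 5:
        address, quantity, byte_count = struct.unpack(">HHB", data[:5])
        values = struct.unpack(f">{quantity}H", data[5:5 + byte_count])
        return {address + i: v for i, v in enumerate(values)}
    return {}


def inspect(src: str, dst: str, frame: bytes, baseline=BASELINE) -> list:
    """Return alert tags for one observed request; an empty list means normal traffic."""
    pdu = parse_modbus_tcp(frame)
    alerts = []
    allowed = baseline.get((src, dst, pdu["unit"]))
    if allowed is None:
        alerts.append("unknown-peer")           # talker is not in the inventory at all
    elif pdu["function"] not in allowed:
        alerts.append("unexpected-function")    # known talker doing something new
    if pdu["function"] in WRITE_FUNCTIONS and not (allowed and pdu["function"] in allowed):
        alerts.append("unauthorized-write")     # state change from a host not cleared to write
    for register, value in decode_writes(pdu["function"], pdu["data"]).items():
        lo, hi = REGISTER_LIMITS.get(register, (None, None))
        if lo is not None and not lo <= value <= hi:
            alerts.append(f"setpoint-out-of-range:{register:#06x}={value}")
    return alerts


# Constructed sample traffic: (source, controller, raw Modbus/TCP request bytes).
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers from address 0 (function 3): normal
    ("10.1.2.10", "10.1.1.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # engineering workstation writes 100 to the dosing setpoint (function 6): normal
    ("10.1.2.11", "10.1.1.5", bytes.fromhex("0002 0000 0006 01 06 0010 0064")),
    # unknown host writes 11100 to the same setpoint: the Oldsmar-shaped change
    ("10.1.9.77", "10.1.1.5", bytes.fromhex("0003 0000 0006 01 06 0010 2b5c")),
    # HMI sends a diagnostics request (function 8): not in its profile
    ("10.1.2.10", "10.1.1.5", bytes.fromhex("0004 0000 0006 01 08 0000 0000")),
]


def run_monitor(traffic=SAMPLE_TRAFFIC) -> list:
    """Evaluate every request and return (src, dst, function, alerts) tuples."""
    return [(s, d, parse_modbus_tcp(f)["function"], inspect(s, d, f)) for s, d, f in traffic]


if __name__ == "__main__":
    for src, dst, function, alerts in run_monitor():
        print(f"{src} -> {dst} fc={function:<2} {'ok' if not alerts else 'ALERT ' + ', '.join(alerts)}")
```

Note that the script only reads frames; it never sends anything to the controller, which is the passive property the text insists on. The range check is the piece that would have caught Oldsmar even if the write had come from a trusted workstation with valid credentials.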


Step 4: Patch and Update (But Carefully, Because Downtime Costs Millions)

In regular IT environments, patching is straightforward. Microsoft releases security updates monthly. You test them briefly, deploy to computers, maybe restart systems overnight. If something breaks, you roll back and try again. Downtime of a few hours isn't ideal but won't destroy the business. OT environments can't work this way. Many industrial systems run 24/7 with production schedules that allow only brief maintenance windows quarterly or annually. Shutting down a refinery for unplanned maintenance costs $500,000-$1,000,000+ per day. A chemical plant can't simply restart production after stopping—there are complex warmup procedures taking days. An automotive assembly line operates on just-in-time manufacturing where even hours of downtime cascades through entire supply chains.

Yet OT systems desperately need patching. Many run ancient operating systems, such as Windows XP, Windows Server 2003, or even older Unix variants, with decades of known vulnerabilities. These vulnerabilities aren't theoretical. Attackers actively exploit them. A further complication: control system vendors usually qualify operating system patches against their own software, and applying an unqualified patch can break the application or void support, so the vendor's approved patch list and the CISA ICS advisories referenced below are the starting point, not a generic Patch Tuesday feed. The solution requires balancing risk: identify which OT systems are internet-exposed or connected to corporate networks (these need patching most urgently), test patches exhaustively in lab environments that mirror production before deploying anywhere near real systems, schedule updates during planned maintenance windows even if that means waiting months, implement compensating controls (like network segmentation, protocol-aware monitoring, and application allowlisting) for systems that can't be patched, and have rollback procedures ready if patches cause operational problems. Some organizations maintain fully patched parallel systems in hot standby: if primary systems fail during patching, they switch to the backups.


Step 5: Control Remote Access (The Biggest Attack Vector)

Remember the Oldsmar water treatment hack? The attacker used TeamViewer, a legitimate remote desktop tool, reachable from the internet with a shared password. The Colonial Pipeline ransomware attack in 2021 that caused gas shortages across the US East Coast? Attackers entered through a legacy VPN account that had no multi-factor authentication, using a password that had already been exposed. Remote access represents the number one attack vector into OT environments. Organizations implement remote access for good reasons: vendors need to troubleshoot equipment remotely, engineers support operations from home or headquarters, and traveling to every facility for routine maintenance wastes time and money. But every remote access path is a potential attack path.

Securing remote access requires several controls working together:

  • Multi-factor authentication (MFA) on every remote path; a password alone is not sufficient, as both Oldsmar and Colonial Pipeline showed.

  • Zero-trust access that verifies each connection and limits it to specific systems, rather than assuming anyone holding VPN credentials may reach everything.

  • Time-limited sessions that expire automatically after a defined period, ideally tied to a specific change request or work order.

  • Monitoring and recording of all remote sessions so suspicious activity can be detected and reconstructed afterwards.

  • Vendor access management that restricts third-party technicians to the specific systems they service.

  • Removing or disabling remote access tools when they are not actively needed.

Many organizations also use a jump box: a hardened intermediary that vendors connect to, which then brokers the connection to the OT system. This gives a single point for inspection, MFA, and session recording, and removes any direct internet-to-OT path.
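As an added example (not code from AKATI Sekurity or the original article), here is a small Python model of the jump-box decision: a vendor may only get a session after presenting a valid TOTP code (RFC 6238, implemented here with the standard library) and only while a time-limited grant exists for that vendor and that exact target host and port. The vendor name, the change ticket, the shared secret (the RFC 4226 test secret), and the target are assumptions; a real broker would sit on the DMZ jump host and wrap the actual SSH or RDP session.

```python
"""Time-limited, MFA-gated vendor access broker for a jump box (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

MAX_GRANT_SECONDS = 8 * 3600  # no standing access: every grant expires within a shift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    counter = at // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


@dataclass(frozen=True)
class AccessGrant:
    vendor: str
    target: tuple      # (host, port) the vendor may reach through the jump box
    not_before: int    # Unix time
    not_after: int     # Unix time; the session is cut at this point
    ticket: str        # change-control reference (assumed naming)


class JumpBoxBroker:
    def __init__(self, vendor_secrets: dict):
        self.secrets = vendor_secrets   # vendor -> TOTP seed, enrolled out of band
        self.grants = []
        self.audit_log = []             # every decision, allowed or denied, is recorded

    def issue_grant(self, vendor: str, target, ticket: str, now: int,
                    duration_s: int = 4 * 3600) -> AccessGrant:
        """Create a scoped, expiring grant; standing access is refused by design."""
        if vendor not in self.secrets:
            raise ValueError(f"{vendor} has no enrolled MFA secret")
        if not 0 < duration_s <= MAX_GRANT_SECONDS:
            raise ValueError("grant duration must be between 1s and 8h")
        grant = AccessGrant(vendor, tuple(target), now, now + duration_s, ticket)
        self.grants.append(grant)
        return grant

    def authorize(self, vendor: str, code: str, target, now: int) -> tuple:
        """Return (allowed, reason). MFA is checked before any grant lookup."""
        secret = self.secrets.get(vendor)
        if secret is None or not verify_totp(secret, code, now):
            return self._decide(vendor, target, now, False, "mfa-failed")
        for g in self.grants:
            if g.vendor == vendor and g.target == tuple(target) and g.not_before <= now < g.not_after:
                return self._decide(vendor, target, now, True, f"allowed ticket={g.ticket}")
        return self._decide(vendor, target, now, False, "no-active-grant")

    def _decide(self, vendor, target, now, allowed, reason):
        self.audit_log.append((now, vendor, tuple(target), allowed, reason))
        return allowed, reason


# Constructed scenario: one pump vendor, one PLC, one four-hour change window.
VENDOR_SECRET = b"12345678901234567890"   # RFC 4226 test seed, for the example only


def demo() -> dict:
    broker = JumpBoxBroker({"pumpco": VENDOR_SECRET})
    broker.issue_grant("pumpco", ("10.1.1.5", 502), "CHG-1042", now=0)
    return {
        "in_window": broker.authorize("pumpco", totp(VENDOR_SECRET, 59), ("10.1.1.5", 502), now=59),
        "wrong_target": broker.authorize("pumpco", totp(VENDOR_SECRET, 59), ("10.1.1.6", 502), now=59),
        "bad_code": broker.authorize("pumpco", "000000", ("10.1.1.5", 502), now=59),
        "expired": broker.authorize("pumpco", totp(VENDOR_SECRET, 5 * 3600), ("10.1.1.5", 502), now=5 * 3600),
        "log_entries": len(broker.audit_log),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:<13} {outcome}")
```

The order of checks matters: MFA is evaluated first so that a stolen password alone never even reveals whether a grant exists, and every decision lands in the audit log whether or not it was allowed, which is what the session-monitoring requirement above needs as raw material.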


Step 6: Train Operations Teams to Recognize OT-Specific Threats

Final piece: human awareness. Most cybersecurity training focuses on IT threats—phishing emails, malicious websites, password security. These matter for OT personnel too, but they also face unique threats. Social engineering targeting industrial employees is increasingly common. Attackers research facilities on LinkedIn, identify control system engineers, and craft targeted phishing messages: "Your vendor provided an updated firmware file for the [specific equipment model]. Please download and install from this link." Engineers unfamiliar with these tactics click malicious links or open infected attachments.

USB drives represent another OT-specific vector. Contractors visit facilities and plug USB drives into control systems to transfer files or configure equipment. Those drives might be infected—sometimes deliberately (like the Stuxnet attack on Iranian nuclear facilities), sometimes accidentally (the contractor's corporate laptop was infected, which infected their USB drive). Field technicians need training on: verifying identities before granting facility access or remote access credentials, questioning unexpected requests even from apparent vendors or management, using only company-controlled USB drives that are scanned before use in OT systems, reporting unusual activity immediately, and understanding that OT security is about physical safety, not just data protection. When factory workers understand that cybersecurity mistakes can cause explosions, chemical releases, or equipment damage that endangers lives, they take training more seriously than abstract warnings about data breaches.


AKATI Sekurity: Protecting Industrial Operations from Digital Threats

Operational Technology security requires specialized expertise that most organizations don't possess internally. OT environments use different protocols, technologies, and operational constraints than traditional IT. Security approaches that work perfectly for corporate networks can cause disasters when incorrectly applied to industrial controls. AKATI Sekurity's Cybersecurity Consulting team specializes in OT security assessments for manufacturing, utilities, transportation, and critical infrastructure. We map OT assets and network connectivity, assess risks based on both cyber threats and safety implications, design segmentation architectures that protect operations while maintaining functionality, and develop practical security roadmaps that respect production schedules and operational realities.

Our 24/7 Managed Security Services include OT-specific monitoring using industrial protocol-aware detection systems that recognize attacks on SCADA, DCS, and PLC environments without disrupting time-sensitive communications. Our analysts understand the difference between IT incidents (primarily financial and reputational risk) and OT incidents (potential for physical damage, environmental harm, and safety risks). Through Penetration Testing and Red Team services, we safely test OT security controls during planned maintenance windows, identifying vulnerabilities before attackers exploit them. Our testing follows industry standards for OT security assessment, minimizing risks to operational systems.

For ASEAN organizations operating critical infrastructure, we understand regional requirements including Malaysia's Cybersecurity Act mandates for National Critical Information Infrastructure (NCII), Singapore's Critical Information Infrastructure (CII) protection requirements, and sector-specific regulations for energy, water, and transportation. For US organizations, we align OT security programs with CISA guidance for critical infrastructure protection, NERC CIP requirements for electrical utilities, and FDA cybersecurity guidance for medical device manufacturers.

Protecting operations requires understanding both cybersecurity and industrial processes.

Contact AKATI Sekurity at hello@akati.com for more information.


About the Author: This article was developed by AKATI Sekurity's OT security and critical infrastructure protection specialists with experience securing manufacturing facilities, utilities, and industrial operations across ASEAN and North America.

Related Services: Cybersecurity Consulting | 24/7 Managed Security (MSSP) | Penetration Testing | Security Posture Assessment

Key Terms Explained:

  • Operational Technology (OT): Computer systems that monitor and control physical industrial processes and infrastructure

  • SCADA: Supervisory Control and Data Acquisition - systems that monitor and control industrial processes

  • Industrial Control Systems (ICS): Computer-based systems that control industrial processes like manufacturing and utilities

  • Air-Gapped: Systems physically isolated from other networks with no connections

References:

  • FBI Cyber Division Public Service Announcement on Oldsmar Water Treatment Facility Intrusion (2021)

  • CISA ICS Advisory Database: https://www.cisa.gov/uscert/ics/advisories

  • NIST Special Publication 800-82: Guide to Industrial Control Systems Security
