How can I ensure that my Operational Technology is secure? 

Operational Technology security is about protecting people and business operations before anything else. 

The UK’s National Cyber Security Centre is clear: connectivity between Operational Technology (OT) and IT is unavoidable, but it must be carefully designed and managed so safety and uptime are never put at risk. The reality is that attackers are now exploiting industrial systems with the same intensity as IT networks, and frameworks such as NIST, SP 800-82 and IEC 62443 show what “good” looks like in practice. 

That means starting with a complete inventory of your OT assets, mapping risks with a safety lens, segmenting networks with the Purdue model and IEC zones and conduits, enforcing least-privilege access, brokering remote access safely, monitoring for adversary behaviours using MITRE ATT&CK for ICS, and making offline backups and recovery drills non-negotiable. It also means aligning governance with the likes of NIS2, DORA and the CER Directive in Europe or the NCSC’s Cyber Assessment Framework in the UK. 

If you want a clear, vendor-agnostic blueprint for OT security that protects your systems without disrupting operations, our team can help. 

Speak to our specialists today: Contact us. 

Key Takeaways 

• Anchor your OT programme in NIST SP 800-82 and IEC 62443 for clear, proven guidance on controls and architecture. 
• Use the Purdue model and zones and conduits to enforce segmentation and stop lateral movement across networks. 
• Maintain a living OT asset inventory to know what you are defending and where the greatest risks lie. 
• Enforce least-privilege access and control all vendor remote access through monitored, brokered solutions. 
• Monitor using passive network visibility, allow-list policies and anomaly detection to respect fragile OT systems. 
• Detect behaviours in the MITRE ATT&CK for ICS matrix, such as Lateral Movement, Inhibit Response Function and Impair Process Control. 
• Make offline, immutable backups and recovery exercises mandatory to withstand ransomware. 
• Evidence governance through the NCSC CAF in the UK or NIS2 obligations in the EU.
  

For a tailored roadmap and support in implementing these measures, explore our cyber services and threat monitoring services. 

Whole-System Context and Asset Inventory 

OT security must be treated as a security discipline. The UK’s National Cyber Security Centre stresses that controls should always protect safe operation first, with connectivity between OT and IT managed as a deliberate risk rather than an afterthought. 

The foundation of this approach is a complete OT asset inventory. You cannot protect what you do not know exists. A living inventory should record each asset’s type, version, location, criticality and owner, giving operations and security teams a shared picture of the environment. 

Passive discovery methods such as network taps or SPAN ports help build this view without disrupting fragile equipment, while targeted onsite checks add context. Once established, the inventory guides segmentation, access control and monitoring, and allows risks to be prioritised by their safety and operational impact. 

With this visibility in place, organisations can show measurable assurance against frameworks like the NCSC CAF or NIS2, and move towards truly resilient, whole-system OT security. 

Risk Assessment with an OT Lens 

A good risk assessment in OT looks different to one in IT. Confidentiality and data loss are important, but they are not the primary concerns. In OT, the biggest risks often relate to safety, environmental harm, and downtime that halts business operation or disrupts essential services. NIST SP 800-82 Rev. 3 and the NCSC Cyber Assessment Framework both underline this broader perspective. 

The assessment should begin by mapping out critical functions and defining what happens if each is compromised. What would be the consequences if a controller failed or a process was manipulated? How long could a system or application be down before the damage becomes unacceptable? This approach ensures that controls are targeted where they make the greatest difference. 

By weighting risks in this way, you can prioritise maintenance windows, establish contingency plans, and decide where manual fallback procedures may be required. It also helps demonstrate to regulators that security decisions are grounded in operational reality rather than abstract IT risk scores. 

Network Segmentation with the Purdue Model 

Flat networks are one of the most common weaknesses in OT environments. 

When every system can communicate freely, attackers who gain an initial foothold can move laterally, spread ransomware, or access safety-critical devices without obstruction. Engineers often only discover the problem once an incident has already escalated. 

The Purdue model provides a proven structure to break this pattern. It divides the environment into clear levels: enterprise IT systems at the top, operations and supervisory functions in the middle, and process control and field devices at the bottom. Each level has defined boundaries, with traffic only allowed through controlled interfaces. 

In practice, this means separating Levels 0–2 (sensors, actuators, controllers) from Level 3 (operations and supervisory systems), and both from Level 4 (business IT). 

Demilitarised zones, firewalls and unidirectional gateways act as choke points, enforcing rules and allowing only essential communication. This structure limits the blast radius of any compromise and supports safe, predictable operation, even during a cyber incident. 

Zones and Conduits 

IEC 62443 takes segmentation further by introducing the concept of zones and conduits. 

Zones are groups of assets with similar security requirements, such as safety systems, critical business systems, engineering workstations or production lines. 

Conduits are the controlled pathways that link them, with policies that strictly define what traffic can and cannot flow. 

Each zone is assigned a target security level, and operators must ensure that controls such as authentication, use control, and data integrity meet those requirements. For instance, a safety instrumented system may sit in its own zone with a very high security level, connected to the wider control network only through a tightly monitored conduit. 

This approach reduces the chance that an intrusion in one part of the environment will spread elsewhere. It also makes security measurable: operators can map which assets sit in each zone, what conduits connect them, and what controls are in place. This clarity helps both in daily operations and in demonstrating compliance with regulators under standards such as NIS2 or the UK’s CAF. 

Least-Privilege Access 

Access control in Operational Technology is about making sure that every user and system only has the rights strictly needed to perform their role. Shared accounts and over-privileged access remain common in many business and industrial environments, but they create blind spots and make it far too easy for attackers to escalate once inside. 

The principle of least privilege means enforcing strong identity management for operators, engineers, contractors and vendors. Every account should be named, auditable and time-bound. Multi-factor authentication should be standard for all privileged access, particularly where remote sessions are involved. 

On the network side, inter-zone firewalls should be configured with default-deny rules, allowing only the specific protocols and destinations needed for safe operation. When combined, these measures create an environment where misuse is more visible, and attackers find fewer pathways to exploit. 

Secure Remote Access 

Remote access is often essential for maintenance and vendor support, but it is also one of the highest-risk activities in OT. Direct connections into control networks or always-on VPNs are dangerous because they give attackers the same visibility and control as trusted engineers. 

The safer model is to broker access through jump hosts or bastion services placed in a dedicated OT demilitarised zone. Sessions should be time-limited, approved in advance, and fully recorded for audit. Strong, phishing-resistant multi-factor authentication ensures that only authorised personnel connect, while network segmentation contains the session within the right boundaries. 

Internet-exposed connections should be avoided wherever possible. Private links or brokered connections are far more secure, and ingress and egress traffic should be monitored for anomalies. By following these principles, organisations can balance the operational need for remote support with the security imperative of protecting safety-critical systems. 

Change Control that Protects Safety 

In OT, even small changes can have major consequences. A configuration update, firmware patch or logic change that might seem trivial in IT can interrupt a critical process, cause downtime, or even create safety risks. This is why NIST SP 800-82 highlights configuration and change control as core practices. 

A robust process requires every change to go through formal review, with business operations signing off on timing and safety checks. Changes should be scheduled during safe operating states, tested on representative systems where possible, and always have a rollback plan. Golden images and checksum-verified backups of controllers and engineering workstations ensure that systems can be restored quickly if something goes wrong. 

This discipline makes patching and system updates far less risky, while giving both engineers and security teams confidence that changes are predictable and reversible. 

Threat Detection Mapped to MITRE ATT&CK for ICS 

Understanding how adversaries behave in business and industrial environments helps you focus monitoring where it matters most. The MITRE ATT&CK for ICS framework provides a structured way to map tactics and techniques to real-world detection and response needs. 

Key behaviours to prioritise include Lateral Movement, where attackers pivot across dual-homed devices or shared credentials; Inhibit Response Function, where safety systems are tampered with or disabled; and Impair Process Control, where controllers are manipulated to alter setpoints or logic. Each of these aligns directly with high-consequence risks such as process disruption or safety compromise. 

Detection strategies should therefore include monitoring for unusual authentication attempts, unexpected mode changes on controllers, new or modified logic, and communication patterns that do not match the established allow-list. Mapping these to ATT&CK techniques ensures that both operations and security teams are speaking a common language, making collaboration smoother and improving response. 

Backup and Recovery for Ransomware Resilience 

The study of previous Ransomware attacks has shown that IT and OT are no longer separate risk domains. 

Once inside an organisation, attackers will often seek to lock up Human-Machine Interfaces, historians, or engineering workstations, with the result that business operations grind to a halt even if process controllers remain untouched. 

The only reliable counter is to maintain offline, immutable backups of critical OT systems and configurations. These should include PLC logic, HMI projects, historian databases, and engineering workstation images. Copies should be encrypted, stored in multiple locations, and regularly tested to ensure they can be restored within agreed recovery time objectives. 

A 3-2-1 approach works well: three copies of data, stored on two different media types, with one kept offline or offsite. Regular restoration exercises are vital because backups that cannot be restored quickly are no backups at all. By treating backups and recovery rehearsals as non-negotiable, operators build resilience against ransomware without depending on attackers’ goodwill. 

Incident Response that includes OT 

Traditional incident response plans often focus on IT systems and overlook the unique requirements of OT. In reality, an effective plan must cover both. OT incident response must account for process safety, regulatory reporting, and the fact that some standard IT containment steps may not be safe in a live industrial environment. 

Plans should include roles for control engineers, safety officers and original equipment manufacturers (OEMs), alongside the cybersecurity team. Isolation and containment steps need to be pre-approved to avoid unsafe shutdowns, and manual fallback procedures should be documented so operators know how to maintain control if digital systems are compromised. 

Regular exercises are key to making this real. 

At least once a year, organisations should run joint IT–OT scenarios based on realistic threats such as ransomware or the ATT&CK behaviours most relevant to their environment. This ensures that when an incident does occur, teams can respond quickly, safely and with confidence. 

Governance and Compliance for UK and EU Operators 

Strong OT security is not only about best practice; it is also a regulatory requirement. In the EU, the NIS2 Directive mandates that operators of essential entities implement risk management measures and report significant incidents. This regulation is enhanced and broadened by DORA and the CER Directive. 

It applies to banking and financial services, energy, transport, water, health, and data centre and digital infrastructure providers, among others. By October 2024, Member States must enforce NIS2 through national legislation, and organisations must be able to evidence compliance. 

The UK, while outside NIS2, has its own regime under the Network and Information Systems Regulations. The NCSC Cyber Assessment Framework (CAF) provides a structured way to measure outcomes, covering governance, risk management, asset resilience and incident response. Regulators expect operators of essential services to evidence continuous improvement against CAF objectives. 

Using frameworks like NIST SP 800-82 and IEC 62443 as the technical backbone makes it easier to demonstrate alignment with both CAF and NIS2. This not only satisfies regulators but also strengthens assurance for boards, insurers and customers. 

Learn more about our Policy and Procedures services 

Metrics that Matter 

Security must be measurable, or it risks becoming just a set of intentions. The most effective organisations define joint KPIs for operations and security teams, ensuring shared ownership. 

Practical metrics include: 

• Percentage of OT assets recorded in the inventory with confirmed owners and dependencies. 
• Number of inter-zone connections with enforced allow-lists compared to detected unauthorised flows. 
• Percentage of privileged OT accounts with multi-factor authentication and time-limited access. 
• Mean time to revoke stale vendor or contractor accounts. 
• Frequency and success rate of backup restoration tests. 
• Percentage of detection rules mapped to MITRE ATT&CK for ICS techniques that have associated runbooks. 
  

These metrics give leadership visibility of progress, highlight gaps, and keep both engineering and security accountable for maintaining resilience. 

When to get Independent Help 

Designing OT security controls that protect safety without disrupting operations is not straightforward. Frameworks provide direction, but every plant and system has unique constraints. This is where independent expertise can make a difference. 

Independent, vendor-agnostic specialists can help scope zones and conduits, design remote access solutions, and deploy passive monitoring without creating process risks. They can also assist with board briefings, regulatory evidence packs, and translating technical controls into business language. 

For many organisations, independent support accelerates implementation, reduces the risk of bias from vendors, and gives assurance that solutions are tailored to their operational reality. 

If you need that perspective, CornerStone’s OT security team is ready to support you: Contact us. 

Useful References 

• NCSC Operational Technology guidance collection – practical UK context on managing OT connectivity and safety. 
• NIST SP 800-82 Rev. 3 Guide to OT Security – comprehensive, standards-aligned guidance for securing industrial environments. 
• IEC 62443 family – internationally recognised standards for zones, conduits and security lifecycle. 
• Purdue model – a widely adopted framework for layered OT network segmentation. 
• MITRE ATT&CK for ICS – adversary behaviour matrix for prioritising monitoring and response. 
• StopRansomware guidance – best practices for backup, recovery and resilience against ransomware. 
• NIS2 Directive and UK NIS/CAF – regulatory frameworks for operators of essential services in the EU and UK. 
  

Building resilience into Operational Technology security 

Whole-system OT security is about more than technical controls. It is about protecting safety, sustaining uptime, and giving boards and regulators confidence that risks are managed. 

By anchoring your programme in NIST 800-82, IEC 62443, Purdue segmentation, ATT&CK-informed monitoring and rigorous backup practices, you create a blueprint that is both defensible and practical. 

If you want an independent roadmap that fits your business, your sector and your regulator, CornerStone can help. Our consultants specialise in designing OT security strategies that protect operations without disruption. 

Speak to us today: Contact us.