Operational technology is not enterprise IT with a different brand of switch. The protocols are older, the traffic is predictable, the uptime requirements are absolute, and a control you would apply without thinking on the corporate network can take a plant offline. That is why the OT security advice that gets copied from IT playbooks fails in the field. The controls below are the ones that hold up, applied in a way that respects how industrial systems actually run.

Zones and conduits, not a flat plant

The foundational control is segmentation, but the OT version of it is more deliberate than VLANs on the corporate side. IEC 62443 frames it as zones and conduits: group assets by function and risk into zones, define exactly what is allowed to cross between them through controlled conduits, and default to deny. The Purdue model gives you the layers to start from. A flat plant network where the historian and the safety system share a broadcast domain is the single most common and most dangerous OT finding.

Put an iDMZ between the plant and the business

IT and OT have converged whether anyone planned it or not, and the question is whether the boundary is controlled. The control is an industrial DMZ: nothing on the business network talks directly to the plant. Data that has to move, like historian replication or remote views, moves through brokered services in the iDMZ, so a compromise on the corporate side hits the DMZ and not the controllers. If a business-network machine can open a socket straight to a PLC, you do not have a boundary, you have a label.

Know the protocols, because they will not defend themselves

Modbus, DNP3, S7, EtherNet/IP, and OPC have little or no authentication by design. You cannot patch that away, so the control is to account for it: protocol-aware segmentation, deep packet inspection where it earns its keep, and a clear answer to what each conduit is allowed to carry. Treating industrial protocols like HTTP is how IT-style controls break OT.

Monitor passively, because active scanning breaks things

The vulnerability scanner that is routine on the corporate network can knock an old PLC offline just by probing it. The OT control is passive monitoring: tap the traffic, baseline what normal looks like, and alert on the deviation, without ever sending an unsolicited packet to a control device. You get visibility into the 200 devices nobody inventoried without being the reason the line stops.
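The zone-and-conduit policy above and the passive baseline-and-alert approach in this section can be combined into one check over traffic a tap has already recorded. The block below is an added example, not code from the original article; the zone names, addresses, conduit table and flow records are constructed for illustration, while the Modbus function codes are the standard ones.

```python
# Added example: passive conduit check over constructed Modbus/TCP flow records.
# Zones, addresses and policy are constructed; function codes are standard Modbus.
WRITE_CODES = {5, 6, 15, 16, 23}   # codes that change controller state

# Conduit policy keyed by (src_zone, dst_zone): unlisted pairs are denied.
# Here the iDMZ historian collector may only read from the control zone.
CONDUITS = {
    ("idmz", "control"): {3, 4},
    ("control", "control"): {1, 2, 3, 4, 5, 6, 15, 16},
}

def learn_baseline(flows):
    """Learn (src, dst, function code) triples seen during a quiet period."""
    return {(f["src"], f["dst"], f["code"]) for f in flows}

def check_flow(flow, baseline):
    """Return alert strings for one observed request; never sends a packet."""
    alerts = []
    pair = (flow["src_zone"], flow["dst_zone"])
    allowed = CONDUITS.get(pair)
    if allowed is None:
        alerts.append(f"DENY no conduit {pair[0]}->{pair[1]}: {flow['src']}->{flow['dst']}")
    elif flow["code"] not in allowed:
        alerts.append(f"DENY fc{flow['code']} not permitted on {pair[0]}->{pair[1]}")
    triple = (flow["src"], flow["dst"], flow["code"])
    if triple not in baseline:
        sev = "HIGH" if flow["code"] in WRITE_CODES else "LOW"
        alerts.append(f"{sev} unseen talker/function {triple}")
    return alerts

def run(baseline_flows, live_flows):
    """Baseline on the quiet period, then return {index: alerts} for live flows."""
    baseline = learn_baseline(baseline_flows)
    return {i: a for i, f in enumerate(live_flows) if (a := check_flow(f, baseline))}

# Constructed sample traffic (not captured from any real plant).
QUIET = [
    {"src": "10.1.0.5", "src_zone": "idmz", "dst": "10.2.0.10", "dst_zone": "control", "code": 3},
    {"src": "10.2.0.2", "src_zone": "control", "dst": "10.2.0.10", "dst_zone": "control", "code": 16},
]
LIVE = QUIET + [
    # Historian collector starts writing: its conduit allows reads only.
    {"src": "10.1.0.5", "src_zone": "idmz", "dst": "10.2.0.10", "dst_zone": "control", "code": 16},
    # Business-network host reaches a PLC directly: no such conduit exists.
    {"src": "10.0.0.77", "src_zone": "business", "dst": "10.2.0.10", "dst_zone": "control", "code": 3},
]

if __name__ == "__main__":
    for i, alerts in run(QUIET, LIVE).items():
        print(i, alerts)
```

The baseline flows produce nothing; the two appended flows each raise a conduit violation plus a never-seen-before alert, graded by whether the function code writes to the device.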

Make remote access deliberate

Vendors and operators need in, and the default of a flat VPN into the plant or a forgotten cellular modem on a panel is how the quiet, patient intrusions get their foothold. The control is brokered, monitored, time-boxed remote access through a jump host in the iDMZ, with multi-factor on the way in and a recording of what was done. Convenient back doors are how state-linked actors live off the land inside critical infrastructure for months.

Patch on the plant’s terms, and compensate when you cannot

OT patches lag for real reasons: a reboot is a production event, vendor certification takes time, and some systems will never be patched because the vendor is gone. Pretending otherwise is not a plan. The honest control is a patch cadence tied to maintenance windows for what you can patch, and compensating controls (tighter segmentation, monitoring, and access restriction) around what you cannot. An unpatchable system behind a tight conduit is defensible. An unpatchable system on a flat network is an incident waiting for a date.

Keep safety systems separate

Safety instrumented systems exist to bring a process to a safe state, and they do not belong on the same network as everything else. Physical or logical separation of the SIS from the basic process control system is not a nice-to-have, it is the line between a security incident and a safety incident. Keep it.

Own it across the boundary

The hardest part of OT security is not a control, it is the seam. The plant team owns uptime, IT owns the network, and security owns policy, and the OT network falls in the gap between them. Someone has to own the security of the converged environment end to end, with the authority and budget that go with it, named before the next integration, not discovered during the incident review. Unowned infrastructure does not get secured, and on a plant network the cost of that is measured in more than data.

None of these controls require breaking the process to secure it. They require understanding the process well enough to secure it the way it actually runs, which is the whole job.

References

  1. NIST SP 800-82 Rev 3, Guide to Operational Technology (OT) Security. NIST, csrc.nist.gov
  2. ISA/IEC 62443 Series of Standards. ISA / IEC, isa.org
  3. Cross-Sector Cybersecurity Performance Goals. Cybersecurity and Infrastructure Security Agency, cisa.gov