I Stood Up an OT Security Program. Here's What the Vendor Brochures Don't Tell You.

Most writing about OT security is written by people who sell OT security tools.

That's not necessarily wrong. Vendors know their products. But the things that actually make or break a deployment aren't in their brochures. They're in the conversations nobody documents and the politics nobody warns you about until you're standing in the middle of it.

I've spent the last several months close to a real OT security deployment. Vendor-neutral, industry-neutral version below. These are the patterns I keep seeing — and the things I wish someone had told me before I started.

The numbers that should make every leader pay attention

Before the lessons, the context. OT security is no longer a theoretical risk:

22% of organisations reported a cybersecurity incident affecting OT systems in the past year. 40% of those incidents caused operational disruption — four times higher than the industry target of <10%. (SANS 2025 ICS/OT Survey)

$8.7 million is the average total cost of a ransomware incident in manufacturing. System downtime alone accounts for 37% of the cost — far exceeding the ransom payment itself. (IBM, 2024)

$125,000 per hour. That's how much unplanned downtime from a cyber breach can cost a manufacturing company. (IBM)

64% of manufacturers are already using an OT security platform. Another 32% plan to within five years. The market is moving. (SMC, 2025)

27% of organisations reported breaches caused directly by workforce skills gaps in OT. The threat is technical. The constraint is human. (SANS 2026)

These are not edge cases. These are the new baseline. With that context, here's what I've learned.

Lesson one: the technology is the easy part

Picking a tool, deploying sensors, getting telemetry into a dashboard — that's the straightforward part. Modern platforms have largely solved the visibility problem. You can stand up monitoring across an industrial network in weeks if conditions are right.

The hard part is everything around the technology.

The OT team at most organisations has been running these systems for decades, often with a culture that treats outsiders, including the IT security team at their own company, with suspicion. They have legitimate reasons. Bad changes to OT systems don't just cause downtime. They can cause physical harm.

The deployment isn't really a technology project. It's a trust project. And trust takes longer than the vendor's implementation timeline assumes.

Lesson two: IT and OT teams don't speak the same language

This is the one I underestimated. The two teams are optimising for completely different things, and both are correct in their context.

| Dimension | IT Security thinks in... | OT Security thinks in... |
|---|---|---|
| Primary goal | Confidentiality of data | Availability of systems |
| Patching cadence | Days to weeks | Months to years (sometimes never) |
| Acceptable downtime | Inconvenient | Catastrophic — can cause physical harm |
| Default posture | Scan everything, alert on everything | If it's working, don't touch it |
| Tools | Modern, frequently updated | Often decades old — and that's a feature, not a bug |
| Risk metric | CVE scores, breach probability | Process safety, regulatory continuity |

The first ninety days of any OT security program are, in practice, mostly translation work: getting both sides to a shared vocabulary, a shared understanding of risk, and a shared definition of success.

Skip this and try to deploy first, and you'll spend the next year fighting fires that didn't need to start.

Lesson three: the network you find is not the network you expected

Every OT environment has surprises. The diagram on the wall is from three years ago. The asset inventory is incomplete. There are systems running that nobody remembers installing. There are vendors with remote access nobody documented.

This isn't because OT teams are sloppy. It's because OT environments evolve over decades through acquisitions, vendor changes, and quick fixes that became permanent. The documentation degrades faster than the equipment does.

The first thing any OT monitoring deployment does, before anything else, is force you to confront what's actually there. That confrontation is uncomfortable. It also turns out to be the single most valuable output in the early months.

Stat to sit with: Only 22% of OT incidents are remediated within 48 hours. The industry target is 75%. That gap exists because most organisations can't act quickly on threats they can barely see. (SANS 2025)

If you're funding one of these programs, set expectations accordingly. The first six months produce visibility, not security wins. The security wins come from what you do with the visibility.

Lesson four: AI is changing the threat picture faster than the defence picture

OT systems have always had a security advantage: they're often custom, often obscure, and have traditionally required deep domain expertise to attack. That barrier is collapsing. AI tools can now reverse-engineer industrial protocols, identify common misconfigurations, and craft targeted attacks against OT systems in ways that didn't exist eighteen months ago.

OT defence, meanwhile, is moving slowly. The platforms are adding AI features, which is good. But the security operations teams running these tools are mostly still organised around traditional alert-and-respond workflows.

This is the conversation OT leaders should be having with their boards right now. Not "what tools do we need," but "how does our defensive posture hold up against AI-augmented attackers in the next 24 months?" Most don't, because the answer is uncomfortable.

What I'd tell anyone starting one of these programs

Three things, framed as the trade-offs that matter:

| If you over-invest in... | At the expense of... | The result |
|---|---|---|
| Technology and tooling | People and trust-building | Shelfware in 18 months |
| Speed of deployment | Asset discovery accuracy | Detection blind spots that won't surface until an incident |
| Current threat models | AI-augmented threat scenarios | A program that's already obsolete the year it's deployed |

In simpler words:

  • Budget for the people work, not just the technology work. Half your project plan should be communication, training, and trust-building. If your plan is 80% technology, you'll learn the hard way.

  • Treat asset discovery as the deliverable, not the prerequisite. The honest map of what's actually in your OT environment is more valuable than any feature in any tool. Build it carefully. Maintain it ruthlessly.

  • Plan for the AI threat curve, not the current threat curve. What worked for OT defence in 2024 won't be enough in 2027. Choose tools that are improving fast. Choose partners who take AI threats seriously today, not in some future roadmap.
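One concrete way to "maintain the map ruthlessly" is to reconcile the documented asset inventory against what passive monitoring actually observes, on a schedule, and treat every discrepancy as a work item. The script below is an added example written for this post, not code from the author or from any OT platform; it assumes a plant address range of 10.20.0.0/16, a hypothetical inventory format in which each asset lists the source ranges approved for vendor remote access, and a constructed set of observed flows standing in for a monitoring export. It reports three kinds of drift the post describes: devices on the wire that nobody documented, documented devices that are never seen, and remote access into the plant that no inventory entry authorises.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Assumption: the plant's own address space (constructed for this example).
PLANT_NETWORKS = [ip_network("10.20.0.0/16")]


@dataclass
class DocumentedAsset:
    """One row of the (hypothetical) asset inventory."""
    ip: str
    name: str
    owner: str
    # CIDRs from which vendor remote access is documented and approved.
    approved_remote_sources: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Flow:
    """One observed conversation from passive monitoring."""
    src: str
    dst: str
    protocol: str


@dataclass
class Reconciliation:
    unknown_assets: Dict[str, Set[str]]       # plant IP seen on the wire but not in inventory -> protocols
    stale_assets: List[str]                   # inventory IPs never observed in this window
    undocumented_remote_access: List[Flow]    # inbound flows from outside the plant with no approval


def is_plant_address(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PLANT_NETWORKS)


def reconcile(inventory: List[DocumentedAsset], flows: List[Flow]) -> Reconciliation:
    documented = {asset.ip: asset for asset in inventory}

    # Build the "what is actually there" view: every plant endpoint seen, with its protocols.
    observed: Dict[str, Set[str]] = {}
    for flow in flows:
        for endpoint in (flow.src, flow.dst):
            if is_plant_address(endpoint):
                observed.setdefault(endpoint, set()).add(flow.protocol)

    unknown = {ip: protos for ip, protos in observed.items() if ip not in documented}
    stale = sorted(ip for ip in documented if ip not in observed)

    # Remote access: anything entering the plant from outside must match an approved source.
    remote: List[Flow] = []
    for flow in flows:
        if is_plant_address(flow.src) or not is_plant_address(flow.dst):
            continue
        asset = documented.get(flow.dst)
        approved = asset.approved_remote_sources if asset else set()
        src = ip_address(flow.src)
        if not any(src in ip_network(cidr) for cidr in approved):
            remote.append(flow)

    return Reconciliation(unknown, stale, remote)


def report_lines(rec: Reconciliation) -> List[str]:
    lines = []
    for ip, protos in sorted(rec.unknown_assets.items()):
        lines.append(f"UNKNOWN ASSET   {ip}  protocols={','.join(sorted(protos))}")
    for ip in rec.stale_assets:
        lines.append(f"STALE ENTRY     {ip}  documented but never observed")
    for flow in rec.undocumented_remote_access:
        lines.append(f"REMOTE ACCESS   {flow.src} -> {flow.dst} ({flow.protocol}) not approved")
    return lines


# Constructed sample data (not from any real plant). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges used here to stand in for vendor and unknown external sources.
SAMPLE_INVENTORY = [
    DocumentedAsset("10.20.1.10", "PLC-Line1", "OT", {"203.0.113.0/24"}),
    DocumentedAsset("10.20.1.11", "HMI-Line1", "OT"),
    DocumentedAsset("10.20.1.50", "Historian", "OT"),
    DocumentedAsset("10.20.2.5", "Legacy-Packager", "OT"),
]
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.20.1.10", "modbus"),
    Flow("10.20.1.50", "10.20.1.10", "modbus"),
    Flow("10.20.1.77", "10.20.1.10", "modbus"),   # a device nobody documented
    Flow("203.0.113.40", "10.20.1.10", "vnc"),    # approved vendor support session
    Flow("198.51.100.9", "10.20.1.11", "rdp"),    # inbound access with no approval on record
    Flow("198.51.100.9", "10.20.1.77", "rdp"),    # same source reaching the unknown device
]

if __name__ == "__main__":
    for line in report_lines(reconcile(SAMPLE_INVENTORY, SAMPLE_FLOWS)):
        print(line)
```

Run against the sample data it flags one unknown device, one stale inventory entry, and two unapproved inbound sessions. The useful design choice is that the inventory, not the monitoring tool, is the source of truth for what is allowed: the tool supplies observations, and every line of output is a question for the asset owner to close out, which is exactly the "people work" the post argues for.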

The bottom line

OT security is one of the most under-discussed and under-invested areas in cybersecurity right now. The numbers tell the story: more than one in five organisations had an OT incident last year, and 40% of those incidents disrupted operations. The cost of a single bad day in this category averages $8.7 million. The defence is improving slowly. The attack surface is widening.

If you're a leader thinking about OT security, the most important thing I can tell you: it's not a procurement problem. It's an organisational discipline problem. The tools matter, but the harder work doesn't show up in the contract.

If your organisation hasn't started yet, the answer to "when should we begin?" is now. Not because the threat is theoretical. Because it isn't.

Practical writing on shipping, securing, and leading AI — from a product leader who's built AI into media, MSP, cybersecurity, and ecommerce.
© 2026 NABEEL ANSAR.