
3 mistakes CISOs make in OT security and how to avoid them 

IT systems are designed to process large volumes of data. (Image source: UDV Technology)

One of the most pressing challenges is the growing gap between the fast-paced transformation of industrial systems and the conservative nature of existing Operational Technology (OT) infrastructures.

While smart factories require real-time data exchange across all systems, critical industrial assets often run on legacy software with architectures that haven’t changed in decades.

Mistake 1: Applying IT Approaches to OT Environments

Most Chief Information Security Officers (CISOs) are experienced in managing IT infrastructures, where priorities centre around data protection, confidentiality and system flexibility. However, IT security methods are often ineffective in OT environments due to fundamental differences in system purpose and architecture.

IT systems are designed to process large volumes of data, are highly scalable, frequently updated, and have relatively short life cycles (typically 3–5 years). However, OT systems control real-world physical processes in real time, such as opening a valve, starting a conveyor, or regulating voltage. These systems require high precision and reliability. OT hardware and software are often highly specialised and industry-specific, with life cycles ranging from 10 to 60 years. 

Mistake 2: Poor Collaboration with Operational Teams

CISOs and OT specialists often prioritise different outcomes. While CISOs focus on data security and compliance with IT standards, engineers are concerned with maintaining equipment uptime and operational continuity.

IT and OT teams frequently operate in silos. CISOs may lack the authority to implement changes within OT environments, and there certainly is a shortage of professionals who understand both cybersecurity threats and industrial protocols.

To bridge this gap, organisations should foster cross-functional collaboration. Joint working groups and ongoing communication are essential. Security standards such as UAE IAS and NCA ECC must be tailored to the industrial context to avoid introducing instability.

Mistake 3: Misjudging Risks

According to UDV Technologies' practical experience, copying IT controls such as multi-factor authentication or automated updates into OT environments can create a false sense of security, even where such a deployment is possible at all. Meanwhile, real threats like unprotected Modbus and Profinet protocols traversing the network or outdated PLC firmware remain unaddressed.

Managing OT risk effectively requires using specialised assessment methods that focus not just on likelihood, but also on potential impact. Even low-probability scenarios can lead to catastrophic outcomes.

Robust protection demands the integration of cyber and physical security, taking OT specifics into account. As a simple example, instead of active network scanning, passive monitoring tools should be used to avoid disrupting sensitive systems.
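To make the passive-monitoring point concrete, the following added example (not code from the article or from UDV) shows what a passive tool does with traffic that has already been captured: it decodes Modbus/TCP requests, builds an inventory of which host talks to which PLC, and flags write operations from hosts that are not on an allowlist of authorised masters. Nothing is sent to a device. The captured frames, IP addresses and the allowlist are constructed for the example.

```python
"""Passive Modbus/TCP inventory and unauthorised-write detection.

Illustrative example added to the article; not UDV's tooling. It consumes
captured (src, dst, payload) tuples, so it never probes a device itself.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes modelled here (from the Modbus application protocol spec)
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Codes that change process state; reads are benign for inventory purposes
WRITE_CODES = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    address: int


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> Optional[ModbusRequest]:
    """Decode one Modbus/TCP ADU (7-byte MBAP header + PDU).

    Returns None for anything that is not a well-formed request, so non-Modbus
    bytes seen on port 502 are silently skipped rather than misreported.
    """
    if len(payload) < 10:
        return None
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # MBAP "length" counts the unit id plus the PDU, i.e. everything after byte 6
    if proto != 0 or length != len(payload) - 6:
        return None
    function = payload[7]
    if function & 0x80 or function not in FUNCTION_NAMES:
        return None  # exception response, or a code this example does not model
    # Every modelled code carries a 16-bit starting address right after the function code
    address = struct.unpack(">H", payload[8:10])[0]
    return ModbusRequest(src, dst, unit_id, function, address)


def analyse(captured, allowed_writers):
    """Inventory who speaks Modbus to whom and flag writes from unlisted hosts.

    allowed_writers maps a PLC address to the set of masters permitted to write to it.
    """
    inventory = Counter()
    alerts = []
    for src, dst, payload in captured:
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:
            continue
        inventory[(req.src, req.dst, req.unit_id, FUNCTION_NAMES[req.function])] += 1
        if req.function in WRITE_CODES and req.src not in allowed_writers.get(req.dst, set()):
            alerts.append(
                f"{FUNCTION_NAMES[req.function]} to {req.dst} unit {req.unit_id} "
                f"address {req.address} from unlisted host {req.src}"
            )
    return inventory, alerts


def mbap(unit_id: int, pdu: bytes, tid: int = 1) -> bytes:
    """Wrap a PDU in an MBAP header (used only to build the constructed sample)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample capture: hypothetical SCADA server 10.1.1.10, PLCs 10.1.2.5/.6
CAPTURED = [
    ("10.1.1.10", "10.1.2.5", mbap(1, bytes([3]) + struct.pack(">HH", 0, 10))),      # read 10 holding registers
    ("10.1.1.10", "10.1.2.5", mbap(1, bytes([6]) + struct.pack(">HH", 40, 1200))),   # authorised setpoint write
    ("10.1.1.10", "10.1.2.6", mbap(2, bytes([1]) + struct.pack(">HH", 0, 8))),       # read 8 coils
    ("10.1.9.77", "10.1.2.5", mbap(1, bytes([5]) + struct.pack(">HH", 3, 0xFF00))),  # coil write from unknown host
    ("10.1.9.77", "10.1.2.5", b"GET / HTTP/1.1\r\n"),                                 # not Modbus: ignored
]
ALLOWED_WRITERS = {"10.1.2.5": {"10.1.1.10"}, "10.1.2.6": {"10.1.1.10"}}

if __name__ == "__main__":
    inv, found = analyse(CAPTURED, ALLOWED_WRITERS)
    for key, count in sorted(inv.items()):
        print(f"{key[0]} -> {key[1]} unit {key[2]}: {key[3]} x{count}")
    for alert in found:
        print("ALERT:", alert)
```

The allowlist is the part a practitioner has to earn by talking to the engineers who own the process (Mistake 2 above): only they know which engineering workstations and SCADA servers are supposed to write setpoints. The inventory output, built without ever sending a packet to a PLC, is also the starting point for the asset list that outdated-firmware tracking depends on.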


How to avoid these mistakes

1. Embed OT security into production strategy

Clearly define how OT security objectives such as avoiding downtime, preventing accidents, and protecting equipment support production KPIs and strategic targets. Security spending should be factored into all modernisation and digital transformation budgets. It must be a part of the process from the very start, not added later.

2. A dedicated OT Security Manager (OTSM)

The OTSM should act as a strategic partner to both the CISO and production leadership. The OTSM sits at the junction of cybersecurity, OT architecture and business operations and is capable of aligning security goals with business targets. The OTSM should participate in strategic planning sessions, have the authority to propose changes in response to critical risks, and report to both technical leadership and executive stakeholders.

3. Establish operational coordination

Hold regular planning sessions with C-level executives (CEO, COO, CISO, Technical Director, OTSM). Include OT security KPIs in engineering teams’ performance evaluations.

4. OT Risks through a business lens

Go beyond vulnerability lists and consider the business consequences of a security incident: missed contract deadlines, downtime, market share loss, environmental harm, reputational damage, or regulatory penalties. Use localised frameworks such as NCA ECC and UAE IAS. OTSM reports to leadership should frame security risks in terms of operational and financial outcomes, not technical details.

5. Invest in OT-specific technologies 

Simple tools like Data Diodes and OT-SIEM are not only protective measures. They are a foundation for safe data collection and analytics (AI/ML, predictive maintenance) and enable digital strategies. Strong OT security boosts credibility with partners and clients, especially in regulated sectors such as energy and oil & gas.

6. Strategic competence

Ensure senior leaders and production heads understand the basics of OT risks and how they affect business resilience. The OTSM should not only be technically capable, but also have skills in project management, executive communication, and business impact analysis.

This article was authored by Andrew Ketov, senior cybersecurity consultant at UDV Tech. It has been slightly edited for brevity.