Blog 4.5.2026

Even comprehensive cybersecurity alone does not guarantee the digital security of supply


The operating environment for defence and security has changed fundamentally in recent years. Alongside physical capabilities, a digital layer now guides, connects and enables an ever-growing share of operations. This digital layer is critical to ensuring that the structures and solutions of modern society function as intended. As such, cybersecurity in operational technology sits at the very core of overall resilience – yet there is still considerable work to be done.

The convergence of information technology (IT) and operational technology (OT) brings clear benefits: sensors, situational awareness systems, command and control solutions, and networked platforms form an ecosystem where data collection, monitoring and industrial process automation become possible. At the same time, this convergence introduces new types of cyber threats into OT environments.

Digital solutions are no longer limited to a supporting role. They are an integral part and, in many cases, the most critical enabler of performance. As systems extend beyond organisational boundaries and become part of broader ecosystems, the need to understand how these entities operate, how they are managed, and how their continuity is secured in both normal and exceptional circumstances becomes increasingly important.

Focus must therefore shift towards systems that directly connect digital control with the physical operating environment. It is precisely within these OT environments that cybersecurity, operational capability and human safety are most tightly interlinked.


In IT and OT cybersecurity, resilience is already built at the design stage

In IT environments, cybersecurity typically focuses on ensuring the confidentiality, integrity and availability of information. In OT environments, the emphasis extends beyond these to include physical safety and operational reliability: systems must control physical processes correctly, predictably and safely – even during disruptions. For this reason, OT cybersecurity is closely linked to risk management, lifecycle management, and the continuity of operations.

Crucially, in OT environments, many of the defining decisions are made long before deployment. Architecture, integrations, technologies and network connections largely determine how manageable and secure the system will be years down the line. In IT/OT environments, the question is not only about protection but also about building systems that can withstand change, crises, and exceptional situations.


How to lead system development in a reality where systems are layered on top of one another?

In practice, reality is often more complex than the ideal. In many organisations, IT and OT systems have been built at different times to meet the needs of their era, and new development is layered on top of these existing structures. Building secure and crisis-resilient systems requires a clear roadmap. Prioritisation is key, as is the ability to implement improvements in a controlled manner, on terms that respect production and operational continuity.

Below are three key challenges – and approaches to addressing them.

Challenge 1: Lack of situational awareness and strategic direction

The first step in securing critical systems is building understanding and forming a clear situational picture. In many environments, this overview is not fully transparent: devices, technologies, connections and integrations have accumulated over time, and their interdependencies are not always comprehensively documented. Organisations must deepen their understanding of their operating environment – what is happening within it, what devices and connections are in use, how data flows, and what constitutes normal behaviour.

However, understanding alone is not enough. Without a clear view of how security should be built in practice, it is difficult to respond effectively to security needs. A sound strategy should answer what security aims to achieve, and what requirements, objectives, characteristics and threat scenarios must be addressed. A well-defined situational picture, combined with a derived strategy, provides a clear and prioritised roadmap for building security.

Challenge 2: Disruption to operations

As understanding grows, the next challenge lies in implementing changes without disrupting operations. In OT environments, systems are often critical and continuously in use, so they cannot be stopped or updated in the same way as IT systems.

This means cybersecurity must be built incrementally: network segmentation is introduced in a controlled manner, access management is refined, and monitoring is extended where it has the greatest impact. Every change requires planning, testing, and often practical compromises.

Challenge 3: Aligning IT and OT environments

Beyond technical solutions, a significant challenge lies in operating models and responsibilities. IT and OT have traditionally operated separately, with partly differing objectives. As cyber resilience is developed, these interfaces become central. A shared language, clear roles, and an understanding of responsibilities are essential – particularly in situations where anomalies occur.

At the same time, access management and monitoring become critical. Not all usage is equal, and not all traffic needs to be permitted. When access rights and visibility are under control, deviations can be detected and managed quickly and effectively.

Frameworks support, but should not define thinking

Cybersecurity in critical systems is often discussed in terms of requirements, standards, and compliance. This is understandable since regulations have tightened and the operating environment has evolved.

Standards and frameworks such as NIST, IEC 62443, ISO 27001 and KATAKRI provide a strong foundation for developing OT cybersecurity. They help structure the work and ensure that key areas are addressed. However, for leading organisations, they are a starting point – not the destination.

One important perspective is often missing from the conversation: what if cybersecurity were pursued not merely at a sufficient level or because it is required, but because we genuinely want to do things better?


In defence and security, this shift in mindset is particularly relevant. The focus moves from pure risk management to strengthening overall capability – and ultimately, the security of supply. When OT cybersecurity and preparedness for crisis and exceptional situations are seen not as obligations but as deliberate choices and sources of competitive advantage, they begin to shape how systems are designed, built and operated.

For organisations responsible for society’s critical functions, this ultimately comes down to trust. Trust that systems work, that decisions are based on accurate information, and that operations continue even as the environment changes.


Build secure and crisis-resilient digital solutions


Operational Technology (OT) environments refer to systems that monitor and control physical processes, such as manufacturing equipment, energy networks, logistics, and other critical functions where digital control directly affects the physical world.

At their core are often Industrial Control Systems (ICS), such as SCADA and DCS solutions, which collect data, control processes and enable operational continuity.

In the context of defence and security, OT cybersecurity means ensuring the safe operation of systems and protecting against the vulnerabilities and attack surfaces introduced by IT/OT convergence. It ensures that control functions operate correctly, processes remain under control, and operations continue predictably even in changing conditions. A key priority is also to ensure that human safety is never compromised in the event of disruptions.


Mikko Siimes

Head of National Security & Defence

Mikko has over 20 years of experience in security-related roles across both government security authorities and international companies. In his work with security authorities, he has been responsible for operational-level security and cybersecurity. In the private sector, he has led business strategy, business development, and client relationships. At Gofore, Mikko is responsible for client accounts within the National Security and Defence sector.
