We are surrounded by technology, not just in what we carry but in nearly every aspect of our daily lives. For many, the term Operational Technology (OT) is largely unknown, and how it works is understood even less. Many perceive manufacturing to be what OT is all about. Though this is true, OT is also essential in sectors such as energy, transportation, utilities, and entertainment, where it manages the automation of complex operations for machinery, power plants, and transportation systems (e.g., subways). I recently had the opportunity to create and teach a course (Professionally Evil ICS & OT Fundamentals) on this topic. For those who have written any subject matter course, among the first thoughts is likely “where do I start?” In almost any topic, and especially OT, there is truly a lot to share, learn, and understand. So, let's start with a comparison between IT and OT, since many readers may have an understanding of the first.
IT vs. OT: Understanding Some Key Similarities and Differences
Though OT does have its uniqueness from traditional IT (Information Technology), there are similarities between the environments. Some examples of similarities are:
- Dependence on data integrity, availability, and security to function effectively.
- Secure and reliable networking to support their ecosystems.
- Strong controls to prevent unauthorized access, cyber-attacks, and disruptions.
As penetration testers, we often have to evaluate both IT and OT systems, analyzing how they interact and where potential vulnerabilities and attack vectors exist. One of the simplest ways to understand the key difference is:
IT systems are designed to manage data and applications, whereas OT systems integrate hardware and software to directly monitor, control, and automate physical processes, ensuring safety, reliability, and efficiency in critical environments.
Unlike IT systems, which operate in data-driven networks, OT operates on real-time control principles of physical infrastructure where safety and response times are critical. OT systems include the devices that monitor (e.g., sensors) and command (e.g., Programmable Logic Controllers) other devices (e.g., motors, valves, elevators, robotic arms) to run safely and as intended. Many OT networks use specialized industrial protocols such as Modbus, Profinet, and DNP3 (Distributed Network Protocol) instead of traditional TCP/IP-based IT infrastructure.
Automation and the Role of OT in Everyday Life
Human safety is the primary objective in all systems, but is even more significant when building and operating an OT environment. This is due to the fact that OT systems literally control automated systems to ensure physical devices operate as designed. Through the automation of OT processes, there is improved safety, productivity, and system uptime. OT also plays a foundational role in the Industrial Internet of Things (IIoT) by connecting systems and devices with digital technologies for smart operations and data-driven decision-making. There is little doubt that some of you reading this can check on your home when a package is delivered or turn on the lights from your smartphone while away. Controlling security systems and door locks, outlets and lighting, temperature control, and even furry family member feeders have all now become part of the ‘smart-home’ ecosystem.
Going further with this example, the smartphone itself has become a control system for the smart-home. However, while smart-home automation shares similarities with OT in terms of control, consumer IoT (Internet of Things) lacks the rigorous safety, intentional operation, and regulatory standards required in industrial OT environments.
Consider the scenario of a fall day that starts out relatively cool, even more than expected. You make the decision that it’s time to turn the heat on to take the chill from your home. You leave home to run errands and enjoy the day. By mid-day the outside temperatures begin to climb higher than what was forecasted. Shocker, right? Realization hits that, even though the thermostat will shut off the heat accordingly, the weather has now become very warm and the house will be uncomfortably warm when you return. No worries though, your smart thermostat can be controlled through a smartphone app that allows you to change from heating to A/C with a few taps. It’s amazing how the dream of a great, big, beautiful tomorrow is no longer a dream away.
Though a basic example of a consumer HVAC system, it serves as a concept to build on. Consider having a home that has multiple zones from the first to second floors. Now scale this consumer home model to office buildings. Multiple floors and rooms generally have their own thermostats that connect to sensors which then interact with automated airflow dampers and fan speeds, adjusting airflow dynamically. A simple design has grown in complexity, been made more efficient by automation, and goes largely unnoticed, yet it allows us to have comfortable living and working environments. Much like a smart thermostat automates home and office comfort, OT in industrial environments ensures large-scale efficiency, safety, and reliability.
The Absence of Automation: A Case Study in Risk
OT’s impact extends beyond factories and power plants to unexpected places, like theme parks. Let’s first discuss an amusement park with minimal, or no, controls and automation…
In the northeast, there was a recreational area that, for the purposes of this discussion, I'll refer to as "Activity Playground" (not its real name). This venue offered thrill seekers amusement that was mostly free of automation and controls. There were waterslides and go-karts, and even a ‘hill’ where you slid down on a mat and could catch serious air by being launched from rollers in the slope. The rides were designed to be thrilling, fast, and mostly free from control, and safety was not a primary objective. This was the draw. Unfortunately, this was also a recipe for injury and more. There are many stories of broken limbs and more serious casualties.
In contrast, consider another famous destination amusement park, which I'll call "Magical World" to protect its identity.
Unlike Activity Playground, Magical World operates a highly controlled, technology-driven experience, with largely unnoticed integration of OT and IT systems delivering guest safety, experience personalization, and operational efficiency.
OT and IT in Theme Parks: Managing the Guest Experience
Magical World is powered by its own power generation facility, uses dams and bridges for water and transportation management, has water and waste treatment facilities, and uses IT and OT systems extensively. For example, the park has systems that perform crowd level monitoring and ride line movement.
In just one ride facility, which is a distributed control system (DCS) within the park (let’s call it the Steeple of Shock), there are IT systems to monitor ride eligibility and access, while OT systems monitor (through long-range RFID) guests’ time spent and movement through line queues. This information is then fed to backend IT analytics systems to predict wait times. This information is then processed by OT control systems that dynamically adjust ride operations, by either opening more ride system tracks to manage the crowd capacity or reducing dispatch times for improved efficiency. This, in turn, increases the guests’ enjoyment, all while going mostly unnoticed.
Throughout this immersive experience, and once seated within the ride cab, there are OT controllers, PLCs (Programmable Logic Controllers), which are the primary devices for controlling the multitude of processes (lighting, video) and actions (position, speed) the ride system and cab go through. The PLCs monitor the ride system and cab sensors for awareness and management of ride cab position, movement, and safety. The sensor information is also fed back to the primary ride control panel, where ride operators are provided details of ride capacity (from how many guests are in the ride cab to how many ride cabs are in operation), whether safety mechanisms such as guest safety restraints and ride cab locking mechanisms are enabled, where within the experience the individual ride systems are located at any time, ride cab direction of movement and speed, what stage of the ride the ride cab is in, and how many drops will be experienced and at what speed. There is even video recording provided by an on-ride camera, which can associate guests with their specific video by picking up an RFID (Radio Frequency Identification) signal from a band worn by the guest; the video is then delivered to their IT-based guest photo service account. All of this is going on mostly unnoticed, except for the timely clicking of a locking mechanism becoming ‘unlocked’ before the ‘drop’.
Operational Technology has long been believed to only live within the confines of a refinery or manufacturing facility. Though we know it is out there, its use within our everyday lives is to the point that we go about the day consciously unaware, and maybe unappreciative, of the impact and luxury it provides. Many may take time to ‘unplug’ from IT devices, yet would be hard-pressed to say ‘just turn it off’ when it comes to elevators taking us to the 13th floor or life-saving medical devices and services.
Cybersecurity Challenges in OT Systems
While OT provides numerous advantages, its integration with IT introduces new security risks. Historically, OT environments were air-gapped (physically isolated from IT networks), but today, digitization and remote monitoring have exposed them to cyber threats.
Real-world examples include:
- Triton (2017) – A targeted attack on an industrial safety control system, attempting to disable automated fail-safes in a petrochemical plant.
- Colonial Pipeline (2021) – A ransomware attack that disrupted fuel distribution along the U.S. East Coast.
- Medusa Ransomware (2021) – A ransomware attack victimizing critical infrastructure sectors including industries such as medical, education, legal, manufacturing, and technology.
These incidents highlight the urgent need for security assessments. Unprotected OT systems are potential targets for ransomware, sabotage, and cyber-physical attacks, which can lead to significant safety and operational risks.
The Importance of Securing IT-OT Ecosystems
With how intertwined OT has become with our everyday lives and lifestyle, organizations must proactively assess vulnerabilities. This includes:
- Conducting security assessments and penetration testing
- Ensuring IT and OT network segmentation
- Implementing access controls and anomaly detection
Understanding deficiencies within the OT / IT ecosystem and the potential for its misuse is critical for safe operation. At Secure Ideas we specialize in consulting and advisory services, security assessments, vulnerability management and penetration testing services that help provide our clients visibility into what goes unnoticed. Whether securing Industrial Control Systems, Critical Infrastructure, or Entertainment venues, our objective is to help clients understand hidden risks and ensure safe and resilient operations.
Conclusion: OT’s Invisible Impact on Daily Life
OT has long been associated with industrial settings. Today it extends into everyday experiences, from smart homes to amusement parks. Many people seek to “unplug” from IT devices, yet would be hard-pressed to disconnect from OT. The role of OT ranges from convenience to critical in our everyday lives. In some cases it’s directly in front of us and quite visible, while other times its systems operate nearly invisibly as we are drawn into an immersive experience. Cyber and physical security must always be considered from the planning stage and throughout the entire build process to being fully operational, ensuring its safe, intended, and efficient use.
About The Author:
Giovanni Cofré joins Secure Ideas with 25+ years of IT experience, specializing in network security for corporate, OT, and e-commerce environments since 2000. He's committed to mentoring security professionals and promoting security awareness. His expertise spans multiple industries in both private and public sectors, where he's implemented security frameworks based on CIS CSC, HITRUST, PCI, and NIST standards. Giovanni excels in vulnerability assessment, penetration testing, and developing practical security processes. His notable work in e-commerce and energy industries includes establishing secure coding practices and maturing enterprise security strategies. Giovanni focuses on environment-specific practices that meet business needs while building resilient infrastructures.