OT and industrial cybersecurity
Quick summary
Operational technology has become a primary target, and the rules governing its security have tightened sharply. This guide explains how OT monitoring, IT/OT convergence and EU regulation combine into one connected discipline for energy and industrial operators.
Introduction
Operational technology used to be protected mainly by isolation: systems that did not connect to anything could not easily be attacked. That assumption has collapsed. ENISA's latest threat landscape, drawn from nearly 4,900 incidents, found that internet-exposed devices and OT systems remain high-value targets across every category of threat (ENISA, 2025), and the same connectivity that makes modern operations possible has enlarged the attack surface that once barely existed. At the same time, a wave of EU regulation has reclassified the security of these systems from good practice to legal obligation.
Those two pressures, a worsening threat environment and a tightening regulatory one, are why OT and industrial cybersecurity has to be approached as a single connected discipline rather than a set of unrelated tasks. Seeing the network, securing the dissolving boundary between IT and OT, documenting compliance against NIS2 and meeting product obligations under the Cyber Resilience Act are not separate workstreams. They reinforce each other, and the operators who integrate defence and compliance are the ones who stay both secure and lawful.
You cannot defend what you cannot see
Everything in OT security begins with visibility, because a network that is not observed cannot be defended. Monitoring and intrusion detection in operational technology differ fundamentally from their IT equivalents: OT prioritises availability and safety above all, runs specialised protocols, and frequently cannot tolerate the active scanning or frequent patching that IT security takes for granted. Building detection that respects those constraints is a discipline of its own, examined in the analysis of intrusion detection and monitoring for OT networks.
This is the foundation the rest of the discipline builds on. Continuous OT asset visibility and monitoring is what makes every later control meaningful, because segmentation, response and compliance evidence all depend on knowing what is actually on the network and how it is behaving.
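A concrete way to see what "visibility that respects availability constraints" means in practice is a passive monitor: it only decodes frames copied from a SPAN or tap port, builds an asset inventory from them and alerts on behaviour that deviates from a baseline, without ever probing a device. The following Python is an added illustration written for this page, not code from the original article or from any of the analyses it links to. It assumes Modbus/TCP (MBAP header plus PDU) as the protocol, a constructed list of allowed writers, and constructed sample traffic; the host addresses, the vendor-looking function code 100 and the truncated frame are all fabricated for the example.

```python
import struct
from dataclasses import dataclass

# Subset of the public Modbus function codes this monitor understands (constructed for the example).
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(raw: bytes) -> ModbusFrame:
    """Decode a 7-byte MBAP header followed by the PDU; raise ValueError on malformed input."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", raw[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(raw) - 6:  # MBAP length counts the unit id plus the PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(transaction_id, unit_id, raw[7], raw[8:])


class PassiveModbusMonitor:
    """Builds an inventory and raises alerts from observed frames only; it never sends traffic."""

    def __init__(self, allowed_writers):
        self.allowed_writers = set(allowed_writers)   # hosts baselined as permitted to write
        self.inventory = {}   # ip -> {"roles", "units", "functions"} learned passively
        self.alerts = []      # (kind, src, dst, detail)

    def _record(self, ip, role, frame):
        entry = self.inventory.setdefault(ip, {"roles": set(), "units": set(), "functions": set()})
        entry["roles"].add(role)
        entry["units"].add(frame.unit_id)
        entry["functions"].add(frame.function_code)

    def observe(self, src, dst, raw):
        try:
            frame = parse_modbus_tcp(raw)
        except ValueError as err:
            self.alerts.append(("malformed", src, dst, str(err)))
            return
        self._record(src, "client", frame)
        self._record(dst, "server", frame)
        fc = frame.function_code
        if fc not in MODBUS_FUNCTIONS:
            self.alerts.append(("unknown-function", src, dst, fc))
        elif fc in WRITE_FUNCTIONS and src not in self.allowed_writers:
            self.alerts.append(("unauthorised-write", src, dst, MODBUS_FUNCTIONS[fc]))


def build_frame(transaction_id, unit_id, function_code, data=b""):
    """Assemble a Modbus/TCP frame; used here only to fabricate sample traffic."""
    header = struct.pack(">HHHB", transaction_id, 0, len(data) + 2, unit_id)
    return header + bytes([function_code]) + data


def run_sample():
    """Constructed traffic: an HMI, an engineering workstation and an unlisted host talking to one PLC."""
    hmi, ews, unknown, plc = "10.1.2.5", "10.1.2.7", "10.1.2.99", "10.1.3.20"
    monitor = PassiveModbusMonitor(allowed_writers=[ews])
    traffic = [
        (hmi, plc, build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),      # read 10 holding registers
        (ews, plc, build_frame(2, 1, 6, b"\x00\x10\x00\x01")),      # write from a baselined host
        (unknown, plc, build_frame(3, 1, 6, b"\x00\x10\x00\x00")),  # write from an unlisted host
        (unknown, plc, build_frame(4, 1, 100, b"\x01")),            # function code outside our table
        (unknown, plc, b"\x00\x05\x00\x00"),                        # truncated frame
    ]
    for src, dst, raw in traffic:
        monitor.observe(src, dst, raw)
    return monitor


if __name__ == "__main__":
    m = run_sample()
    for ip, info in sorted(m.inventory.items()):
        print(ip, sorted(info["roles"]), sorted(info["functions"]))
    for alert in m.alerts:
        print("ALERT", alert)
```

The design choice worth noting is that every piece of inventory (which hosts act as clients or servers, which unit ids and function codes they use) comes from what the network already says about itself, so the monitor adds no load to the controllers. The three alert kinds map onto the evidence an operator later needs: a write from outside the baseline, a function the baseline has never seen, and a frame that does not decode.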
Takeaway: OT defence starts with visibility, achieved through methods that respect availability and safety constraints.
Securing the boundary as it disappears
For years the protection of operational systems rested on a boundary between IT and OT. As those worlds merge, that boundary dissolves, and the security model has to be rebuilt for a more connected reality. This means rethinking segmentation, applying zero-trust principles and adapting reference models like the Purdue architecture, all without compromising the determinism and availability that operations depend on, the substance of the analysis of securing IT and OT convergence in industrial systems.
The key is adaptation rather than importation. IT security principles are sound, but applying them unmodified to OT, with its decade-long lifecycles and intolerance for disruption, causes as many problems as it solves. Convergence security works when those principles are reshaped to operational constraints.
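Reshaping segmentation to operational constraints usually comes down to an explicit zone-and-conduit policy: every subnet is assigned a Purdue level, only enumerated conduits are allowed between levels, and anything that crosses the enterprise/OT boundary without passing through the industrial DMZ is flagged. The Python below is an added example written for this page, not code from the original article or the analysis it links to. The zone map, the conduit list and the flow records are constructed; the level numbers follow the usual Purdue convention with 3.5 standing for the DMZ.

```python
import ipaddress

# Constructed zone map: subnet -> Purdue level (3.5 is the industrial DMZ).
ZONES = {
    "10.0.0.0/16":   4.0,  # enterprise network
    "172.16.0.0/24": 3.5,  # industrial DMZ (historian mirror, jump hosts)
    "10.1.2.0/24":   3.0,  # site operations (HMIs, engineering workstations)
    "10.1.3.0/24":   2.0,  # supervisory control / PLCs
    "10.1.4.0/24":   1.0,  # basic control
}

# Constructed allow-list of conduits: (client level, server level, TCP port). Everything else is denied.
CONDUITS = {
    (4.0, 3.5, 443),  # enterprise users read the DMZ historian over HTTPS
    (3.5, 3.0, 22),   # DMZ jump host into site operations
    (3.0, 2.0, 502),  # HMI / engineering to PLCs over Modbus/TCP
    (2.0, 1.0, 502),  # supervisory to basic control
}

DMZ_LEVEL = 3.5
_NETWORKS = [(ipaddress.ip_network(net), level) for net, level in ZONES.items()]


def level_of(ip):
    """Longest-prefix match of an address to its Purdue level; None if the address is unclassified."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, level) for net, level in _NETWORKS if addr in net]
    return max(matches)[1] if matches else None


def evaluate_flow(src, dst, port):
    """Return (allowed, reason) for one observed flow."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return False, "unclassified endpoint: inventory it before defining any conduit"
    if (s, d, port) in CONDUITS:
        return True, f"conduit L{s:g}->L{d:g}/{port}"
    # One side above the DMZ and the other below it means the DMZ was bypassed entirely.
    if (s > DMZ_LEVEL) != (d > DMZ_LEVEL) and DMZ_LEVEL not in (s, d):
        return False, f"L{s:g}->L{d:g}/{port} crosses the enterprise/OT boundary without traversing the DMZ"
    return False, f"no conduit defined for L{s:g}->L{d:g}/{port}"


def evaluate_flows(flows):
    """Annotate each (src, dst, port) record with its verdict and reason."""
    return [(src, dst, port) + evaluate_flow(src, dst, port) for src, dst, port in flows]


# Constructed flow records (src, dst, dst_port), e.g. exported from a firewall or flow collector.
SAMPLE_FLOWS = [
    ("10.0.0.15", "172.16.0.10", 443),   # enterprise -> DMZ historian
    ("10.1.2.5", "10.1.3.20", 502),      # HMI -> PLC
    ("10.0.0.15", "10.1.3.20", 502),     # enterprise host straight to a PLC
    ("10.1.3.20", "10.1.2.5", 22),       # PLC network opening SSH towards site ops
    ("192.168.9.9", "10.1.4.7", 502),    # address not in the zone map
]

if __name__ == "__main__":
    for src, dst, port, allowed, reason in evaluate_flows(SAMPLE_FLOWS):
        print("ALLOW" if allowed else "DENY ", f"{src} -> {dst}:{port}", "|", reason)
```

Running it against real flow exports turns the segmentation design into something checkable: the allow-list is the design, the denied records are the gap between design and reality, and the "unclassified endpoint" verdict ties the exercise back to the asset inventory that the previous section argued everything depends on.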
Takeaway: Convergence security adapts IT principles to OT realities, rather than importing IT practice wholesale.
Regulation makes security an accountable obligation
NIS2 has turned much of this from good engineering into legal duty. It places binding cybersecurity obligations on essential and important entities, including much of the energy sector, and ENISA found that 53.7 percent of recorded incidents concerned entities defined as essential under the directive (ENISA, 2025), which shows how closely the law tracks real exposure. The broad scope and the practical steps it demands are set out in the overview of the NIS2 directive in 2026.
In operational environments the directive becomes very specific. For substation, SCADA and RTU systems it translates into documented risk management and security measures that a regulator can examine, a translation detailed in the analysis of what NIS2 means for substation and SCADA security. Security is no longer something an operator can simply assert; it is something that must be evidenced.
Takeaway: For critical operators, NIS2 turns OT security into a documented, accountable obligation.
Security extends to the product itself
The newest front is the product. The Cyber Resilience Act extends security obligations to connected and IoT products across their entire lifecycle, with requirements for vulnerability handling and reporting and deadlines phasing in through 2027. For anyone manufacturing or integrating connected devices, this reframes security as a property that must be built and maintained over the life of the product, not delivered once at launch, as set out in the Cyber Resilience Act explained for software and IoT companies.
It also closes the circle with everything above. Product-level obligations meet organisational ones, so a connected device run by a regulated operator sits under both the CRA and NIS2, which is precisely why defence and compliance can no longer be separated.
Takeaway: Product-level security is now a regulated obligation across the connected-device lifecycle.
Conclusion
OT and industrial cybersecurity is one connected discipline pulled together by a worsening threat environment and a tightening legal one. It starts with seeing the network, continues by securing the vanishing boundary between IT and OT, is anchored by documented compliance against NIS2, and now extends to product obligations under the Cyber Resilience Act. With operational technology squarely in attackers' sights and regulation advancing in parallel, the operators who integrate these strands, rather than treating security and compliance as separate problems, are the ones who manage to be both defensible and lawful.
FAQ
Why is OT security harder than IT security?
Operational technology prioritises availability and safety, runs specialised protocols, operates for decades and often cannot be patched or scanned on IT timelines. Security techniques have to be adapted to those constraints rather than copied directly from IT environments.
What does NIS2 require of energy operators?
Risk management, incident reporting and management accountability for essential and important entities. In substation, SCADA and RTU environments this becomes specific, documented security measures that regulators can inspect.
How does the Cyber Resilience Act fit alongside NIS2?
NIS2 governs organisations as operators of services, while the Cyber Resilience Act governs the security of products placed on the EU market. Connected products operated by regulated entities can fall under both at the same time.
Sources
- ENISA Threat Landscape 2025 – ENISA – 2025 – https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
- Cyber Resilience Act, official text and timeline – European Commission – 2024 – https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
- Directive (EU) 2022/2555 (NIS2) – EUR-Lex – 2022 – https://eur-lex.europa.eu/eli/dir/2022/2555/oj
