If you run OT security for a living, you already know the bad news: the threats targeting industrial networks are getting worse, and most organizations are still playing catch-up. Here's what I think is actually worth paying attention to this year, based on what we're seeing in real environments.
What's Driving the Shift
A few things are converging at once, and they're all making life harder for OT defenders.
More Connected Devices, More Problems
Every plant floor I walk into has more IoT sensors than it did two years ago. Temperature monitors, vibration sensors, smart valves. Most of them run stripped-down firmware with no authentication, no encryption, and no update mechanism. They were designed to be cheap and reliable, not secure.
The real danger isn't the sensor itself. It's that these devices create network paths that didn't exist before, and most OT teams don't have full visibility into what's actually talking to what.
AI Is a Double-Edged Sword
AI-based anomaly detection is genuinely useful for spotting weird traffic patterns in OT networks. But attackers are using the same technology to craft better phishing emails, automate reconnaissance, and find vulnerabilities faster. A threat actor using an LLM to map out Modbus traffic patterns isn't science fiction anymore.
Regulations Are Tightening
NIS2 is forcing European operators of essential services to get serious about network segmentation and access controls. For many organizations, this means retrofitting security onto networks that were designed in the 1990s.
On the US side, CMMC is still a pain point for defense contractors. If you're handling CUI and your OT network touches anything related to production for DoD contracts, you need to prove segmentation and access control. Not just on paper, but in practice.
The Threats That Actually Keep Me Up at Night
APTs Targeting Industrial Control Systems
Nation-state actors aren't going after OT just for espionage anymore. Groups like Sandworm and Volt Typhoon have shown they're willing to pre-position inside industrial networks for future disruption. The Volt Typhoon campaign was particularly alarming because the attackers used living-off-the-land techniques that blended in with normal admin activity.
If you're only looking for malware signatures on your OT network, you'll miss this entirely. You need behavioral baselines for your control system traffic and someone who actually reviews the alerts.
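Here's what a behavioral baseline looks like in the simplest possible form, as an added example that isn't code from the original post: learn which (source, destination, protocol, operation) tuples show up during a quiet training window, then alert on anything outside that set. Living-off-the-land activity uses legitimate protocols, so the signal is the pair being new, not the protocol being malicious. Every address, function-code label and flow record below is constructed.

```python
"""Behavioral baseline for control-system traffic.

Learn which (src, dst, protocol, operation) tuples are normal during a
training window, then alert on anything outside that set. Added example;
every address and record below is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "modbus", "smb", "rdp", ...
    op: str      # Modbus function code ("fc3" = read holding registers) or protocol op
    ts: int      # constructed timestamp, seconds


# Modbus function codes that change process state; a new writer is higher severity
WRITE_OPS = {"fc5", "fc6", "fc15", "fc16"}

# Constructed training window: HMI 10.1.2.10 polls two PLCs and writes setpoints
# to one of them; engineering workstation 10.1.2.20 only reads.
TRAINING = [
    Flow("10.1.2.10", "10.1.2.50", "modbus", "fc3", 100),
    Flow("10.1.2.10", "10.1.2.51", "modbus", "fc3", 101),
    Flow("10.1.2.10", "10.1.2.50", "modbus", "fc16", 102),
    Flow("10.1.2.20", "10.1.2.50", "modbus", "fc3", 103),
    Flow("10.1.2.10", "10.1.2.50", "modbus", "fc3", 104),
    Flow("10.1.2.20", "10.1.2.51", "modbus", "fc3", 105),
]

# Constructed live traffic: the usual polling plus three deviations.
LIVE = [
    Flow("10.1.2.10", "10.1.2.50", "modbus", "fc3", 200),
    Flow("10.1.2.20", "10.1.2.50", "modbus", "fc16", 201),  # workstation starts writing
    Flow("10.1.2.30", "10.1.2.10", "smb", "session", 202),  # unknown host opens SMB to the HMI
    Flow("10.1.2.30", "10.1.2.10", "rdp", "login", 203),    # ... then RDP, all built-in tooling
    Flow("10.1.2.20", "10.1.2.51", "modbus", "fc3", 204),
]


def key(f: Flow) -> tuple:
    """The tuple a baseline is built from; timestamps are deliberately excluded."""
    return (f.src, f.dst, f.proto, f.op)


def learn_baseline(flows, min_count: int = 1) -> set:
    """Tuples seen at least min_count times in the training window.
    Raise min_count on a long window to drop one-off noise."""
    counts = Counter(key(f) for f in flows)
    return {k for k, n in counts.items() if n >= min_count}


def detect(baseline: set, flows) -> list:
    """Return (severity, message) for each flow outside the baseline."""
    alerts = []
    for f in flows:
        if key(f) in baseline:
            continue
        sev = "high" if f.op in WRITE_OPS else "medium"
        alerts.append((sev, f"t={f.ts} new {f.proto}/{f.op} {f.src}->{f.dst}"))
    return alerts


if __name__ == "__main__":
    for sev, msg in detect(learn_baseline(TRAINING), LIVE):
        print(sev, msg)
```

Two things to notice: a signature engine sees nothing wrong with any of the three flagged flows, and the write from a host that had only ever read is the one you want a human to look at first. In a real deployment the baseline comes from weeks of passive capture, not six records, and the "someone who actually reviews the alerts" part is still on you.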
Insider Threats (The Uncomfortable One)
Nobody likes talking about this. But a disgruntled operator with legitimate access to an HMI can do more damage in five minutes than most external attackers can do in a month. I've seen cases where a contractor with VPN access to a SCADA system kept that access for over a year after their contract ended, simply because nobody revoked it.
Least privilege isn't optional in OT. Every remote access session should be time-limited, logged, and tied to a specific maintenance window. Trout Access Gate handles this with gated, auditable access to OT systems. No permanent VPN tunnels sitting open.
Industrial Espionage Through OT Networks
Think about what lives on your OT network: process recipes, PLC logic, production parameters. For a competitor, that data is gold. And because most OT networks have weaker monitoring than IT networks, they're an easier target.
I worked with a chemical manufacturer that discovered exfiltration of batch process data through an unsegmented historian server. The attacker got in through a contractor laptop and pivoted to the historian because nothing was stopping lateral movement between the IT DMZ and the process network.
Legacy Systems You Can't Patch
Let's be honest. You have Windows XP machines running HMIs. You have PLCs with firmware from 2008. You can't patch them because the vendor is gone, or the patch would require a two-week production shutdown, or the system simply doesn't support updates.
The answer isn't pretending you'll patch everything. The answer is isolation. Put those legacy systems behind a gateway that controls exactly who and what can reach them. Monitor the traffic going in and out. Accept that the device itself will never be secure, and build your defense around it instead.
Supply Chain Compromises
The SolarWinds attack was IT-focused, but the same playbook works for OT. Your PLC vendor's update server gets compromised, and now you're downloading backdoored firmware. Your system integrator's laptop has credentials to your process network, and their security practices are an unknown.
Every third-party connection to your OT network is a potential entry point. Treat vendor access the same way you'd treat any untrusted connection: authenticate, authorize for a specific task, monitor the session, and cut it off when they're done.
What Actually Works
Zero Trust, But For Real This Time
Zero trust gets thrown around so much it's almost meaningless. In OT, here's what it actually means: don't let anything communicate with anything else unless there's an explicit policy allowing it. That includes engineer workstations, historian servers, and especially remote access sessions.
The Trout Access Gate enforces this at the network level. Instead of relying on VLANs and firewall rules that nobody updates, it creates per-session access grants that expire automatically. It's the difference between a door that's always unlocked and a door that opens only when someone with the right badge shows up for a scheduled visit.
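To make the "door that opens only for a scheduled visit" idea concrete, here is a small Python model of per-session access grants, added as an example of the remote-access rules from the insider-threat section above and the per-session, auto-expiring grants described here. It is not code from the original post, from Trout, or from any product; the window-and-ticket model, host names and times are assumptions.

```python
"""Per-session, time-limited remote access grants with an audit trail.

Default deny: a user reaches an OT asset only while holding a grant issued
inside a scheduled maintenance window for that asset and change ticket, and
the grant dies on its own when the session limit or the window ends.
Added example, not any product's code; the window and ticket model is an
assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class MaintenanceWindow:
    asset: str
    start: datetime
    end: datetime
    ticket: str        # change ticket the window was scheduled under


@dataclass(frozen=True)
class Grant:
    user: str
    asset: str
    ticket: str
    expires: datetime


class AccessGate:
    def __init__(self, windows, max_session=timedelta(hours=2)):
        self.windows = list(windows)
        self.max_session = max_session
        self.grants = {}       # (user, asset) -> Grant
        self.audit = []        # append-only event log

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request(self, user, asset, ticket, now):
        """Issue a grant only if a window for this asset and ticket is open now."""
        for w in self.windows:
            if w.asset == asset and w.ticket == ticket and w.start <= now < w.end:
                expires = min(now + self.max_session, w.end)   # never outlive the window
                g = Grant(user, asset, ticket, expires)
                self.grants[(user, asset)] = g
                self._log("grant", user=user, asset=asset, ticket=ticket,
                          expires=expires.isoformat())
                return g
        self._log("deny", user=user, asset=asset, ticket=ticket,
                  reason="no open maintenance window")
        return None

    def check(self, user, asset, now):
        """Per-connection decision: only an unexpired grant for exactly this
        user and asset passes. Expired grants are dropped on first touch."""
        g = self.grants.get((user, asset))
        if g is None:
            self._log("deny", user=user, asset=asset, reason="no grant")
            return False
        if now >= g.expires:
            del self.grants[(user, asset)]
            self._log("expire", user=user, asset=asset, ticket=g.ticket)
            return False
        self._log("allow", user=user, asset=asset, ticket=g.ticket)
        return True

    def revoke(self, user, reason):
        """Drop every live grant for a user, e.g. when a contract ends."""
        for k in [k for k in self.grants if k[0] == user]:
            del self.grants[k]
            self._log("revoke", user=user, asset=k[1], reason=reason)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed date
    gate = AccessGate([MaintenanceWindow("plc-line3", t0, t0 + timedelta(hours=4), "CHG-1001")])
    gate.request("vendor.jo", "plc-line3", "CHG-1001", t0 + timedelta(minutes=10))
    print(gate.check("vendor.jo", "plc-line3", t0 + timedelta(hours=1)))   # True
    print(gate.check("vendor.jo", "plc-line3", t0 + timedelta(hours=3)))   # False, expired
    for e in gate.audit:
        print(e)
```

The design choice worth copying is that there is no "grant forever" path at all: the grant's expiry is the shorter of the session cap and the window end, so the contractor-with-a-year-of-VPN scenario can't happen by omission. Revocation exists for the case where you want access gone before that, and every decision, including denials, lands in the audit log.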
Segmentation That Reflects How OT Actually Works
Most segmentation advice comes from IT people who think in terms of subnets and VLANs. In OT, you need to think about process zones. The Purdue Model isn't perfect, but it gives you a starting point: separate your safety systems from your control systems, your control systems from your supervisory systems, and your supervisory systems from the enterprise network.
The hard part isn't drawing the zones on a diagram. It's enforcing them when your process engineer needs to pull data from a Level 1 device into a Level 3 historian, and they just want to "make it work."
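The gateway-in-front-of-legacy-systems approach from the patching section and the process-zone enforcement described here come down to the same mechanism: an explicit allowlist of conduits between zones, with everything else denied. The following Python is an added example of that policy check, not code from the original post; the asset inventory, zone names, conduits and flow records are all constructed assumptions.

```python
"""Default-deny zone conduit policy modelled on Purdue levels.

Every asset is assigned to a zone, and a flow passes only if the
(source zone, destination zone, protocol) conduit is explicitly listed.
Anything unlisted, including any unknown device, is denied. Added example;
the inventory, conduits and flows are constructed."""

# Constructed asset inventory: host -> zone. A device not in here is unknown.
ZONES = {
    "sis-01":        "safety",
    "plc-line3":     "L1-control",
    "hmi-01":        "L2-supervisory",
    "historian-01":  "L3-site",
    "reporting-dmz": "L3.5-dmz",
    "erp-app":       "L4-enterprise",
}

# Allowed conduits, each one deliberate and directional (who initiates):
# supervisory polls control, the site historian collects from supervisory,
# and the enterprise only ever talks to the DMZ.
CONDUITS = {
    ("L2-supervisory", "L1-control",     "modbus"),
    ("L3-site",        "L2-supervisory", "opcua"),
    ("L3.5-dmz",       "L3-site",        "https"),
    ("L4-enterprise",  "L3.5-dmz",       "https"),
}

# Constructed flows to evaluate: (initiator, responder, protocol)
FLOWS = [
    ("hmi-01",       "plc-line3",    "modbus"),  # normal polling
    ("historian-01", "hmi-01",       "opcua"),   # normal collection
    ("historian-01", "plc-line3",    "modbus"),  # the "just make it work" L3 -> L1 shortcut
    ("erp-app",      "historian-01", "https"),   # enterprise reaching past the DMZ
    ("hmi-01",       "sis-01",       "modbus"),  # anything touching the safety system
    ("10.1.2.77",    "hmi-01",       "modbus"),  # unregistered sensor nobody inventoried
    ("plc-line3",    "hmi-01",       "modbus"),  # wrong direction: L1 must not initiate
]


def evaluate(src, dst, proto):
    """Return ("allow" | "deny", reason) for one flow."""
    src_zone = ZONES.get(src)
    dst_zone = ZONES.get(dst)
    if src_zone is None or dst_zone is None:
        return "deny", f"unknown asset: {src if src_zone is None else dst}"
    # Safety is isolated outright, checked before the conduit table so a
    # mistakenly added conduit into it would still not be honoured.
    if "safety" in (src_zone, dst_zone):
        return "deny", "safety zone has no conduits"
    if (src_zone, dst_zone, proto) in CONDUITS:
        return "allow", f"conduit {src_zone}->{dst_zone}/{proto}"
    return "deny", f"no conduit {src_zone}->{dst_zone}/{proto}"


def audit(flows):
    """Evaluate a batch of (src, dst, proto) flows and return the denied ones."""
    denied = []
    for src, dst, proto in flows:
        verdict, reason = evaluate(src, dst, proto)
        if verdict == "deny":
            denied.append((src, dst, proto, reason))
    return denied


if __name__ == "__main__":
    for src, dst, proto, reason in audit(FLOWS):
        print(f"DENY {src} -> {dst} [{proto}]: {reason}")
```

The engineer who needs Level 1 data in the Level 3 historian gets it through the two listed conduits (HMI polls the PLC, historian collects from the HMI), not by adding a direct Level 3 to Level 1 rule. Running the same check against passive captures, rather than only at the gateway, is a cheap way to find the shortcuts that already exist.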
Training That Goes Beyond Phishing Simulations
Your operators need to understand why they shouldn't plug a USB drive from a vendor into an HMI. Your maintenance team needs to know what a suspicious remote access session looks like. Generic corporate security awareness training won't cut it. Make the training specific to the systems and scenarios your people actually encounter.
The biggest risk reduction I've seen in OT environments didn't come from buying new technology. It came from getting plant floor staff to actually report weird stuff instead of ignoring it because "the system always does that."