Blog
Apr 14, 2026
8 min read

Why the IT Security Toolkit Does Not Work for OT

IT security tools that ignore OT realities may appear effective on paper, but they regularly fail in live environments where uptime and safety are non-negotiable. Ultimately, effective OT security is less about adding more controls and more about applying the right controls in a way that does not disrupt operations.

Most IT security tools, including VPNs, firewalls, PAM solutions, and endpoint protection platforms, fail in operational technology (OT) environments for one simple reason: they are designed for systems that can tolerate disruption, frequent updates, and user variability.

OT systems do not have this tolerance. They prioritize uptime, stability, and safety and often run legacy infrastructure that cannot be patched, restarted, or modified without risk.

This fundamental mismatch is why applying IT security tools to OT environments frequently creates new risks instead of reducing them.

Key Takeaways

  • IT security tools are designed for flexible, update-friendly environments. OT systems are not.

  • VPNs provide access but lack control and visibility in OT environments.

  • Firewalls degrade over time and are difficult to maintain without downtime.

  • PAM solutions don’t fully address how users access OT systems.

  • Endpoint security often fails due to legacy systems and agent limitations.

  • OT environments require purpose-built, non-intrusive security solutions.

Why Common IT Security Tools Fail in OT

Security Tool        Works in IT for       Fails in OT because
VPN                  Remote access         Grants wide network-level access; no visibility or control after login
Firewalls            Traffic control       Require constant tuning, and updates need downtime
PAM                  Credential control    Doesn't verify access context or behavior; cloud-hosted versions require sharing secrets with the vendor
Endpoint Security    Device protection     Agents can't be installed on legacy/OT devices

VPNs: Security Through Privacy 

Virtual private networks (VPNs) were designed to extend a private network across an untrusted one, not to control what a connected user can do once inside. A VPN can be a reasonable choice for letting a handful of employees occasionally reach non-sensitive systems, but it is not the right tool for providing secure remote access to large numbers of users on a long-term or permanent basis, least of all when critical infrastructure and other OT systems are involved.

  • Stolen or phished credentials give an attacker the same connection a legitimate user would get. A VPN authenticates once, at connection time; after that it offers no controls to limit what the attacker can reach inside the network or to monitor what they do.

  • VPNs do not prevent malware on a user's device from spreading across the connected network, where it can reach workstations running the legacy, unpatched operating systems common in OT environments.

  • Contractors' own organizations rarely permit a customer's VPN client to be installed on their devices in the first place. VPNs therefore cannot solve the significant problem of securing access for the many third-party vendors and technicians contracted to perform specialized tasks for industrial organizations.

In the end, a VPN provides anything approaching secure access only as long as it is not compromised. Small businesses running only IT systems may still get away with a VPN as their primary remote access solution, but for organizations operating critical infrastructure and other industrial systems, VPNs are simply too risky.

Firewalls: Security Through Traffic-Monitoring 

Firewalls have long been a staple of IT security, and OT-specific firewalls have since emerged to monitor industrial traffic and enforce which communication is allowed within the OT network. These firewalls sit deeper in the network than a perimeter firewall, segmenting zones down to the programmable logic controller (PLC) level.

While they may be more effective than the firewalls created for IT environments, OT-specific firewalls are still complicated to implement and maintain. 

  • Many firewalls ship with default credentials and management interfaces enabled out of the box. If the organization fails to lock these interfaces down, an attacker on the network can guess the defaults or capture credentials sent over unencrypted management protocols and take control of the device.

  • Techniques such as address spoofing, port hopping, and hiding data inside allowed traffic can slip past rule-based filtering. IT firewalls that do not understand industrial protocols cannot tell which packet exchanges are legitimate in an OT setting, which gives an attacker cover to inject malicious commands or malware over a permitted connection.

  • Firewalls require substantial and ongoing maintenance. Overworked administrators often respond with overly permissive rules so that legitimate access (and productivity) is not hindered. In addition, firmware and rule updates frequently require a reboot or a maintenance window, which is rarely available in always-on OT settings.

Finally, and perhaps most problematically, firewalls deteriorate over time. Think of a firewall as a brick wall: every connection you allow takes a brick out of it. If temporary openings made for testing or repairs are not promptly closed, the wall quickly becomes porous. The same holds for openings made for vendors, which tend to outlive the engagements that justified them.
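One concrete way to catch the "missing bricks" described above is to audit the ruleset periodically for openings that were meant to be temporary, openings whose owner is no longer around, and openings that are broader than any single OT conversation needs. The script below is an added example and not part of the original post or any product; the rule format, the sample ruleset, the list of still-active owners, and the audit date are all constructed for the demo, and a real audit would export rules from the firewall's management API instead.

```python
"""Audit a firewall ruleset for openings that quietly became permanent or too broad.

Added example, not part of the original post. Rule format, sample rules,
active-owner list and audit date are constructed for this demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR, host, or "any"
    dst: str                 # CIDR, host, or "any"
    port: str                # port number, range, or "any"
    owner: str               # vendor, project or team that asked for the opening
    expires: Optional[date]  # None means the rule was meant to be permanent


def audit(rules: list[Rule], active_owners: set[str], today: date) -> list[dict]:
    """Return one finding per problem found in the ruleset.

    Kinds of finding:
      expired     - a temporary opening whose end date has passed
      orphaned    - owner is no longer an active vendor/team (vendor came and went)
      any-any     - permits every source to every destination
      any-source  - any host may reach a specific destination
      any-port    - all ports open between specific endpoints
    """
    findings: list[dict] = []
    for r in rules:
        if r.expires is not None and r.expires < today:
            findings.append({"rule": r.name, "kind": "expired",
                             "detail": f"temporary opening for {r.owner} expired {r.expires.isoformat()}"})
        if r.owner not in active_owners:
            findings.append({"rule": r.name, "kind": "orphaned",
                             "detail": f"owner {r.owner} is no longer an active vendor or team"})
        if r.src == ANY and r.dst == ANY:
            findings.append({"rule": r.name, "kind": "any-any",
                             "detail": "permits all sources to all destinations"})
        elif r.src == ANY:
            findings.append({"rule": r.name, "kind": "any-source",
                             "detail": f"any host may reach {r.dst} on port {r.port}"})
        if r.port == ANY and not (r.src == ANY and r.dst == ANY):
            findings.append({"rule": r.name, "kind": "any-port",
                             "detail": f"all ports open from {r.src} to {r.dst}"})
    return findings


# Constructed sample ruleset (hypothetical names and addresses).
SAMPLE_RULES = [
    Rule("hist-to-scada", "10.20.3.0/24", "10.20.2.10", "1433", "historian-team", None),
    # Integrator was given remote access to the PLC subnet "for the commissioning week".
    Rule("acme-remote-plc", ANY, "10.20.1.0/24", "502", "acme-integrators", date(2025, 11, 30)),
    # Opened during a troubleshooting session and never closed.
    Rule("troubleshoot-2024", ANY, ANY, ANY, "ops", None),
    # Vendor contract ended; the HMI RDP opening stayed.
    Rule("globex-hmi-rdp", "172.16.9.0/24", "10.20.2.20", "3389", "globex-automation", None),
]

# Constructed: who is still under contract or on staff today.
ACTIVE_OWNERS = {"historian-team", "acme-integrators", "ops"}


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, ACTIVE_OWNERS, date(2026, 4, 14)):
        print(f"{f['rule']:<20} {f['kind']:<11} {f['detail']}")
```

Run against the sample ruleset on the post's publication date, the audit flags the expired and any-source integrator rule, the any-any troubleshooting rule, and the orphaned vendor rule, while the scoped historian rule passes clean. The useful part is the two pieces of metadata most rulesets lack: an owner and an expiry date. Without them, the "temporary" in a temporary opening is unenforceable.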

PAM: Security Through Access Control 

Privileged Access Management (PAM) tools secure critical systems and information by implementing controls around what users can and cannot access. This helps enforce the principle of least privilege and also provides better visibility and logging capabilities.  

While PAM solutions take some important steps toward validating a user’s identity — a key part of ensuring secure access — they don’t go far enough. 

  • Most PAM deployments verify the user once, when credentials are checked out or a session is opened, and do not re-verify during the session. Bad user hygiene, such as weak passwords, and shadow IT systems that sit outside the PAM's scope undermine the benefits of the solution.

  • As their name suggests, PAM tools are designed to focus on privileged users, most commonly system administrators. However, high-level executives, human resources team members, and other user groups may also have access to sensitive assets. Even third-party contractors are often over-permissioned in order to get them working as quickly as possible. If PAM coverage is not extended to each of these groups, its effectiveness will be limited from the start.

  • Cloud-based PAM tools require secrets like credentials and tokens to be shared with the PAM vendor, immediately creating an opportunity for exposure. But on-premises PAM products have their own problems, such as the need for ongoing maintenance and expensive computing resources.

PAM solutions perform the key task of credentials management, but they do not account for how a user accessed an application in the first place. As long as a user can get to the application and present the privileged credentials, they will be granted access. Once again, in the context of critical infrastructure and industrial control systems, this leaves too wide a window for a bad actor to steal or otherwise obtain valid credentials and then wreak havoc directly via the PAM. 

Endpoint Security: Security Through Devices 

Endpoint security solutions like Endpoint Detection and Response (EDR) and anti-virus software seek to secure the network by preventing malware and other malicious payloads from infecting devices — therefore blocking malicious access to the network. But they too struggle to perform in an OT context. 

  • Endpoint solutions require an agent on each device, but most OT assets, such as PLCs, RTUs, and embedded HMIs, run real-time or proprietary operating systems with no agent support and lack the computing and storage resources to host one. Even where an agent could technically run, vendor support agreements often prohibit installing third-party software on control system components.

  • OT environments are often highly complex, and endpoint security solutions may struggle to adapt to their unique configurations and requirements. In addition, many endpoint security tools are incompatible with legacy OT systems and equipment.

  • The nature of industrial processes can generate unusual or unexpected behavior that traditional endpoint solutions might incorrectly flag as a security threat. At the same time, these solutions may fail to detect sophisticated attacks or threats specific to OT environments, leading to false negatives.

Ultimately, most endpoint security solutions designed for IT simply do not support the specialized protocols used by OT systems, cannot adapt to complex OT environments, and depend on processes (like real-time monitoring and behavioral analysis) that could disrupt operations. Moreover, the inability of endpoint solutions to easily integrate with OT-specific security controls, such as intrusion detection systems and specialized monitoring tools, can lead to wide gaps in security coverage.

What This Means for OT Security Teams

For industrial organizations, the takeaway is not just that IT tools fall short but that applying them without adaptation can introduce real operational risk.

As we've seen, security decisions in OT environments are impacted by factors that don’t exist in IT. Systems often cannot be restarted, patched, or taken offline without impacting production or safety. Many assets are decades old, vendor-managed, or running proprietary software that cannot support frequent updates or modern security agents.

To achieve success, OT security strategies must work within these constraints and not against them.

In practice, this means:

  • No reliance on downtime for deployment or maintenance: If a tool requires scheduled outages, frequent patching windows, or system restarts, it will either be delayed indefinitely or bypassed entirely by operations teams.

  • No dependency on agents or endpoint modifications: Many OT systems simply cannot support agents. Security controls need to function fully without touching the underlying systems.

  • Strict control over remote and third-party access: Vendors and contractors regularly require immediate access to troubleshoot issues. That access must be tightly scoped, time-bound, and closely monitored — without slowing down response times.

  • Continuous verification, not just login-based trust: Granting access based on identity is an important first step but is not sufficient on its own. Security controls should validate user behavior and session activity throughout the connection.

  • Minimal impact on network performance and latency: Inspection, routing, or monitoring tools must not interfere with real-time industrial processes or introduce instability into control systems.

  • Alignment with how operations teams actually work: If a security tool adds friction, delays troubleshooting, or complicates workflows, it will be bypassed. This happens not because workers are careless but rather because they want to get their tasks done.
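The PAM section above argues that presenting valid privileged credentials should not be the whole story, and the list above spells out what the alternative looks like: access scoped to one asset and one set of operations, bounded by a time window, tied to the connection it was approved for, and re-checked on every action rather than only at login. The code below is an added example of such a policy check, not part of the original post and not any product's implementation; the grant fields, asset names, addresses, and the vendor-session timeline are all constructed for the demo.

```python
"""Scoped, time-bound, continuously verified vendor session.

Added example, not part of the original post and not any product's code.
Grant fields, asset names, addresses and the timeline are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Grant:
    user: str
    asset: str                  # one named asset, never a subnet
    operations: frozenset[str]  # only what the work order asked for
    start: datetime
    end: datetime
    source_ip: str              # the connection the grant was approved for


@dataclass
class Session:
    grant: Grant
    active: bool = True
    log: list[dict] = field(default_factory=list)


def authorize(session: Session, user: str, asset: str, operation: str,
              source_ip: str, now: datetime) -> tuple[bool, list[str]]:
    """Re-evaluate every request against the grant, not just the first one.

    Every decision is logged. Any violation ends the session, so an attacker
    who hijacks a live session (or a vendor drifting out of scope) gets one
    denied action and then has to re-request access through the approval path.
    """
    g = session.grant
    reasons: list[str] = []
    if not session.active:
        reasons.append("session already terminated")
    if not g.start <= now <= g.end:
        reasons.append("outside approved window")
    if user != g.user:
        reasons.append("user does not match grant")
    if asset != g.asset:
        reasons.append(f"asset {asset} not in scope (grant covers {g.asset})")
    if operation not in g.operations:
        reasons.append(f"operation {operation} not approved")
    if source_ip != g.source_ip:
        reasons.append("source address changed mid-session")
    allowed = not reasons
    session.log.append({"at": now.isoformat(), "user": user, "asset": asset,
                        "op": operation, "src": source_ip,
                        "decision": "allow" if allowed else "deny",
                        "reasons": list(reasons)})
    if not allowed:
        session.active = False
    return allowed, reasons


def demo() -> list[str]:
    """Constructed timeline: a technician with a two-hour grant on PLC-07
    reads, adjusts a setpoint, then touches PLC-08, which is out of scope."""
    grant = Grant(user="acme-tech", asset="PLC-07",
                  operations=frozenset({"read", "write_setpoint"}),
                  start=datetime(2026, 4, 14, 9, 0), end=datetime(2026, 4, 14, 11, 0),
                  source_ip="203.0.113.5")
    session = Session(grant)
    steps = [
        (datetime(2026, 4, 14, 9, 5), "acme-tech", "PLC-07", "read", "203.0.113.5"),
        (datetime(2026, 4, 14, 9, 30), "acme-tech", "PLC-07", "write_setpoint", "203.0.113.5"),
        (datetime(2026, 4, 14, 9, 45), "acme-tech", "PLC-08", "read", "203.0.113.5"),  # scope creep
        (datetime(2026, 4, 14, 9, 50), "acme-tech", "PLC-07", "read", "203.0.113.5"),  # session already ended
    ]
    decisions = []
    for now, user, asset, op, src in steps:
        allowed, _ = authorize(session, user, asset, op, src, now)
        decisions.append("allow" if allowed else "deny")
    return decisions


if __name__ == "__main__":
    print(demo())  # ['allow', 'allow', 'deny', 'deny']
```

The design choice worth noting is that a denial terminates the session rather than just returning an error: the request that strays outside the grant is the signal, and continuing to serve the same session after it would reintroduce the login-based trust the list above warns against. The audit log the function keeps per decision is what gives the operations team the "closely monitored" part without installing anything on the asset itself.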

OT Environments Deserve OT-Specific Solutions 

IT security tools were introduced into OT environments out of necessity — not because they were a natural fit but because no purpose-built alternatives existed. Fortunately, this is no longer the case.

As threats to industrial systems and critical infrastructure continue to grow, the gap between what IT tools provide and what OT environments require has become impossible to ignore. What once passed as “good enough” now introduces measurable risk.

Advances made in privileged access management, endpoint security, and other areas of IT security are to be lauded, but the fact remains that these solutions simply cannot satisfy the security needs and priorities of OT environments. Instead of forcing IT tools to fit OT constraints, industrial organizations must adopt security approaches built specifically for OT and able to protect legacy systems without downtime or disruption.


Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. She joined Cyolo in 2021 and currently serves as director of content marketing.
