
The Lie We’ve Been Sold About OT—and Why It’s Time to Rewrite the Definition - Industrial Cyber
 Apr 04, 2025
Last week’s article explored the limitations of the traditional CIA triad and made the case for adopting a process-centric perspective on OT security—one that replaces the CIA focus with a COO triad rooted in Controllability, Observability, and Operability. In this article, I’m going to challenge another entrenched belief: the very definition of OT—Operational Technology.
Let’s start with defining IT, Information Technology.
Definition of Information Technology (IT)
Information Technology (IT) encompasses the use of computers, networks, storage, and other digital infrastructure to process, manage, and communicate information. It supports business operations through applications, data management, cybersecurity, and information systems, enabling organizations to operate efficiently, make informed decisions, and deliver digital services.
IT view on data: In IT, data is symbolic and informational—it represents business records, identities, transactions, documents, and communications. Its value lies in what it means, not what it physically does. Data is managed throughout its lifecycle and protected primarily through the lens of the CIA triad:
In a May 2006 research paper Gartner introduced the term Operational Technology (OT). The term was publicly presented in September 2006 at the Gartner Energy and Utilities IT Summit.
The term “OT” was initially applied to control systems in the power utility sector and later adopted across other industrial domains. Gartner introduced the term to help an IT-focused audience understand the nature and role of control system technology—systems that were largely unfamiliar in traditional IT circles. Its primary purpose was to highlight the technological and functional distinctions between Information Technology (IT) and industrial control systems.
This differentiation became increasingly relevant as industrial platforms evolved from bespoke, proprietary solutions to architectures that began relying on the same types of servers, desktops, and network infrastructure long used in IT.
System-Centric Definition of OT (Gartner view)
Operational Technology (OT) refers to the set of digital systems—such as PLCs, DCSs, SCADA, SIS, and HMIs—that automate, monitor, and control physical processes. This view (commonly associated with Gartner and similar IT-centric frameworks) focuses on the architecture and components that distinguish OT from IT.
System Centric OT view on data: In the Gartner (system-centric) definition of OT, the focus was on identifying OT as a distinct set of systems—not redefining the nature of data itself. As a result, the treatment of data largely remained aligned with IT thinking. This approach did not fully account for the fact that in OT, data is not merely informational—it is operational, with direct influence on physical processes. That gap becomes critical in cyber-physical risk analysis, where the consequence of data compromise is not data loss, but process deviation or hazard activation.
With all my years of experience in the process industry, I was never waiting for a definition of OT. I spent my entire career working in what we used to call the Process Automation System (PAS) or Process Control System (PCS). But as the term “OT” gained traction, I gradually adapted to the language used around me and began using it as well. Still, many years later—when I became involved in cyber-physical risk assessments, around 12 years ago—I began to feel that the term OT didn’t fully capture what mattered most to me. It lacked something essential: the process.
So, I started thinking about what was missing and concluded about 4–5 years ago that I needed a process-centric definition of OT. The result was:
Process-Centric Definition of OT
Operational Technology (OT) is the digital embodiment of industrial process execution, where data does not merely flow through systems but actively mirrors and governs physical states. OT is defined by its role in maintaining operational integrity—the ability of a system to perform its intended physical function safely, reliably, and within defined process limits.
Process-Centric OT View on data:
In a process-centric definition of OT, the view on data significantly changes. In this context data becomes a real-time mirror of the physical installation—reflecting process behavior, control actions, and system responses. It is interpreted functionally, and deviations from expected values signal operational risk. Data is a live representation of physical reality. It is multi-dimensional—time-bound, context-sensitive, and functionally loaded. Any compromise to this data (integrity, availability, timing) can directly impact physical process safety and stability.
The process-centric view of OT makes it clear that cyber risk is not about system boundaries but about whether a process can be safely operated. The COO triad—Controllability, Observability, and Operability—captures the core functional conditions that define whether an industrial system can remain within its design limits.
These three elements are not abstract—they are measurable conditions of safety and stability. Cybersecurity that does not account for COO misses the essence of process-integrated risk.
Perhaps I’ve already lost some readers by diving into what may seem like theoretical hair-splitting. Does it really matter how we define OT? Actually—it does.
The shift from a system-centric to a process-centric definition of OT has real and far-reaching implications for how we understand and manage cyber-physical risk. It reshapes both the strategic focus and the operational priorities of OT security, and it reorients security from protecting infrastructure to preserving operational intent and process safety. This transformation has five key dimensions:
1. Security Becomes Consequence-Driven, Not Asset-Driven
Each path consists of specific assets—controllers, engineering stations, field devices—characterized by their inherent properties, such as communication channels, network location, exposed services, or configuration states. These define the asset’s cyber exposure and are critical for understanding how it may be exploited in a process-relevant context.
Risk is assessed by threat modeling the asset and its inherent properties, resulting in a Probability of Failure if Attacked (PFA) vector. This vector expresses, for each relevant threat actor category (which defines a difference in motivation, skills, and opportunity), the conditional probability that the asset will fail to perform its intended function if a specific threat action is executed, exploiting a given vulnerability category, and taking into account the presence and effectiveness of implemented security countermeasures.
These PFAs are then aggregated along the attack path, allowing for scenario-based risk estimation grounded in structural system exposure, attacker capability, and existing protections. This approach supports credible cyber-physical risk analysis even in the absence of historical incident frequency data—by focusing on what must not go wrong, and how a cyber threat could realistically cause it, given the system’s current state of defense.
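The aggregation described above can be worked through on a small model. This is an added example, not the author's method: the article does not give an aggregation formula, so the block assumes that asset failures are independent, that a path succeeds only if every asset on it fails, and that a countermeasure scales an asset's PFA by (1 - effectiveness). All asset names, actor categories and numbers are constructed.

```python
from itertools import product
from math import prod

# Constructed PFA vectors: asset -> {threat actor category: P(asset fails | attacked)}.
# Residual values, i.e. already reflecting existing countermeasures (assumption).
PFA = {
    "remote_gateway": {"criminal": 0.5, "state": 0.8},
    "eng_station":    {"criminal": 0.4, "state": 0.5},
    "historian":      {"criminal": 0.2, "state": 0.5},
    "controller":     {"criminal": 0.5, "state": 0.5},
}

# Constructed attack paths that end in the same hazard (e.g. overpressure).
PATHS = {
    "remote_access": ["remote_gateway", "eng_station", "controller"],
    "historian_pivot": ["historian", "controller"],
}


def path_probability(pfa, path, actor):
    """A path succeeds only if every asset on it fails (serial aggregation)."""
    return prod(pfa[asset][actor] for asset in path)


def hazard_probability(pfa, paths, actor):
    """P(at least one path succeeds), exact even when paths share assets.

    Enumerates every failed/not-failed combination of the assets involved.
    """
    assets = sorted({a for path in paths.values() for a in path})
    total = 0.0
    for combo in product((True, False), repeat=len(assets)):
        failed = dict(zip(assets, combo))
        if any(all(failed[a] for a in path) for path in paths.values()):
            total += prod(pfa[a][actor] if f else 1 - pfa[a][actor]
                          for a, f in failed.items())
    return total


def with_control(pfa, asset, effectiveness):
    """Copy of pfa where a countermeasure scales one asset's PFA by (1 - effectiveness)."""
    scaled = {k: v * (1 - effectiveness) for k, v in pfa[asset].items()}
    return {**pfa, asset: scaled}


def rank_controls(pfa, paths, actor, candidates):
    """Order candidate (asset, effectiveness) controls by resulting hazard probability."""
    scored = [(asset, hazard_probability(with_control(pfa, asset, eff), paths, actor))
              for asset, eff in candidates]
    return sorted(scored, key=lambda item: item[1])
```

With these constructed numbers, a 50% effective control on the controller, which sits on both paths, lowers the hazard probability more than a 90% effective control on the remote gateway.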
2. Threat Modeling Becomes Hazard-Informed
Old view:
Threat modeling relies on abstract attack frameworks (e.g. MITRE ATT&CK), starting from known adversary tactics and techniques, and mapping them onto general asset exposure—often without clear linkage to physical consequences.
New view:
Threat modeling begins with known process hazards (e.g. overpressure, manifold manipulation, failure to shut down) and traces backward along the attack paths that could realistically cause them.
This includes:
Impact:
Threat modeling becomes grounded in engineering logic and process consequence. Security controls are no longer prioritized based on general exposure or hygiene but based on their ability to reduce the likelihood that credible threat actors can exploit vulnerabilities along process-critical attack paths. This results in consequence-relevant protection, aligned with operational priorities.
3. Detection Is Rooted in Deviation from Functional Intent
This shift is critical for enabling Defend Forward in OT environments. Under the logic of cyber persistence, the adversary does not always act immediately—they often establish a silent, long-term foothold in the digital infrastructure, waiting for an opportune moment to manipulate the process in a way that appears legitimate but undermines operational integrity.
By focusing on functional deviations in the physical domain—rather than just digital signatures or system anomalies—defenders gain a window into the attacker’s presence before activation. This allows them to act proactively: detecting and disrupting latent manipulations, denying the adversary freedom of movement, and shaping their behavior within the contested space of industrial systems. In this way, functional detection becomes a foundational enabler of Defend Forward in OT.
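One way to make a functional-deviation check concrete, as an added example that is not from the article: a tank whose reported level must agree with the mass balance of its measured flows. The tank geometry, sample interval, tolerances and sample data are all constructed; the reported level is frozen at a normal-looking value from index 4 on, so a conventional limit check stays silent while the balance check flags the mismatch.

```python
AREA_M2 = 2.0   # tank cross-section (constructed)
DT_S = 10.0     # sample interval in seconds (constructed)

# Constructed samples: (inflow m3/s, outflow m3/s, reported level m).
# From index 4 on, the reported level is frozen while the flows still show filling.
SAMPLES = [
    (0.02, 0.01, 1.00),
    (0.02, 0.01, 1.05),
    (0.02, 0.01, 1.10),
    (0.02, 0.01, 1.15),
    (0.02, 0.01, 1.15),
    (0.02, 0.01, 1.15),
    (0.02, 0.01, 1.15),
]


def range_alarm(samples, low, high):
    """Conventional limit check: index of first level outside [low, high], else None."""
    for i, (_, _, level) in enumerate(samples):
        if not low <= level <= high:
            return i
    return None


def balance_deviation(samples, tol, consecutive):
    """Index where the reported level change first disagrees with the mass
    balance for `consecutive` samples in a row, else None."""
    run = 0
    for i in range(1, len(samples)):
        inflow, outflow, level = samples[i]
        expected = (inflow - outflow) * DT_S / AREA_M2   # metres per step
        residual = (level - samples[i - 1][2]) - expected
        run = run + 1 if abs(residual) > tol else 0
        if run >= consecutive:
            return i - consecutive + 1
    return None
```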
4. Response Planning Integrates Process Safety and Control Layers
5. Prioritization Shifts from Perimeter Protection to Functional Protection
Security focused on keeping adversaries out—using perimeter controls like firewalls, segmentation, and access restrictions, primarily organized around network zones or vendor-defined system boundaries.
The priority shifts to ensuring that process-critical functions remain correct, observable, and controllable, even in contested environments. Focus areas include:
Segmentation, access control, and monitoring are now designed around functional risk, not just architectural boundaries.
Protection strategies are informed by the role a function plays in process safety and stability, enabling defenders to preserve core process capabilities even if adversaries establish digital footholds.
This supports both resilience and Defend Forward, as the focus moves from blocking intrusions to sustaining trustworthy operation under threat.
Conclusion
This shift—from a system-centric to a process-centric definition of OT—reframes the entire security model. It turns OT security into a function of process consequence management, where protection, detection, and response are aligned with physical outcomes, not just digital exposure.
Only through this lens can we address the true nature of cyber-physical risk—where attacks do not merely compromise data, but threaten the safety, stability, and integrity of industrial operations.