In the past, Operational Technology (OT) systems ran in isolated, air-gapped environments. But times have changed.
Modern industrial systems are increasingly integrated with IT networks, exposed to external vendors, cloud platforms, and remote access. This convergence brings tremendous efficiency gains — but also new cybersecurity risks.
Recent campaigns by threat actors such as UNC3886 have shown how OT systems can be targeted for disruption, sabotage, or even nation-state espionage. Protecting these environments requires a shift from traditional perimeter-based thinking to a layered, risk-based approach.
Here are 10 best practices to strengthen your OT cybersecurity posture:
1. Segment IT and OT Networks
Avoid a flat network where an attacker can pivot from IT into OT. Use firewalls and DMZs to tightly control traffic between segments. Protocol-aware firewalls that can parse OT-specific protocols like Modbus, BACnet, and DNP3 are critical.
2. Asset Inventory Is Non-Negotiable
You can’t protect what you don’t know. Build and maintain a real-time inventory of all connected OT devices — including make, model, firmware version, and communication paths.
Tools: Use passive asset discovery tools to minimize interference with sensitive equipment.
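As an added example of the passive approach (not code from the original post), the script below builds an inventory purely from observed flow records, as a SPAN/TAP collector would hand them over, so no packet is ever sent to a sensitive device. It infers each host's role from the OT service port it serves or consumes, records its communication paths, and flags any host that is not in a previously approved baseline. The IP addresses, the baseline and the port table are assumptions constructed for the example.

```python
"""Passive OT asset inventory built from observed network flows.

Added example, not from the original post. It assumes a passive collector
(e.g. a SPAN/TAP port feed) has already produced
(timestamp, src_ip, dst_ip, dst_port, proto) records; the flows and the
baseline below are constructed sample data, and the port table is a small
illustrative subset.
"""
from dataclasses import dataclass, field

# Assumed mapping of well-known OT service ports to protocol names.
OT_PORTS = {502: "modbus-tcp", 20000: "dnp3", 47808: "bacnet", 44818: "ethernet-ip"}


@dataclass
class Asset:
    ip: str
    first_seen: float
    last_seen: float
    roles: set = field(default_factory=set)        # e.g. {"modbus-tcp-server"}
    talks_to: set = field(default_factory=set)     # (dst_ip, dst_port, proto) triples


def build_inventory(flows, baseline=None):
    """Derive assets, their roles and communication paths from flow records.

    Returns (assets_by_ip, unknown_ips). unknown_ips lists hosts absent from
    the optional baseline set, i.e. devices that showed up on the wire
    without being inventoried first.
    """
    assets = {}
    for ts, src, dst, dport, proto in flows:
        for ip in (src, dst):
            a = assets.setdefault(ip, Asset(ip=ip, first_seen=ts, last_seen=ts))
            a.last_seen = max(a.last_seen, ts)
        service = OT_PORTS.get(dport)
        if service:
            assets[dst].roles.add(f"{service}-server")
            assets[src].roles.add(f"{service}-client")
        assets[src].talks_to.add((dst, dport, proto))
    unknown = []
    if baseline is not None:
        unknown = sorted(ip for ip in assets if ip not in baseline)
    return assets, unknown


def communication_paths(assets):
    """Flatten the inventory into (src, dst, port, proto) edges, the raw material for firewall rules."""
    return sorted((a.ip, dst, port, proto)
                  for a in assets.values() for dst, port, proto in a.talks_to)


# Constructed sample flows (timestamp, src, dst, dst_port, proto).
SAMPLE_FLOWS = [
    (1000.0, "10.20.1.10", "10.20.2.50", 502, "tcp"),    # HMI polls PLC on line 1
    (1001.0, "10.20.1.10", "10.20.2.51", 502, "tcp"),    # HMI polls PLC on line 2
    (1002.0, "10.20.1.20", "10.20.2.50", 502, "tcp"),    # engineering workstation
    (1003.0, "10.20.1.10", "10.20.2.60", 47808, "udp"),  # BACnet controller
    (1004.0, "10.20.9.99", "10.20.2.50", 502, "tcp"),    # host never inventoried
]
# Constructed baseline of previously inventoried devices.
BASELINE = {"10.20.1.10", "10.20.1.20", "10.20.2.50", "10.20.2.51", "10.20.2.60"}

if __name__ == "__main__":
    inventory, new_hosts = build_inventory(SAMPLE_FLOWS, BASELINE)
    for a in inventory.values():
        print(f"{a.ip:12} roles={sorted(a.roles)} paths={len(a.talks_to)}")
    print("not in baseline:", new_hosts)
```

Run as-is it prints each host's inferred roles and reports `10.20.9.99` as a device that is talking Modbus to a PLC without ever having been inventoried. Make, model and firmware version cannot be learned from flow metadata alone; those fields come from protocol-level fingerprinting or vendor documentation and would be merged into the same record.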
3. Implement Strong Access Controls
Use least privilege and role-based access controls (RBAC) for both human and machine accounts. Avoid shared admin passwords. For vendor or remote access, implement MFA and time-bound access.
Pro tip: Consider Jump Servers or Privileged Access Management (PAM) solutions to manage sensitive OT access.
4. Harden Devices and Disable Unused Services
Most PLCs and HMI devices come with default credentials and services you don’t need. Disable unused ports and protocols. Change default passwords — and yes, do it even if the system is “behind a firewall.”
5. Patch Strategically, Not Blindly
Patching in OT is tricky — updates can cause downtime or even brick devices. But that doesn’t mean ignoring it.
- Prioritize based on risk, exploitability and exposure
- Test patches in staging before production
6. Continuous Monitoring and Anomaly Detection
Use an OT-aware monitoring solution that can detect protocol anomalies, configuration changes and suspicious behavior. OT threats often blend in — you need visibility beyond “up/down” status.
Look for: abnormal Modbus commands, timing irregularities, unusual connection patterns or lateral movement attempts.
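The following added example (not from the original post) shows what both the protocol-aware filtering from practice 1 and the anomaly checks above look like in code. It parses Modbus/TCP frames, applies a per-source allowlist of function codes (the HMI may only read, the engineering workstation may also write, anyone else is unknown), and flags a polling host whose inter-poll gap drifts from its expected interval. The host addresses, the policy table, the expected poll interval and the frames themselves are assumptions constructed for the example.

```python
"""Modbus/TCP frame parser with a per-source function-code allowlist and a
poll-timing check, run over constructed sample traffic.

Added example, not from the original post. It assumes a monitoring tap that
yields (timestamp, src_ip, dst_ip, raw_bytes) for each request; the host
addresses, the policy table and the expected poll interval are assumptions
made for the example, and the frames are constructed.
"""
import struct

READ_FCS = {1, 2, 3, 4}       # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}    # write single/multiple coils and registers
RISKY_FCS = {8, 43}           # diagnostics sub-functions and device identification


def parse_modbus_tcp(raw):
    """Parse the 7-byte MBAP header plus the PDU; raise ValueError if malformed."""
    if len(raw) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(raw) - 6:             # length counts unit id + PDU
        raise ValueError(f"length field {length} != {len(raw) - 6}")
    fc = raw[7]
    frame = {"tid": tid, "unit": unit, "fc": fc, "exception": fc >= 0x80}
    if len(raw) >= 12 and fc in (1, 2, 3, 4, 15, 16):
        frame["addr"], frame["count"] = struct.unpack(">HH", raw[8:12])
    elif len(raw) >= 12 and fc in (5, 6):
        frame["addr"], frame["value"] = struct.unpack(">HH", raw[8:12])
    return frame


# Assumed policy: which function codes each source host may issue.
POLICY = {
    "10.20.1.10": READ_FCS,               # HMI: polling only
    "10.20.1.20": READ_FCS | WRITE_FCS,   # engineering workstation
}
EXPECTED_POLL_S = {"10.20.1.10": 1.0}     # the HMI polls every second


def check_frames(events, policy=POLICY, expected=EXPECTED_POLL_S, tolerance=0.5):
    """Return alert strings for malformed frames, policy violations and timing drift."""
    alerts, last_seen = [], {}
    for ts, src, dst, raw in events:
        try:
            f = parse_modbus_tcp(raw)
        except ValueError as err:
            alerts.append(f"{ts:.1f} {src}->{dst} malformed: {err}")
            continue
        allowed = policy.get(src)
        if allowed is None:
            alerts.append(f"{ts:.1f} {src}->{dst} unknown source sent fc={f['fc']}")
        elif f["fc"] not in allowed:
            kind = "risky" if f["fc"] in RISKY_FCS else "disallowed"
            alerts.append(f"{ts:.1f} {src}->{dst} {kind} fc={f['fc']} unit={f['unit']}")
        # Timing: a polling host that suddenly speeds up or stalls is worth a look.
        key = (src, dst)
        if src in expected and key in last_seen:
            gap, want = ts - last_seen[key], expected[src]
            if abs(gap - want) > tolerance * want:
                alerts.append(f"{ts:.1f} {src}->{dst} timing: {gap:.2f}s between polls, expected {want}s")
        last_seen[key] = ts
    return alerts


def mbap(tid, unit, pdu):
    """Build a Modbus/TCP frame around a PDU (used only to construct samples)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (timestamp, src, dst, frame).
SAMPLE_EVENTS = [
    (100.0, "10.20.1.10", "10.20.2.50", mbap(1, 1, struct.pack(">BHH", 3, 0, 10))),   # normal poll
    (101.0, "10.20.1.10", "10.20.2.50", mbap(2, 1, struct.pack(">BHH", 3, 0, 10))),   # normal poll
    (101.2, "10.20.1.10", "10.20.2.50", mbap(3, 1, struct.pack(">BHH", 6, 40, 1))),   # HMI writes, and early
    (102.0, "10.20.1.20", "10.20.2.50", mbap(4, 1, struct.pack(">BHH", 16, 40, 2) + b"\x04\x00\x01\x00\x02")),
    (103.0, "10.20.9.99", "10.20.2.50", mbap(5, 1, struct.pack(">BHH", 8, 4, 0))),    # unknown host, diagnostics
    (104.0, "10.20.1.10", "10.20.2.50", b"\x00\x06\x00\x01\x00\x02\x01\x03"),          # protocol id != 0
]

if __name__ == "__main__":
    for line in check_frames(SAMPLE_EVENTS):
        print(line)
```

Running it yields four alerts: the HMI issuing a write it has no business sending (and doing so 0.2 s after its last poll instead of 1 s), an uninventoried host sending a diagnostics request, and a frame with a non-zero protocol identifier. The same parse-then-allowlist structure is what a protocol-aware firewall applies inline; in a monitoring deployment it simply raises alerts instead of dropping the frame.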
7. Secure Remote Access (No More Flat VPNs)
Remote access is a necessary evil — but it must be done right.
- Use MFA
- Limit access to specific devices or ports, e.g. via a jump host
- Monitor and log all sessions
- Disable access when not needed (time-based access)
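As an added example (not code from the original post), the policy check below ties together practices 3 and 7: a remote session is allowed only if a grant for that identity is active at the time of the request, names the exact target device and port the jump host may forward to, and MFA was satisfied; every decision, allowed or denied, is written to an audit log. The grant and request shapes, the vendor and host names, and the reason codes are assumptions constructed for the example.

```python
"""Decision logic for vendor/remote access into OT: least privilege, MFA,
time-bound grants, scoped targets, and an audit record for every decision.

Added example, not from the original post. The grant and request shapes,
the account and host names, and the reason codes are assumptions; the
data at the bottom is constructed for illustration.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    subject: str            # vendor or engineer identity
    targets: frozenset      # allowed (host, port) pairs reachable via the jump host
    starts: datetime
    ends: datetime          # access disappears automatically after this
    require_mfa: bool = True


@dataclass(frozen=True)
class Request:
    subject: str
    host: str
    port: int
    at: datetime
    mfa_passed: bool


def evaluate(request, grants, audit_log):
    """Return "allow" or "deny:<reason>" and append a structured audit record.

    A request is allowed only if some grant for the same subject is active at
    request.at, names the exact (host, port), and MFA was satisfied where the
    grant demands it. The first failing reason is kept for the denial message.
    """
    decision, reason = None, None
    for g in grants:
        if g.subject != request.subject:
            continue
        if not (g.starts <= request.at < g.ends):
            reason = reason or "outside_window"
            continue
        if (request.host, request.port) not in g.targets:
            reason = reason or "target_not_in_scope"
            continue
        if g.require_mfa and not request.mfa_passed:
            reason = reason or "mfa_required"
            continue
        decision = "allow"
        break
    if decision is None:
        decision = f"deny:{reason or 'no_grant'}"
    audit_log.append({**asdict(request), "decision": decision})
    return decision


def active_grants(grants, at):
    """Grants still valid at `at`; anything else should already be torn down."""
    return [g for g in grants if g.starts <= at < g.ends]


UTC = timezone.utc
NOW = datetime(2025, 3, 4, 10, 0, tzinfo=UTC)
# Constructed grant: a vendor may reach one PLC's Modbus port for a 3-hour window.
GRANTS = [
    Grant("vendor-acme", frozenset({("plc-line1", 502)}),
          NOW - timedelta(hours=1), NOW + timedelta(hours=2)),
]

if __name__ == "__main__":
    log = []
    print(evaluate(Request("vendor-acme", "plc-line1", 502, NOW, True), GRANTS, log))
    print(evaluate(Request("vendor-acme", "plc-line1", 502, NOW, False), GRANTS, log))
    print(evaluate(Request("vendor-acme", "plc-line2", 502, NOW, True), GRANTS, log))
    print(evaluate(Request("vendor-acme", "plc-line1", 502, NOW + timedelta(hours=3), True), GRANTS, log))
    for rec in log:
        print(rec)
```

The default is deny: with no matching grant the answer is `deny:no_grant`, and once the window closes `active_grants` returns nothing, which is the hook a jump host or PAM integration would use to tear down standing connections rather than relying on someone remembering to revoke access.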
8. Secure Engineering Workstations
Engineering workstations are high-value targets and must be locked down:
- Disable removable media like USB thumb drives to prevent malware introduction
- Only install essential applications required for operational tasks
- Stop or disable unused services to reduce attack surface
- Apply application whitelisting or endpoint protection with offline policies
This limits lateral movement and device compromise from targeted or insider threats.
9. Have an Incident Response Plan
The plan outlines preparation, identification, containment, eradication, recovery and lessons learned for managing security incidents. It defines roles, communication protocols and tools to minimize damage and restore operations. Regular reviews and updates keep the plan effective.
10. Build a Security Culture Through Staff Training
Cybersecurity isn’t just an IT issue. Your control engineers, technicians and plant managers need to understand the basics — not just what to do, but why it matters.
- Conduct regular cybersecurity awareness training, especially around phishing, social engineering and removable media hygiene
- Encourage reporting of unusual activity or suspicious behavior
Final Thoughts
Securing OT environments is no longer optional — it’s a business imperative. The challenge is complex: legacy systems, proprietary protocols and strict uptime requirements make it unlike any IT environment.
But with a risk-informed, layered approach — including hardened workstations, staff awareness and secure architecture — you can build a resilient OT cybersecurity posture that protects both uptime and safety.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Need help with OT security testing or compliance? Talk to our experts on OT risk assessments, network design and compliance support tailored to Singapore’s government requirements.