For most of their history, industrial control systems lived in an isolated world. Programmable logic controllers, SCADA systems, and distributed control systems operated on proprietary protocols over dedicated networks that had no connection to the internet and minimal interaction with corporate IT infrastructure. Physical isolation — commonly called the air gap — was both an operational characteristic and a security posture. If attackers could not reach your industrial systems over a network, they could not compromise them remotely.
That isolation is gone. The convergence of operational technology (OT) with IP-based corporate networks, driven by legitimate operational needs — remote monitoring, predictive maintenance, supply chain integration, cloud-based analytics — has connected industrial systems to the same networks and internet-facing infrastructure that attackers routinely compromise. The results have been significant and, in some cases, catastrophic. This article examines the OT security challenge in detail, explains why standard IT security practices are insufficient in OT environments, surveys the threat landscape including attacks that have directly affected Norwegian industry, and describes the defensive architecture that critical infrastructure operators need to build.
The OT/IT Convergence Problem
The business case for OT/IT convergence is real. Remote monitoring of industrial equipment enables predictive maintenance that reduces downtime and extends asset life. Integration of OT data with enterprise systems enables more accurate production planning and supply chain optimisation. Cloud connectivity enables analytics capabilities that would be impossible with isolated on-premises infrastructure. These benefits have driven a sustained trend toward connecting OT systems to corporate networks and, through those networks, to the internet.
The attack surface implications of this convergence have not always received commensurate attention. Every connection between an OT network and a corporate IT network creates a potential lateral movement path for an attacker who compromises an IT system. Every internet-facing component that touches OT infrastructure — remote access solutions, historian servers, engineering workstations — is a potential initial access vector. Every third-party vendor with remote access to OT systems for maintenance or support is a supply chain risk.
The vulnerability exposure is compounded by the age of much OT infrastructure. Industrial control systems are designed for operational lifespans measured in decades, not the three-to-five year refresh cycles typical in corporate IT. Equipment running Windows XP Embedded or Windows 7 — operating systems for which Microsoft no longer provides security patches — is commonplace in OT environments. Controllers running firmware that has never been updated since installation are standard. The attack surface of a connected OT environment frequently includes dozens or hundreds of systems that would be considered dangerously outdated in any IT context.
OT vs. IT Security Fundamentals
Understanding why standard IT security practices cannot simply be transplanted into OT environments requires understanding the fundamental differences between the two domains.
The Availability Imperative
Information security practice is usually described through the CIA triad of Confidentiality, Integrity and Availability, and in most IT environments confidentiality and integrity carry the most weight in practice. In OT environments the order is effectively reversed: availability comes first, and above it sits the safety of the physical process. For an oil refinery, a water treatment plant or a power grid, a cybersecurity control that risks unplanned downtime or an unsafe process state may be rejected even if it would substantially improve security posture. This difference shapes every OT security decision.
The practical implications are significant. Vulnerability patching — the foundation of IT security hygiene — is deeply problematic in OT environments. Applying a patch to a controller may require taking a production process offline for maintenance, which in turn may require scheduling a planned shutdown, coordinating with upstream and downstream operations, and accepting significant financial cost. Patch cycles that would be measured in days or weeks in IT environments may be measured in months or years in OT — if patching occurs at all.
Legacy Systems and Protocol Diversity
OT environments run a diverse ecosystem of industrial protocols (Modbus, DNP3, EtherNet/IP, PROFINET, BACnet and many others) designed for reliability and deterministic timing rather than security. Most of these are open standards rather than proprietary, but that does not help: in the forms actually deployed they typically have no authentication, no encryption and no mechanism to verify the integrity or origin of a command. Secured variants exist (DNP3 Secure Authentication, Modbus/TCP Security, OPC UA with signing and encryption), but they require device support and configuration that installed equipment frequently lacks. A controller that receives a well-formed Modbus write will execute it regardless of whether the command came from an authorised engineering workstation or from malware on a compromised host on the same network.
Many security controls that are routine in IT cannot be applied in OT without disrupting operations. Encrypting control traffic adds latency and jitter that can violate the real-time requirements of control loops, and it blinds the passive monitoring that OT detection depends on. Agent-based security software cannot be installed on controllers or PLCs, which run specialised firmware rather than general-purpose operating systems. Active vulnerability scanning can crash or hang industrial equipment whose network stacks were never designed for malformed packets or high-rate traffic.
The Safety Dimension
In many OT environments, the stakes of a security failure extend beyond financial impact to physical safety. Manipulation of a process control system could cause industrial equipment to operate outside safe parameters, potentially endangering the lives of plant workers and surrounding communities. This safety dimension means that OT security is not merely a cybersecurity problem — it is also an operational safety problem, with implications for regulatory compliance under industrial safety frameworks as well as cybersecurity frameworks.
The OT Threat Landscape
Before 2010, documented attacks on industrial control systems were rare and cyber-physical attack remained largely a theoretical concern. The Stuxnet worm, discovered in 2010 and widely attributed to US and Israeli intelligence agencies, demonstrated for the first time that malware could be built to manipulate a physical process: it altered the speed of Iranian uranium enrichment centrifuges to damage them while replaying normal-looking values to the operators.
Since Stuxnet, the OT threat landscape has evolved substantially. Attacks that were once the exclusive province of sophisticated nation-state actors have become accessible to a broader range of threat groups.
Triton/TRISIS
Discovered in 2017, the Triton malware crossed a new threshold. It was built specifically to attack Schneider Electric Triconex safety instrumented systems (SIS), the controllers whose job is to detect dangerous process conditions and force a safe shutdown. By reprogramming the safety controllers the attacker could have suppressed that automatic response, opening the way to physical damage or a catastrophic safety incident. The intrusion was discovered only because a flaw in the attacker's tooling caused the safety controllers to fail safe and trip the plant, and the unexplained shutdown triggered an investigation. Attribution points to a Russian state-sponsored group.
Industroyer/Crashoverride
The Industroyer malware, used in the December 2016 attack that cut power to part of Kyiv, Ukraine for roughly an hour, directly operated substation switching equipment by speaking the grid's own protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA). A successor, Industroyer2, was found in April 2022 during an attack on a Ukrainian energy provider and had been stripped down to IEC 104 alone. These attacks showed that ICS-targeted malware had moved beyond proof-of-concept into repeated operational deployment against critical infrastructure.
Ransomware in OT Environments
The Colonial Pipeline attack in May 2021 illustrated how ransomware targeting IT systems can force operational shutdowns of OT infrastructure even without directly compromising OT systems. Colonial Pipeline shut down pipeline operations proactively after ransomware infected their IT billing systems, causing fuel shortages across the southeastern United States. The attack demonstrated that the IT/OT convergence creates bidirectional risk: IT compromises can force OT shutdowns even when OT systems themselves are not directly attacked.
Ransomware groups have also begun targeting OT systems directly, recognising that the operational disruption caused by OT downtime creates extreme pressure to pay ransoms quickly. The operational and safety constraints on restoring OT systems — which cannot simply be reimaged and restored from backup in the way that IT systems can — make recovery from OT ransomware incidents far more complex and expensive.
Norsk Hydro
Norwegian organisations have direct experience with the severity of industrial cyber incidents. In March 2019, Norsk Hydro — one of the world's largest aluminium producers — suffered a significant ransomware attack by the LockerGoga malware that affected operations across multiple continents. Production at several plants was switched to manual operation. The total financial impact was estimated at approximately 800 million NOK. The Norsk Hydro attack is significant not only because of its scale but because of the company's response — a model of transparency that included publishing detailed public updates about the attack and recovery — and because it demonstrated that sophisticated ransomware attacks are a direct risk to Norwegian industrial companies, not merely a theoretical concern.
Defense-in-Depth for OT Environments
Effective OT security cannot be achieved through a single control or a single technology. It requires a layered defensive architecture — defense-in-depth — that provides multiple independent barriers against both external attackers and insider threats, and that is designed with OT operational constraints firmly in mind.
Network Segmentation and the Purdue Model
The foundation of OT network security is rigorous segmentation between OT systems and IT networks. The Purdue Enterprise Reference Architecture — commonly called the Purdue Model — provides a widely used framework for this segmentation, dividing industrial environments into hierarchical levels from field devices and controllers at the bottom through supervisory systems to enterprise networks at the top.
Effective implementation of the Purdue Model places strict controls on communication between levels. Nothing in the business network (Levels 4 and 5) should talk directly to anything in site operations or below (Level 3 and down). Instead, every flow terminates in an IT/OT demilitarised zone (often labelled Level 3.5) that hosts replica historian servers, jump hosts for remote access and patch or anti-malware staging servers, with firewalls, and data diodes where one-way flows suffice, enforcing the boundary on both sides. The business side reads the replica; it never queries the primary historian or an HMI directly.
Network segmentation in OT environments requires careful planning to avoid disrupting legitimate operational communication flows. The segmentation architecture must be developed with input from operations engineering teams, not imposed by security teams without operational context. Poorly implemented segmentation can create exactly the kind of unreliable system behavior that OT security controls are not allowed to cause.
Critical assets within the OT network — safety systems, critical controllers, engineering workstations — should be further segmented within the OT network itself. Flat OT networks, in which every device can communicate with every other device, dramatically increase the blast radius of any compromise.
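As an added example (not from the original article, and not any vendor's tool), the following Python audits observed flows against a Purdue zone policy of the kind described above. The subnets, permitted ports and sample flows are constructed for illustration; a real run would take the zone map from the asset inventory and the flows from firewall logs or the passive monitor.

```python
"""Audit observed network flows against a Purdue-style zone and conduit policy.

Added example, not part of the original article. Subnets, ports and flows
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: one subnet per Purdue level; 3.5 is the IT/OT DMZ.
ZONES = {
    "10.5.0.0/24": 5.0,   # enterprise network
    "10.4.0.0/24": 4.0,   # site business planning
    "10.35.0.0/24": 3.5,  # IT/OT DMZ: replica historian, jump host, patch staging
    "10.3.0.0/24": 3.0,   # site operations: primary historian, engineering
    "10.2.0.0/24": 2.0,   # supervisory control: HMI, SCADA servers
    "10.1.0.0/24": 1.0,   # basic control: PLCs, RTUs, safety controllers
}

# Permitted conduits, keyed (lower level, higher level), with the server ports
# that may be used across them. Anything not listed here is a violation.
# Ports are illustrative for this site, not a general recommendation.
ALLOWED_CONDUITS = {
    (1.0, 2.0): {502, 20000, 44818},   # Modbus/TCP, DNP3, EtherNet/IP from the HMI layer
    (2.0, 3.0): {1433, 3389},          # HMI/SCADA to site historian, engineering RDP
    (3.0, 3.5): {1433, 443},           # site historian pushes to the DMZ replica
    (3.5, 4.0): {443},                 # business systems read the DMZ replica over HTTPS
    (4.0, 5.0): {443, 445},
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def level_of(ip: str) -> float:
    addr = ipaddress.ip_address(ip)
    for net, level in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return level
    raise ValueError(f"{ip} is not in any known zone")

def check_flow(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason). A flow may stay within its level or cross one
    permitted conduit on a permitted port. Any flow that joins the business
    side (level 4 or 5) to the OT side (level 3 or below) without terminating
    in the DMZ is a violation regardless of port."""
    s, d = level_of(flow.src), level_of(flow.dst)
    if s == d:
        return True, f"intra-level traffic at level {s}"
    lo, hi = min(s, d), max(s, d)
    if hi >= 4.0 and lo <= 3.0:
        return False, f"level {s} -> level {d} bypasses the DMZ (3.5)"
    ports = ALLOWED_CONDUITS.get((lo, hi))
    if ports is None:
        return False, f"no conduit defined between level {lo} and level {hi}"
    if flow.dport not in ports:
        return False, f"port {flow.dport} is not permitted on conduit {lo} <-> {hi}"
    return True, f"permitted conduit {lo} <-> {hi}, port {flow.dport}"

def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every flow that breaks the policy, with the reason."""
    violations = []
    for flow in flows:
        ok, reason = check_flow(flow)
        if not ok:
            violations.append((flow, reason))
    return violations

# Constructed sample flows, as a passive monitor or firewall log would report them.
SAMPLE_FLOWS = [
    Flow("10.2.0.10", "10.1.0.5", 502),     # HMI polls/writes a PLC over Modbus/TCP: allowed
    Flow("10.3.0.20", "10.35.0.7", 1433),   # site historian replicates into the DMZ: allowed
    Flow("10.4.0.50", "10.35.0.7", 443),    # planner reads the DMZ replica: allowed
    Flow("10.4.0.50", "10.2.0.10", 3389),   # business laptop RDPs straight to an HMI: violation
    Flow("10.5.0.9", "10.1.0.5", 502),      # enterprise host speaks Modbus to a PLC: violation
    Flow("10.2.0.10", "10.1.0.5", 22),      # SSH from HMI to the controller subnet: not a permitted port
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Run it and the three policy-breaking flows print with a reason. The point of the DMZ rule is that a flow from Level 4 to Level 2 is a finding even on a port the firewall happens to allow: the business side should only ever see the DMZ replica.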
OT-Specific Intrusion Detection
Conventional IT intrusion detection systems add little in OT environments. Signature-based engines such as Suricata do ship parsers for Modbus and DNP3, but a signature cannot tell a legitimate setpoint change from a malicious one: the packets are identical, and the difference lies in who sent the command, when, and what value it carried. OT-specific monitoring platforms (from vendors including Claroty, Dragos and Nozomi Networks) address this gap by passively decoding industrial protocols and modelling normal process communication, with no active interaction with the controlled systems.
These platforms work by passively capturing network traffic and applying deep packet inspection for OT protocols. They build a baseline model of normal communication patterns — which controllers communicate with which HMI stations, what commands are normally sent, what data values fall within normal operating ranges — and alert on deviations. This approach can detect both network-based attacks and manipulation of process data values that might indicate tampering with control system logic.
The passive nature of these tools is critical: in passive mode they generate no traffic of their own and cannot trigger the unexpected behaviour that active scanning can cause in sensitive OT equipment. Some platforms also offer optional active queries to enrich asset details; enable those only for device types the vendor has confirmed tolerate them, and only with operations' approval. Deployment requires careful placement of network taps or SPAN ports so that every critical OT segment is visible, including traffic that never leaves a cell or zone.
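The following added example, written for this article and not taken from any of the platforms named above, shows two points at once: how little there is in a Modbus/TCP frame to authenticate (the protocol diversity section earlier) and how a passive baseline turns that into detections. Frames, addresses and the HMI/PLC roles are constructed; a deployment would feed it from a tap or SPAN port rather than an inline list.

```python
"""Passive Modbus/TCP baselining and anomaly detection over captured requests.

Added example, not part of the original article and not any vendor's product.
The frames are constructed inline; a deployment would read them from a SPAN
port or tap with a capture library. The learn-then-alert split is the same
approach the passive monitoring platforms described above use.
"""
import struct
from collections import defaultdict

# Function codes that change state on the controller.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request. The 7-byte MBAP header is transaction id,
    protocol id (always 0), length of what follows, unit id. There is no field
    for a credential or signature anywhere in the frame."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_request(frame: bytes) -> dict:
    """Decode MBAP + PDU for the function codes used here; raise on malformed
    frames so they are never learned into the baseline."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    fc, data = frame[7], frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc}
    if fc in (3, 4):                               # read holding / input registers
        req["addr"], req["qty"] = struct.unpack(">HH", data[:4])
    elif fc == 6:                                  # write single register
        req["addr"], req["value"] = struct.unpack(">HH", data[:4])
    elif fc == 16:                                 # write multiple registers
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        req["addr"], req["qty"] = addr, qty
        req["values"] = list(struct.unpack(f">{qty}H", data[5:5 + nbytes]))
    return req

def _writes(req: dict):
    """Yield (register, value) pairs a request would write."""
    if req["fc"] == 6:
        yield req["addr"], req["value"]
    elif req["fc"] == 16:
        for i, v in enumerate(req["values"]):
            yield req["addr"] + i, v

class ModbusBaseline:
    """Learn which source talks to which unit with which function code, and the
    value range written to each register. Then flag anything outside that."""
    def __init__(self):
        self.conversations = set()                           # (src_ip, unit, fc)
        self.write_range = defaultdict(lambda: [65535, 0])   # (unit, register) -> [min, max]

    def learn(self, src: str, frame: bytes) -> None:
        req = parse_request(frame)
        self.conversations.add((src, req["unit"], req["fc"]))
        for reg, v in _writes(req):
            r = self.write_range[(req["unit"], reg)]
            r[0], r[1] = min(r[0], v), max(r[1], v)

    def inspect(self, src: str, frame: bytes) -> list[str]:
        try:
            req = parse_request(frame)
        except ValueError as e:
            return [f"malformed frame from {src}: {e}"]
        alerts = []
        unit, fc = req["unit"], req["fc"]
        if (src, unit, fc) not in self.conversations:
            kind = "WRITE" if fc in WRITE_FUNCTIONS else "read"
            alerts.append(f"new {kind} conversation: {src} -> unit {unit}, function {fc}")
        for reg, v in _writes(req):
            known = self.write_range.get((unit, reg))   # .get() does not create an entry
            if known is None:
                alerts.append(f"{src} wrote register {reg} on unit {unit}, never written during baseline")
            elif not known[0] <= v <= known[1]:
                alerts.append(f"{src} wrote {v} to register {reg} (baseline range {known[0]}-{known[1]})")
        return alerts

# Constructed traffic: an HMI polling and adjusting a setpoint on unit 1.
HMI, UNIT = "10.2.0.10", 1
BASELINE_TRAFFIC = [
    (HMI, build_request(1, UNIT, 3, struct.pack(">HH", 0, 10))),      # read 10 holding registers
    (HMI, build_request(2, UNIT, 6, struct.pack(">HH", 40, 1200))),   # setpoint 1200
    (HMI, build_request(3, UNIT, 6, struct.pack(">HH", 40, 1250))),   # setpoint 1250
]
SUSPECT_TRAFFIC = [
    (HMI, build_request(4, UNIT, 6, struct.pack(">HH", 40, 1230))),          # normal: no alert
    ("10.4.0.50", build_request(5, UNIT, 6, struct.pack(">HH", 40, 1230))),  # same write, wrong host
    (HMI, build_request(6, UNIT, 6, struct.pack(">HH", 40, 9000))),          # setpoint far out of range
    (HMI, build_request(7, UNIT, 16, struct.pack(">HHB", 41, 2, 4) + struct.pack(">HH", 0, 0))),  # bulk write to untouched registers
]

def run_demo() -> list[list[str]]:
    baseline = ModbusBaseline()
    for src, frame in BASELINE_TRAFFIC:
        baseline.learn(src, frame)
    return [baseline.inspect(src, frame) for src, frame in SUSPECT_TRAFFIC]

if __name__ == "__main__":
    for i, alerts in enumerate(run_demo()):
        print(f"frame {i}: {alerts or 'no alert'}")
```

The second suspect frame is byte-for-byte the same write the HMI sends every day; only the source address differs, and that is all a signature engine has no way to act on but a baseline does. The fourth shows why register-level context matters: a write to registers nobody has ever written is suspicious even when every value is within a plausible range.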
Secure Remote Access
Remote access to OT systems — for maintenance by internal engineers, for support by equipment vendors, and for management by operational staff — is one of the highest-risk exposure points in industrial environments. Traditional VPN solutions are frequently inadequate for OT remote access because they provide broad network access rather than tightly scoped access to specific systems, and because they lack the granular session monitoring and recording capabilities needed for OT access security.
Purpose-built OT remote access solutions provide tighter controls: access limited to specific named assets, session recording for audit and forensic purposes, protocol-specific access rather than full network access, multi-factor authentication enforced at the access gateway, and time-limited access windows that automatically expire. These controls substantially reduce the risk exposure associated with vendor remote access while enabling the operational flexibility that remote access provides.
Third-party vendor access warrants particular attention. Supply chain compromises — in which an attacker gains access to OT systems by first compromising a vendor or contractor with legitimate remote access — have been a recurring attack vector. Vendor access should be strictly time-limited, require separate credentials rather than shared accounts, be monitored in real time where feasible, and be immediately revocable when a vendor relationship changes or a vendor security incident is identified.
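An added example (not the original article's text, and not any product's implementation) of the authorisation decision such a gateway makes for the controls listed above. Assets, grants, account names and requests are constructed for illustration.

```python
"""Authorisation decision for a brokered OT remote-access session.

Added example, not the original article's content and not any vendor's
implementation. Assets, grants and requests are constructed. The checks are
the ones listed above: one named asset, one protocol, MFA at the gateway,
a time-boxed window, individual rather than shared accounts, and immediate
revocation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=8)
SHARED_ACCOUNT_MARKERS = ("shared", "support", "admin", "vendor", "service")

@dataclass
class Grant:
    user: str            # an individual's account, never a shared vendor login
    asset: str           # one named target, not a subnet or "the OT network"
    protocol: str        # what the gateway will proxy, e.g. "vnc", "rdp", "ssh"
    not_before: datetime
    not_after: datetime
    approved_by: str
    revoked: bool = False

@dataclass(frozen=True)
class SessionRequest:
    user: str
    asset: str
    protocol: str
    mfa_verified: bool   # set by the gateway after a successful second factor
    at: datetime

class AccessBroker:
    def __init__(self, asset_protocols: dict[str, set[str]]):
        self.asset_protocols = asset_protocols   # protocols each asset may expose via the gateway
        self.grants: list[Grant] = []
        self.audit_log: list[str] = []

    def grant(self, g: Grant) -> None:
        """Refuse grants that are too long, too broad, or for a shared account."""
        if g.not_after - g.not_before > MAX_WINDOW:
            raise ValueError(f"window exceeds {MAX_WINDOW}; split it into separate grants")
        local_part = g.user.split("@")[0].lower()
        if any(marker in local_part for marker in SHARED_ACCOUNT_MARKERS):
            raise ValueError(f"{g.user!r} looks like a shared account; issue an individual one")
        if g.protocol not in self.asset_protocols.get(g.asset, set()):
            raise ValueError(f"{g.asset} is not published for {g.protocol} through this gateway")
        self.grants.append(g)

    def revoke_user(self, user: str) -> int:
        """Vendor offboarded or vendor breach reported: kill every grant at once."""
        count = 0
        for g in self.grants:
            if g.user == user and not g.revoked:
                g.revoked, count = True, count + 1
        return count

    def decide(self, r: SessionRequest) -> tuple[bool, str]:
        if not r.mfa_verified:
            return self._record(r, False, "second factor not completed at the gateway")
        for g in self.grants:
            if (g.user, g.asset, g.protocol) != (r.user, r.asset, r.protocol):
                continue
            if g.revoked:
                return self._record(r, False, "grant revoked")
            if not g.not_before <= r.at <= g.not_after:
                return self._record(r, False, f"outside window {g.not_before:%H:%M}-{g.not_after:%H:%M} UTC")
            return self._record(r, True, f"grant approved by {g.approved_by}; session will be recorded")
        return self._record(r, False, "no grant for this user, asset and protocol")

    def _record(self, r: SessionRequest, ok: bool, why: str) -> tuple[bool, str]:
        verdict = "ALLOW" if ok else "DENY"
        self.audit_log.append(f"{r.at.isoformat()} {r.user} -> {r.asset}/{r.protocol} {verdict}: {why}")
        return ok, why

def run_demo():
    """Constructed day: one vendor engineer, one four-hour grant to one PLC."""
    t0 = datetime(2024, 3, 12, 8, 0, tzinfo=timezone.utc)
    user = "j.olsen@acme-automation.example"
    broker = AccessBroker({"plc-line3": {"vnc", "modbus"}, "hmi-line3": {"rdp"}})
    broker.grant(Grant(user, "plc-line3", "vnc", t0, t0 + timedelta(hours=4), "ops-lead"))
    requests = [
        SessionRequest(user, "plc-line3", "vnc", True, t0 + timedelta(hours=1)),    # in scope: allow
        SessionRequest(user, "plc-line3", "vnc", False, t0 + timedelta(hours=1)),   # no second factor
        SessionRequest(user, "hmi-line3", "rdp", True, t0 + timedelta(hours=1)),    # asset not granted
        SessionRequest(user, "plc-line3", "vnc", True, t0 + timedelta(hours=5)),    # window expired
    ]
    decisions = [broker.decide(r)[0] for r in requests]
    broker.revoke_user(user)   # vendor reports an incident: every grant dies immediately
    decisions.append(broker.decide(SessionRequest(user, "plc-line3", "vnc", True, t0 + timedelta(hours=3)))[0])
    return decisions, broker.audit_log

def try_shared_account():
    """Return the error message a shared login produces at grant time, or None."""
    t0 = datetime(2024, 3, 12, 8, 0, tzinfo=timezone.utc)
    broker = AccessBroker({"plc-line3": {"vnc"}})
    try:
        broker.grant(Grant("support@acme-automation.example", "plc-line3", "vnc", t0, t0 + timedelta(hours=2), "ops-lead"))
    except ValueError as e:
        return str(e)
    return None
```

Every decision, allowed or denied, lands in the audit log with the reason, which is what an investigator needs when a vendor laptop turns out to have been compromised: not "the vendor had VPN access", but exactly which asset, which protocol, which window and which approver.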
Asset Inventory
You cannot protect what you cannot see. A comprehensive asset inventory is a prerequisite for effective OT security, but it is frequently neglected in industrial environments where systems may have been installed and forgotten over periods spanning decades. OT environments often contain controllers, sensors and communication equipment that appear in no asset register and whose ownership and configuration are unclear.
Building a comprehensive OT asset inventory requires combining several approaches: review of as-built documentation and engineering diagrams; physical inspection of cabinets and rack infrastructure; passive network discovery using OT monitoring tools that can identify devices from their traffic patterns without actively scanning them; and engagement with operations engineering teams who have institutional knowledge of what is installed where.
The asset inventory should capture, at minimum: device type and model, firmware version, network location and connectivity, vendor support status, and criticality classification. This baseline enables vulnerability management, network segmentation design, and incident response planning.
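As an added example (not part of the original article), here is the reconciliation step in code: the documented register compared against what a passive monitor actually saw. The register rows, observations and end-of-support dates are constructed for illustration; the end-of-support dates in particular should be checked against the vendor lifecycle pages before anyone relies on them.

```python
"""Reconcile a documented OT asset register with passively observed devices.

Added example, not from the original article. The register, the observations
and the end-of-support dates are constructed for illustration; a real run would
take observations from the passive monitor and the register from the site's
CMDB or engineering documentation.
"""
from dataclasses import dataclass
from datetime import date

# Illustrative end-of-support dates for the OS families the article mentions.
# Verify against the vendor lifecycle pages before relying on them.
END_OF_SUPPORT = {
    "Windows XP Embedded": date(2016, 1, 12),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

@dataclass
class RegisterEntry:          # one row of the documented asset register
    tag: str
    ip: str
    model: str
    firmware: str
    os: str                   # "" for bare controllers running only firmware
    criticality: str          # "safety", "production" or "monitoring"

@dataclass
class Observation:            # one device as a passive monitor reports it
    ip: str
    mac: str
    protocols: frozenset
    vendor_hint: str          # from the MAC OUI or protocol banners
    os_banner: str            # "" when nothing in the traffic revealed an OS

def reconcile(register, observations, today):
    """Return (severity, ip, message) findings, worst first."""
    documented = {r.ip: r for r in register}
    seen = {o.ip: o for o in observations}
    findings = []

    for ip, o in seen.items():
        if ip not in documented:
            protos = ", ".join(sorted(o.protocols))
            findings.append(("HIGH", ip, f"undocumented device ({o.vendor_hint}) speaking {protos}"))

    for ip, r in documented.items():
        o = seen.get(ip)
        if o is None:
            findings.append(("MEDIUM", ip, f"{r.tag} never observed on the wire: powered off, mis-addressed or on an unmonitored segment"))
        if o and o.os_banner and r.os and o.os_banner != r.os:
            findings.append(("MEDIUM", ip, f"{r.tag} register says {r.os!r} but traffic shows {o.os_banner!r}"))
        effective_os = o.os_banner if o and o.os_banner else r.os   # trust the wire over the paperwork
        eol = END_OF_SUPPORT.get(effective_os)
        if eol and eol <= today:
            severity = "HIGH" if r.criticality == "safety" else "MEDIUM"
            findings.append((severity, ip, f"{r.tag} runs {effective_os}, out of support since {eol.isoformat()}"))

    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

# Constructed register and observations; model names are placeholders.
REGISTER = [
    RegisterEntry("PLC-301", "10.1.0.5", "PLC model A (placeholder)", "2.11", "", "production"),
    RegisterEntry("SIS-01", "10.1.0.8", "safety controller (placeholder)", "4.2", "", "safety"),
    RegisterEntry("HMI-301", "10.2.0.10", "panel PC", "n/a", "Windows 7", "production"),
    RegisterEntry("EWS-01", "10.3.0.30", "engineering workstation", "n/a", "Windows 10", "production"),
    RegisterEntry("HIST-01", "10.3.0.20", "historian server", "n/a", "Windows Server 2019", "monitoring"),
]
OBSERVED = [
    Observation("10.1.0.5", "00:11:22:33:44:55", frozenset({"modbus"}), "PLC vendor A", ""),
    Observation("10.1.0.8", "00:11:22:33:44:66", frozenset({"proprietary-sis"}), "SIS vendor", ""),
    Observation("10.2.0.10", "00:aa:bb:cc:dd:01", frozenset({"modbus", "smb"}), "panel PC vendor", "Windows 7"),
    Observation("10.3.0.30", "00:aa:bb:cc:dd:02", frozenset({"modbus", "rdp"}), "PC vendor", "Windows XP Embedded"),
    Observation("10.1.0.9", "00:de:ad:be:ef:01", frozenset({"modbus", "http"}), "unknown OUI", ""),
]

def run_demo(today=date(2024, 3, 12)):
    return reconcile(REGISTER, OBSERVED, today)

if __name__ == "__main__":
    for severity, ip, message in run_demo():
        print(f"{severity:6} {ip:11} {message}")
```

The findings are the three classes that matter in practice: a device on the control network that no document knows about, a documented device that never shows up (which usually means the register or the monitoring coverage is wrong), and a workstation whose real operating system is older than the paperwork claims.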
Patch Management in No-Downtime Environments
OT patch management requires a fundamentally different approach than IT patch management. The operational constraints that make unplanned downtime unacceptable also make the standard IT approach — deploy patches promptly as they become available — impossible in most OT environments.
Effective OT patch management starts with prioritisation based on exploitability and process impact rather than CVSS score alone. A critical vulnerability in a system that is not reachable from any other network and that controls a non-critical process is lower priority than a moderate vulnerability in an internet-reachable system that controls a safety-critical process. Patches must also be evaluated against OT-specific constraints before deployment: control-system vendors typically publish lists of operating-system patches they have qualified for each product version, and IT patches applied outside that list have been known to break HMI and engineering software. Apply only what the vendor has qualified, and test it on a spare or lab unit first.
Where patching is not possible within an acceptable timeframe, compensating controls become essential. Network segmentation can reduce the exploitability of a vulnerability by limiting the network paths from which it can be reached. OT monitoring can detect exploitation attempts. Application whitelisting on engineering workstations can prevent malware from executing even on unpatched systems.
Planned maintenance windows — scheduled shutdowns for preventive maintenance — provide the most practical opportunity for applying OT patches. Security teams should work with operations to ensure that patch deployment is included in maintenance window planning cycles, and that testing of patches against OT-specific configurations is completed before the maintenance window to minimise the risk of deployment delays.
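To turn the prioritisation in the three paragraphs above into something that can be run rather than argued, here is an added example (the article's reasoning, not its method; not any vendor's scoring). Weights, thresholds and findings are constructed, and the vulnerability identifiers are placeholders rather than real CVE numbers.

```python
"""Rank OT vulnerabilities by reachability and process impact, not CVSS alone.

Added example, not the original article's method and not any vendor's scoring.
Weights, thresholds and findings are constructed; the vulnerability identifiers
are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str                 # placeholder label, not a real CVE
    asset: str
    cvss: float                  # vendor/NVD base score, 0-10
    reachable_from: str          # "internet", "it_network", "ot_only" or "isolated"
    process_impact: str          # "safety", "production", "monitoring" or "none"
    vendor_qualified: bool       # control-system vendor has qualified the patch for this product
    compensating: frozenset = frozenset()   # subset of MITIGATION keys verified to be in place

REACHABILITY = {"internet": 1.0, "it_network": 0.7, "ot_only": 0.4, "isolated": 0.1}
IMPACT = {"safety": 1.0, "production": 0.7, "monitoring": 0.3, "none": 0.1}
# Multiplicative reductions for compensating controls that are verified, not merely planned.
MITIGATION = {"segmented": 0.5, "monitored": 0.8, "allowlisted": 0.6}

def risk_score(f: Finding) -> float:
    """0-100. Reachability and impact dominate; CVSS only nudges within that."""
    score = REACHABILITY[f.reachable_from] * IMPACT[f.process_impact] * (0.5 + f.cvss / 20)
    for control in f.compensating:
        score *= MITIGATION[control]
    return round(score * 100, 1)

def action_for(f: Finding, score: float) -> str:
    if score >= 40:
        if f.vendor_qualified:
            return "patch in the next planned maintenance window; test on the spare or lab unit first"
        return "patch not vendor-qualified: add compensating controls now and escalate to the vendor"
    if score >= 15:
        return "schedule for a later window; verify the compensating controls are actually in place"
    return "accept for now; re-evaluate at the next review or if reachability changes"

def plan(findings: list[Finding]) -> list[tuple[str, str, float, str]]:
    """Ranked remediation list: (vuln_id, asset, score, action), highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.vuln_id, f.asset, risk_score(f), action_for(f, risk_score(f))) for f in ranked]

# Constructed findings mirroring the comparison in the text.
SAMPLE_FINDINGS = [
    Finding("VULN-A", "plc-packaging-7", 9.8, "isolated", "monitoring", True),
    Finding("VULN-B", "rtu-wellhead-3", 6.5, "internet", "safety", True),
    Finding("VULN-C", "ews-line3", 8.0, "it_network", "production", False),
    Finding("VULN-D", "hmi-line3", 7.0, "it_network", "production", True,
            frozenset({"segmented", "monitored"})),
]

if __name__ == "__main__":
    for vuln_id, asset, score, action in plan(SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {vuln_id:7} {asset:17} {action}")
```

The CVSS 9.8 finding lands at the bottom and the 6.5 at the top, which is the point of the paragraph above. VULN-C and VULN-D differ only by patch qualification and by the controls already in place, and that difference moves one into "act now" and the other into "next window", which is the decision the maintenance planning meeting actually has to make.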
Norwegian Critical Infrastructure Context
Norway's critical infrastructure presents a specific OT security challenge given the country's economic and strategic importance in several key sectors.
Energy
Norway is a major global energy producer, with substantial oil and gas production on the continental shelf and a domestic electricity grid that is predominantly hydropower-based. Both sectors operate extensive OT infrastructure. Offshore platforms run complex integrated control systems managing drilling, production and safety functions. Hydropower facilities use supervisory control systems that manage dam operations, turbine control and grid connection. The energy sector is a persistent priority target for nation-state actors seeking both intelligence and the ability to cause disruption.
Maritime
Norway's maritime sector — shipping, offshore support, fish farming, and port operations — relies heavily on OT systems including vessel automation, navigation systems, dynamic positioning, and port infrastructure management. Maritime OT presents distinct security challenges given the remote operating environments, satellite-based connectivity, and the mix of vessel-specific and shore-side infrastructure.
Water and Wastewater
Municipal water and wastewater systems are among the most commonly targeted critical infrastructure sectors globally, partly because they frequently operate with limited security budgets and older infrastructure. Norwegian municipalities operate water infrastructure that relies on OT systems for treatment process control, pumping station management, and distribution network monitoring. These systems are increasingly connected to corporate IT networks for remote monitoring, creating the same convergence risks present in other critical infrastructure sectors.
NIS2 Obligations for Essential Service Operators
The NIS2 Directive establishes binding cybersecurity obligations for entities classified as essential or important across a range of sectors including energy, transport, water, digital infrastructure and manufacturing. Norwegian organisations in these sectors will be subject to NIS2-derived requirements once the directive is incorporated into the EEA Agreement and transposed into Norwegian law, and should plan on that basis now.
The NIS2 obligations most directly relevant to OT environments include:
- Risk management measures: Operators must implement appropriate and proportionate technical and organisational measures to manage cybersecurity risks, including measures addressing network and information systems security. For OT operators, this encompasses the network segmentation, access control, and monitoring measures described in this article.
- Supply chain security: NIS2 explicitly addresses supply chain security, requiring operators to consider the cybersecurity practices of their suppliers and service providers. For OT operators, this includes the security posture of equipment vendors with remote access to control systems.
- Incident reporting: Significant incidents must be reported to the relevant national authority in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Meeting the 24-hour deadline requires incident detection capability, which in OT environments means the monitoring infrastructure described above.
- Business continuity: Operators must have plans for maintaining or rapidly restoring operations after a significant incident. OT-specific business continuity planning requires attention to the longer recovery timelines characteristic of OT incidents and the operational constraints that make OT recovery more complex than IT recovery.
Non-compliance with NIS2 obligations carries significant financial penalties. More importantly, the NIS2 framework reflects the consensus view among European governments and security authorities that the voluntary approach to critical infrastructure security has been insufficient, and that binding minimum standards are necessary given the demonstrated consequences of OT security failures.
Taking the Next Step: OT Security Assessment
For most organisations with OT environments, the appropriate starting point for an OT security improvement program is a comprehensive assessment of the current state. Many OT operators have limited visibility into the actual security posture of their industrial networks — asset inventories are incomplete, network diagrams do not reflect the current state of connectivity, and security controls that were implemented years ago have never been tested against current threat techniques.
A rigorous OT security assessment covers several key areas:
- Network architecture review — mapping actual connectivity against documented architecture and identifying undocumented connections and segmentation gaps
- Asset discovery — building a comprehensive inventory of OT devices, software versions, and communication relationships
- Vulnerability analysis — identifying known vulnerabilities in OT assets and assessing their exploitability given the network architecture
- Remote access review — evaluating all remote access paths to OT systems, including vendor access
- Incident response readiness — assessing the organisation's capability to detect, respond to, and recover from an OT security incident
- Regulatory gap analysis — mapping current controls against applicable frameworks including NIS2, NSM guidelines, and sector-specific requirements
The output of the assessment should be a prioritised remediation roadmap that sequences improvements by impact and feasibility, with specific attention to operational constraints that determine what can be done without downtime versus what requires planned maintenance windows.
ZeroSubnet provides OT security assessment services delivered by specialists with direct experience in Norwegian critical infrastructure sectors including energy, maritime, and industrial manufacturing. Our assessment methodology is designed to deliver actionable findings within operational constraints — we do not generate reports full of theoretically correct recommendations that are operationally impossible to implement. Contact us to discuss how a ZeroSubnet OT security assessment can give your organisation the visibility and roadmap it needs to manage OT cyber risk effectively.