By DM Cyber Solutions · 2026
The mismatch
The OT security market in 2026 is full of vendors selling network detection, anomaly modeling, and asset-discovery tools. Those tools are real and useful. They are also not what is keeping most utilities awake at night.
What is keeping us awake: control-system vendors who still ship products whose SNMPv3 support stops at SHA1+AES128, FortiOS 6.0.x boxes still in production because the vendor never validated a replacement, ICS protocol implementations that do not survive a properly segmented network, and air-gapped networks that are not actually air-gapped.
Three things that actually move the risk needle
- Real segmentation, not "we have a firewall." A FortiGate between the corporate network and the OT network is the start, not the end. Real segmentation means VLAN/VRF design that maps to your Purdue level, deny-by-default rules that survive audit, named host objects (not /24 wildcards), and the discipline to keep it that way through change cycles.
- Identity and remote access that you can prove. Vendor remote access is the single largest backdoor in most OT environments. Replace VPN-and-trust with brokered access (Tailscale ACL-bounded, jump hosts with session recording, just-in-time creds via Vaultwarden or similar). Prove it with evidence, not assertions.
- Patch & firmware that is scheduled, not aspirational. "We patch when we can" is the wrong answer. "We have a quarterly patch window with a documented exception process and we hold to it" is the right answer. Same for switch firmware -- the longer a Catalyst 9K sits on an old IOS-XE, the harder the upgrade becomes.
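The segmentation bar above (named host objects rather than /24 wildcards, deny-by-default, rules that follow the Purdue levels) can be audited mechanically. The following is an added example, not DM Cyber Solutions' tooling: it assumes a simplified dict shape for rules and address objects that you would produce from your own policy export, and an assumed zone-to-Purdue-level map.

```python
import ipaddress

# Assumed zone-to-Purdue-level map and wildcard threshold; adjust per site.
PURDUE_LEVEL = {"corp": 4, "ot-dmz": 3, "ot-scada": 2, "ot-plc": 1}
WILDCARD_PREFIX = 24  # a /24 or broader object is a wildcard, not a named host

def rule(rid, src_zone, dst_zone, src, dst, service, action="accept"):
    # One policy entry: a simplified rendering of a parsed FortiGate policy (assumed shape).
    return {"id": rid, "from": src_zone, "to": dst_zone, "src": src,
            "dst": dst, "service": service, "action": action}

def rule_findings(r, addr_objects):
    """Audit one rule. Deny rules are the floor we want, so only accepts are checked."""
    if r["action"] != "accept":
        return []
    found = []
    for side in ("src", "dst"):
        for name in r[side]:
            if name == "all":
                found.append(f"{r['id']}: {side} is 'all'")
                continue
            net = ipaddress.ip_network(addr_objects[name], strict=False)
            if net.prefixlen <= WILDCARD_PREFIX:
                found.append(f"{r['id']}: {side} object {name} is a /{net.prefixlen} wildcard")
    if r["service"] == "ALL":
        found.append(f"{r['id']}: accept with service ALL")
    if abs(PURDUE_LEVEL[r["from"]] - PURDUE_LEVEL[r["to"]]) > 1:
        found.append(f"{r['id']}: accept skips a Purdue level ({r['from']} -> {r['to']})")
    return found

def audit_policy(rules, addr_objects):
    """Audit an ordered policy list; the final rule must be an explicit deny-all."""
    found = [f for r in rules for f in rule_findings(r, addr_objects)]
    if not (rules and rules[-1]["action"] == "deny"
            and rules[-1]["src"] == ["all"] and rules[-1]["dst"] == ["all"]):
        found.append("policy: no explicit deny-all as the final rule")
    return found

# Constructed sample address objects and two policy sets for comparison.
ADDR_OBJECTS = {"hist-01": "10.20.2.15/32", "scada-net": "10.20.2.0/24", "plc-07": "10.20.1.7/32",
                "jump-01": "10.20.3.5/32", "corp-eng-ws": "10.1.50.22/32"}
WEAK_POLICY = [  # corp-wide 'all' straight into the SCADA /24, no closing deny
    rule(10, "corp", "ot-scada", ["all"], ["scada-net"], "ALL"),
]
TIGHT_POLICY = [  # named hosts, named services, one Purdue hop at a time, closing deny
    rule(10, "corp", "ot-dmx", ["corp-eng-ws"], ["jump-01"], "SSH") if False else rule(10, "corp", "ot-dmz", ["corp-eng-ws"], ["jump-01"], "SSH"),
    rule(20, "ot-dmz", "ot-scada", ["jump-01"], ["hist-01"], "HTTPS"),
    rule(30, "ot-scada", "ot-plc", ["hist-01"], ["plc-07"], "MODBUS"),
    rule(99, "any", "any", ["all"], ["all"], "ALL", action="deny"),
]
```

Run `audit_policy(WEAK_POLICY, ADDR_OBJECTS)` to see the five findings the weak set produces; the tight set returns an empty list, which is the evidence the change-control process should be asked for on every cycle.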
What we tell utility clients to skip
- Bolt-on "OT visibility" tools that re-discover what NetBox already knows. Use the source of truth (SoT) you already have; ingest from there.
- SOAR playbooks that auto-action on the OT network. Read-only enrichment, yes. Auto-quarantine of a relay, no.
- "Zero Trust" labels on architectures that are not. The label is cheap; the segmentation work is not. Do the work; the label takes care of itself.
Where compliance helps -- and where it gets in the way
NERC CIP is a useful forcing function for things that should already be true: asset inventory, change control, account management, evidence trails. It is a hindrance when it locks an organization into the minimum-viable interpretation. The risk surface NERC CIP cares about is not the same as the risk surface a credible OT attacker cares about. Use CIP to fund the program; use the threat model to design it.
Talk to us about OT security