Operational Technology (OT)

Operational technology (OT) encompasses the hardware and software systems that monitor, control, and automate physical processes, devices, and infrastructure. In the context of defense and critical infrastructure, OT security has become a growing concern as cyberattacks increasingly target industrial control systems (ICS), SCADA networks, and other OT environments that were traditionally isolated from enterprise IT networks.

What Is Operational Technology?

Operational technology refers to computing systems designed to interact with the physical world. Unlike information technology (IT), which processes and stores data, OT systems directly control physical equipment and processes — from manufacturing assembly lines and power generation facilities to building management systems and military weapons platforms. OT environments typically include programmable logic controllers (PLCs), distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, and human-machine interfaces (HMIs).

OT vs. IT: Key Differences

While IT prioritizes data confidentiality, integrity, and availability (in that order), OT environments traditionally prioritize availability and safety above all else. Downtime in an OT environment can have physical consequences — disrupted manufacturing, infrastructure failures, or safety hazards. This difference in priorities means that OT systems often run legacy software, have longer patch cycles, and were designed without cybersecurity as a primary consideration.

OT Security Risks in the Defense Industrial Base

Defense contractors operating OT environments face unique cybersecurity challenges. As IT and OT networks converge, attack surfaces expand. Nation-state actors have demonstrated the capability to compromise OT systems, as seen in incidents affecting energy grids, water treatment facilities, and manufacturing operations. For DIB organizations, securing OT environments is increasingly relevant to CMMC compliance, particularly when those systems process or transmit Controlled Unclassified Information (CUI).

OT Cybersecurity Frameworks

Several frameworks guide OT security practices. NIST SP 800-82 (Guide to Operational Technology Security) provides comprehensive guidance for securing OT systems. The IEC 62443 series addresses industrial automation and control system security. The NIST Cybersecurity Framework (CSF) applies to both IT and OT environments. Organizations in the DIB should map their OT security controls against these frameworks alongside NIST SP 800-171 requirements to ensure comprehensive coverage.

IT/OT Convergence and Compliance

Modern defense operations increasingly rely on converged IT/OT architectures where enterprise networks connect with industrial systems. This convergence creates efficiencies but also expands the scope of cybersecurity compliance. Contractors must carefully define their CUI boundaries and assess whether OT systems fall within scope for DFARS 252.204-7012 and CMMC requirements. A thorough System Security Plan (SSP) should document OT assets, network segmentation strategies, and the controls applied to protect converged environments.