Operational technology (OT) has become one of the most critical areas of cyber risk management for enterprise security leaders. Manufacturing lines, power systems, transportation networks, healthcare infrastructure, energy operations, and other industrial environments rely on increasingly connected systems. That connectivity delivers operational advantages, but it also exposes OT environments that were not originally designed for today’s threat landscape.
For CISOs, this poses a difficult challenge. While OT environments are no longer isolated from enterprise risk, they also cannot be secured simply by extending traditional IT controls into industrial networks. The priorities, systems, and consequences of disruption are all different.
In IT, the primary goals focus on protecting data, users, applications, and business systems. In OT, security must also address safety, uptime, physical processes, specialized equipment, legacy protocols, and operational continuity. A security control that makes sense in a corporate environment may pose unacceptable risk if it interrupts a production line, delays a safety process, or affects the availability of critical infrastructure.
That is why OT security requires a threat-informed approach. CISOs need to understand not only what assets exist but also which systems are most exposed, which threats are most relevant, how an attacker would move through the environment, and which controls can reduce risk without disrupting operations.
Most OT environments were designed for reliability and availability long before they were ever connected to enterprise IT systems, cloud services, remote access platforms, and third-party support networks. As a result, they often include older systems that are difficult to patch, proprietary protocols that are hard to inspect, and operational requirements that restrict when and how changes can be made.
This does not mean OT teams ignored security. It means they operated under different constraints. Industrial systems are often designed to run continuously for years, so scheduled maintenance windows may be rare. Some devices cannot support endpoint agents, and others run legacy operating systems because the equipment they control was designed to last for decades. All of these constraints become more problematic in the age of frontier AI-enabled security.
CISOs who approach OT as if it were simply another branch of the corporate network risk creating blind spots. They may overestimate the effectiveness of standard controls, underestimate the fragility of industrial processes, or overlook the specific ways adversaries target OT environments.
A more effective model starts with the realities of the environment. OT security must protect availability and safety while improving visibility, reducing exposure, and providing security teams with enough context to detect and respond to threats before they affect operations.
A common example is the deployment of traditional IT security controls into OT environments without operational validation. For instance, aggressive vulnerability scanning can disrupt network devices with limited memory and processing capacity, such as programmable logic controllers (PLCs) or remote terminal units (RTUs). Endpoint protection agents may consume critical system resources on human-machine interfaces (HMIs), while routine patching can introduce unplanned downtime in continuous-process operations. In such scenarios, these systems are often mission-critical and expected to remain continuously available to support safe and reliable operations.
Similarly, overly restrictive network segmentation policies may inadvertently block industrial protocols or latency-sensitive communications required for real-time control, safety functions, and operational continuity within OT environments. In addition, OT environments in the critical infrastructure sectors may not support internet or cloud connectivity for security updates. While connectivity is common in IT environments, OT environments may require air-gapped-only solutions, affecting automated and cloud-based security update delivery operations.
CISOs cannot defend systems they cannot see. In many OT environments, the first challenge is mapping the full asset landscape, including industrial controllers, engineering workstations, HMIs, sensors, field devices, remote access points, and the connections between OT and IT networks. That is a considerable task when many of these assets sit in remote, inhospitable locations.
Such visibility, however, must extend beyond a static inventory. CISOs and security teams need to understand asset relationships, communication patterns, exposure paths, firmware and software versions, known vulnerabilities and patch management strategies, and business criticality. For example, a low-profile device may support a critical process. A forgotten remote access connection may create a pathway into a sensitive environment. Or a vulnerable engineering workstation may pose more risk than a high-volume server because of the systems it can reach and control.
Threat-informed defense depends on this context. The goal is not to treat every asset equally. The goal is to identify the systems most likely to be targeted, the pathways adversaries could use, and the compensating controls that would make those pathways harder to exploit.
This is especially important as OT environments become more connected. Remote operations, predictive maintenance, cloud analytics, and third-party service access can improve efficiency, but they also expand the attack surface. Without accurate visibility, CISOs and their teams are left to manage OT risk based on assumptions.
Once you understand your OT environment, segmentation is one of the most effective ways to reduce risk. Flat networks give adversaries room to move, and this matters even more in OT, where poorly controlled connections between IT and OT networks can allow a compromise in one area to spread to systems that support physical operations.
Effective segmentation is not merely a technical exercise. It requires collaboration between security, networking, engineering, and operations teams. You must understand which systems need to communicate, which connections are unnecessary, and where access should be restricted. Similarly, controls must be designed around operational realities, not imposed in ways that disrupt essential workflows.
A threat-informed segmentation strategy limits lateral movement, reduces unnecessary exposure, and helps contain incidents before they escalate into operational disruptions. It also provides defenders with clearer visibility into abnormal activity. When traffic patterns are well understood and access paths are controlled, suspicious behavior is easier to detect.
Fortinet’s OT segmentation methodology aligns with ISA/IEC 62443 principles by establishing security zones and conduits that separate industrial processes, safety systems, supervisory networks, and enterprise environments based on operational criticality and communication requirements. Rather than applying restrictive IT-style segmentation policies immediately, the approach emphasizes a phased deployment with visibility-first monitoring, awareness of industrial protocols, and validation of operational traffic flows before enforcement.
Practical implementation typically includes deploying FortiGate Next-Generation Firewalls (NGFWs) at key conduits between Level 1–3 industrial automation and control system (IACS) environments, applying OT-specific policies for protocols such as Modbus TCP, DNP3, IEC-104, OPC, and CIP, and enforcing least-privilege communications between controllers, HMIs, historians, and engineering workstations. Fortinet also recommends passive asset discovery, topology mapping, and traffic baselining before segmentation changes to minimize operational disruption. Additional protections may include secure remote access with MFA, internal segmentation firewalls within critical production areas with transparent firewalling and network bypass capability for mission-critical systems, and virtual patching to protect vulnerable legacy assets when immediate patching is not operationally feasible.
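The visibility-first step described above (baseline the flows between zones, then review anything that crosses a boundary outside a defined conduit before enforcement) can be exercised on passively collected flow records. The script below is an added example, not Fortinet code or a FortiGate feature; the zone ranges, the conduit allowlist, and the sample flows are constructed for illustration, and the OPC label assumes OPC UA on its registered port.

```python
# Added example (not Fortinet's code): baseline cross-zone OT flows before enforcing conduits.
# Zone ranges, conduit allowlist and the sample flows are constructed for illustration.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed Purdue-style zones: enterprise (L4/5), supervisory (L2/3), control (L1).
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "supervisory": ip_network("192.168.10.0/24"),   # HMIs, historians, engineering workstations
    "control": ip_network("192.168.20.0/24"),       # PLCs, RTUs
}
# Registered ports for the industrial protocols named in the text, used only to label flows.
OT_PORTS = {502: "Modbus TCP", 20000: "DNP3", 2404: "IEC-104", 44818: "CIP", 4840: "OPC UA"}
# Conduit allowlist (constructed): which protocols may cross which zone boundary.
CONDUITS = {
    ("supervisory", "control"): {"Modbus TCP", "DNP3", "IEC-104", "CIP"},
    ("enterprise", "supervisory"): {"OPC UA"},   # historian access only, never direct to controllers
}

def zone_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def classify(flow):
    """Map one (src_ip, dst_ip, dst_port) record to (src_zone, dst_zone, protocol, verdict)."""
    src, dst, port = flow
    proto = OT_PORTS.get(port, f"tcp/{port}")
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        verdict = "intra-zone"
    elif proto in CONDUITS.get((sz, dz), set()):
        verdict = "allowed-conduit"
    else:
        verdict = "violation"   # crosses a zone boundary outside any defined conduit
    return sz, dz, proto, verdict

def baseline(flows):
    """Learning phase: count observed flows per zone pair and protocol before any enforcement."""
    return Counter(classify(f) for f in flows)

def violations(flows):
    """Flows to review with engineering before the conduit policy is switched to enforce."""
    return [f for f in flows if classify(f)[3] == "violation"]

SAMPLE_FLOWS = [   # constructed, as a passive collector might export them
    ("192.168.10.5", "192.168.20.11", 502),    # HMI polls PLC over Modbus TCP: allowed conduit
    ("192.168.10.5", "192.168.20.12", 20000),  # supervisory host to RTU over DNP3: allowed conduit
    ("10.0.3.7", "192.168.10.50", 4840),       # enterprise host to historian over OPC UA: allowed
    ("10.0.3.7", "192.168.20.11", 502),        # enterprise host straight to a PLC: violation
    ("192.168.20.11", "192.168.20.12", 502),   # controller to controller: intra-zone, not a conduit
]
```

Run `baseline(SAMPLE_FLOWS)` during the monitoring phase and `violations(SAMPLE_FLOWS)` to list the flows that engineering must either add to a conduit or explain before enforcement is turned on.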
Additionally, FortiLink allows a FortiGate NGFW to remotely manage FortiSwitches. FortiLink enables native integration of FortiSwitch into the FortiGate NGFW UI and supports the management and monitoring of network ports on the FortiSwitch. This integration provides full visibility into network nodes and assets connected to the FortiSwitch, enabling OT engineers to pinpoint network faults and issues and troubleshoot them efficiently.
Threat intelligence is most valuable when it helps security teams prioritize and make better decisions. In OT security, that means understanding the adversaries, tactics, techniques, and procedures most relevant to industrial environments and critical infrastructure.
CISOs need intelligence that connects threat activity to operational risk. Which groups are targeting similar sectors? Which vulnerabilities are being exploited in industrial systems? Which remote access methods are commonly abused? Which malware families or intrusion patterns have appeared in OT-related incidents? Which controls would disrupt the most likely attack paths?
Generic threat intelligence has limitations in this environment. OT teams need intelligence that reflects the systems, protocols, and operational processes they actually use. They also need the ability to translate that intelligence into action, including updated detection logic, tighter access controls, improved segmentation, and more focused incident response planning.
This is where threat-informed defense becomes critical. It helps organizations move from broad concerns about OT risk to specific decisions on what to prioritize.
One of the hardest aspects of OT security is organizational, not technical. IT and OT teams often have different priorities, vocabularies, and definitions of acceptable risk. IT teams may focus on confidentiality, patching, access control, and compliance, while OT teams may focus on safety, uptime, process integrity, and operational continuity. Both perspectives are valid, but neither is sufficient alone.
CISOs need to create a unified risk management model that respects operational constraints while improving security outcomes. That requires joint governance, shared visibility, incident response planning, and clear ownership. It also requires involving OT leaders early, rather than treating security as something imposed from the outside.
When IT and OT teams work together, security decisions become more realistic. Patch management can be aligned with maintenance windows. Segmentation can be designed around operational dependencies. Incident response plans can account for safety and production requirements. Executive reporting can reflect both cyber exposure and operational impact.
Effective IT/OT collaboration is essential to maintaining both cybersecurity and operational resilience. Organizations should establish joint governance between IT, OT engineering, operations, and cybersecurity teams through shared asset inventories, coordinated change-management processes, and cross-functional incident response planning. Regular tabletop exercises that simulate cyber incidents, such as ransomware affecting production systems or loss of visibility or control in industrial environments, help validate communication paths, escalation procedures, and operational recovery strategies. Collaborative reviews of IT/OT segmentation policies, remote access requirements, and maintenance activities also help ensure that security controls are implemented without adversely affecting safety, availability, or real-time industrial operations in OT and critical infrastructure environments.
IT-facing services such as email and web services are common vectors for cyberattacks on interconnected OT infrastructure via phishing and compromised business email. As adoption of the Internet-of-Things (IoT) and Industrial-Internet-of-Things (IIoT) technologies increases, the attack surface expands and can even bypass traditional IT security controls. Therefore, a comprehensive IT/OT (or IT/OT/internet/cloud) security and risk management program can address the broader threat landscape.
Organizations increasingly recognize that OT cybersecurity requires executive-level oversight, with responsibility shifting from VP-level roles to the CISO as IT and OT environments converge. The trend over the past several years reflects a broader industry focus on centralized visibility, governance, and risk management across critical infrastructure environments. Fortinet’s upcoming 2026 State of Operational Technology and Cybersecurity Report will offer new insight into how organizations continue to evolve their approach to OT security leadership and resilience.
A threat-informed OT security strategy should begin with a few practical questions:
These questions help CISOs move from abstract OT concerns to measurable risk reduction and help security teams prioritize the controls that matter most. The objective is not to make OT environments look like IT environments. The objective is to secure them in ways that protect both digital systems and physical operations.
As IT, OT, cloud, and third-party ecosystems continue to converge, CISOs are being asked to manage risk across a broader, more complex environment. OT security is often part of that responsibility. It requires a different mindset, deeper collaboration with operational teams, and a security architecture that supports visibility, segmentation, and threat-informed response across hybrid environments.
Critical infrastructure, in particular, depends on systems that must remain operational. This makes OT security both a cybersecurity and a business-resilience priority. CISOs who take a threat-informed approach will be better positioned to protect industrial operations, reduce exposure, and support the teams responsible for keeping essential systems safe and available.
Learn more about Fortinet’s approach to OT security and join us at the upcoming virtual 2026 OT Security Summit to hear from Fortinet experts on protecting critical infrastructure in a converging threat landscape.
Our next CISO Collective Forum will be Wednesday, August 19, 2026, at 8 a.m. PST | 11 a.m. EST | 4 p.m. GMT. Register here.