When will OT security be taken as seriously as IT security?
- Cyber Instincts AB

- 26 Nov. 2025
Industrial digital systems are vulnerable — and the consequences are already visible in the real world.
Digitalization, automation, and connectivity have made Swedish industry more efficient than ever. Control systems and process automation provide better operational data, higher availability, and more predictable production. But the same development has also opened a door that was previously closed: a pathway into the systems that run our production, our energy, and our critical societal functions.
That door leads straight into the OT environment — Operational Technology. The question many companies now need to ask themselves is simple:
When will we start taking OT security as seriously as IT security?
This is not a technical detail. It is about the organization’s ability to continue operating and withstand attacks.

When digital attacks lead to physical consequences
The idea that cyberattacks can shut down industrial systems is no longer an abstract risk. In recent years, several major global incidents have shown what happens when someone succeeds in disrupting the control systems of a factory or an energy operation. This is not about lost files or slow computers — it is about production lines coming to a halt, batch processes being interrupted, and monitoring systems suddenly going dark.
When IT systems go down, they can often be restored. When OT systems are affected, the impact is immediate in the physical process: conveyors stop, valves end up in the wrong position, and machines wait for signals that never arrive. That difference is what changes everything.
A Swedish example: What happens if LKAB is targeted?
To understand the potential impact of an attack, no extreme scenario is needed. It is enough to imagine what would happen if a major Swedish industrial company like LKAB experienced operational disruptions in its control systems.
LKAB’s production relies on a long chain of machines and processes working together: conveyor belts, crushers, pump stations, autonomous equipment, ventilation, mine chamber monitoring, and communication systems. Everything is connected to a digital operational environment.
If an attack disables monitoring in part of the facility, or causes the control systems to behave unpredictably, operations must be slowed down or stopped for safety reasons. It only takes one central transport flow being affected for the entire production sequence to shift.
Restarting the system is not simple either. A mine cannot be restarted in five minutes. The processes are long, complex, and must be activated in the correct order. Every hour without flow affects production, deliveries, and ultimately international customers.
This is a clear example of why OT security is not a matter of “IT in the factory,” but rather a matter of the entire organization’s ability to continue delivering.
Energy and critical operations: Vattenfall as a scenario
In the energy sector, the challenge looks different, but the consequences can be equally significant. Companies like Vattenfall depend on uninterrupted operations and monitoring around the clock, whether in district heating, hydropower, or electricity distribution.
Imagine a scenario where an attack makes it difficult to obtain accurate real-time data from a facility. Not all systems fail, but operators are forced to make decisions with limited information. Manual verification takes time, redundancy decreases, and parts of production must be run more cautiously than usual.
This is where ISO/IEC 27019 becomes crucial. It is developed specifically for control systems in the energy sector and describes how operations can continue even when certain functions are exposed to cyber disruptions. While IT standards focus on information security, ISO/IEC 27019 focuses on something even more important for the energy industry: operational reliability under pressure.
For an energy company, insufficient OT security is not just an internal risk — it can have consequences for entire regions and ultimately for society’s critical functions.
Why IT security is not enough in OT environments
Many organizations take comfort in having implemented ISO/IEC 27001 and working systematically with IT security. While this provides an excellent foundation, it does not cover everything.
OT environments follow different rules:
- Systems are older, yet must still operate in real time.
- They run around the clock and cannot always be updated or restarted.
- They control physical processes where failures can have tangible consequences.
- The supply chain is often deeper and involves specialized equipment.
This means that a traditional IT security model cannot always be applied. You cannot shut down a control system for patching in the middle of production. You cannot always introduce new security functions without risking operational disruptions.
OT security must therefore be built on OT’s own terms.

IEC 62443 – the standard that speaks the language of OT
IEC 62443 has become the most established standard for industrial environments precisely because it takes the realities of production into account. It is not only about technology — it is about how an organization should structure its work with security in control systems.
The standard describes, among other things, how environments should be segmented, how communication should be protected, and how different parts of the process should be assigned security levels based on risk. Where ISO/IEC 27001 provides an overarching security framework for the entire organization, IEC 62443 provides concrete requirements and guidance for environments where operations must run without interruption.
For industrial companies, the combination of these frameworks is often the most robust way forward: ISO/IEC 27001 for governance – IEC 62443 for production.
Insufficient OT security is only noticed once something has already gone wrong
What makes OT security so difficult is that many organizations do not notice deficiencies until they face an operational issue that cannot be isolated to traditional IT. It may begin with monitoring data looking unusual, certain systems running slower than usual, or remote connections behaving unpredictably.
When this happens, it is often hard to quickly determine whether the cause is:
- a technical failure,
- human error, or
- a targeted external attack.
That uncertainty alone can force production to slow down or stop — and this is when the costs begin to rise. This is why organizations need a way to gain visibility before something happens.
Creating a clear picture – the first step toward secure OT operations
The most common and effective way to start working with OT security is a thorough current-state assessment. This is not about pointing out mistakes; it is about understanding how the environment actually looks:
- which systems depend on each other
- how communication flows between different components
- where connections to IT or external parties exist
- which functions are most critical
- and how current protections align with recommended standards
Once this picture is established, it becomes much easier to prioritize the right measures without burdening production.
Such assessments often use IEC 62443 and ISO/IEC 27019 as reference frameworks — not to add more administration, but to ensure that the measures work in practice, in the environment where they are needed.
Waiting will not make the environment safer — only more complex
OT security is one of the few risks that grows over time. Not because threat actors increase dramatically, but because systems become more interconnected, older, and harder to update.
An attack that today would cause limited disruptions could in a few years lead to a complete shutdown, simply because more dependencies have been built into the system.
This is why OT security cannot be postponed. It is not about technology — it is about ensuring stability, operational continuity, and access to energy, materials, and products.
How you can take the first step
There is no need to wait until an outage or disruption forces change. A well-executed OT gap analysis provides a clear, practical view of the current situation and identifies which actions deliver the greatest value — without disrupting production.
Contact us. Right away, we’ll work together to develop a plan to strengthen your OT environment.
