← ~/blog
2026.05.20 · ICS/OT · Yash Nagare

ICS/OT is where security gets real

Nighttime industrial skyline under a glowing protective shield with a gap on one side and a red intrusion trace slipping toward it

Most hacking you hear about ends in leaked data. A password spills, a pile of credit card numbers shows up for sale, a company sends an apology email, and everyone moves on. Operational technology is the other kind. Usually shortened to OT, and also called industrial control systems or ICS, it is the layer of computers that quietly run physical machines: the pumps at a water plant, the robotic arms on a factory line, the switches that route electricity to your street. When someone breaks into those, the damage does not stay on a screen. Water stops flowing. A machine tears itself apart. A whole city goes dark. That is why this corner of security feels different. The stakes are made of concrete and steel, not spreadsheets.

It is not just IT with older computers

It is tempting to picture OT as regular office IT, only dustier. It is almost the opposite. Normal IT security is mostly about keeping secrets: your bank hides your account number, your email stays private. OT security is about keeping the physical world behaving. Nobody really cares if a hacker learns the temperature of a boiler. They care enormously if that boiler is told to keep heating until it bursts. So the whole priority list flips. Staying safe and staying running come first, and secrecy comes last.

The machines make this hard on purpose. A controller on a factory floor is built to run for twenty years without being touched, not to install updates every Tuesday like your laptop. You also cannot just turn it off and on again. You would not reboot the software in a car doing seventy on the highway, and you cannot reboot the system keeping a hospital powered or a chemical reaction under control. Worse, a lot of these machines were designed back when they lived on sealed, isolated networks, so they trust any command that reaches them, no password required. Picture a building where every internal door assumes anyone who knocks already belongs inside. That was fine when nothing from the outside could knock. Then everything got wired to the internet, and it stopped being fine.

Why a hacked pump is a national security problem

Zoom out and OT is basically the machinery a whole country runs on: the power grid, the water you drink, the gas in the pipeline, the trains, the factories that build everything else. Knock enough of it over and ordinary life grinds to a halt. This is not a thought experiment. A handful of real attacks show exactly how far it can go.

In 2010, a piece of malware called Stuxnet quietly made Iran's nuclear centrifuges spin themselves to pieces, all while the control room screens cheerfully reported that everything was normal. It was the first time code reached out and physically destroyed real hardware.

In Ukraine, attackers flipped the power off for hundreds of thousands of people in the dead of winter, remotely, by hijacking the grid's own controls. Then they came back and did it again the next year.

At a petrochemical plant in Saudi Arabia, malware called Triton went straight for the safety systems, the automatic shut-offs that exist to stop an explosion. Imagine reaching in to cut the brakes before forcing a crash. It got caught, but only just.

And in 2021, the Colonial Pipeline attack never even touched the pipeline's controls. The company shut the pipeline down itself, out of caution, and that alone drained gas stations across the eastern United States and had people panic-buying fuel, some of them filling plastic bags at the pump.

That is the pattern. These systems are the first thing serious, government-backed attackers go looking for, because breaking them does more than cost money. It shakes the basic trust that the lights will come on and the tap water is safe to drink. Guarding this stuff is not an IT chore, it is national security, and the number of people actually doing it is far smaller than you would hope.

The hardest part is finding people who get both worlds

Here is the twist that surprises people: the biggest weakness in OT security is not a gadget or a piece of software. It is a shortage of the right humans. Defending these systems takes someone who lives in two very different worlds at once. One is the engineer who knows the machines, how the plant truly works, and what normal is supposed to look like, but who was never trained to think like an attacker. The other is the security analyst who knows exactly how hackers move, but who has never stood next to a live turbine or a running assembly line. You need both kinds of thinking inside one head, and almost nobody has it.

You cannot train that overnight, either. Much of the knowledge only exists inside real facilities you cannot casually walk into, picked up slowly and by hand. So while you can always buy more sensors and slicker software, you cannot buy the seasoned judgment to know which alarm, on a live and dangerous process, is worth halting production over. Every plant and utility running short on those people is a soft target waiting to be noticed.

It all starts with being able to see

Under everything sits one plain idea: you cannot protect what you cannot see. The dangerous blind spot is the seam where the ordinary office network quietly meets the machines on the floor. Watch the right signals there and you can catch an intruder while they are still moving, from a stolen login toward the controls, and stop them before anything physical goes wrong. Miss it, and you usually find out only after something has already broken, which in this world can mean something no software patch will fix.

That is what makes this field worth the trouble. The goal is not to collect one more clever exploit. It is to close the gaps: between the office and the factory floor, between where an attack begins and where it does its real damage, and between the small group of people who understand these systems and the countless places that badly need them.

And if any of this made you curious, that instinct is exactly what the field runs short on. CISA, the US government's cyber defense agency, puts a whole set of free ICS security courses online, from a gentle introduction to hands-on labs. It is a genuinely good place to start poking around. It is honestly where I started.