two businessmen on a road bridge that is breaking down and disconnecting

OT and engineering are not the same and are creating dangerous conditions

March 31, 2025

Engineers and technicians outside of cybersecurity often do not consider themselves to be OT and may not be aware of its necessity

Joe Weiss

Prior to publication of the 2006 Gartner research paper introducing the term operational technology (OT), there was either engineering or information technology (IT). The term OT created a hybrid between engineering and IT that hasn’t been properly connected. Engineers come from a “physics-based” discipline, whereas OT comes from a data-centric discipline. OT is known in the cybersecurity community but not necessarily outside. That is, electrical, mechanical, chemical, nuclear, industrial, systems and other engineers and technicians often do not consider themselves to be OT and may not be aware of the term.

A recent job solicitation from a medium-size water utility was seeking junior, mid-level and senior engineers. The solicitation stated the essential functions were to:

“…assist with or lead providing electrical engineering and technical support to ensure reliable operation of the utility’s SCADA controlled facilities including remote terminal units (RTUs), programmable logic controllers (PLCs), programmable automation controllers (PACs), associated industrial communications, networking equipment and protective relaying equipment.”

Even though the engineers were responsible for the industrial networks and networking equipment (these would be considered OT networks), the engineers were not responsible for cybersecurity of those networks as there was no mention of cybersecurity in the job descriptions. Moreover, there was no mention of the term OT nor any consideration with working with the network security organization.

Get your subscription to Control's tri-weekly newsletter.

Another recent job solicitation was from a large electric utility for an OT Cybersecurity Senior Analyst. According to the solicitation, the analyst would be part of a team consisting of skilled OT cybersecurity professionals to ensure the cybersecurity resilience and regulatory compliance of the utility’s industrial operational sites. The focus would be on identifying vulnerabilities and assessing risks to uphold and continuously improving the security posture of industrial control systems (ICS) and OT environments. There was no mention of understanding the physical process or working with the engineering organizations.

This gap in mutual understanding has prevented critical plant processes and control system equipment from being cybersecure and safe. The paper “Who’s In Charge of OT Security”, written for the Institute for Homeland Security at Sam Houston State University, explores these cultural challenges in greater detail.

About the Author

Joe Weiss | Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]