10 Myths About OT/ICS Security That Put Your Business at Risk

Contributors

Cybersecurity Solutions Group
Marketing Group

In many OT environments, firewalls are configured, standards are mapped, and remote access is enabled. Everything looks “secure”. Yet ransomware still disrupts production, blinds operators, and forces difficult decisions under pressure.

The issue is not effort. It is an assumption.

This blog challenges ten common myths about OT and industrial security. These myths create false confidence. And false confidence is what attackers exploit.

If you are responsible for plant operations, OT security, engineering, or industrial risk, these assumptions deserve a second look.

Myth 1: Layer 3 separation alone is sufficient to protect OT

Reality:

Most OT networks use VLANs, ACLs, and firewall policies configured for availability, not adversarial containment. Flat Layer 2 segments, broad historian access, and IT/OT bidirectional trust create permitted pathways. Over time, exceptions accumulate and rules drift.

Most attackers do not need to break segmentation. They move through what is already allowed.
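The drift described above can be measured rather than assumed. The following is an added example (not code from the original article) that audits a firewall or ACL export for the three pathway types Myth 1 names: broad allow rules into OT, OT-initiated trust into IT, and direct IT-to-OT reachability of control-protocol ports. The Rule layout, zone labels, addresses and all sample rules are constructed for illustration; a real audit would load the ruleset from the firewall's own export.

```python
"""Added example, not code from the original article: audit an IT/OT
firewall or ACL ruleset for the "permitted pathways" Myth 1 describes.
The Rule layout, zone labels, addresses and every sample rule below are
constructed for illustration; substitute an export from your own firewall."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # constructed zone labels: "IT", "DMZ", "OT", "any"
    src: str        # "any", a host, or a CIDR
    dst_zone: str
    dst: str
    ports: str      # "any" or comma-separated TCP/UDP port numbers
    action: str     # "allow" or "deny"


# Well-known ports of industrial protocols that carry write/control commands.
OT_CONTROL_PORTS = {"502", "20000", "44818", "102"}  # Modbus, DNP3, EtherNet/IP, S7


# Constructed ruleset showing how exceptions accumulate over time.
SAMPLE_RULES = [
    Rule("historian-pull", "DMZ", "10.10.5.20", "OT", "10.20.1.10", "1433", "allow"),
    Rule("eng-temp-fix", "IT", "any", "OT", "any", "any", "allow"),        # forgotten exception
    Rule("ot-to-it-auth", "OT", "any", "IT", "10.10.1.5", "88,389,445", "allow"),
    Rule("vendor-remote", "IT", "10.10.9.0/24", "OT", "any", "3389,502", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "any", "deny"),
]


def _ports(rule: Rule) -> set:
    return {p.strip() for p in rule.ports.split(",")}


def audit_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for allow rules that create
    adversarial pathways. Deny rules are never findings."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # 1. Broad allow into OT: any source, any destination, or any port.
        if r.dst_zone == "OT" and "any" in (r.src, r.dst, r.ports):
            findings.append((r.name, "broad-allow-into-OT"))
        # 2. OT-initiated trust into IT (the bidirectional trust the text warns about).
        if r.src_zone == "OT" and r.dst_zone == "IT":
            findings.append((r.name, "OT-initiated-trust-into-IT"))
        # 3. Direct IT->OT reachability of control-protocol ports (bypasses the DMZ).
        if r.src_zone == "IT" and r.dst_zone == "OT":
            if r.ports == "any" or (_ports(r) & OT_CONTROL_PORTS):
                findings.append((r.name, "IT-to-OT-control-protocol-path"))
    return findings


def rules_with_findings(rules: List[Rule]) -> List[str]:
    """Unique rule names that need review, in ruleset order."""
    flagged = {name for name, _ in audit_rules(rules)}
    return [r.name for r in rules if r.name in flagged]


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name:16} {finding}")
```

On the constructed ruleset only the historian pull survives review: the "temporary" engineering exception and the vendor range both reach control-protocol ports from IT, and the OT-to-IT authentication rule is the kind of trust relationship that lets a foothold on either side reach the other. Running the same checks after each change window is how you notice drift before an attacker does.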

Myth 2: PLCs cannot be encrypted, so ransomware cannot impact them

Reality:

Attackers do not need to encrypt PLC logic to cripple operations. Even if controllers remain intact, loss of visibility, engineering access, or authentication can halt or delay production.

High-leverage targets typically include:

  • Engineering workstations
  • HMI servers
  • OPC Classic and OPC UA servers or gateways
  • Domain controllers used for OT authentication
  • Recipe databases and batch management systems

If the control plane is blind or inaccessible, operations may be unable to run or restore safely.

Myth 3: OT protocols are obscure and difficult to abuse

Reality:

Protocols like Modbus, DNP3, EtherNet/IP, and Profinet are well documented and widely supported in offensive tooling. Many deployments still lack strong authentication and encryption, often due to legacy design and operational constraints. Once an attacker gains network access, issuing malicious write commands is easier than deploying malware.

The protocol simplicity is a feature for attackers, not a barrier.
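The same simplicity that helps an attacker also makes these protocols easy to monitor. As an added example (not code from the original article), the block below parses Modbus/TCP frames and raises an alert when a write function code arrives from any host outside an engineering-station allowlist, which is the kind of protocol-aware detection the text contrasts with blind networks. The frames, source addresses and the allowlist are constructed; the MBAP header layout and the function-code numbers follow the public Modbus specification.

```python
"""Added example, not code from the original article: a minimal Modbus/TCP
parser plus a detection rule that flags write function codes from hosts
outside an engineering-station allowlist. Frames, addresses and the
allowlist below are constructed; the MBAP header layout and function codes
follow the public Modbus specification."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change process state (writes), per the public spec.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Constructed allowlist: hosts permitted to issue writes (engineering workstations).
ENGINEERING_STATIONS = {"10.20.1.50"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]   # first two PDU data bytes for address-based functions
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("truncated MBAP header")
    tid, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol id {proto_id}")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    data = frame[8:]
    start = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return ModbusRequest(tid, unit_id, fc, start, data)


def classify(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return (verdict, detail) where verdict is ok | audit | alert | malformed."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return ("malformed", f"{src_ip}: {err}")
    name = WRITE_FUNCTIONS.get(req.function_code)
    if name is None:
        return ("ok", f"{src_ip}: fc={req.function_code} unit={req.unit_id}")
    detail = f"{src_ip}: {name} unit={req.unit_id} addr={req.start_address}"
    if src_ip in ENGINEERING_STATIONS:
        return ("audit", detail)   # authorized write: record it for change control
    return ("alert", detail)       # write from a host that should never write


# Constructed traffic: (source IP, raw Modbus/TCP frame).
SAMPLE_TRAFFIC = [
    ("10.20.1.40", bytes.fromhex("00010000000601030000000a")),           # HMI reads 10 registers
    ("10.20.1.50", bytes.fromhex("0002000000060106001000ff")),           # engineering station writes reg 16
    ("10.10.7.77", bytes.fromhex("00030000000b0110000000020400000000")), # unknown IT host writes 2 regs
    ("10.10.7.77", bytes.fromhex("00040001000601030000000a")),           # bad protocol id
]


def run_detection(traffic) -> List[Tuple[str, str]]:
    """Classify every frame in a capture."""
    return [classify(ip, frame) for ip, frame in traffic]


if __name__ == "__main__":
    for verdict, detail in run_detection(SAMPLE_TRAFFIC):
        print(f"[{verdict:9}] {detail}")
```

The point of the "audit" verdict is that writes from legitimate engineering stations are not noise: logged with unit and register address, they become the change record Myth 5 says most sites lack. Malformed frames get their own verdict because a parser that silently drops them is exactly the blind spot an attacker would probe.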

Myth 4: Ransomware only targets Windows systems

Reality:

Modern OT ransomware campaigns target far more than Windows endpoints. Common targets include:

  • Linux-based historians and edge gateways
  • Virtualized OT infrastructure
  • Hypervisors hosting SCADA workloads
  • Network-attached storage used for backups
  • Backup management servers
  • Remote access gateways

If it runs an operating system, stores operational data, or enables remote connectivity, it is a viable target.

Myth 5: We can reimage systems and reload configurations quickly

Reality:

Most OT environments lack:

  • Version-controlled PLC logic
  • Golden images for HMIs and servers
  • Accurate asset inventories
  • Dependency maps between systems
  • Vendor licensing records, installation media, and validation documentation

Even when backups exist, restoration requires testing, revalidation, and sometimes recalibration before production can resume safely.

Rebuilding OT is not a technical reset. It is forensic reconstruction under downtime pressure.

Myth 6: OT endpoints do not need EDR or monitoring

Reality:

Blind OT networks are normal, not safe. Without protocol-aware monitoring, ransomware operators can:

  • Enumerate devices silently
  • Identify safety system boundaries
  • Stage payloads without triggering alerts

Traditional EDR is not always feasible across OT. However, application allowlisting, ICS-aware network detection, and configuration change monitoring provide visibility without disrupting operations.

In many incidents, security teams first learn of OT ransomware from operators, not sensors. That is a capability gap.
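Configuration change monitoring (Myth 6) and version-controlled PLC logic with golden images (Myth 5) share one mechanism: a trusted baseline of what the control plane should look like, compared against what it looks like now. The block below is an added example (not code from the original article) of that mechanism: it hashes a set of project files into a manifest, seals the manifest with an HMAC so a compromised host cannot quietly rewrite the baseline, and reports modified, added and removed files. File names, contents and the key are constructed; a real deployment reads files from disk and keeps the key on the monitoring server rather than the monitored asset.

```python
"""Added example, not code from the original article: a baseline-and-compare
configuration change monitor for PLC project files, HMI screens and similar
artefacts, with the baseline sealed by an HMAC. File names, contents and the
key below are constructed; real deployments read files from disk and keep the
key off the monitored host."""
import hashlib
import hmac
import json
from typing import Dict


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content (the 'golden' state)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def seal_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON form, so tampering with the baseline is detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], seal: str, key: bytes) -> bool:
    """Constant-time comparison of the stored seal against a fresh one."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Classify every change relative to the sealed baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed golden state captured at commissioning time.
GOLDEN_FILES = {
    "plc/line1/main.acd": b"MAIN ROUTINE v1.4 -- validated 2024",
    "plc/line1/safety.l5x": b"<RSLogix5000Content>safety routine</RSLogix5000Content>",
    "hmi/screens.xml": b"<screens><screen name='overview'/></screens>",
}
# Constructed key; in practice stored on the monitoring server, not the asset.
BASELINE_KEY = b"constructed-demo-key-rotate-me"

# Constructed current state: one edited routine, one missing file, one unexpected file.
CURRENT_FILES = {
    "plc/line1/main.acd": b"MAIN ROUTINE v1.4 -- validated 2024 ; JSR unknown_routine",
    "hmi/screens.xml": b"<screens><screen name='overview'/></screens>",
    "plc/line1/unknown.l5x": b"<RSLogix5000Content>new routine</RSLogix5000Content>",
}


def check_environment(golden: Dict[str, bytes], current: Dict[str, bytes], key: bytes):
    """Seal the golden manifest, verify it, then report drift in the current state."""
    baseline = build_manifest(golden)
    seal = seal_manifest(baseline, key)
    if not verify_manifest(baseline, seal, key):
        raise RuntimeError("baseline manifest failed integrity check")
    return diff_manifest(baseline, build_manifest(current))


if __name__ == "__main__":
    print(json.dumps(check_environment(GOLDEN_FILES, CURRENT_FILES, BASELINE_KEY), indent=2))
```

Each entry in the report maps to a question an incident responder needs answered under downtime pressure: which logic was changed and needs re-validation, which file is missing and must come from the golden copy, and which file is new and may be attacker-staged. Without a sealed baseline none of those questions can be answered from the asset itself.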

Myth 7: IT incident response plans apply to OT

Reality:

IT playbooks assume systems can be isolated, shut down, or rebuilt.

OT environments cannot always be powered off without physical consequences. Taking a controller, HMI, or network segment offline can affect pressure, temperature, chemical reactions, rotating equipment, and human safety. Containment decisions must align with process safety constraints and hazard analysis, not just cybersecurity objectives.

Myth 8: Remote access tools are not a major risk if protected by VPN

Reality:

VPNs only secure the tunnel, not the endpoint or credentials.

Compromised laptops, reused passwords, unmanaged vendor accounts, and persistent access gateways create high-leverage entry points into OT. Stronger patterns include brokered access through hardened jump hosts, just-in-time approvals, multi-factor authentication, and full session recording.

Most OT ransomware does not break in. It logs in.

Myth 9: Air-Gapped Systems Are Secure

Reality:

Many believe OT networks isolated from the internet via air gaps are inherently safe from ransomware. In practice, air gaps are rarely absolute.

Data transfers via USB media, vendor maintenance laptops, temporary network bridges, wireless links, and dual-homed engineering workstations routinely bypass theoretical isolation. Over time, operational convenience erodes separation.

Myth 10: Standards compliance means ransomware readiness

Reality:

Adopting IEC 62443 or mapping controls to MITRE ATT&CK for ICS without testing and operational validation does not guarantee resilience.

Standards describe required controls and maturity targets. They do not prove that detection works, backups restore cleanly, or decision-making holds under live extortion pressure.

Attackers exploit implementation gaps, configuration drift, and untested assumptions, not framework gaps.

Conclusion

These myths do not just mislead. They create dangerous gaps between perception and reality in OT environments. True resilience demands protocol-aware segmentation, continuous monitoring, and OT-specific incident response. It cannot rely on IT assumptions or compliance checklists.

Evaluate your environment against these realities. Do you have asset maps, behavioral baselines, and tested recovery paths?

Start with a gap analysis using the checklist below. Then engage the right expertise to close the gaps.

Get OT Security Checklist
