Building Robust OT Cybersecurity: A Strategic Framework for Industrial Operations
Key Highlights
- Manufacturers must evaluate OT cybersecurity tools systematically using frameworks like the cyber kill chain, avoiding siloed technologies that lack integration capabilities and establishing visibility across defensive layers.
- Defense in depth requires redundant controls, compensating strategies like virtual patching, and communication between security tools and operational teams to address gaps in protection.
- Companies should validate security defenses through laboratory testing and tabletop exercises before deployment, balancing tool sophistication against realistic staffing and cost constraints.
Industrial operational technology (OT) environments have emerged as high-value targets for cybercriminals, forcing companies to rethink how they protect manufacturing and production systems. Paul Smith, who directs Honeywell's cybersecurity portfolio, identified a fundamental challenge in the industrial space that exacerbates this issue: outdated equipment combined with slow patch deployment cycles creates significant exposure points for attackers.
On top of this, the financial incentives for cybercriminals have intensified dramatically, as ransomware operators better understand the economic pressure they can apply to industrial targets.
"Shutting down a facility generating a million dollars daily through ransomware is remarkably straightforward," Smith observed. "Organizations locked out of their systems frequently choose to pay rather than face extended downtime."
Navigating the cybersecurity vendor landscape
Industrial organizations commonly look to IT security tools when addressing OT protection needs. This is an understandable choice given IT security's longer history. However, this strategy can introduce its own complications.
Brandon Cho, who leads OT cybersecurity initiatives at Honeywell, explained what manufacturers face here: "The marketplace offers an overwhelming array of options. That’s why businesses often struggle to identify starting points for evaluation."
Honeywell's recent modernization project for secure remote access illustrated this complexity. The company initially identified more than 50 potential technologies, spent more than 12 months evaluating them and then conducted intensive assessments of 10 finalists before making a selection.
This process revealed an important insight for Cho. "Having numerous options doesn't guarantee improved protection," he said. "In fact, cybersecurity complexity itself can elevate risk levels."
And poor tool selection can have serious consequences, such as configuration errors, disruptions to operations and the creation of safety hazards.
These issues, commonly associated with deploying IT-focused cybersecurity tools in OT environments, can lead OT teams to implement isolated systems that fail to deliver integrated visibility into their security status, while generating excessive log data of limited utility and alerts that go unexamined.
Smith added that OT staffing constraints worsen this situation. Many facilities operate without dedicated cybersecurity engineers, depending instead on corporate security personnel who lack OT-specific knowledge, he noted.
Understanding attack progression through the kill chain framework
Speaking at the 2025 Honeywell Users Group EMEA event, Smith and Cho outlined strategic approaches to help industrial companies make better-informed cybersecurity choices.
A key point in their presentation was the "cyber kill chain" concept, a framework originally created at Lockheed Martin. This model breaks cyberattacks into seven sequential phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Understanding this progression helps businesses select appropriate defensive tools by clarifying what attack activities look like compared to legitimate network behavior.
"The actions on objectives phase represents the worst outcome, where threat actors reach control systems to manipulate equipment like vessels," Smith explained. "Stopping intruders before they reach this final stage is critical."
Each kill chain phase requires specific defensive measures. For example, during reconnaissance, organizations should assess their public exposure, including employee social media profiles that might reveal their expertise around specific technologies in use at a facility.
Bug bounty programs (where employees receive recognition and compensation for reporting bugs) help counter weaponization by identifying weaknesses before attackers find them, while delivery defenses focus on restricting USB device use and vendor access.
Vulnerability scanning addresses exploitation risks. Smith recommended that organizations without this capability "should prioritize it immediately after firewall deployment." His rationale: scanning reveals potential entry points into your systems.
The installation phase requires evaluating endpoint malware protection. "Organizations must carefully select endpoint protection suited to their environment to avoid solutions that might cause shutdowns or lockouts," Smith cautioned.
For command-and-control defense, Smith recommended focusing on intrusion detection for remote access channels.
Smith emphasized that any single kill chain defense should have the capability to detect and halt an attack.
Layered protection and alternative controls
The defense-in-depth philosophy remains foundational to cybersecurity strategy because it demands multiple control layers, redundancy and integration. Perimeter firewalls alone provide insufficient protection, according to Smith and Cho, which is why organizations need additional controls like zero-trust architectures for remote access.
Cho stressed that redundancy is vital for OT security because individual controls always contain gaps.
"Every organization deploys antivirus software, but coverage gaps always exist," he said. Here, the implementation of whitelisting — permitting only pre-approved applications and connections — as a redundant measure can intercept threats that bypass antivirus blacklisting, including novel malware.
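The redundancy Cho describes can be shown in a few lines of code. The following Python is an added illustration written for this article, not code from Honeywell or from the speakers: it models an antivirus blocklist and an application allowlist as two independent layers keyed on the executable's SHA-256, runs constructed sample binaries through both, and reports which samples antivirus alone would have let run. The binaries, hashes and product names are stand-ins invented for the example.

```python
import hashlib
from typing import Dict, List


def fingerprint(content: bytes) -> str:
    """SHA-256 of an executable's bytes; the key both layers look up."""
    return hashlib.sha256(content).hexdigest()


# Constructed stand-ins for real binaries (labels only, not from the article).
APPROVED_APPS: Dict[str, str] = {
    fingerprint(b"hmi-runtime-4.2"): "hmi-runtime-4.2",
    fingerprint(b"historian-collector-1.9"): "historian-collector-1.9",
}
# Antivirus signature database: it contains only what the vendor has already seen.
SIGNATURE_DB: Dict[str, str] = {
    fingerprint(b"ransomware-sample-known"): "Ransom.Generic",
}


def antivirus_layer(content: bytes) -> str:
    """Blocklist: blocks only executables with a known-bad signature."""
    return "block" if fingerprint(content) in SIGNATURE_DB else "allow"


def allowlist_layer(content: bytes) -> str:
    """Allowlist: blocks anything not explicitly approved, novel or not."""
    return "allow" if fingerprint(content) in APPROVED_APPS else "block"


def evaluate(name: str, content: bytes) -> dict:
    """Run both layers; the executable runs only if every layer allows it."""
    verdicts = {
        "antivirus": antivirus_layer(content),
        "allowlist": allowlist_layer(content),
    }
    caught_by = [layer for layer, verdict in verdicts.items() if verdict == "block"]
    return {"name": name, "final": "block" if caught_by else "allow", "caught_by": caught_by}


def coverage_gap(results: List[dict]) -> List[str]:
    """Executables antivirus alone would have allowed but the allowlist stopped."""
    return [r["name"] for r in results if r["caught_by"] == ["allowlist"]]


# Constructed samples: an approved app, a known sample, and a never-seen binary.
SAMPLES = [
    ("hmi-runtime-4.2", b"hmi-runtime-4.2"),
    ("known ransomware", b"ransomware-sample-known"),
    ("unknown dropper", b"never-seen-before-binary"),  # novel: no signature exists yet
]


def run_batch(samples=SAMPLES) -> List[dict]:
    return [evaluate(name, content) for name, content in samples]


if __name__ == "__main__":
    results = run_batch()
    for r in results:
        print(f"{r['name']:<18} {r['final']:<6} caught_by={r['caught_by']}")
    print("would have run under antivirus alone:", coverage_gap(results))
```

The "unknown dropper" line is the case the article is about: the signature database has nothing for it, so the antivirus layer allows it, and only the allowlist stops it. In a real deployment the allowlist would be keyed on signed publisher or file hash from an inventory of the HMI and engineering workstation images rather than on literal byte strings.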
Smith also highlighted integration as crucial for closing security gaps. "When you deploy multiple security tools, creating interrelationships and use cases for how they collaborate solves many problems," he said. For instance, passive monitoring systems should integrate with endpoint protection to block malicious files before execution.
OT environments need additional compensating controls, Smith and Cho explained. When organizations can only patch annually or semi-annually, virtual patching at network boundaries can address known vulnerabilities during these extended windows.
Interdependency, the process of understanding how security tools affect OT systems, represents another critical consideration. "No cybersecurity tool should adversely impact your critical OT assets," Cho warned. Companies should correlate physical access records with system events to detect threats, such as tracking control room entry to identify who might have connected unauthorized devices.
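The physical-access correlation Cho recommends can be prototyped against two log feeds. The Python below is an added example for this article, not Honeywell code: it pairs badge entry and exit records into presence intervals per room, then checks every USB-connect event from control-room hosts against who was badged in at that moment, flagging connections that no badged person can account for. Both logs, the badge numbers, host names and the host-to-room mapping are constructed for the example; in practice the mapping comes from the asset inventory and the log formats from the access-control and endpoint systems in use.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed badge-reader log: timestamp,door,badge,person,event
BADGE_LOG = """\
2025-03-04T08:02:11,door=control-room-1,badge=0412,person=a.jones,event=entry
2025-03-04T08:45:30,door=control-room-1,badge=0412,person=a.jones,event=exit
2025-03-04T13:10:05,door=control-room-1,badge=0977,person=contractor-07,event=entry
2025-03-04T14:02:44,door=control-room-1,badge=0977,person=contractor-07,event=exit
"""

# Constructed endpoint log from hosts located in the control room (room is an
# inventory attribute assumed to be attached at collection time).
HOST_LOG = """\
2025-03-04T08:20:02 host=HMI-01 room=control-room-1 event=usb_connected vid=0951 pid=1666
2025-03-04T13:31:18 host=HMI-02 room=control-room-1 event=usb_connected vid=abcd pid=1234
2025-03-04T16:40:00 host=HMI-01 room=control-room-1 event=usb_connected vid=0951 pid=1666
"""


@dataclass
class Presence:
    person: str
    room: str
    start: datetime
    end: Optional[datetime]  # None = still inside when the log ends


def _parse_badge_line(line: str) -> dict:
    ts, *fields = line.split(",")
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def _parse_host_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def build_presence(badge_log: str) -> List[Presence]:
    """Pair each entry with the next exit for the same badge at the same door."""
    open_entries: Dict[Tuple[str, str], Tuple[str, datetime]] = {}
    intervals: List[Presence] = []
    for line in badge_log.strip().splitlines():
        rec = _parse_badge_line(line)
        key = (rec["badge"], rec["door"])
        if rec["event"] == "entry":
            open_entries[key] = (rec["person"], rec["ts"])
        elif rec["event"] == "exit" and key in open_entries:
            person, start = open_entries.pop(key)
            intervals.append(Presence(person, rec["door"], start, rec["ts"]))
    # Anyone who entered but never badged out is treated as still present.
    for (_badge, door), (person, start) in open_entries.items():
        intervals.append(Presence(person, door, start, None))
    return intervals


def correlate_usb_events(badge_log: str, host_log: str) -> List[dict]:
    """For each USB connect, list who was badged into that room at that time."""
    presence = build_presence(badge_log)
    findings = []
    for line in host_log.strip().splitlines():
        ev = _parse_host_line(line)
        if ev["event"] != "usb_connected":
            continue
        present = sorted({
            p.person for p in presence
            if p.room == ev["room"] and p.start <= ev["ts"]
            and (p.end is None or ev["ts"] <= p.end)
        })
        findings.append({
            "ts": ev["ts"].isoformat(),
            "host": ev["host"],
            "candidates": present,
            "flag": None if present else "no badged entry at time of USB connect",
        })
    return findings


if __name__ == "__main__":
    for f in correlate_usb_events(BADGE_LOG, HOST_LOG):
        print(f)
```

The third event is the interesting one: a USB device appears on HMI-01 at 16:40 with nobody badged into the room, which points at either tailgating, a door-controller logging gap, or a device that is not where the inventory says it is. Each of those is a finding the OT team can act on, which is what the correlation buys over looking at either log alone.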
Practical recommendations for industrial cybersecurity
Beyond these core concepts, successful OT protection requires pragmatic approaches rooted in organizational capabilities. The bottom line here is that companies must evaluate ideal tools against total ownership costs.
Smith provided an example: "The market's most effective tool might stop every attack. But if it requires 50 staff members to operate, can your organization realistically hire that team to manage it?"
Therefore, before purchasing specific security tools, industrial organizations should identify their most critical assets and thoroughly understand their operational workflows. Bottom-up approaches often prove most effective in OT settings, beginning with essential operational systems and constructing protective layers around them.
Smith also advocated for tabletop exercises to reveal vulnerabilities by examining attack scenarios and working backward to find access points and shared credentials. These exercises pose questions like: What if someone compromised the catalytic cracker? This analysis might reveal that only three devices have authorized access, but 20 people share two credential sets. This knowledge enables organizations to tighten controls around those individuals and credentials to improve access management.
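The backward walk Smith describes in the tabletop exercise lends itself to a small inventory model. The Python below is an added example for this article, not code from the speakers: it records which devices have authorized access to a critical asset, which credentials each device accepts, and who holds each credential, then works back from the asset to report the real population that can reach it. The device, credential and operator names are invented; the proportions (three devices, two shared credential sets, twenty people) follow the article's illustration.

```python
from typing import Dict, Set

# Constructed inventory for the tabletop scenario (hypothetical names).
DEVICE_ACCESS: Dict[str, Set[str]] = {
    "catalytic-cracker-controller": {"EWS-01", "HMI-03", "JUMP-02"},
}
DEVICE_CREDENTIALS: Dict[str, Set[str]] = {
    "EWS-01": {"ops-shared-a"},
    "HMI-03": {"ops-shared-a", "ops-shared-b"},
    "JUMP-02": {"ops-shared-b"},
}
CREDENTIAL_HOLDERS: Dict[str, Set[str]] = {
    "ops-shared-a": {f"operator{i:02d}" for i in range(1, 13)},   # 12 people
    "ops-shared-b": {f"operator{i:02d}" for i in range(9, 21)},   # 12 people, 4 overlap
}


def walk_back(asset: str) -> dict:
    """From a critical asset, find the devices, credentials and people that reach it."""
    devices = set(DEVICE_ACCESS.get(asset, set()))
    credentials = set().union(*(DEVICE_CREDENTIALS.get(d, set()) for d in devices))
    people = set().union(*(CREDENTIAL_HOLDERS.get(c, set()) for c in credentials))
    # A credential known to more than one person is shared and cannot be
    # attributed to an individual in an incident.
    shared = {
        c: len(CREDENTIAL_HOLDERS.get(c, set()))
        for c in credentials
        if len(CREDENTIAL_HOLDERS.get(c, set())) > 1
    }
    return {
        "asset": asset,
        "devices": sorted(devices),
        "credentials": sorted(credentials),
        "people": sorted(people),
        "shared_credentials": shared,
    }


def effective_access(asset: str) -> Dict[str, int]:
    """How many people can operate each authorized device, via any credential it accepts."""
    result = {}
    for device in DEVICE_ACCESS.get(asset, set()):
        holders = set().union(
            *(CREDENTIAL_HOLDERS.get(c, set()) for c in DEVICE_CREDENTIALS.get(device, set()))
        )
        result[device] = len(holders)
    return result


if __name__ == "__main__":
    summary = walk_back("catalytic-cracker-controller")
    print(f"{len(summary['devices'])} devices, {len(summary['credentials'])} credential sets, "
          f"{len(summary['people'])} people can reach {summary['asset']}")
    print("shared credentials:", summary["shared_credentials"])
    print("people per device:", effective_access("catalytic-cracker-controller"))
```

The output is the finding the exercise is meant to surface: the access list says three devices, but through two shared credentials twenty people can operate them, and HMI-03, which accepts both credentials, is reachable by all twenty. That is the list to work from when issuing individual credentials and tightening which devices each person actually needs.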
Cho and Smith concluded by presenting four fundamental principles for industrial cybersecurity approaches:
• No single solution provides complete protection. Therefore, security tools must function as an integrated system.
• Thoroughly understand your environment before evaluating vendors, and especially before purchasing and deploying tools.
• Establish visibility, detection and response capabilities across multiple layers to distinguish attacks from unusual but legitimate activities.
• Test defenses through simulated attacks. Smith stressed the value of investing in security testing laboratories. This represents the only reliable method for understanding defensive capabilities in environments where failures risk not just data loss but physical safety and operational continuity.