IT often grabs the headlines, especially now we’re embarking on a new age of AI-powered everything. But it is operational technology (OT) that still makes much of the world go round. From manufacturing plants to power stations, and hospitals to transport networks, this tech typically interfaces with the physical world, to control vital industrial-grade machinery. There’s just one problem: it was never really designed to cope with the cyber-threat landscape of the 21st century.

This is why new guidance from the National Cyber Security Centre (NCSC) should be welcomed by OT operators. It emphasises the vital first step to securing OT: visibility. And it suggests ISO 27001 as a great way to get there.

Why OT Security Matters

Given that OT runs industrial control systems, it doesn’t take a great leap of imagination to understand what’s at stake. Hijacking such systems would enable threat actors to potentially disrupt critical national infrastructure (CNI). In fact, Chinese state-sponsored adversaries were last year discovered inside US CNI networks, having pre-positioned themselves to activate destructive attacks in the event of a military conflict.

Aside from the potential physical harm to individuals and entire societies that might come from such attacks, they could exact a heavy financial and reputational toll on CNI providers and other OT operators. Just a few months ago, insurer Marsh McLennan sought to quantify the scale of this risk, using its proprietary claims database and other intelligence. It calculated that the annual financial risk associated with OT incidents could be as much as $329.5bn (£250m).

The challenge is that OT systems are often poorly defended. Equipment lasts much longer than typical IT kit, meaning that it often has to run legacy software and operating systems for which patches are no longer available. If security updates are theoretically available, then priority is usually given to uptime over security. And these machines often operate in critical environments where taking them offline to test and apply patches is logistically challenging. Outdated and insecure communications protocols can also create additional security risks.

What the NCSC Says

The NCSC’s approach is sound: you can’t protect what you can’t see. To that end, it wants OT operators to focus first on creating a “definitive view” of their OT architecture. This goes much deeper than a mere list of assets, including:

  • Components such as devices, controllers, software and virtualised systems, all classified by criticality, exposure, and availability requirements
  • Connectivity: i.e. how these assets interact within the OT network and beyond
  • Wider system architecture, including zones, conduits and segmentation measures; resilience provisions; and the reasoning behind design choices
  • Supply chain and third-party access: i.e. which vendors, integrators and service providers connect into the OT environment, and how those connections are managed and protected
  • Business and impact context: understanding what would happen from an operational, financial and safety perspective if an asset or connection failed or were compromised
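As an added illustration (not from the NCSC guidance or from ISMS.online), here is a constructed Python model of a minimal definitive record holding the components, connectivity, conduits and third-party access described above, with two checks a reviewer would run over it: connections that cross zone boundaries without a documented conduit, and the critical assets a third party's entry point can reach. Every asset name, zone, protocol and value is invented.

```python
from collections import deque

# Constructed sample record (not a real site): asset -> zone, criticality (1-5),
# exposure and availability requirement, the classification the definitive record calls for.
ASSETS = {
    "hist-srv":   {"zone": "DMZ",     "criticality": 3, "exposure": "external", "availability": "99%"},
    "scada-hmi":  {"zone": "control", "criticality": 4, "exposure": "internal", "availability": "99.9%"},
    "eng-ws":     {"zone": "control", "criticality": 4, "exposure": "internal", "availability": "99%"},
    "plc-boiler": {"zone": "field",   "criticality": 5, "exposure": "internal", "availability": "24x7"},
}
# Constructed third-party access: who connects in, where, and how the connection is managed.
THIRD_PARTIES = {"vendor-remote": {"entry": "eng-ws", "managed_by": "jump host + MFA"}}
# Constructed connectivity: (initiator, target, protocol).
CONNECTIONS = [
    ("hist-srv", "scada-hmi", "OPC UA"),
    ("scada-hmi", "plc-boiler", "Modbus/TCP"),
    ("eng-ws", "plc-boiler", "S7comm"),
    ("hist-srv", "plc-boiler", "Modbus/TCP"),   # crosses DMZ -> field directly
]
# Documented conduits: the zone crossings the architecture actually approves.
CONDUITS = {("DMZ", "control"), ("control", "field")}

def undocumented_crossings():
    """Connections that cross a zone boundary with no documented conduit."""
    found = []
    for src, dst, proto in CONNECTIONS:
        zs, zd = ASSETS[src]["zone"], ASSETS[dst]["zone"]
        if zs != zd and (zs, zd) not in CONDUITS:
            found.append((src, dst, proto))
    return found

def reachable_from(start):
    """Assets reachable from `start`, following initiator -> target direction (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, _ in CONNECTIONS:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def third_party_blast_radius(min_criticality=4):
    """Per third party: the critical assets reachable from its entry point (impact context)."""
    radius = {}
    for name, tp in THIRD_PARTIES.items():
        exposed = reachable_from(tp["entry"]) | {tp["entry"]}
        radius[name] = sorted(a for a in exposed if ASSETS[a]["criticality"] >= min_criticality)
    return radius
```

Each finding maps back to a record entry that either needs a documented conduit and its design rationale, or a tighter third-party access arrangement.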

The NCSC’s guidance, which was also shaped by agencies in the US, Canada, New Zealand, the Netherlands and Germany, is based around five principles. It directs OT operators to devise processes for establishing and managing their “definitive record”, identifying and categorising assets, identifying and documenting connectivity, and documenting third-party risk.

Protecting Your Definitive Record

Perhaps most interesting is Principle 2: establishing an OT information security management programme. This becomes essential given the sensitivity of the info contained in the definitive record. It could include design and business information, identity and authorisation data, operational data related to real-time control of OT systems, and cyber and safety risk assessments.

Adversaries could use this intelligence to “finesse” their attacks, by building up a contextual picture of system architecture, and selecting components to target and exploit, the NCSC says. “Your organisation should have clearly documented policies and procedures on how each type of information should be secured,” it adds – urging organisations to consider the classic “CIA” triad. This means ensuring:

  • Sensitive information is only accessible to systems and users that are authorised to have access (confidentiality)
  • Information is complete, intact, and trusted, and not modified (integrity)
  • Organisations protect the information from outages, delays, and service degradation (availability)

The ISO 27001 Advantage

The NCSC recommends OT operators “use standards such as ISO/IEC 27001 to aid in the implementation of an OT information security management system.” That’s music to the ears of ISMS.online CPO, Sam Peters, who says it reflects a growing consensus: “the principles of a structured, risk-based information security management system apply as effectively to OT as they do to IT.”

Peters tells ISMS.online that, having worked with the standard for many years, he knows exactly how effective it can be in helping to manage OT-related risks.

“I know first-hand that ISO 27001 provides a consistent approach to asset visibility, configuration management, and change control – all of which are critical in complex, legacy OT environments where unplanned changes can have real-world safety implications,” he adds. “It also strengthens assurance across supply chains by formalising how third-party access, patching, and maintenance are governed.”

ISO 27001 also assists from a technical perspective, in helping organisations to bridge the IT-OT divide through “shared terminology, standardised controls, and evidence-based risk treatment,” Peters says.

“It certainly supports the NCSC’s call for a definitive view of the OT architecture, ensuring that security decisions are driven by accurate, current system knowledge rather than assumptions,” he concludes.

“To be clear, this isn’t about layering IT controls onto OT. It’s about applying a proven management system that accommodates the unique constraints of industrial systems, prioritising availability, safety, and resilience while maintaining traceability and continuous improvement. That balance is exactly what OT has needed for some time.”