Skip to content
arrow-alt-circle-up icon

Cyber Incident?

arrow-alt-circle-up icon

Call 00800 1744 0000

arrow-alt-circle-up icon

Six Ways to Uncover Hidden OT Risks Inside Your Production Environment  

HuFiCon Management Memo:
Journey with the CISO

A mountain climb to cyber security resilience. Find out how to get to the summit of cyber security resilience in Inge van der Beijl's management memo, from her presentation at the Human Firewall Conference (HuFiCon) on the 14.11.2024.

The climb will take you from the base camp of foundational security to the high-camp of a security conscious culture, all the way to the summit consisting of strategic security integration. 

inge_van_der_beijl
Inge van der Beijl

Director Innovation

Production-Enviroment
Published: 9 July 2026

Operational technology is the backbone of many production environments.

It keeps machines running, goods moving, buildings functioning, and critical processes on schedule. But as OT environments become more connected, they also become more exposed.

The challenge is that OT risks are not always visible at first glance. They often sit in overlooked assets, unclear responsibilities, outdated systems, vendor connections, or assumptions that have gone unchallenged for years. Production may be running smoothly today, but that does not automatically mean the environment is secure or resilient.

So where should organisations begin? These six priorities can help uncover hidden OT risks before they turn into operational disruption.

Stars

1. Make sure all assets are visible

The first question is simple: do you know what is connected to your production environment?

Many OT environments have been built up over years, sometimes decades. New machines are added, software is updated, temporary connections become permanent, and legacy systems remain in place because they still perform a critical function. Over time, it becomes more difficult to maintain a complete view of all hardware, software, controllers, workstations, sensors, and connected devices.

This lack of visibility creates risk. If you do not know what exists, you cannot properly protect, monitor, patch, segment, or replace it. That is why a complete, up-to-date inventory of OT assets is one of the foundations of OT security. It is also the first question in Northwave’s OT Security Quick Self-Assessment: do you have a complete, up-to-date inventory of all OT assets across your production environment?

2. Know your full attack surface

OT security is not limited to the production line. Building systems, physical and digital access control, HVAC, cameras, smart devices, and facility management systems can also form part of the wider attack surface.

These systems are often treated separately from the core production environment. They may be managed by different teams, monitored less closely, or excluded from regular security discussions. But attackers do not care whether a system is labelled IT, OT, facilities, or building management. They look for weaknesses and routes into the organisation.

To uncover hidden risk, organisations need to look beyond the most obvious production assets and check that all connected systems are included in monitoring, access control, and incident response planning.

3. Clarify who owns OT cyber security

One of the first questions we ask our OT security clients is: who is responsible for OT security? We find it’s a good sign if people can easily name the person responsible and that person also acknowledges their responsibility.

Often, OT security sits between IT, operations, engineering, facilities, suppliers, and management. Shared responsibility can be useful, but only when accountability is clear. After all, when everyone is partly involved, there is a real risk that no one owns the next decision.

This becomes especially problematic during an incident. Who decides whether a system should be disconnected? Who approves remote access? Who accepts the risk of keeping an end-of-life system in production? Who informs leadership about the potential business impact?

Naming a specific owner in OT security doesn’t prevent collaboration. It makes collaboration possible by ensuring someone is responsible for coordination, decision-making, and escalation.

4. Check whether networks are truly separated

Many organisations believe their production networks are separated from corporate IT. And yet, we see that unexpected connections are often discovered during an assessment or incident.

Network separation can be physical or logical, but it needs to be validated. A flat network makes it easier for attackers to move laterally from one environment to another. In OT, this can have serious consequences, because disruption may affect production processes, safety, delivery timelines, and business continuity.

Uncovering hidden risk means checking whether segmentation works in practice, not only on paper. Organisations should understand where connections exist, why they exist, and whether they are properly controlled.

5. Review remote access and vendor access

Remote access is often necessary in OT environments. Vendors may need to maintain machines, troubleshoot issues, or support critical production systems. But unmanaged remote access can quickly become one of the most serious weaknesses in an OT environment.

The key questions are practical. Is every remote access session protected by multi-factor authentication? Do you know which external partners and vendors have access right now? Is access removed when it is no longer needed? Are sessions monitored? Are old accounts still active? These questions help organisations move from assumption to evidence.

6. Understand and manage legacy risk

Legacy systems are common in OT environments for good reasons. Production technology is built for reliability and long lifecycles. If a system still works, replacing it may be expensive, disruptive, or operationally risky.

But legacy does not mean low-risk. End-of-life operating systems, older PLCs, HMIs, and systems that cannot easily be patched need to be documented and protected with compensating controls. The real problems arise when legacy system risks are unknown, unmanaged, or accepted without proper visibility.

This is where OT security becomes a business resilience issue. Leadership needs to understand which systems are critical, what could happen if they fail, and what controls are in place to reduce the risk.

Gain Clarity with 10 Honest Answers

Most hidden OT risks do not appear overnight. They build up gradually as environments evolve, responsibilities shift, vendors change, and systems age. The good news is that organisations do not always need to begin with a full audit to gain useful insight.

Northwave’s OT Security Quick Self-Assessment gives you a practical starting point. By honestly answering just 10 questions, you can gain a clearer picture of where your OT security foundations stand. It covers visibility, monitoring, ownership, network separation, remote access, vendor access, legacy risk, business continuity, awareness, and outage impact.

Download the OT Security Quick Self-Assessment and uncover which hidden risks may deserve your attention first.

We are here for you

Need help with your cyber security or wondering how secure your business really is?
Get in touch and we will help you find the best solution.


.