Think You’re Covered? These OT Cybersecurity Myths Say Otherwise
Cybersecurity in industrial automation isn’t new, but the myths surrounding it persist. In the field, boardrooms, and even RFQs, we continue to hear outdated beliefs about protecting operational technology (OT). Some are rooted in old assumptions, some in misplaced confidence, and a few… well, we’re still unsure where they originated.
And why it’s easy to dismiss them — “That won’t happen here” or “We’re not a target” — these myths quietly influence decisions that put actual systems at risk. Because, in modern automation, it’s not enough to be reliable; you also need to be secure.
So, let’s clear up five of the most common cybersecurity misconceptions we encounter and discuss what truly works when protecting PLCs, SCADA systems, and everything in between.
Myth #1: “We’re air-gapped, we don’t need cybersecurity.”
In theory, an air-gapped system—one completely isolated from the internet or any external network—seems like the perfect defense. In reality? True airgaps are about as common as a plant with up-to-date documentation.
Even in sites that believe they are completely offline, we’ve seen laptops connected to the control system while still linked to the internet, remote access tools left active “just for emergencies,” or USB drives transferring data between control panels and office computers. These exceptions silently break the isolation you’re relying on, often without anyone realizing it.
The truth is: if a system can be reached, even occasionally, it can be breached. Cyber threats don’t require constant access, just one overlooked pathway is enough.
The Cybersecurity & Infrastructure Security Agency (CISA) emphasizes this point in its recommended strategies for OT environments, pointing out how common connection points like USB drives, maintenance laptops, and unmanaged remote access can quietly introduce risks, even in systems that are supposedly isolated.
Myth #2: “That’s IT’s responsibility, not ours.”
In many facilities, there’s a quiet deadlock: IT handles the network, OT manages the process, and cybersecurity is somewhere in between. Or more likely, it’s nonexistent.
While IT teams are well equipped to secure office systems, they often lack training in handling legacy PLCs, SCADA servers with strict uptime requirements, or 15-year-old HMIs running unsupported operating systems. OT teams, on the other hand, are focused on keeping production running, but they may not have visibility into how their systems are exposed to the broader network.
This disconnect leaves critical systems vulnerable, not because of neglect, but due to lack of coordination. The NCC Group clearly highlights this gap in their OT/ICS convergence framework, recommending five essential controls to address it, including asset visibility, access control, and segmentation strategies tailored to both plant and IT environments.
Myth #3: “Our system is old, no one’s targeting it.”
This mindset still shows up in risk conversations: “It’s a legacy system, not connected to the internet, and it’s not exactly high value, why would anyone bother attacking it?”
Here’s the truth: legacy systems are exactly what attackers target. These systems weren’t built for today’s threat landscape. Many run outdated firmware, lack basic security controls, or rely on unsupported operating systems. That’s not low-risk — it’s like shooting fish in a barrel.
And attackers know it. According to Dragos, ransomware attacks against industrial infrastructure surged 87% in a single quarter in 2024, with manufacturing hit hardest. Why? Outdated, unmonitored OT systems are easy to find and hard to defend.
Just because your system isn’t shiny and new doesn’t mean it’s invisible. In cybersecurity, “old and quiet” often means “wide open.”
Myth #4: “We’re too small to be a target.”
It’s a common belief: We’re a small operation. No one knows who we are, what could we possibly have that’s worth targeting?
But attackers don’t need to know who you are. They aren’t scanning Forbes lists; they’re searching the internet for vulnerabilities and will take any access they can find. Ransomware doesn’t discriminate. If your system is exposed, outdated, or poorly protected, it’s fair game.
Size doesn’t protect you from consequences. Small manufacturers often suffer more from cyberattacks because they lack the internal resources for quick recovery. What’s even worse? Many smaller operations are part of larger supply chains, and a breach in your system could cause a major outage for your customers or partners. Suddenly, your security gap turns into their emergency.
The 2024 Verizon Data Breach Investigations Report clearly states: manufacturing continues to be a primary target, and attackers are targeting the easiest entry points rather than the biggest brands.
Myth #5: “We’ve never had an incident, we’re fine.”
This one’s tricky because it feels true. If no alarms have gone off, no ransomware notes have appeared, and the process is still running… Things must be secure, right?
Not necessarily.
Most control systems aren’t designed with visibility in mind. They lack modern logging, intrusion detection, or even basic change tracking. So, unless you’re actively monitoring for threats, you may never realize they’re there until they act.
In OT environments, dwell time is crucial. Many attacks remain dormant for weeks or months, mapping your network, gathering credentials, or stealing sensitive data, all while your systems seem to function normally. By the time you realize you’re compromised, your data may be in the hands of competitors, profits could be impacted, and depending on how long the intruder has been active, the damage might be irreversible.
Security isn’t determined by how quiet things seem; it’s defined by how well you’re able to see what’s truly going on.
What You Don’t Know Can Hurt You
Cybersecurity in industrial automation isn’t about fear; it’s about visibility. And as these myths reveal, the most significant risks often stem from outdated beliefs, systems that aren’t properly monitored, or threats that remain quiet until it’s too late.
At Pigler Automation, we work with control systems daily. We understand how challenging it is to stay ahead of vulnerabilities when uptime is essential, and resources are limited. That’s why we provide two ways to help you bridge the gap.
- AUDITIQ™ – our comprehensive system evaluation can help identify cybersecurity vulnerabilities, configuration weaknesses, and compliance risks within your control environment.
- EXPERTCONNECT+™ – our continuous support service that helps you monitor, address, and stay ahead of cybersecurity threats over time
If you haven’t thoroughly evaluated your cybersecurity posture recently — or ever — now is the time. A single missed patch, an unsecured port, or a weak credential can lead to serious consequences.
👉 Talk to us about AUDITIQ™ or EXPERTCONNECT+™
We’ll help you identify what others overlook and take practical steps to improve your system.
