Operational technology (OT) devices manage, command, direct, or regulate the behavior of other devices or systems. They take a set of input data from their sensors and perform a function based on such data and on established parameters. Control systems can have different sizes and complexities, depending on the process they monitor and control.

Many types of industries, often labeled as critical infrastructure, rely on OT, including:

• Energy industry, such as electric power and oil & gas
• Service industry, such as transportation and logistics
• Factory automation and process industry

Risks related to control systems usually exceed those of IT infrastructures because they include human safety and environmental damage. These risks must be considered while assessing the security and reliability of OT.

Security assessments can be conducted on all types of OT devices, including:

• Distributed control systems (DCS) and programmable logic controllers (PLC)
• Human machine interfaces (HMI), historians, alarm servers, and engineering workstations
• Supervisory control and data acquisition (SCADA) and remote terminal units (RTU)

By mapping the attack surface of industrial control systems, security assessments allow to identify vulnerabilities and exposures and ensure integration of best practice security controls for the protection of critical infrastructure.