Hey gang! I’m back from Hacker Summer camp, over my con crud, and I’m all riled up!
I wanted to take a second to address one of the fundamentals of modern cybersecurity, Operational Technology (OT), and its inexcusable fragility. Here in the mid-21st century, we’re still treating OT like Tennessee Williams’ glass menagerie — critically important, emotionally loaded, and wildly fragile. It’s guaranteed to break when your gentleman caller of a network scanner tromps onto the scene.
Expensive breakage is both inevitable and heartbreaking. Every ITOps professional I know has a story about that one time a Nessus scan trashed their network, so now we just kind of live with these ridiculous “best practices” of off-hours scan windows and careful tweaking of scanning parameters. Take a look at NIST SP 800-82r3:
“Active scans may cause device instability or interfere with the device process state, potentially impacting safety and integrity. Active scans should be scheduled to occur during planned OT outages whenever possible.”
This isn’t some dusty advice from the 1900s. The NIST guidance above was published in 2023.
We’ve been connecting OT networks to IT infrastructure for decades, intentionally or otherwise. They run power plants, factories, pipelines, agriculture, water, and more. You know, all the stuff that keeps civilization running. And yet a garden-variety network discovery can cause an industrial seizure. The frustrating part is that this isn’t just some law of physics, it’s bad engineering that we’ve allowed to take hold for decades.
Two things need to change, now.
1. Stop shipping fragile devices
OT device manufacturers need to stop gaslighting us into thinking it’s okay to ship devices that faint at the sight of an unexpected UDP packet. Today, CPU is cheap. Memory is cheap. Bandwidth is cheap. Resilient TCP/IP stacks have been around for decades. If your safety-critical controller keels over when it sees a malformed packet, you’ve shipped a denial of service bug. “Don’t scan it or it’ll die” isn’t sound advice, it’s an indictment of an industry.
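To make the "resilient stack" point concrete, here is an added example that is not from the original post and not runZero code: a small request parser of the kind an embedded controller might run on incoming UDP datagrams, written so that a truncated, oversized or garbage frame is rejected with a status code instead of taking the device down. The wire format (version byte, opcode, big-endian payload length, then a start register and count) is invented for illustration, as are the buffer and register-table sizes; no real OT protocol is being modelled. The last function is the kind of deterministic garbage-input smoke test a vendor could run in CI before shipping.

```c
/* Added example (not from the original post, not runZero code).
 * Constructed frame layout, invented for this illustration:
 *   byte 0    : version (must be FRAME_VERSION)
 *   byte 1    : opcode  (OP_READ_REGS is the only one handled here)
 *   bytes 2-3 : payload length, big-endian
 *   bytes 4.. : payload: 2-byte start register, 2-byte register count
 * Every untrusted length and count is checked against what actually arrived
 * before it is used, so malformed input is dropped rather than crashing. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAME_VERSION   1
#define OP_READ_REGS    1
#define HEADER_LEN      4
#define MAX_PAYLOAD     64    /* fixed scratch buffer, as a small MCU would have */
#define REGISTER_COUNT  256   /* size of the device's register table (assumed) */

enum parse_result {
    PARSE_OK = 0,
    PARSE_TOO_SHORT,        /* datagram shorter than the header or minimum payload */
    PARSE_BAD_VERSION,
    PARSE_BAD_OPCODE,
    PARSE_PAYLOAD_TOO_BIG,  /* declared length exceeds the scratch buffer */
    PARSE_LENGTH_MISMATCH,  /* declared length != bytes actually present */
    PARSE_RANGE_OOB         /* requested register window is outside the table */
};

struct read_request {
    uint16_t start;
    uint16_t count;
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse one datagram of 'len' bytes. Only returns PARSE_OK after every field
 * has been validated; 'out' is untouched on any failure. */
enum parse_result parse_read_request(const uint8_t *buf, size_t len,
                                     struct read_request *out)
{
    uint8_t payload[MAX_PAYLOAD];

    if (len < HEADER_LEN)            return PARSE_TOO_SHORT;
    if (buf[0] != FRAME_VERSION)     return PARSE_BAD_VERSION;
    if (buf[1] != OP_READ_REGS)      return PARSE_BAD_OPCODE;

    uint16_t declared = be16(buf + 2);
    /* The declared length is attacker-controlled: bound it by our buffer
     * first, then by what really arrived, before any copy happens. */
    if (declared > MAX_PAYLOAD)               return PARSE_PAYLOAD_TOO_BIG;
    if ((size_t)declared != len - HEADER_LEN) return PARSE_LENGTH_MISMATCH;
    if (declared < 4)                         return PARSE_TOO_SHORT;

    memcpy(payload, buf + HEADER_LEN, declared);  /* safe: both bounds checked above */

    uint16_t start = be16(payload);
    uint16_t count = be16(payload + 2);
    /* Widen before adding so the range check itself cannot wrap. */
    if (count == 0 || (uint32_t)start + count > REGISTER_COUNT) return PARSE_RANGE_OOB;

    out->start = start;
    out->count = count;
    return PARSE_OK;
}

/* Deterministic garbage-input smoke test: feed 'rounds' pseudo-random
 * datagrams of random length and confirm the parser always comes back with a
 * status. Returns the number of datagrams processed (a crash would never
 * return). The LCG constants are the classic Numerical Recipes ones. */
int parser_survives_garbage(int rounds)
{
    uint32_t seed = 0x1234567u;
    uint8_t pkt[HEADER_LEN + MAX_PAYLOAD + 16];
    struct read_request req;

    for (int i = 0; i < rounds; i++) {
        seed = seed * 1664525u + 1013904223u;
        size_t n = seed % sizeof(pkt);
        for (size_t j = 0; j < n; j++) {
            seed = seed * 1664525u + 1013904223u;
            pkt[j] = (uint8_t)(seed >> 24);
        }
        (void)parse_read_request(pkt, n, &req);
    }
    return rounds;
}

int main(void)
{
    /* Constructed sample: version 1, read, payload len 4, start 16, count 8. */
    const uint8_t good[] = {1, 1, 0, 4, 0, 16, 0, 8};
    /* Constructed sample: declared length 0xFFFF but only 4 payload bytes. */
    const uint8_t lying[] = {1, 1, 0xFF, 0xFF, 0, 16, 0, 8};
    struct read_request req;

    printf("good  -> %d\n", parse_read_request(good, sizeof good, &req));
    printf("lying -> %d\n", parse_read_request(lying, sizeof lying, &req));
    printf("garbage rounds survived: %d\n", parser_survives_garbage(10000));
    return 0;
}
```

The order of the checks is the whole lesson: the declared length is compared against the fixed buffer and against the bytes actually received before `memcpy` runs, and the register range is computed in a wider type so it cannot wrap. A stack that does this does not care whether the sender was a scanner, a misconfigured peer, or an attacker; it simply drops what it cannot validate.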
2. Stop normalizing bad security
Security vendors need to stop making it worse. It didn’t take me very long to find a recent product manual that normalizes this state of affairs: “When scanning OT/Industrial devices, select only the OT Device Scan option to ensure that the scan is tailored to industrial assets, as other IT scans may not be appropriate. If IT scans are used to probe industrial assets, they may crash or reboot due to intrusive scans.”
This guidance is from Qualys’s documentation, and it presumes that users have already ensured, 100%, that their “IT” and “OT” networks are segmented. With this offering, Qualys puts the onus on their customers to make doubly sure that their OT networks aren’t wired up to the regular network. You know, exactly the kind of exposure you bought an exposure management solution to find for you.
Attackers aren’t going to wait for your “planned outage” window to start waltzing around your factory floor. A ransomware event that includes a demo of crashing something critical and a threat of keeping it up is a pretty effective way to extract a payoff, and they can usually just use the same security tools that defenders have.
The fact we’ve still got this inferiority complex about our OT buildout in 2025 means we’ve failed to make even basic resilience a requirement. OT fragility is an unconscionable liability. We need to make OT subnets just like all the other horses (to again borrow from Tennessee Williams). Normal, stable, and just like all the others — not a fragile glass unicorn of technology.
While runZero can’t help much with the engineered instability of operational technology, we can at least make it normal and easy to keep up with OT’s vulnerability exposure through light touch, exceedingly polite OT scanning techniques, written by professionals who have all experienced the pain, frustration, and embarrassment of accidentally knocking over a printer or a manufacturing plant.
If you want to see how this plays out in the real world, join me and Travis Farral, CISO of Archaea Energy, for a live webcast on how his BP subsidiary secured its IT/OT environment across dozens of plants without downtime. We’ll cover how they streamlined vulnerability management, sped up M&A due diligence, and cut response times with always-on scanning.
