
Most operational technology (OT) environments should last for decades. Manufacturers need OT systems that they can count on for rugged reliability, predictable behavior and safety-focused engineering.
Long-lifecycle OT systems can run in production environments for at least 10–20 years, so OT professionals understand the necessity of keeping them safe and operational with minimal intervention.
But uncontrolled IT practices and increasing connectivity between IT and OT are putting pressure on OT environments and the professionals who maintain them. Manufacturers need to align OT operations with modern IT practices so they can keep their environments up and running as well as safe for workers.
Organizations need to know how to operate, maintain and protect engineered-to-last OT environments while meeting compliance needs and adopting practical resilience strategies that bring IT into the equation.
Why OT deserves a tailored approach
OT systems such as SCADA, DCS, PLCs and safety instrumented systems often operate in air-gapped, real-time environments where uptime and predictability matter more than rapid software updates.
Unlike IT systems, where patches and updates happen all the time, OT environments require careful coordination between uptime, reliability and safety. OT teams often resist frequent changes because unplanned changes can jeopardize physical processes and worker safety. As such, organizations need to adopt OT-centric practices that can sustain long equipment lifecycles while addressing evolving threats and compliance needs.
Compliance matters, and it’s achievable
Many regulatory and industry standards exist to help manufacturers secure their IT and OT environments without disrupting operations. Effective OT compliance is not about copying IT checklists but about aligning OT risk and safety priorities with recognized frameworks.
Key compliance frameworks and what they require
IEC 62443: A globally recognized series of standards specifically for industrial automation and control systems, IEC 62443 provides a structured approach to OT security. It includes guidance on governance, risk assessment, role-based access controls, zone segmentation and ongoing system monitoring.
NIS2: Primarily a European directive, NIS2 sets expectations for essential services to implement risk management practices, incident reporting and policies that include human resources practices, access controls and asset management.
NIST cybersecurity guidance (including SP 800-82): This guidance covers OT security with an emphasis on risk management that respects the performance, reliability and safety needs unique to industrial control systems. (NIST Computer Security Resource Center)
All of those frameworks are complementary. For example, using IEC 62443 for OT system hardening and NIST guidance for broader cybersecurity risk management helps build a resilient compliance strategy.
What compliance means in practice
For manufacturers, achieving and staying in compliance involves more than documenting IT and OT processes. What’s important is to align IT and OT policies and controls with how the manufacturing environment operates. Manufacturers need to:
- Establish governance structures: Define roles and responsibilities for OT cybersecurity, risk assessments and incident response.
- Segment OT networks: Isolate control zones from non-operational networks, reducing lateral threat movement.
- Document processes: Maintain clear logs of changes, configurations and maintenance activities.
- Train staff: Ensure OT engineers and operators understand both system behavior and security policies.
- Monitor and respond: Deploy appropriate detection mechanisms tailored for OT while minimizing interference with industrial processes.
All of those practices support compliance with OT and IT standards like IEC 62443, NIS2, and others. More importantly, they improve resilience without undermining operational stability.
Protect first, patch when safe
OT engineers often find themselves facing two conflicting realities: the need to protect systems and the risk associated with change. Applying IT-style patches indiscriminately can lead to downtime or malfunction, which are simply unacceptable in OT environments.
Instead of pursuing an IT-style patching strategy, manufacturers should:
- Assess risks before changes: Weigh the impact of updates on production continuity.
- Leverage segmentation and controls: Use network zones and robust access control to reduce exposure without frequent changes.
- Coordinate cross-domain teams: Engage OT and IT stakeholders in change planning to balance safety and security.
- Use backups and recovery plans: Plan for reliable backups, which are essential to protect systems and to support fast recovery if changes cause issues.
Those actions align with broader compliance expectations while minimizing operational disruption.
Backup and recovery as a compliance and resilience pillar
Having a backup and recovery plan is especially important. A solid backup and recovery strategy is foundational for both resilience and compliance. It ensures manufacturers can restore OT systems quickly and reliably in the event of failure, cyberattack or accidental misconfiguration.
Acronis Cyber Protect for OT delivers tailored backup and recovery for long-lifecycle OT systems and supports older OSs and non-IT equipment to enable manufacturers to meet resilience and regulatory needs. It provides capabilities like rapid recovery and self-service restoration that help operations continue without waiting for general IT support. With Acronis Cyber Protect for OT, an employee with no IT experience can restore operations with just one click.
This approach supports compliance in several ways:
- Supports audit requirements: Immutable backups and documented recovery actions provide evidence for compliance reviews.
- Enables safe restoration: One-click or automated recovery reduces downtime and ensures continuity.
- Minimizes change risk: Backup before change allows safe rollback if issues arise.
Simply put, robust backup and recovery are essential parts of a compliant resilience strategy.
Practical steps OT teams can take now
There are some concrete actions manufacturers can take to strengthen engineered-to-last OT environments while meeting compliance expectations:
Those steps are achievable with existing teams and tools, but manufacturers must implement them with OT realities in mind.
Get uncontrolled IT under control
Long-lifecycle OT systems are engineered to deliver reliable, safe operations for decades. They are not a problem to fix; they are assets to protect. But uncontrolled IT practices, including ad-hoc patching without OT context or blind application of IT compliance playbooks, can destabilize otherwise robust engineering environments.
By adopting OT-aligned compliance frameworks, improving governance and segmentation, and embedding robust backup and recovery practices, manufacturers can meet compliance requirements and strengthen resilience without undermining system reliability and safety.
About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.



