Why Operational Technology Security Starts With Process Protection, Not Data Controls

The Security Digest - News Team
Published January 7, 2026

Paul Veeneman, Cybersecurity & Risk Lead at Point Solutions Group, reframes OT security as process protection, showing how mindset shifts and zero trust reduce real-world risk.

Key Points

  • IT security teams entering OT struggle because data-centric controls collide with environments where small technical changes can disrupt physical processes, safety, and uptime.

  • Paul Veeneman, Cybersecurity & Risk Lead at Point Solutions Group, frames OT security as protecting end-to-end processes rather than isolating individual systems.

  • He outlines a process-first approach that applies familiar IT controls deliberately, treats legacy systems as managed business risk, and uses zero trust to reduce vendor-driven exposure.

Operational technology security starts with protecting the process itself. In industrial environments, security decisions directly affect physical outcomes, from production uptime to worker safety. For IT teams entering this space, success depends on abandoning a data-centric mindset and aligning with OT’s priorities, where reliability, productivity, and safety shape every security decision.

Paul Veeneman, Cybersecurity & Risk Lead at Point Solutions Group, has spent nearly three decades working at the intersection of risk, infrastructure, and industrial systems. With deep specialization in IoT and OT security and credentials that include CISSP, CISM, and CRISC, he brings a practitioner’s view of what actually breaks in the real world. His message to IT professionals entering OT environments is blunt and consistent: unlearning old assumptions is a prerequisite for protecting what matters.

"What we protect in OT isn’t equipment or endpoints. We protect the process itself and every asset the process depends on," says Veeneman. Adopting his mindset means trading IT's classic "Confidentiality, Integrity, Availability" triad for a new set of priorities built for the physical world.

  • The new trinity: Adopting these priorities is a foundational step in effectively securing industrial control systems. "On the process side, the focus isn't confidentiality and availability; it's safety, productivity, and reliability," he explains. "When you adopt that mindset, the two groups start speaking the same language, and the stress level of the operations and engineering folks starts to come down."

  • Optimizing the Monday: In deterministic OT environments, where even microsecond delays can cascade into hours of downtime, a routine IT action can have disruptive consequences and erode trust between teams. "When IT shows up on a Thursday or Friday to apply updates, productivity is down throughout the weekend, and Monday is never a great day," notes Veeneman.

For Veeneman, the path forward is a pragmatic return to basics. Foundational frameworks like the NIST Cybersecurity Framework 2.0 have plenty of overlap with OT-specific ones like ISA/IEC 62443. Taking an "inside-out" approach by targeting the familiar IT side of the house, where Veeneman notes 98% of threat vectors originate, allows teams to bypass arcane protocols. They can apply existing skills to address the rising number of attacks on Windows-based engineering workstations and SCADA servers already embedded in the OT environment.

  • Singing the same song: "We can take what we've learned from IT and use it as the first step in IT/OT collaboration," says Veeneman. "It allows disparate groups to start singing from the same song sheet. Begin with the basics, like applying network logical access, configuration management, and endpoint protection."

  • A calculated risk: A major challenge is often the unpatchable legacy system, a product of what Veeneman calls "technology archaeology," with layers of digital sediment built up over decades. With an OT mindset, the objective changes from solving an unsolvable technical problem to introducing compensating controls (like network disconnection or application whitelisting) and then formally presenting what’s left to business leaders. "We harden that system to the best of our ability and then communicate the situation to leadership. We explain what we've done, what risks still exist, and make it clear that the choice is to either replace the system or formally accept the risk. That way, everybody is on the same page."

  • The cost of convenience: A focus on fundamentals shifts attention away from headline-grabbing attacks and toward the everyday risks that cause the most damage. Veeneman emphasizes that basic hygiene failures, often driven by convenience, remain the dominant threat, with phishing still the primary entry point and tens of thousands of industrial devices left openly exposed. "A quick search on Shodan shows roughly 42,000 industrial devices sitting on the internet," he says. "That’s not sophistication, it’s convenience, and it’s a risk we can eliminate at very low cost by putting connectivity inside something as basic as a VPN."

In the end, Veeneman points out that the most underestimated attack surface isn't a piece of technology. It's the trust placed in vendors and partners. That insider risk from a third-party firm with direct network access is a major, often overlooked vulnerability beyond the organization's "castle walls." "When you have a third-party engineering firm managing the design and maintenance of your control environment, you are implicitly trusting their entire security posture. That represents an exponential increase in the risk your organization is taking on."

The solution often lies in applying a core tenet of zero trust: using tools like jump boxes, often enabled by modern security platforms, to isolate third-party access and reclaim control over a significant source of risk. "Zero trust only works when access is designed for control, not convenience, and in OT that means forcing every connection to pass through infrastructure you own, harden, and monitor," Veeneman concludes.