In the world of industrial operations and automation, two acronyms often surface in conversations around process control and cybersecurity: Industrial Control Systems (ICS) and Operational Technologies (OT). This article aims to demystify the differences between ICS and OT, examining their unique characteristics, roles, and the critical importance of each in our increasingly connected and automated industrial landscape. Specifically, we’ll cover how a new revision to NIST 800-82 has moved from ICS to full-blown OT security and best practices.
What Are Industrial Control Systems and Operational Technologies?
Most of us in the world of business and cybersecurity are more than familiar with IT systems. With the ongoing evolution of security threats against industrial infrastructure, we also need to be more generally plugged into the background technologies and systems operating in conjunction with or outside of IT infrastructure. These systems typically help manufacturers or operators in industrial contexts (oil and gas, energy production, etc.) manage physical or hybrid processes.
Within this context, Industrial Control Systems and Operational Technology are terms sometimes used interchangeably, but they represent slightly different concepts.
Industrial Control Systems (ICS)
ICS is a set of devices, controls, and processes that maintain and administer industrial processes, specifically in terms of automation and reporting. ICS comes in a variety of types, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC).
ICS are typically used in industries like power, water, oil, and gas.
Operational Technology (OT)
On the other hand, Operational Technology refers to the hardware and software used to change, monitor or control physical devices, processes, and events in the enterprise. While ICS is a subset of OT, OT also includes other systems, such as building automation and transportation systems.
OT is a broader term and can be considered a superset of ICS. It relates to any technology that manages operations in industries. The technology can range from manufacturing lines to aircraft navigation systems. OT was traditionally separated from Information Technology before the advent of IoT devices.
What is Supervisory Control and Data Acquisition (SCADA)
SCADA is an industrial control system used for gathering and analyzing real-time data. SCADA systems monitor and control a plant or equipment in telecommunications, water and waste control, energy, oil and gas refining, and transportation. SCADA is perhaps one of the most common places where concepts and tools like ICS, OT, and IT all converge in modern industry.
As a form of ICS (and, thus, operational technology), a SCADA system collects information about a process to monitor the process in real-time. This enables operators to detect and correct potential problems before they significantly impact them.
Here’s a basic breakdown of how SCADA works:
- Data Acquisition: Sensors and control relays placed throughout the system gather data on variables like temperature, pressure, flow rate, or any other factors that need to be monitored. These devices are often referred to as field devices.
- Networking: The gathered data is then sent over a network to a central computer, often referred to as the master station or master terminal unit (MTU). The network can be wired, wireless, or a combination of both and span large geographic distances.
- Data Analysis: The central computer analyzes the data, often in real-time, to monitor for any conditions that could be problematic. For example, if a temperature reading in an industrial oven were to exceed a certain threshold, the SCADA system could trigger an alarm.
- Control Actions: Based on the analysis, the SCADA system can send commands back down to the control relays to adjust the system, such as turning on a cooling system if a temperature gets too high. In some cases, these actions can be automated, while in others, they may require human intervention.
The SCADA system is crucial in industries with processes distributed over large geographic areas, such as oil and gas pipelines or water treatment systems. These systems help maintain efficiency, process data for smarter decisions, and communicate system issues to help mitigate downtime.
NIST 800-82 Rev. 2 vs. Rev. 3: Understanding the Key Differences
Regarding securing Industrial Control Systems, the National Institute of Standards and Technology has provided valuable guidance by developing and maintaining Special Publication 800-82.
Traditionally, this publication has focused on creating and maintaining ICSs. However, a new revision is being developed to expand this document to cover the broader spectrum of Operational Technologies. This third revision (or Rev. 3) makes a few significant changes to how NIST expects compliant organizations to handle their ICS/OT infrastructure.
Some of the changes in NIST 800-82 Rev. 3 include the following:
- Expanded Focus on OT Systems: Revision 2 (Rev. 2) primarily focuses on securing ICS, which includes the hardware, software, and network infrastructure used in controlling and monitoring industrial processes. In contrast, Rev. 3 narrows its focus specifically on OT systems, which encompasses a broader range of technologies used in various industries, such as energy, manufacturing, transportation, and more. This shift in focus reflects the evolving landscape of OT systems and the need for targeted security measures.
- Integration with the NIST Cybersecurity Framework: Although Rev. 2 provides valuable security recommendations for ICS, it does not explicitly integrate with the NIST Cybersecurity Framework. Recognizing the importance of a unified approach to cybersecurity, Rev. 3 seamlessly integrates with the NIST Cybersecurity Framework. This integration allows organizations to align their OT security measures with broader cybersecurity best practices, enabling a more comprehensive and effective security strategy.
- Improved Organization and Guidance: While NIST 800-82 Rev. 2 offers valuable insights, some users found navigating and applying the recommendations effectively challenging. Rev. 3 provides improved organization and guidance. It offers a more streamlined and intuitive structure, making it easier for organizations to locate and implement the recommended security measures.
- Clearer References for Implementing Security Measures: In Rev. 2, some users found the references to specific security measures and controls could have been clearer, making it easier to implement them effectively. Rev. 3 more explicitly ties security controls to NIST 800-53 (Rev. 5).
NIST-Compliant ICS and OT Infrastructure with Lazarus Alliance
Whether it is your industrial controls, Operational Technologies, or combined control and IT infrastructure, you’ll want to meet and maintain compliance with NIST standards. In a world with always-present APTs, these security measures cannot be taken lightly.
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts