> 🎙️ This post was auto-generated from the [Tech Updates podcast](https://rss.com/podcasts/tech-updates-by-andres-sarmiento/2777805) episode.
When the power grid goes dark, nobody cares about your uptime metrics or your cloud architecture—they care about whether the lights come back on. OT/ICS security is the unglamorous, high-stakes corner of cybersecurity where infrastructure defenders prevent the kind of disruptions that cascade into real-world harm. This episode pulls back the curtain on what it actually takes to defend critical infrastructure, and why so few security professionals even know this world exists.
What This Episode Covers
- The reality of OT/ICS defense work — segmentation strategies, SCADA patching, PLC hardening, and cross-functional coordination with plant engineers
- Compensation and career trade-offs — why OT security pays 40–60% less than cloud security roles at the same companies, and what that “purpose tax” really means
- Real attack precedent — Ukraine 2015 grid attack, Triton/TRISIS (2017), Oldsmar water treatment (2021), Aliquippa Municipal Water (2023), and Volt Typhoon pre-positioning
- A day in the field — 6 AM substation site visits, vendor management of legacy Windows 7 SCADA systems, and the interpersonal challenge of building security culture with plant engineers
- Career paths into OT security — whether you come from plant engineering or IT security, and why GICSP beats CISSP for this space
- The asymmetry of success — when you do the job right, nobody notices anything happened. When you fail, there’s a body count.
Deep Dive
The OT/ICS Landscape
Operational Technology (OT) and Industrial Control Systems (ICS) are fundamentally different from enterprise IT. These are the systems that do things in the physical world — they operate power generators, control water treatment chemistry, manage pipeline pressure, and regulate petrochemical reactions. A breach isn’t a data exfiltration; it’s a physical disruption that can black out a city, poison water, or trigger an industrial explosion.
The systems themselves are often 10–20 years old, built for availability and uptime in isolated networks, not security. Many run on Windows 7 or proprietary embedded OSes that will never receive patches. They’re designed to keep running even when things go wrong—which is the opposite security posture of enterprise systems that need to fail safely.
What OT Defenders Actually Do
OT security practitioners work at the intersection of engineering, networking, and threat hunting. Their daily work includes:
Network segmentation — isolating OT networks from IT networks and the internet, often through airgaps or heavily monitored demilitarized zones (DMZs). Unlike IT segmentation, a misconfiguration here doesn’t cause a support ticket; it creates an attack vector into systems that control physical infrastructure.
SCADA and PLC hardening — Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs) are the brains of OT environments. Patching them is a coordination nightmare: you often can’t restart them without halting production, vendors take months to ship updates, and testing has to happen in isolation before deployment.
Cross-functional engineering coordination — Plant engineers care about uptime and safety margins. Security people care about threat models. OT defenders spend significant time translating between these worlds, building the case for security measures that plant managers will actually support.
Threat intelligence and forensics — Understanding how adversaries move through OT networks, which is very different from IT-focused attack chains. State-sponsored groups like Volt Typhoon don’t rush; they pre-position themselves and wait for the strategic moment to strike.
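One concrete form of the segmentation check described above, as an added example that is not from the episode or its show notes: a small Python audit that flags firewall rules letting anything other than the DMZ reach the OT zone, or opening it on any port. The zone ranges, the rule format and the sample ruleset are constructed assumptions, not any vendor's format.

```python
"""Audit a firewall ruleset for IT/OT segmentation violations (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List

ZONES = {  # constructed zone map (assumption)
    "IT": ip_network("10.0.0.0/16"),
    "DMZ": ip_network("10.1.0.0/24"),
    "OT": ip_network("192.168.10.0/24"),
}
# Only these (source zone, port) pairs may enter OT (assumption):
# Modbus/TCP from the DMZ data collector, RDP from the DMZ jump host.
ALLOWED_INTO_OT = {("DMZ", 502), ("DMZ", 3389)}


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port, 0 = any
    action: str   # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that contains it, or UNKNOWN."""
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "UNKNOWN"


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per allow rule that weakens the IT/OT boundary."""
    findings = []
    for r in rules:
        if r.action != "allow" or zone_of(r.dst) != "OT":
            continue  # only allow rules into OT matter here
        src = zone_of(r.src)
        if r.port == 0:
            findings.append(f"{r}: any-port allow into OT")
        elif (src, r.port) not in ALLOWED_INTO_OT:
            findings.append(f"{r}: {src}->OT on {r.port} bypasses the DMZ")
    return findings


SAMPLE_RULES = [  # constructed sample ruleset
    Rule("10.1.0.0/24", "192.168.10.0/24", 502, "allow"),   # OK: DMZ -> OT Modbus
    Rule("10.0.5.0/24", "192.168.10.0/24", 3389, "allow"),  # BAD: IT -> OT direct
    Rule("10.1.0.0/24", "192.168.10.0/24", 0, "allow"),     # BAD: DMZ -> OT any port
    Rule("0.0.0.0/0", "192.168.10.0/24", 0, "deny"),        # fine: default deny
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```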
The Real Stakes
The show notes reference four major incidents that illustrate the stakes:
- Ukraine 2015 — Russian actors conducted one of the first public cyberattacks on a power grid, cutting electricity to 230,000 people for hours
- Triton/TRISIS (2017) — Malware targeted safety systems at a Saudi Arabian petrochemical facility, a first-of-its-kind attack on the last line of defense between operators and disaster
- Oldsmar (2021) — A remote access breach at a Florida water treatment plant allowed an attacker to manipulate chemical dosing; operator vigilance prevented poisoning
- Volt Typhoon (ongoing) — Chinese state-sponsored actors have been quietly pre-positioning themselves across U.S. critical infrastructure for years, waiting for a conflict scenario to activate coordinated disruptions
These aren’t theoretical. They’re the operating environment for OT defenders.
Career Realities and the Compensation Gap
Here’s the harsh truth: OT security roles pay 40–60% less than equivalent cloud or enterprise security positions at the same company. A cloud architect making $180K might see an OT specialist at the same firm earning $90–120K. This reflects both lower IT budgets in industrial settings and the perception that OT is a niche specialization.
What you get instead is purpose. You get to know that when you succeed, critical services don’t fail. The trade-off isn’t for everyone—and it shouldn’t be—but for practitioners who find meaning in that kind of work, it’s irreplaceable.
Certifications and Training
The industry standard for OT security is the GICSP (GIAC ICS Security Professional), which is far more relevant than the CISSP for this domain. CISSP assumes enterprise IT architecture; GICSP focuses on industrial control systems, legacy equipment, and OT-specific threat models.
Key Takeaways
- OT security is a different discipline — legacy systems, physical consequences, and engineering constraints create a fundamentally different security posture than enterprise IT
- Volt Typhoon pre-positioning is the current threat — state actors are already inside critical infrastructure networks, waiting for strategic moments to activate attacks
- Career path choice matters — whether you come from plant engineering or IT security will shape how you approach the role; both paths are viable
- Compensation reflects purpose — OT roles pay less than cloud security, but if protecting critical infrastructure resonates with you, that trade-off may be worth it
- Success is invisible — the metric of OT security success is simple: the lights stayed on. That’s harder to sell upward than a cloud security incident that you prevented, but it matters far more to the country
Why This Matters
For IT professionals considering a lateral move into specialized security, OT/ICS represents one of the highest-impact career choices available. The field is understaffed, the consequences are real, and the technical challenges are genuinely complex. If you’re burned out on enterprise IT firef
---
🎧 Listen to the full episode on [Tech Updates](https://techupdates.it-learn.io) or wherever you get your podcasts.

