18 Essential OT Security Checklist Items for 2026
2026 is not a routine year for OT security. The convergence of IT and OT networks is accelerating, regulatory frameworks including NIS2 in Europe and updated NERC CIP standards are driving compliance obligations into operational environments, and ransomware groups have demonstrated both the capability and the willingness to target industrial infrastructure directly. If your program is still running on a pre-2023 risk model, it is already behind. This 2026 OT security checklist is built for practitioners who need a prioritized, measurable framework, not another theoretical maturity model.
What follows is an 18-item OT security checklist with quick wins executable in two weeks, 30–90 day project tracks, and a KPI for every item. It is designed to be used in the field, presented to boards, and handed to vendors as a baseline expectation.
- Accurate Asset Inventory and CMDB with Firmware and SBOMs
- Network Segmentation and Policy-Based Microsegmentation
- Secure Remote Access Controls
- Device Identity and Strong Authentication
- Firmware Integrity and Signed Updates
- Patch and Vulnerability Management for OT-Safe Patching
- Visibility and Packet-Level Monitoring (OT-Aware IDS/NSM)
- Configuration Management and Secure Backups
- Supply-Chain and Third-Party Risk Controls
- Change Management and Emergency Break-Glass Procedures
- Least Privilege and RBAC for OT Systems
- Data Diodes and One-Way Controls for High-Assurance Flows
- Resilience and Business Continuity Testing
- Incident Response for OT
- Logging, SIEM Integration, and Forensic Readiness
- Physical Security and Environmental Controls for Field Devices
- Privacy and Data Minimization for OT Telemetry
- Continuous Risk Assessment and Metrics
1. Accurate Asset Inventory and CMDB with Firmware and SBOMs
You cannot protect what you cannot see. An accurate asset inventory, including firmware versions and Software Bills of Materials (SBOMs) for embedded components, is the foundation every other checklist item depends on. Unknown assets are unpatched, unsegmented, and unmonitored.
Quick wins (0–14 days): Deploy a passive network discovery tool at a SPAN port or TAP on your primary OT segment. Export your current CMDB and identify gaps against discovered assets.
30–90 day project: Formalize a device register per IEC 62443-2-1 requirements, including firmware version, end-of-support date, and SBOM where vendor-provided. Assign asset ownership by zone. (Owner: OT team + vendor coordination)
KPI: Percentage of OT assets with confirmed firmware version documented in CMDB. Target: 95%+. Cadence: Monthly.
Pitfall: Passive discovery tools that generate ICMP or ARP traffic can disturb some legacy devices. Validate tool behavior in a lab before deploying on production segments.
2. Network Segmentation and Policy-Based Microsegmentation
Flat OT networks remain the primary enabler of lateral movement post-compromise. Without enforced zone boundaries, a single compromised engineering workstation can reach every PLC on the floor.
Quick wins: Review your current VLAN and firewall configurations against your documented zone-and-conduit model. Identify any cross-zone flows that are not explicitly allowed in your communication matrix.
30–90 day project: Implement deny-by-default policy between Purdue Level 2 and Level 3. Build a communication matrix and enforce it at the industrial firewall. Add function-code-level ACLs for Modbus and DNP3 where supported. (Owner: OT + network team)
KPI: Percentage of documented inter-zone flows covered by explicit firewall rules. Target: 100%. Cadence: Quarterly policy drift scan.
Pitfall: VLANs without firewall enforcement at zone boundaries provide no meaningful security control. Always pair segmentation with enforced policy.
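As an added example (not part of the original checklist), the following Python sketch shows what function-code-level enforcement on a Modbus/TCP conduit looks like: a deny-by-default communication matrix keyed by source and destination zone, with a parser for the MBAP header so that malformed frames are dropped as well. The zone names and the matrix contents are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes used in this example.
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Communication matrix: (source zone, destination zone) -> permitted function codes.
# Constructed for this example; a real matrix is derived from the site's zone-and-conduit model.
COMM_MATRIX = {
    ("L3_historian", "L2_cell1"): {READ_COILS, READ_HOLDING_REGISTERS},       # read-only conduit
    ("L2_eng_ws", "L2_cell1"): {READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER,
                                WRITE_MULTIPLE_REGISTERS},                    # engineering conduit
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu_data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol identifier {proto_id}")
    # The MBAP length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit_id, frame[7], frame[8:])


def decide(src_zone: str, dst_zone: str, frame: bytes) -> tuple:
    """Deny-by-default: only conduits in the matrix pass, and only their listed function codes."""
    allowed = COMM_MATRIX.get((src_zone, dst_zone))
    if allowed is None:
        return "deny", f"no conduit {src_zone}->{dst_zone} in communication matrix"
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    if req.function_code not in allowed:
        return "deny", f"function code 0x{req.function_code:02x} not permitted on this conduit"
    return "allow", f"function code 0x{req.function_code:02x} permitted"


def build_request(tid: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used here only to construct sample traffic)."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    read = build_request(1, 1, READ_HOLDING_REGISTERS, b"\x00\x00\x00\x0a")
    write = build_request(2, 1, WRITE_SINGLE_REGISTER, b"\x00\x05\x00\x01")
    print(decide("L3_historian", "L2_cell1", read))    # allow
    print(decide("L3_historian", "L2_cell1", write))   # deny: write on a read-only conduit
    print(decide("L2_cell1", "L3_historian", read))    # deny: no conduit defined
```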
3. Secure Remote Access Controls
Vendor and engineering remote access is consistently among the top OT attack vectors. Standing credentials, direct VPN tunnels to Level 2, and no session recording create significant exposure.
Quick wins: Audit all active remote access credentials. Identify any that are standing (not time-limited). Confirm all remote access routes through the OT DMZ and not directly to field device segments.
30–90 day project: Deploy a PAM (Privileged Access Management) platform for OT remote access. Implement just-in-time provisioning so that credentials expire at session end. Enforce MFA and session recording for all remote sessions. (Owner: OT security + IT security)
KPI: Percentage of remote access sessions with session recording enabled. Target: 100%. Cadence: Monthly audit of active credentials.
Pitfall: Jump hosts with broad internal network access become high-value targets themselves. Apply the same hardening standards to jump hosts as to the assets they protect.
4. Device Identity and Strong Authentication
Devices that cannot prove their identity before communicating on a control network are implicitly trusted, a posture that adversaries exploit through device impersonation and man-in-the-middle attacks.
Quick wins: Inventory which devices support certificate-based authentication or hardware identity (TPM, secure element). Identify devices currently using shared or unauthenticated connections.
30–90 day project: Deploy device certificates on supported devices. Work with vendors to enable hardware attestation where available. For legacy devices without authentication support, compensate with strict network-layer controls and physical access policies. (Owner: OT team + vendor)
KPI: Percentage of OT devices with a documented identity credential (certificate or hardware token). Target: 80%+ of Tier 1/2 devices. Cadence: Quarterly.
Pitfall: Deploying PKI (Public Key Infrastructure) in OT without a lifecycle management plan creates a certificate expiry risk that can cause unexpected device failures.
5. Firmware Integrity and Signed Updates
Compromised firmware is invisible to OS-level security controls and can persist through device reboots and software reimaging. The 2023 CISA advisory on firmware-targeted attacks in industrial environments underscores this as an active threat (check source, confirm current CISA ICS advisory numbers).
Quick wins: Contact device vendors for SHA-256 or equivalent hash values for all current firmware releases. Compare running firmware hashes against vendor-signed baselines.
30–90 day project: Enable secure boot on all devices where the feature is supported (vendor procedure required). Establish a firmware version tracking process with automated alerting for version drift. Subscribe to vendor security advisories for all device models. (Owner: OT team + vendor)
KPI: Percentage of devices running vendor-signed, current firmware. Target: 100% Tier 1; 85%+ Tier 2. Cadence: Monthly.
Pitfall: Firmware updates require controlled shutdown and maintenance windows. Never update firmware on a running safety-instrumented system without qualified safety engineer sign-off and a tested rollback procedure.
6. Patch and Vulnerability Management for OT-Safe Patching
Unpatched vulnerabilities in OT systems are actively exploited. The challenge is applying patches without disrupting continuous processes, requiring a risk-aware, staged approach distinct from IT patch management.
Quick wins: Subscribe to CISA ICS-CERT advisories (cisa.gov/ics) and cross-reference current advisories against your asset inventory. Identify CVEs present in your environment rated CVSS 9.0+.
30–90 day project: Establish a three-tier patch prioritization framework: critical (exploit available + OT-reachable, patch within 30 days), high (patch within 90 days), standard (next maintenance window). Build a test staging environment for patch validation before production deployment. (Owner: OT team + vendor + change control)
KPI: Percentage of Tier 1 assets with CVSS 9.0+ vulnerabilities remediated within target SLA. Target: 90%+. Cadence: Monthly.
Pitfall: Applying IT patch urgency timelines to OT. Patching a live PLC without testing in staging can cause configuration incompatibility and process faults.
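Added example (not from the original page) implementing the three-tier prioritization and this item's KPI in Python. The page does not define the criteria for the "high" tier, so the example assumes CVSS 9.0+ or either one of the two critical conditions on its own; the assets, dates and CVE identifiers in the sample data are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass
class Finding:
    asset: str
    cve: str                   # placeholder identifiers in the sample data below
    cvss: float
    exploit_available: bool
    ot_reachable: bool         # reachable over an OT conduit according to the zone model
    detected: date
    remediated: Optional[date] = None


SLA_DAYS = {"critical": 30, "high": 90}   # "standard" waits for the next maintenance window


def tier(f: Finding) -> str:
    """Critical = exploit available AND OT-reachable, as the checklist states.
    The page does not define 'high'; this example assumes CVSS 9.0+ or one of the
    two critical conditions on its own. Everything else is 'standard'."""
    if f.exploit_available and f.ot_reachable:
        return "critical"
    if f.cvss >= 9.0 or f.exploit_available or f.ot_reachable:
        return "high"
    return "standard"


def due_date(f: Finding, next_window: date) -> date:
    t = tier(f)
    return next_window if t == "standard" else f.detected + timedelta(days=SLA_DAYS[t])


def missed_sla(f: Finding, next_window: date, today: date) -> bool:
    """True for open findings past their due date and for closed findings fixed after it."""
    closed_on = f.remediated if f.remediated is not None else today
    return closed_on > due_date(f, next_window)


def kpi_tier1_critical(findings: List[Finding], tier1: Set[str],
                       next_window: date, today: date) -> float:
    """Checklist KPI: % of Tier 1 assets whose CVSS 9.0+ findings are all remediated within SLA."""
    status = {}
    for f in findings:
        if f.asset not in tier1 or f.cvss < 9.0:
            continue
        met = f.remediated is not None and not missed_sla(f, next_window, today)
        status[f.asset] = status.get(f.asset, True) and met
    if not status:
        return 100.0
    return round(100.0 * sum(status.values()) / len(status), 1)


# Constructed sample data; the CVE identifiers are placeholders, not real advisories.
SAMPLE = [
    Finding("PLC-01", "CVE-PLACEHOLDER-1", 9.8, True, True, date(2026, 1, 5), date(2026, 1, 30)),
    Finding("HMI-02", "CVE-PLACEHOLDER-2", 9.1, False, True, date(2026, 1, 10), date(2026, 5, 1)),
    Finding("HIST-03", "CVE-PLACEHOLDER-3", 9.4, True, True, date(2026, 1, 12)),
    Finding("PLC-01", "CVE-PLACEHOLDER-4", 7.5, False, False, date(2026, 2, 1)),
]
TIER1 = {"PLC-01", "HMI-02"}
NEXT_WINDOW = date(2026, 6, 15)
```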
7. Visibility and Packet-Level Monitoring (OT-Aware IDS/NSM)
Standard IT IDS tools are blind to Modbus function code abuse, unauthorized DNP3 commands, and IEC 61850 GOOSE message manipulation. OT-aware network security monitoring is the primary detection capability available for most field device threats.
Quick wins: Confirm passive OT monitoring sensors are deployed at all major zone boundaries. Validate that OT protocol parsing (Modbus, DNP3, EtherNet/IP) is active and generating alerts.
30–90 day project: Establish communication baselines for all monitored segments. Configure detection rules for: new device appearing, unexpected function codes, out-of-hours write commands, firmware version change. Integrate OT IDS alerts into the SOC escalation path. (Owner: OT security + SOC)
KPI: Percentage of OT network zones with active OT-aware monitoring coverage. Target: 100% Tier 1 zones. Cadence: Monthly coverage audit.
Pitfall: OT IDS deployed without defined escalation paths generates alerts that erode analyst trust through alert fatigue. Define escalation before deployment.
8. Configuration Management and Secure Backups
A configuration backup is the fastest recovery path after a device compromise, failed update, or ransomware event. Without tested, immutable backups, recovery from a device-level incident can take weeks.
Quick wins: Verify when device configurations were last exported. For any device with no backup in the last 90 days, schedule an export in the next maintenance window.
30–90 day project: Implement version-controlled configuration backups for all Tier 1 and Tier 2 devices. Store backups in an immutable, air-gapped or network-isolated repository. Schedule and document a quarterly backup restoration test. (Owner: OT team)
KPI: Percentage of Tier 1/2 devices with a tested configuration backup less than 90 days old. Target: 100%. Cadence: Quarterly restoration test.
Pitfall: Backups stored on the same network segment as the devices they protect are compromised in the same incident. Maintain physical or logical separation.
9. Supply-Chain and Third-Party Risk Controls
The SolarWinds and Kaseya incidents demonstrated that trusted vendor update channels are viable attack vectors. OT supply chain risk has been a CISA priority focus since 2021, and the 2024–2026 threat landscape reflects continued adversary investment in this vector (check source).
Quick wins: Identify all active third-party vendor connections and software update channels touching your OT environment. Verify each vendor has a documented security incident notification SLA in their contract.
30–90 day project: Require SBOMs from OT software and device vendors. Implement a vendor security scoring process. Add contractual security clauses covering: vulnerability disclosure, patch notification timelines, and incident notification within 24 hours. (Owner: procurement + OT security + legal)
KPI: Percentage of Tier 1 OT vendors with executed security SLA clauses. Target: 100%. Cadence: Annual vendor review; quarterly monitoring.
Pitfall: Accepting vendor software updates without hash verification. Always validate the cryptographic integrity of update packages before applying them.
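Added example, not from the original page, covering the hash checks in item 5 (compare running firmware against vendor baselines and alert on version drift) and the pitfall above in item 9 (verify an update package before applying it). The manifest uses the `sha256sum` layout, the sample image bytes are the SHA-256 test vector `abc` so the expected digest is known in advance, and the model and device names are placeholders.

```python
import hashlib
import hmac

# Constructed vendor manifest in sha256sum format ("<digest>  <filename>").
# The digest is SHA-256 of the bytes b"abc", which is what the sample image below contains.
# A real manifest must come from the vendor over an authenticated channel (signed advisory, portal).
VENDOR_MANIFEST = """
# model PLC-X (placeholder model name), firmware 2.4.1
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  plc_x_2.4.1.bin
"""


def parse_manifest(text: str) -> dict:
    """Return {filename: lowercase hex digest}, rejecting malformed digests."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name}")
        entries[name.lstrip("*")] = digest   # '*' marks binary mode in sha256sum output
    return entries


def verify_package(name: str, data: bytes, manifest: dict) -> tuple:
    """Item 9 pitfall: refuse to apply an update whose hash is not the vendor's."""
    expected = manifest.get(name)
    if expected is None:
        return False, "file not listed in vendor manifest"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch: do not apply"
    return True, "hash matches vendor manifest"


def firmware_drift(inventory: dict, approved: dict) -> tuple:
    """Item 5: devices whose running version is not the approved version for their model,
    plus the KPI 'percentage of devices running vendor-signed, current firmware'.
    inventory: {device: (model, running_version)}; approved: {model: current_version}."""
    drifted = [dev for dev, (model, ver) in inventory.items() if approved.get(model) != ver]
    pct = 100.0 * (len(inventory) - len(drifted)) / len(inventory) if inventory else 100.0
    return sorted(drifted), round(pct, 1)


# Constructed sample fleet (placeholder device and model names).
INVENTORY = {
    "PLC-01": ("PLC-X", "2.4.1"),
    "PLC-02": ("PLC-X", "2.3.0"),    # behind the approved release
    "RTU-07": ("RTU-Y", "1.9.0"),
    "RTU-08": ("RTU-Y", "1.9.0"),
}
APPROVED = {"PLC-X": "2.4.1", "RTU-Y": "1.9.0"}
```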
10. Change Management and Emergency Break-Glass Procedures
Uncontrolled changes to OT configurations are a primary cause of both security incidents and operational outages. Equally, an undefined emergency access process creates pressure to circumvent controls precisely when those controls matter most.
Quick wins: Review your current change management log. Identify any firewall rule or device configuration changes in the last 90 days without a corresponding change record.
30–90 day project: Implement dual-approval change control for all Tier 1 OT configuration changes. Document a formal break-glass procedure: activation criteria, access scope, mandatory post-incident review, and automatic expiry. (Owner: OT operations + security)
KPI: Percentage of OT configuration changes with a corresponding approved change record. Target: 100%. Cadence: Monthly audit.
Pitfall: Break-glass procedures activated repeatedly as a convenience workaround indicate that normal change control is too burdensome; address the process, not the guardrail.
11. Least Privilege and RBAC for OT Systems
Over-privileged accounts in OT environments allow a single compromised credential to affect multiple systems and process areas. Separation of duties between operators, engineers, and administrators limits blast radius.
Quick wins: Audit active accounts on HMIs, engineering workstations, and historian servers. Identify any accounts with administrator-level access that do not require it for their role.
30–90 day project: Implement RBAC aligned to Purdue model responsibilities. Define: operator (read + execute defined commands), engineer (read + limited write within approved scope), administrator (full access, MFA-required). Remove shared accounts. (Owner: OT team + IT identity team)
KPI: Percentage of OT system accounts with documented role assignment. Target: 100%. Cadence: Quarterly access review.
Pitfall: Single shared “admin” accounts used by multiple engineers are a persistent problem; individual named accounts enable accountability and forensic traceability.
12. Data Diodes and One-Way Controls for High-Assurance Flows
For historian data replication, compliance reporting, and safety system log forwarding, where data flows only from OT to IT, a hardware data diode provides a security guarantee that no firewall configuration error can undermine.
Quick wins: Identify all data flows from OT to IT that are genuinely one-directional in function. These are candidates for data diode replacement of bidirectional firewall rules.
30–90 day project: Deploy hardware data diodes at the Level 3/OT DMZ boundary for confirmed one-way use cases. Verify physical directionality through an attempted reverse-path connection test in a lab environment. (Owner: OT security + network team)
KPI: Number of high-assurance one-way flows protected by hardware diode vs. software firewall rule. Target: 100% of identified high-assurance flows on hardware diodes. Cadence: Annual architecture review.
Pitfall: Over-deploying data diodes on flows that require bidirectional communication creates operational workarounds. Reserve for genuinely one-way, high-criticality flows.
13. Resilience and Business Continuity Testing
A resilience plan that has never been tested is not a plan; it is a hypothesis. Ransomware recovery times in OT environments without tested DR processes have been documented at multiple weeks (check source for current industry benchmarks).
Quick wins: Confirm the last date a DR or failover test was conducted for each critical process area. Identify any area with no test in the last 12 months.
30–90 day project: Schedule and conduct a tabletop DR exercise covering the top two OT incident scenarios (ransomware reaching Level 3; PLC configuration corruption). Document RTOs and compare against business requirements. (Owner: OT operations + security + business continuity)
KPI: Number of OT DR scenarios with documented, tested RTO within business tolerance. Target: All Tier 1 processes. Cadence: Bi-annual tabletop; annual full drill.
Pitfall: DR plans that assume specific personnel availability: if the one engineer who knows the recovery procedure is unavailable during an incident, the plan fails. Document procedures, not people.
14. Incident Response for OT
IT incident response procedures do not transfer to OT. Forensic collection methods, safe isolation procedures, and communication paths for process engineers are fundamentally different from IT IR workflows.
Quick wins: Review your current IR playbooks and identify whether OT-specific scenarios (PLC compromise, HMI ransomware, unauthorized remote access to field devices) are explicitly covered.
30–90 day project: Develop or update OT-specific IR playbooks for top five threat scenarios. Conduct a joint IT/OT tabletop exercise. Establish OT forensic capability: passive memory capture tools, network traffic archiving for the 72 hours preceding an alert. (Owner: OT security + CISO + OT operations)
KPI: Number of OT incident scenarios with documented, tested IR playbook. Target: Top 5 scenarios covered. Cadence: Annual tabletop + quarterly playbook review.
Pitfall: Isolating a compromised OT device by disconnecting it from the network can cause a process fault if the device is active in a control loop. Define safe isolation procedures with OT engineering input.
15. Logging, SIEM Integration, and Forensic Readiness
Without adequate log retention and centralized collection, incident investigation is limited to whatever is in volatile device memory, which an attacker can clear and which resets on reboot.
Quick wins: Confirm log forwarding is enabled on all Tier 1 devices that support Syslog. Verify logs are reaching your central collector and that the retention window meets your incident investigation requirements (minimum 90 days for most regulated environments).
30–90 day project: Integrate OT log streams into your SIEM alongside IT telemetry. Define normalization rules for OT protocol events. Create detection rules for: authentication failure, configuration change, firmware version change, new device. (Owner: SOC + OT security)
KPI: Percentage of Tier 1 OT devices with log forwarding to central collector. Target: 90%+. Cadence: Monthly.
Pitfall: Log forwarding that introduces unexpected network traffic to quiet OT segments can affect deterministic communications. Validate traffic impact before enabling.
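The detection rules listed under item 7 (new device, unexpected function codes, out-of-hours write commands, firmware version change) and under this item (authentication failure, configuration change, firmware version change, new device) can be expressed as one baseline-then-detect pass over normalized events. This Python example is added here and is not code from the original page; the event schema, the 06:00–18:00 working-hours assumption and the sample events are constructed.

```python
from datetime import datetime, time

WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}   # Modbus write function codes
WORK_HOURS = (time(6, 0), time(18, 0))             # assumed site hours for planned writes


class OtDetector:
    """Baseline-then-detect over normalized OT events, as a SIEM normalizer would emit them.
    Each event is a dict with ts (ISO 8601), type, src, dst and type-specific fields."""

    def __init__(self):
        self.devices = set()      # devices seen during the baseline window
        self.flows = set()        # (src, dst, function_code) tuples seen in baseline
        self.firmware = {}        # device -> firmware version

    def learn(self, events):
        """Build the communication baseline from a clean observation window."""
        for e in events:
            self.devices.update((e["src"], e["dst"]))
            if e["type"] == "modbus":
                self.flows.add((e["src"], e["dst"], e["fc"]))
            elif e["type"] == "firmware":
                self.firmware[e["dst"]] = e["version"]

    def detect(self, events):
        """Return (rule, detail, ts) alerts for the rules listed in items 7 and 15."""
        alerts = []
        for e in events:
            ts = datetime.fromisoformat(e["ts"])
            for dev in (e["src"], e["dst"]):
                if dev not in self.devices:
                    alerts.append(("new_device", dev, e["ts"]))
                    self.devices.add(dev)          # alert once per newly seen device
            if e["type"] == "modbus":
                flow = f"{e['src']}->{e['dst']} fc={e['fc']}"
                if (e["src"], e["dst"], e["fc"]) not in self.flows:
                    alerts.append(("unexpected_function_code", flow, e["ts"]))
                in_hours = WORK_HOURS[0] <= ts.time() < WORK_HOURS[1]
                if e["fc"] in WRITE_FUNCTION_CODES and not in_hours:
                    alerts.append(("out_of_hours_write", flow, e["ts"]))
            elif e["type"] == "firmware":
                previous = self.firmware.get(e["dst"])
                if previous is not None and previous != e["version"]:
                    alerts.append(("firmware_version_change", f"{e['dst']} {previous}->{e['version']}", e["ts"]))
                self.firmware[e["dst"]] = e["version"]
            elif e["type"] == "auth" and e["result"] == "failure":
                alerts.append(("authentication_failure", f"{e['user']}@{e['dst']}", e["ts"]))
            elif e["type"] == "config_change":
                alerts.append(("configuration_change", f"{e['dst']} by {e['src']}", e["ts"]))
        return alerts


# Constructed sample events (private addresses, not from any real site).
BASELINE = [
    {"ts": "2026-03-02T09:00:00", "type": "modbus", "src": "10.1.2.10", "dst": "10.1.2.50", "fc": 3},
    {"ts": "2026-03-02T10:00:00", "type": "modbus", "src": "10.1.2.20", "dst": "10.1.2.50", "fc": 16},
    {"ts": "2026-03-02T10:30:00", "type": "firmware", "src": "10.1.2.30", "dst": "10.1.2.50", "version": "2.4.1"},
]
LIVE = [
    {"ts": "2026-03-03T09:15:00", "type": "modbus", "src": "10.1.2.10", "dst": "10.1.2.50", "fc": 3},
    {"ts": "2026-03-03T02:30:00", "type": "modbus", "src": "10.1.2.20", "dst": "10.1.2.50", "fc": 16},
    {"ts": "2026-03-03T11:00:00", "type": "modbus", "src": "10.1.2.99", "dst": "10.1.2.50", "fc": 6},
    {"ts": "2026-03-03T11:05:00", "type": "firmware", "src": "10.1.2.30", "dst": "10.1.2.50", "version": "2.3.0"},
    {"ts": "2026-03-03T11:10:00", "type": "auth", "src": "10.1.2.20", "dst": "10.1.2.50", "user": "eng1", "result": "failure"},
    {"ts": "2026-03-03T11:20:00", "type": "config_change", "src": "10.1.2.20", "dst": "10.1.2.50"},
]


def run_sample():
    detector = OtDetector()
    detector.learn(BASELINE)
    return detector.detect(LIVE)
```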
16. Physical Security and Environmental Controls for Field Devices
USB-delivered malware, physical device substitution, and direct console port access remain realistic threats against field devices, particularly in distributed environments with limited physical oversight.
Quick wins: Walk down Tier 1 field device locations and confirm cabinets are locked, USB ports are physically blocked or disabled, and access logs are in place.
30–90 day project: Implement tamper-evident seals on critical device enclosures. Deploy physical access logging (electronic access control) to control rooms and field device locations. Document environmental thresholds (temperature, humidity) and verify monitoring is active. (Owner: Facilities + OT operations)
KPI: Percentage of Tier 1 field device locations with confirmed physical access control and tamper detection. Target: 100%. Cadence: Quarterly physical audit.
Pitfall: Focusing exclusively on cyber controls while physical access to a PLC remains unrestricted undermines every network security investment.
17. Privacy and Data Minimization for OT Telemetry
OT telemetry increasingly includes data that intersects with privacy regulations: operator activity logs, shift patterns, and, in some environments, health and safety data. GDPR, DPDPA (India), and emerging OT-specific data governance requirements are creating compliance obligations for data collected from plant environments.
Quick wins: Inventory what OT telemetry data is collected, where it is forwarded (particularly to cloud platforms or IT SIEM), and whether any of it could qualify as personal data under applicable regulation.
30–90 day project: Implement data masking or pseudonymization for operator-identifiable data in OT logs forwarded to IT systems. Define and document retention periods for OT telemetry data. Review with legal and compliance teams. (Owner: OT security + legal + data governance)
KPI: Percentage of OT telemetry data flows with documented data classification and retention policy. Target: 100% of flows to IT/cloud. Cadence: Annual data flow audit.
Pitfall: Treating OT telemetry as entirely outside privacy regulation scope. This assumption is increasingly challenged by regulators in several jurisdictions (check source for current guidance in your region).
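One way to implement the masking and minimization step before OT audit logs leave the plant, as an added Python example rather than code from the original page: a field allowlist drops badge numbers and shift data, and operator identifiers are replaced with keyed HMAC tokens so the IT SIEM can still correlate one operator's actions without holding the identity. The log format, field names and pepper value are constructed.

```python
import hashlib
import hmac

# Site-local pepper kept inside the OT zone (constructed placeholder; load it from a secrets store).
PEPPER = b"replace-with-site-secret"

# Fields the IT SIEM actually needs (data minimization); everything else is dropped before forwarding.
FORWARD_KEYS = {"ts", "device", "action", "register", "result", "operator"}
PSEUDONYMIZE_KEYS = {"operator"}          # operator-identifiable fields replaced with tokens


def pseudonym(value: str, pepper: bytes = PEPPER) -> str:
    """Keyed HMAC-SHA256 token: stable per operator so investigations can correlate events,
    but not reversible without the pepper, which never leaves the OT zone."""
    digest = hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "op-" + digest[:16]


def parse_kv(line: str) -> dict:
    """Parse a 'key=value key=value' log line of the kind an HMI audit log might produce."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"unexpected token {token!r}")
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def minimize_line(line: str) -> str:
    """Drop non-forwarded fields and pseudonymize operator identifiers, preserving field order."""
    out = []
    for key, value in parse_kv(line).items():
        if key not in FORWARD_KEYS:
            continue
        if key in PSEUDONYMIZE_KEYS:
            value = pseudonym(value)
        out.append(f"{key}={value}")
    return " ".join(out)


def forward_batch(lines):
    """Apply minimization to a batch of lines destined for the IT SIEM."""
    return [minimize_line(line) for line in lines]


# Constructed sample HMI audit lines (not from any real system).
SAMPLE_LINES = [
    "ts=2026-03-03T07:02:11 device=HMI-02 operator=jsmith badge=48213 shift=night action=write register=40001 result=ok",
    "ts=2026-03-03T07:05:40 device=HMI-02 operator=adoe badge=48990 shift=night action=read register=40010 result=ok",
    "ts=2026-03-03T07:09:02 device=HMI-02 operator=jsmith badge=48213 shift=night action=write register=40002 result=denied",
]
```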
18. Continuous Risk Assessment and Metrics
A point-in-time risk assessment is obsolete the day after the next asset change. The programs that consistently demonstrate improvement have replaced annual assessments with continuous risk quantification and board-ready reporting dashboards.
Quick wins: Define your five most critical OT risk scenarios and assign a current likelihood and impact estimate. Schedule a monthly review of any scenario where likelihood has changed.
30–90 day project: Build an OT security dashboard covering the KPIs from this checklist. Report to plant management monthly; to the board quarterly. Align metrics to business language: availability risk, safety consequence, compliance exposure. (Owner: CISO + OT program manager)
KPI: Completeness of the OT security dashboard: percentage of the 18 checklist items with active, current KPI data. Target: 100%. Cadence: Monthly dashboard review; quarterly board report.
Pitfall: Reporting metrics that look good only because scope is limited. Ensure the asset inventory KPI reflects your actual fleet, not only the devices you have already hardened.
Verification and Assurance
Demonstrating compliance requires evidence, not declarations. Build an evidence library that includes: passive monitoring exports confirming zone coverage, change log samples demonstrating dual approval, backup restoration test records, and vendor security SLA confirmation.
For regulatory audits (NERC CIP, NIS2, IEC 62443), ensure each checklist item has a corresponding documented control with implementation evidence, test date, and responsible owner.
Annual third-party OT security assessments provide independent verification. Safe red/blue exercises (passive adversary simulation using OT-appropriate tooling, with no active exploitation) validate detection and response capability without process risk.
Sampling strategy: for large fleets, validate a minimum 20% random sample per device class quarterly. Full-fleet validation annually. Any finding in a sample triggers full-class review.
Conclusion
The 2026 OT security checklist is not a one-time project. It is a continuous operating discipline. The programs demonstrating the most measurable improvement are not the ones with the largest budgets; they are the ones with clear ownership of each item, consistent KPI reporting, and a bias toward testing over assuming. Start with the 14-day quick wins. Assign 30–90 day project owners. Build the dashboard. Report to the board in business language.
