Tool Vendors vs Control Vendors: Two Very Different Threat Models

Originally published at ai-ics-ot-cybersecurity.blogspot.com

Why This Distinction Matters in OT

In operational technology environments, vendor roles are often misunderstood or oversimplified, particularly when security frameworks from IT are applied without adaptation. Tool vendors and control vendors may coexist within the same architecture, but they operate under fundamentally different threat models. Failing to recognize this difference leads to flawed risk assessments, misplaced trust, and security controls that protect visibility rather than safety. In OT, this distinction matters because the consequences extend beyond data loss and directly affect physical processes.

Control Vendors: When Compromise Equals Process Control

Control vendors are responsible for the systems that execute industrial logic and translate digital instructions into physical action. PLCs, DCS platforms, safety controllers, and engineering workstations sit at the core of industrial operations and directly influence how machinery behaves. When these systems are compromised, the attacker does not merely observe or interfere with communication; they gain the ability to alter the behavior of the process itself. This makes control vendors inherently high-risk, as any breach at this layer can result in unsafe operating conditions or physical damage.

The Control Vendor Threat Model

The threat model for control vendors must assume that integrity failures can have immediate and long-term physical consequences. Malicious or corrupted logic can execute in a way that appears normal to operators while gradually pushing the process toward instability. Because industrial environments are designed for consistency and long lifecycles, such compromises can remain undetected for extended periods. Recovery is rarely straightforward, often requiring shutdowns, extensive validation, and re-establishment of trust in both the system and the vendor.

Why Control Vendors Are High-Value Targets

Control vendors represent attractive targets for adversaries due to their broad deployment and long-term presence in critical infrastructure. A single vulnerability or compromised update can propagate across many facilities, sometimes globally. These systems are often trusted implicitly and updated infrequently, which increases the potential impact of supply chain attacks. The ability to influence control logic at scale makes control vendors far more consequential targets than many traditional IT suppliers.

Tool Vendors: Observers, Not Process Owners

Tool vendors operate in a supporting role, providing visibility, monitoring, and protective filtering around industrial systems. Firewalls, intrusion detection platforms, asset discovery tools, and analytics solutions help operators understand what is happening in the environment, but they do not execute control logic or directly manipulate physical equipment. Their value lies in detection and awareness rather than decision-making at the process level.

The Tool Vendor Threat Model

The threat model for tool vendors assumes that compromise results primarily in loss of visibility, inaccurate alerts, or data exposure. While these outcomes are serious and can delay response to real incidents, they do not immediately alter the behavior of the industrial process. Tools are expected to fail safely, meaning their removal or isolation should not stop production or create hazardous states. This difference allows tool vendors to operate with greater flexibility in patching and system changes.

The Critical Difference: Who Owns the “Last Action”

The defining distinction between control vendors and tool vendors lies in ownership of the final action before physical movement occurs. Control vendors determine how logic is executed and how actuators respond, placing them directly between software and physics. Tool vendors, by contrast, influence understanding and response but not execution. This separation fundamentally changes the impact of compromise and must be reflected in how risk is assessed and mitigated.

Why Applying IT Threat Models Breaks OT Security

Applying IT-centric threat models to OT environments often leads to overconfidence in monitoring and underinvestment in control-layer integrity. While tools can provide extensive telemetry and sophisticated detection, they cannot prevent malicious logic from executing if the control system itself is compromised. In OT, security cannot rely solely on observation; it must ensure that execution remains trustworthy.

Supply Chain Risk: A Tale of Two Vendors

Supply chain compromise highlights the stark contrast between these vendor types. When a tool vendor is compromised, organizations may experience reduced visibility or delayed detection, but operations can usually continue while the issue is addressed. When a control vendor is compromised, the integrity of the entire process is called into question. The resulting impact can include physical damage, extended outages, and lengthy investigations to determine whether systems can be trusted again.

The Hidden Problem: Control Vendors Often Don’t Act Like High-Risk Vendors

Despite their critical role, many control vendors have historically lagged in adopting security practices that reflect their risk profile. Security features such as cryptographic signing, secure boot, and robust vulnerability disclosure have often been slow to appear. This gap leaves operators compensating with external tools rather than addressing the root of the risk at the control layer.

What OT Professionals Must Do Differently

OT professionals must consciously separate how they evaluate control vendors and tool vendors. Risk assessments should prioritize components that execute logic and influence physical outcomes. While tools remain important, they should be treated as compensating controls rather than foundational security measures. Greater scrutiny and higher expectations must be placed on vendors whose products directly affect safety and process integrity.

The Future: Agentic AI Makes This Divide Even Sharper

As industrial systems begin to incorporate autonomous and AI-driven decision-making, the line between tool and control becomes even more critical. Once an AI system is permitted to adjust setpoints or execute actions without human approval, it effectively becomes part of the control layer. At that point, it inherits the same threat model and safety responsibilities as traditional control systems, regardless of how it is marketed.
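The last-action test from the sections above can be run over an asset inventory. The following Python sketch is an added example, not part of the original post; the field names, the findings text, and the sample assets are constructed assumptions. It shows the same AI product landing in a different threat model once its writes stop being gated by an operator.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    marketed_as: str             # vendor's own label: "tool" or "control"
    executes_logic: bool         # runs control logic (PLC, DCS, safety controller)
    can_write_process: bool      # can change setpoints or command actuators
    human_approves_writes: bool  # every write is gated by an operator
    process_depends_on_it: bool  # isolating it stops production or creates a hazard

def owns_last_action(a: Asset) -> bool:
    # Control layer: executes logic itself, or writes to the process unattended.
    return a.executes_logic or (a.can_write_process and not a.human_approves_writes)

def assess(a: Asset) -> tuple[str, list[str]]:
    """Return the threat model that applies and any mismatches worth review."""
    model = "control" if owns_last_action(a) else "tool"
    findings = []
    if model == "control" and a.marketed_as == "tool":
        findings.append("marketed as a tool but owns the last action")
    if model == "tool" and a.process_depends_on_it:
        findings.append("does not fail safely: process depends on it")
    return model, findings

def review(inventory: list[Asset]) -> list[tuple[str, str, list[str]]]:
    """Assess every asset; control-layer assets sort first for prioritisation."""
    rows = [(a.name, *assess(a)) for a in inventory]
    return sorted(rows, key=lambda r: r[1] != "control")

# Constructed sample inventory (hypothetical assets, for illustration only).
INVENTORY = [
    Asset("passive-ids", "tool", False, False, False, False),
    Asset("inline-firewall-fail-closed", "tool", False, False, False, True),
    Asset("ai-optimizer-advisory", "tool", False, True, True, False),
    Asset("ai-optimizer-closed-loop", "tool", False, True, False, True),
    Asset("plc-line-3", "control", True, True, False, True),
]

if __name__ == "__main__":
    for name, model, findings in review(INVENTORY):
        print(f"{name:30} {model:8} {'; '.join(findings) or '-'}")
```
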

Conclusion: Different Vendors, Different Consequences

Tool vendors and control vendors play distinct roles, and those roles carry very different consequences when things go wrong. Tools help operators see and understand the environment, but control systems decide how it behaves. In OT security, protecting visibility is not the same as protecting the process. True resilience comes from recognizing who owns the last action and ensuring that those systems are designed, secured, and governed accordingly.
