Why Your AI Strategy Stops Where the PLC Starts: Hard Lessons From the OT Frontlines
Why It Matters
Without authentic OT telemetry, AI-driven security cannot see, let alone stop, attacks on the plant floor, leaving essential infrastructure exposed to costly downtime and to sophisticated nation-state threats.
Key Takeaways
- Legacy Windows 7 maintenance laptops remain the sole bridge to protection relays
- Fewer than one in ten OT networks have effective network monitoring
- Active scanning can crash industrial controllers; passive monitoring is essential
- A crown-jewel focus shrinks the AI scope to a handful of assets
- Tabletop exercises align IT and OT teams on a shared incident timeline
Pulse Analysis
The promise of artificial-intelligence-driven security is reshaping boardrooms across utilities, automotive plants, and pharma sites. Yet a 2026 Dragos report shows that fewer than one in ten operational-technology networks have meaningful network monitoring, and that in 30% of incidents the first clue came from a human on the shop floor, not from an alert. In OT, availability trumps confidentiality, so any blind spot, such as the ubiquitous Windows 7 maintenance laptop that still mediates access to critical protection relays, is a single point of failure that no AI layered on top can compensate for.
Technical missteps compound the problem. Models trained on enterprise logs (HTTP, DNS, Windows events) flag perfectly normal Modbus or PROFINET traffic as anomalous, and when they are wired to automated response playbooks they can shut down a production line faster than any attacker. Platforms from Nozomi Networks and Claroty, and Microsoft Defender for IoT, offer active-scanning capabilities, but probing a 15-year-old Siemens S7-300 can crash the controller, which is why operations leaders reject such tools outright. The solution is passive network monitoring, typically from a SPAN port or a network TAP, that captures raw traffic at Purdue levels 0 to 2 (field devices, controllers and supervisory systems) without ever sending a packet to a PLC, feeding the AI a genuine industrial data set instead of an empty corpus.
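To make the passive-monitoring point concrete, here is an added example that is not from the article or from any of the products it names: a minimal Modbus/TCP request decoder plus a whitelist-style baseline learned from a known-good window of traffic. It only parses frames it is handed, so it never touches a controller, and its baseline is built from the industrial protocol itself (which host talks to which unit with which function code) rather than from enterprise log sources. The IP addresses, the hex frames, the "HMI", "PLC" and "laptop" roles and the traffic windows are all constructed for the demonstration.

```python
"""
Added example (not the article's or any vendor's code): passive Modbus/TCP
decoding and a learned per-device baseline. All frames, hosts and windows
below are constructed; nothing here sends traffic to a real device.
"""
import struct

# Function codes that change process state. In a read-only baseline window
# (HMI polling a PLC) none of these should appear at all.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil",
    6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def parse_mbap(frame: bytes):
    """Decode the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) and the function code that follows it.
    Returns None for anything that is not a plausible Modbus/TCP request,
    because a passive sensor must drop junk rather than choke on it."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; the length field covers unit id + PDU.
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu": frame[8:]}


def learn_baseline(events):
    """events: iterable of (src_ip, dst_ip, frame) captured during a window
    operations has confirmed as normal. Returns the set of
    (src, dst, unit, function code) tuples seen in that window."""
    baseline = set()
    for src, dst, frame in events:
        req = parse_mbap(frame)
        if req is not None:
            baseline.add((src, dst, req["unit"], req["fc"]))
    return baseline


def detect(baseline, events):
    """Return a list of (src, dst, fc, reason) for every observed request
    that falls outside the learned baseline. fc is None for dropped frames."""
    known_pairs = {(s, d) for s, d, _, _ in baseline}
    alerts = []
    for src, dst, frame in events:
        req = parse_mbap(frame)
        if req is None:
            alerts.append((src, dst, None, "malformed or non-Modbus frame dropped"))
            continue
        key = (src, dst, req["unit"], req["fc"])
        if key in baseline:
            continue
        name = FUNCTION_NAMES.get(req["fc"], f"function {req['fc']}")
        if (src, dst) not in known_pairs:
            reason = f"new master {src} issued {name} to unit {req['unit']}"
        elif req["fc"] in WRITE_FUNCTIONS:
            reason = f"{src} issued {name}, a write never seen in the baseline"
        else:
            reason = f"{src} issued {name}, not in baseline for unit {req['unit']}"
        alerts.append((src, dst, req["fc"], reason))
    return alerts


# Constructed hosts (hypothetical addresses) and hand-built request frames.
HMI, PLC, LAPTOP = "10.0.2.10", "10.0.2.50", "10.0.2.77"
READ_HOLDING = bytes.fromhex("00010000000601030000000a")        # fc 3, 10 regs
READ_COILS = bytes.fromhex("000200000006010100000010")          # fc 1, 16 coils
WRITE_SINGLE_REG = bytes.fromhex("000300000006010600100001")    # fc 6
WRITE_MULTI_REG = bytes.fromhex("0004000000090110001000010200ff")  # fc 16
TRUNCATED = bytes.fromhex("00050000")                           # not a request

# Known-good window: only the HMI polls the PLC, read-only.
BASELINE_WINDOW = [(HMI, PLC, READ_HOLDING), (HMI, PLC, READ_COILS),
                   (HMI, PLC, READ_HOLDING)]
# Live window: normal poll, a write from a host never seen before (the
# maintenance laptop), a write from the HMI, and a garbage frame.
LIVE_WINDOW = [(HMI, PLC, READ_HOLDING), (LAPTOP, PLC, WRITE_MULTI_REG),
               (HMI, PLC, WRITE_SINGLE_REG), (HMI, PLC, TRUNCATED)]


def run_demo():
    """Learn from the good window, then score the live window."""
    return detect(learn_baseline(BASELINE_WINDOW), LIVE_WINDOW)


if __name__ == "__main__":
    for src, dst, fc, reason in run_demo():
        print(f"{src} -> {dst}: {reason}")
```

The baseline here is deliberately a whitelist rather than a statistical model: on a network where a PLC sees the same polling pattern every second, "anything not seen during the known-good window" is already a strong signal, and a model trained on these tuples learns the plant's actual protocol behaviour instead of enterprise noise. Note what the alerts do not do: they never trigger a response that touches the PLC; that decision stays with operations.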
Strategic execution demands a three-step playbook: inventory the floor to identify the true crown jewels, typically three processes that cannot tolerate an hour of outage; segment the network so that non-critical devices are isolated from them; and only then deploy passive telemetry on those segments for AI analytics. Tabletop exercises that trace a ransomware path from a phishing email to a PLC help bridge the cultural divide between IT and OT, turning each side's jargon into a single, shared incident timeline. With nation-state actors such as Volt Typhoon relying on "living off the land" techniques, as recent CISA advisories highlight, ignoring the factory floor is no longer an option. Properly scoped AI, fed by authentic OT data, can deliver measurable risk reduction and protect critical infrastructure.