The SANS 2026 cybersecurity skills crisis report didn’t bury the lead: operational technology and critical infrastructure sectors face measurable breach risk specifically because of skills gaps. Not hypothetical future risk. Measurable, present-tense risk tied to the shortage of professionals who understand how to secure industrial systems.

That’s not the report calling for more training budgets. That’s the report saying people are going to get hurt — or already are.

The power grid, water treatment plants, oil pipelines, hospital equipment, manufacturing floors, and railway systems that modern life depends on are increasingly connected to networks they were never designed to operate on. The professionals who understand both the operational technology running those systems and the security controls needed to protect them are extraordinarily scarce. Senior OT security engineers command $120,000–$180,000 annually — a significant premium over comparable IT security roles — precisely because so few people have the right combination of knowledge.

This is one of the most compelling career transitions available to experienced IT security professionals right now. Here’s what it actually involves.

OT Security Is a Different Discipline

The foundational mistake IT security professionals make when entering OT is assuming the concepts transfer directly. Many do. The priorities don’t.

In IT security, the CIA triad typically prioritizes Confidentiality, then Integrity, then Availability. You can patch a server. You can take a database offline for maintenance. An hour of downtime in an enterprise system is an incident. It’s rarely a catastrophe.

In OT security, the priority order often inverts to Availability, Integrity, then Confidentiality. You cannot take a power substation offline for a security patch during peak demand. You cannot interrupt a water treatment process mid-cycle. An hour of downtime in a steel mill isn’t an incident — it can destroy the furnace and cost millions. In a hospital, it can kill a patient.

This inversion changes everything: patch cadence, network segmentation strategy, incident response procedures, acceptable risk tolerance. IT security playbooks applied without modification to OT environments cause problems.

The protocol stack is different. OT environments run on industrial protocols designed in the 1970s and 1980s for reliability and determinism, not security:

  • Modbus — one of the oldest industrial protocols still in widespread use; no authentication, no encryption by design
  • DNP3 — common in electric utilities and water systems; designed for serial communication, later adapted to TCP/IP
  • PROFINET / EtherNet/IP — modern industrial Ethernet protocols used in manufacturing automation
  • OPC-UA — the more modern standard with security features built in; still the exception rather than the rule

Most IT security professionals have never seen a Modbus packet. Most OT engineers have never thought about network segmentation. The OT security professional needs both.

The “air gap” assumption is a myth. The industry has assumed for decades that separating OT networks from corporate IT networks provides security. IT/OT convergence has systematically eroded that assumption. Remote monitoring, predictive maintenance, supply chain integration, and basic operational efficiency have driven connectivity that didn’t exist ten years ago. The Colonial Pipeline attack in 2021 compromised IT systems that caused operational shutdown of OT systems — the air gap failed not because the OT network was breached but because operational response to an IT compromise shut down the pipeline.

The Critical Infrastructure Sectors with the Most Urgent Need

Energy (Electric Utilities and Oil & Gas): NERC CIP (Critical Infrastructure Protection) standards create mandatory security requirements for bulk electric systems. Compliance requires specialized professionals. The offshore drilling and pipeline sectors operate aging SCADA systems that were never designed for current threat environments. This sector is actively recruiting.

Water and Wastewater: Among the most underfunded and understaffed critical infrastructure sectors. The EPA’s 2024 cybersecurity requirements created new compliance obligations without corresponding budget increases at most utilities. Small and mid-size water utilities are particularly exposed — they often lack any dedicated security personnel.

Manufacturing: Smart factory initiatives have connected previously isolated production systems to enterprise networks and the internet. The attack surface has expanded faster than security practices have adapted. Manufacturing is now a top-five target for ransomware specifically because operators will pay quickly to restore production.

Healthcare (Medical Devices): FDA requirements now mandate cybersecurity by design for new medical devices and postmarket vulnerability management for deployed devices. The intersection of life-safety and IT security makes this a high-stakes, specialized area with strong demand for professionals who understand both.

Transportation (Rail and Aviation): TSA security directives issued after Colonial Pipeline expanded to cover rail and aviation operators. Compliance programs are actively being built at major operators. The specialized nature of rail control systems (ETCS, CTCS) creates demand for professionals with both transportation and cybersecurity backgrounds.

The Career Transition Path

Most successful OT security professionals come from one of two directions: IT security professionals who learn OT, or OT engineers who learn security. Both transitions are viable; neither is quick.

For IT security professionals transitioning to OT:

Start with the conceptual framework. Read the ICS-CERT advisories. Study the NIST SP 800-82 Guide to Industrial Control System Security. Understand why OT priorities differ from IT and internalize the operational constraints that drive those differences.

Get hands-on with industrial protocols. Build a small home lab using open-source tools like OpenPLC and Modbus simulators. Capture and analyze Modbus and DNP3 traffic in Wireshark. Understanding what these protocols look like on the wire is foundational.
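As an added example (not part of the original article), here is what a Modbus/TCP request looks like once decoded, tying together the protocol list above and this lab advice. It parses the MBAP header and PDU, then flags write requests from hosts outside an allowlist; the function names, sample frames, and lab IP addresses are constructed for illustration.

```python
import struct

# Function codes from the public Modbus application protocol specification.
READS = {1: "Read Coils", 2: "Read Discrete Inputs",
         3: "Read Holding Registers", 4: "Read Input Registers"}
WRITES = {5: "Write Single Coil", 6: "Write Single Register",
          15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request ADU (MBAP header + PDU)."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length does not match frame size")
    fc, data = frame[7], frame[8:]
    out = {"transaction": tid, "unit": unit, "function": fc,
           "name": READS.get(fc) or WRITES.get(fc) or "other",
           "is_write": fc in WRITES}
    # Each request handled here starts with a 2-byte address and a 2-byte
    # value or quantity. Note what is absent: no user, token or MAC field.
    if (fc in READS or fc in WRITES) and len(data) >= 4:
        out["address"], out["value_or_qty"] = struct.unpack(">HH", data[:4])
    return out

def unexpected_writes(captures, allowed_writers):
    """Return (src, parsed) for write requests from hosts not on the allowlist."""
    alerts = []
    for src, frame in captures:
        try:
            parsed = parse_modbus_tcp(frame)
        except ValueError:
            continue  # malformed frames belong to a separate detection
        if parsed["is_write"] and src not in allowed_writers:
            alerts.append((src, parsed))
    return alerts

# Constructed sample traffic (lab addresses, not from a real capture).
SAMPLES = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000002")),   # HMI reads 2 registers
    ("10.0.0.5", bytes.fromhex("00020000000601060010002a")),   # HMI writes register 16
    ("10.0.0.99", bytes.fromhex("0003000000060105000aff00")),  # unknown host sets coil 10
]

if __name__ == "__main__":
    for src, parsed in unexpected_writes(SAMPLES, {"10.0.0.5"}):
        print(src, parsed["name"], parsed.get("address"))
```

Because the protocol carries no identity, the source-address allowlist is a network-level control layered on top; it is the kind of rule OT monitoring and segmentation enforce.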

The primary certifications to target:

  • GICSP (Global Industrial Cyber Security Professional) — GIAC’s OT-specific certification; widely recognized by employers in the sector
  • Certified SCADA Security Architect (CSSA) — more advanced; good for senior roles
  • Vendor-specific certifications — Siemens, Rockwell Automation, Schneider Electric, and Honeywell all offer security-relevant training for their specific platforms

For initial roles, target IT security positions at OT-heavy companies rather than trying to immediately jump into OT security roles. Security analyst roles at energy companies, manufacturers, or utilities will give you exposure to OT environments while building on your existing IT security skills.

For OT engineers transitioning to security:

Your deep knowledge of how industrial systems actually operate is your primary advantage — and it’s an advantage that can’t be classroom-taught to IT security professionals. Double down on it.

Build the security layer on top of your operational expertise. CompTIA Security+, then GICSP. Learn network security fundamentals — firewall architecture, network segmentation, monitoring with tools like Claroty, Dragos, or Nozomi (the dominant OT security platforms). Learn to think in terms of threat actors and attack paths, not just operational efficiency.

What the Roles Look Like and What They Pay

OT Security Analyst — Entry to mid-level. Monitors OT networks for anomalies, investigates alerts, supports incident response. Range: $75,000–$105,000.

ICS/SCADA Security Engineer — Mid to senior. Designs security architectures for industrial environments, implements segmentation, deploys OT-specific monitoring tools. Range: $110,000–$155,000.

OT Security Architect — Senior. Develops enterprise OT security strategies, leads major programs. Range: $140,000–$180,000+.

Industrial Penetration Tester — Specialized. Tests OT environments for vulnerabilities using specialized techniques that won’t disrupt operations. Small talent pool; commands premium compensation. Range: $130,000–$175,000.

OT SOC Analyst — Emerging role. Staffs dedicated OT security operations centers (still relatively rare but growing). Range: $85,000–$120,000.

The clearance premium applies here too. Much OT security work at defense contractors and government-adjacent organizations requires clearances, which add another 20–40% to base compensation.

The Bottom Line

The SANS warning isn’t hyperbole. The people running OT security programs at most critical infrastructure organizations are doing so with insufficient staff and insufficient specialized knowledge. The regulatory frameworks requiring improvement are new enough that many organizations haven’t yet built the internal expertise to comply.

The professionals who invest in OT-specific knowledge now are entering a market with genuinely scarce supply, structurally increasing demand, and compensation that reflects that imbalance. It takes 6–18 months to develop credible OT security competency depending on your starting point. That’s a real investment. It’s also one of the better career investments you can make in 2026.