Why Antivirus Alone Fails In OT



Operational Technology (OT) environments run the systems that directly control physical processes: machines, production lines, utilities, and safety systems. As cyber threats increase, many organizations try to secure OT networks by deploying traditional IT solutions such as antivirus software. While antivirus is widely accepted and effective in office IT environments, its role in OT is often misunderstood and overestimated. OT systems operate under very different constraints, priorities, and threat models than IT systems. As a result, relying on antivirus alone creates a false sense of security and leaves critical industrial processes exposed to sophisticated, process-focused cyberattacks. This post explains why antivirus alone fails in OT.



The basic use of antivirus in OT systems:

In OT environments, antivirus software is primarily used as a basic endpoint protection measure on systems that run standard operating systems, such as Windows-based HMIs, SCADA servers, engineering workstations, historians, and maintenance laptops. Its main purpose is to detect and block known malicious files, such as viruses, worms, trojans, and ransomware, that could enter the OT network through removable media (USB drives), software updates, maintenance activities, or remote access sessions. Antivirus helps prevent accidental infection caused by human error, such as an engineer connecting an infected laptop or inserting an unscanned USB device. In well-managed OT setups, antivirus is carefully configured to run in passive or scheduled modes, with controlled updates and exclusions, so it does not interfere with real-time control, system performance, or availability. In short, antivirus in OT acts as a hygiene and containment layer, reducing exposure to common IT-style malware but not providing comprehensive protection against OT-specific threats.

Beyond this hygiene role, antivirus alone fails in OT (Operational Technology) environments because OT risks are fundamentally different from IT risks. The sections below give a clear, practical breakdown of why.


Why signature-based antivirus cannot detect modern OT cyberattacks:

Signature-based detection means antivirus can only stop what it already knows. Traditional antivirus works like a photo-matching system. It stores fingerprints (signatures) of known viruses. When a file enters the system, antivirus compares it with this database. If a match is found, it raises an alarm. If the threat is new or slightly modified, antivirus does not recognize it.

In OT environments, attacks are rarely common or mass-produced. They are custom-built for a specific plant, PLC, or process. The attacker may use new tools, scripts, or techniques that have never been seen before. Since no signature exists for these attacks, antivirus has nothing to compare against.

As a result, the attack is unknown to antivirus, and unknown is not the same as suspicious. This is why signature-based antivirus struggles in OT, where threats are unique, targeted, and process-specific rather than generic malware.
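To make the photo-matching idea concrete, here is a minimal signature scanner written for this post as an added illustration (it is not code from the post or from any antivirus product). The "known" sample, the two signature types derived from it, and the other samples are all constructed. It shows that a whole-file hash signature misses even a one-byte change, a byte-pattern signature survives that but not a changed string, and a tool never seen before matches nothing at all.

```python
"""Added example (not from the post): a minimal signature scanner showing what
signature matching can and cannot see. Signatures and samples are constructed."""
import hashlib

# Constructed "known malware" sample and two signature types derived from it:
# a whole-file SHA-256 and a fixed byte pattern taken from its body.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"drop_and_spread_v1" + b"\x00" * 8
SIGNATURES = {
    "hash": {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Worm.Constructed.A"},
    "pattern": {b"drop_and_spread_v1": "Worm.Constructed.A"},
}


def scan(blob: bytes, signatures: dict = SIGNATURES):
    """Return (signature_type, name) on a match, or None when nothing is known."""
    digest = hashlib.sha256(blob).hexdigest()
    if digest in signatures["hash"]:
        return ("hash", signatures["hash"][digest])
    for pattern, name in signatures["pattern"].items():
        if pattern in blob:
            return ("pattern", name)
    return None


# Constructed inputs: the known sample plus three variants of "new or modified".
SAMPLES = {
    "known": KNOWN_SAMPLE,
    # one trailing byte changed: the hash no longer matches, the pattern still does
    "repacked": KNOWN_SAMPLE[:-1] + b"\x01",
    # the embedded string was edited: neither signature matches any more
    "renamed_string": KNOWN_SAMPLE.replace(b"_v1", b"_v2"),
    # a site-specific tool built for one plant: no signature ever existed
    "custom_plant_tool": b"MZ\x90\x00" + b"site_specific_engineering_script",
}


def run_example() -> dict:
    """Scan every constructed sample and report what the scanner could see."""
    return {name: scan(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_example().items():
        print(f"{name:18s} -> {result}")
```

Only the first two samples are caught, and the second only because the pattern happened to survive the edit; the targeted, never-seen tool is simply invisible, which is the situation the section describes for OT.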

Why OT malware targets PLC logic instead of files:

In traditional IT systems, malware usually spreads through files such as executables, documents, or scripts. Antivirus is designed to scan these files, detect malicious patterns, and block them. This works well when the attack exists in the form of a file stored on a computer.

In OT environments, the most valuable target is not a file but the control logic. Attackers focus on PLC programs, function blocks, firmware, and configuration parameters that directly control machines and processes. These changes are downloaded into controllers over industrial protocols and do not exist as suspicious files on the operating system. Because PLC logic and firmware modifications happen outside the OS file system, antivirus has no visibility into them. A ladder logic or structured text change that alters a sequence, disables an interlock, or modifies a safety condition looks like a normal engineering activity to the system.

As a result, critical process manipulation can occur without triggering any antivirus alert. The system may appear clean from an IT perspective, while the actual control behaviour has already been compromised.
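Because the change lives in the controller rather than in a file, the check that catches it has to read the logic back from the PLC and compare it with a signed-off baseline, then reconcile any difference with the change tickets. The following is an added example written for this post (not the post's own code, and not any vendor's tool); the controller names, structured-text fragments, ticket numbers and timestamps are constructed, and the read-back itself is assumed to be supplied by the engineering tool or an asset-inventory system.

```python
"""Added example (not from the post): integrity checks on PLC logic read back
from controllers, compared with a signed-off baseline and a change-ticket list.
Controller names, programs, tickets and timestamps are all constructed."""
import difflib
import hashlib
from datetime import datetime, timezone

UTC = timezone.utc


def fingerprint(program: str) -> str:
    """SHA-256 of the logic source as the engineering tool would export it."""
    return hashlib.sha256(program.encode("utf-8")).hexdigest()


def logic_diff(old: str, new: str) -> list:
    """Return only the changed lines so an operator can see what moved."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def check_readbacks(baseline: dict, readbacks: list, approvals: list) -> list:
    """baseline:  {controller: logic_text}            (approved program per PLC)
    readbacks: [(controller, logic_text, read_at)]  (periodic upload from the PLC)
    approvals: [{"controller", "sha256", "not_before", "ticket"}]
    Returns (controller, finding, changed_lines) for every deviation."""
    findings = []
    for controller, program, read_at in readbacks:
        if controller not in baseline:
            findings.append((controller, "CONTROLLER_NOT_IN_BASELINE", []))
            continue
        current = fingerprint(program)
        if current == fingerprint(baseline[controller]):
            continue  # logic unchanged: nothing to report
        changed = logic_diff(baseline[controller], program)
        ticket = next((a for a in approvals
                       if a["controller"] == controller and a["sha256"] == current), None)
        if ticket is None:
            kind = "UNAPPROVED_LOGIC_CHANGE"
        elif read_at < ticket["not_before"]:
            kind = f"CHANGE_BEFORE_APPROVED_WINDOW ({ticket['ticket']})"
        else:
            kind = f"APPROVED_CHANGE ({ticket['ticket']})"
        findings.append((controller, kind, changed))
    return findings


# Constructed structured-text fragments standing in for exported PLC programs.
BOILER_V1 = "\n".join([
    "(* feed pump interlock *)",
    "IF Level_High AND Pressure_OK THEN",
    "    Pump_Run := TRUE;",
    "ELSE",
    "    Pump_Run := FALSE;",
    "END_IF;",
])
# The same program with the pressure condition silently removed.
BOILER_TAMPERED = BOILER_V1.replace("Level_High AND Pressure_OK", "Level_High")

MIXER_V1 = "Speed_SP := 120;"
MIXER_V2 = "Speed_SP := 135;"  # planned setpoint change covered by a ticket

BASELINE = {"PLC-Boiler-01": BOILER_V1, "PLC-Mixer-03": MIXER_V1}

APPROVALS = [
    {"controller": "PLC-Mixer-03", "sha256": fingerprint(MIXER_V2),
     "not_before": datetime(2024, 5, 1, 6, 0, tzinfo=UTC), "ticket": "CHG-1042"},
]

READBACKS = [
    ("PLC-Boiler-01", BOILER_TAMPERED, datetime(2024, 5, 2, 3, 15, tzinfo=UTC)),
    ("PLC-Mixer-03", MIXER_V2, datetime(2024, 5, 2, 3, 15, tzinfo=UTC)),
    ("PLC-Valve-07", "Valve_Open := TRUE;", datetime(2024, 5, 2, 3, 15, tzinfo=UTC)),
]


def run_example() -> list:
    return check_readbacks(BASELINE, READBACKS, APPROVALS)


if __name__ == "__main__":
    for controller, kind, changed in run_example():
        print(controller, kind)
        for line in changed:
            print("   ", line)
```

The boiler controller is reported as an unapproved change with the removed interlock condition shown line by line, the mixer change is matched to its ticket, and a controller missing from the baseline is reported rather than ignored. Nothing here touches the Windows file system, which is exactly why an endpoint antivirus on the HMI or engineering workstation stays silent.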

Why availability takes priority over security updates in OT:

In OT environments, the highest priority is continuous operation. Production lines, utilities, and safety systems are expected to run 24/7, and even a short downtime can result in major financial loss or safety risk. Because of this, security updates are often delayed, restricted, or avoided altogether.

Antivirus software depends on frequent updates to remain effective. It needs regular signature updates, engine upgrades, and sometimes system reboots. In OT systems, these actions are seen as risky because they can interrupt control processes, crash legacy applications, or invalidate vendor certifications. As a result, antivirus in OT is usually configured in a limited or outdated state. Updates may be applied only during planned shutdowns, which might happen once or twice a year. During normal operation, the system remains exposed to new threats that antivirus is not equipped to recognize.

This creates a gap where systems remain available but gradually become insecure. In OT, availability is protected at the cost of timely security updates, reducing the real effectiveness of antivirus protection.

Why legacy OT systems break traditional antivirus protection:

A legacy system in OT refers to control hardware and software that has been in operation for many years and is still performing its intended function reliably. These systems were designed primarily for stability, deterministic behaviour, and long life cycles, often running for 10–25 years without major changes. Typical examples include PLCs, HMIs, and SCADA servers running on old operating systems such as Windows XP, Windows Embedded, or vendor-specific real-time platforms that are no longer supported or updated.


Antivirus software, on the other hand, is designed with modern IT assumptions. It expects systems to support frequent updates, background scanning, sufficient processing power, and compatibility with the latest security engines. Legacy OT systems do not meet these expectations. Even a small increase in CPU load or memory usage can impact scan times, screen refresh rates, or real-time communication with controllers.


In many OT environments, vendors explicitly restrict or prohibit antivirus installation because it can interfere with certified system behaviour or void support agreements. When antivirus is allowed, it is often outdated, partially disabled, or limited to basic scanning, which significantly reduces its effectiveness. As a result, antivirus cannot operate as intended on legacy OT systems. The gap between modern security assumptions and long-lived industrial technology makes legacy systems one of the biggest reasons why antivirus alone fails to protect OT environments.


A quick note on what a legacy system actually is: from a pure technology and IT perspective, modern Windows versions such as Windows 10 LTSC or Windows 11 are not legacy systems. They are actively supported by Microsoft, receive regular security updates, and are designed to work with modern antivirus and endpoint security tools. In OT environments, a system is called legacy not only because of its age, but because of how it is used and maintained. Even a newer Windows version can effectively become “legacy” when it runs vendor-certified control software that must not be changed, when security patches are frozen to avoid process disruption, when antivirus updates are limited or disabled, and when the system configuration remains unchanged for many years. In such cases the operating system may be modern, but the operational constraints are legacy-like. In OT, a system is considered legacy if it cannot be updated freely, if security tools must be restricted, if any change risks production downtime or safety, and if vendor support depends on keeping the system unchanged. So legacy is about life cycle and change tolerance, not just OS version.

How OT attacks bypass antivirus by mimicking normal behaviour:

In OT environments, most actions that control machines, such as starting equipment, changing setpoints, downloading logic, or acknowledging alarms, are legitimate daily activities performed by operators and engineers. Control systems are designed to trust authenticated users and approved engineering tools, not to question intent.

Attackers take advantage of this trust model. Instead of deploying obvious malware, they use authorized access, valid credentials, and standard engineering software to make small but harmful changes. From the system’s point of view, these actions look exactly like routine maintenance or process optimization.

Antivirus is designed to detect malicious files and abnormal programs, not valid control commands. When an attacker changes a temperature limit, disables an interlock, or modifies a control sequence using approved tools, antivirus sees no suspicious behaviour because no malicious file is involved. As a result, the attack blends into normal operations. The system appears healthy from an IT security perspective, while the physical process is quietly being manipulated, making this type of OT attack especially dangerous and hard to detect.

Why east-west traffic in OT is invisible to antivirus:

In OT networks, most communication does not flow to the internet or external servers. Instead, it moves horizontally within the plant, such as PLC-to-PLC, HMI-to-controller, or engineering station-to-remote I/O. This internal communication is known as east-west traffic and is essential for normal plant operation.

Antivirus works at the endpoint level. It monitors files, processes, and sometimes inbound or outbound connections on a single machine. It does not analyse continuous device-to-device communication happening across the OT network. As long as no malicious file is written to disk, the antivirus remains blind.

OT attacks often spread laterally by abusing industrial protocols like Modbus, Profinet, EtherNet/IP, or OPC. Malicious commands can be sent from one trusted device to another, appearing as normal control traffic. Antivirus does not understand these protocols or the meaning of the commands inside them. As a result, attackers can move across the OT network, discover devices, and manipulate controllers without triggering any antivirus alert. The threat exists in the network traffic, not on the endpoint, making antivirus ineffective against east-west OT attacks.
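The two preceding sections make the same point from different angles: a valid write command from a trusted device looks like routine operation, and it travels device-to-device where no endpoint scanner is looking. The only place to see it is the network, and the check has to understand the protocol. As an added example for both sections (written for this post, not the post's own code or any product's), here is a small Modbus/TCP inspector that parses the MBAP header and function code, then flags write functions that come from a source not allowed to write, or that land in an address range reserved for interlocks and trip limits. The IP addresses, the policy, the protected ranges and every captured frame are constructed.

```python
"""Added example (not from the post): a small Modbus/TCP inspector that flags
write commands moving east-west between plant devices, which endpoint
antivirus never sees. Addresses, ranges and captured frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change controller state, and the address space they touch.
WRITE_FUNCTIONS = {
    0x05: ("Write Single Coil", "coils"),
    0x06: ("Write Single Register", "holding_registers"),
    0x0F: ("Write Multiple Coils", "coils"),
    0x10: ("Write Multiple Registers", "holding_registers"),
}

# Constructed policy: only the HMI (.20) and engineering station (.30) may write,
# and the 4000-4015 ranges are reserved for interlock enables and trip limits.
POLICY = {
    "write_sources": {"10.1.1.20", "10.1.1.30"},
    "protected": {"coils": (4000, 4015), "holding_registers": (4000, 4015)},
}


@dataclass
class ModbusFrame:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # start address carried by the common request types
    data: bytes              # PDU bytes after the function code


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusFrame:
    """Parse MBAP header (7 bytes) + PDU; raise ValueError on a malformed frame."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function, data = payload[7], payload[8:]
    address = None
    if function < 0x80 and len(data) >= 2:   # requests, not exception responses
        address = struct.unpack(">H", data[:2])[0]
    return ModbusFrame(src, dst, tid, unit, function, address, data)


def write_span(frame: ModbusFrame) -> tuple:
    """First and last address a write touches (multi-writes carry a quantity)."""
    if frame.function in (0x0F, 0x10) and len(frame.data) >= 4:
        quantity = struct.unpack(">H", frame.data[2:4])[0]
        return frame.address, frame.address + max(quantity, 1) - 1
    return frame.address, frame.address


def inspect_frame(frame: ModbusFrame, policy: dict = POLICY) -> list:
    """Return policy findings for one frame; reads produce none."""
    if frame.function not in WRITE_FUNCTIONS or frame.address is None:
        return []
    name, space = WRITE_FUNCTIONS[frame.function]
    findings = []
    if frame.src not in policy["write_sources"]:
        findings.append(f"WRITE_FROM_UNEXPECTED_SOURCE {frame.src}->{frame.dst} {name}")
    lo, hi = policy["protected"][space]
    first, last = write_span(frame)
    if first <= hi and last >= lo:   # any overlap with the protected range
        findings.append(f"WRITE_TO_PROTECTED_RANGE {space}[{first}-{last}] from {frame.src}")
    return findings


def analyse(captured: list) -> list:
    """captured: [(src, dst, payload)] -> [(transaction_id or None, finding)]."""
    report = []
    for src, dst, payload in captured:
        try:
            frame = parse_modbus_tcp(src, dst, payload)
        except ValueError as exc:
            report.append((None, f"MALFORMED {src}->{dst}: {exc}"))
            continue
        report.extend((frame.transaction_id, f) for f in inspect_frame(frame))
    return report


# Constructed capture of (src, dst, raw TCP payload):
CAPTURE = [
    # tid 1: HMI writes setpoint register 16 := 500 (routine)
    ("10.1.1.20", "10.1.1.50", bytes.fromhex("0001000000060106001001F4")),
    # tid 2: one PLC forces interlock coil 4000 ON on another PLC, no HMI involved
    ("10.1.1.51", "10.1.1.50", bytes.fromhex("00020000000601050FA0FF00")),
    # tid 3: HMI reads 10 holding registers from address 0 (routine)
    ("10.1.1.20", "10.1.1.50", bytes.fromhex("00030000000601030000000A")),
    # tid 4: engineering station writes registers 3998..4001, straddling the trip limits
    ("10.1.1.30", "10.1.1.50", bytes.fromhex("00040000000F01100F9E0004080000000000000000")),
    # truncated frame: MBAP header only, no function code
    ("10.1.1.51", "10.1.1.50", bytes.fromhex("00050000000601")),
]


def run_example() -> list:
    return analyse(CAPTURE)


if __name__ == "__main__":
    for tid, finding in run_example():
        print(tid, finding)
```

The routine HMI setpoint write and the read pass silently; the PLC-to-PLC coil write is reported twice (wrong source, protected address); the engineering station's multi-register write is allowed by source but still reported because its span overlaps the protected range; and a truncated frame is reported rather than dropped. Every one of these frames is a syntactically valid command that a controller would accept, which is why a file-oriented scanner on the endpoint has nothing to say about them.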

I have covered the general theory of why antivirus alone fails in OT. I have not attempted to cover every related topic, as the details vary from case to case. Once you are familiar with this type of technology, you can easily troubleshoot any issues related to it.

Thank you for reading the post. I hope you liked it and that it opens a new way into this type of technology.

