In my journey to help organisations cloud-enable their Operational Technology (OT) environments, I have co-authored several posts including:
- Extending Operational Technology to Azure
- OT Cloud Enablement – Cloud Adoption Models
- OT Cloud Enablement – Azure Active Directory Tenant
As I continue this journey, I am shifting my focus to how established OT security standards can be interpreted and applied to support bringing cloud capabilities into OT environments.
This series focuses exclusively on Azure, not Microsoft 365 or other Microsoft Cloud offerings, such as Dynamics 365 or Power Platform.
The Prime Directives
One of the earliest and most important learnings when embarking on the challenge of helping organisations cloud-enable their Operational Technology (OT) environments was the need to first understand the requirements and control objectives that govern OT systems. Unlike traditional IT environments, OT operates under a distinct set of safety, reliability, and security constraints that must be respected before introducing cloud capabilities.
In many cases, this exploration led me to the following industry standards as primary reference points:
What quickly became apparent is that these standards are best viewed as foundational guardrails rather than prescriptive implementation guides. They define what must be protected and why, but often leave flexibility in how controls are implemented—particularly when applied to modern, cloud-enabled architectures. That said, they provide an essential starting point for designing secure OT solutions.
Throughout this series, I will use these standards as the foundation to explore the following areas:
- Identity and Access Management
- Requirements and Controls
- Authentication and authorisation technologies
- Identification and authentication controls
- more to come