Most of the cybersecurity coverage aimed at small business focuses on IT — email, files, M365, laptops. That is the side of cyber where ransomware encrypts the shared drive and the office stops working for a few days. Painful, but recoverable.
OT — operational technology — is a different category. OT is the controllers, sensors, and networked equipment that runs production. The PLC controlling a sawmill green chain. The telemetry head on a grain auger. The SCADA-style system monitoring a battery site. The building-management system controlling a cold-storage warehouse. When OT goes down, production stops. Not "the office is slower today" stops. Stops. Crews go home. Trucks sit. Customers wait. The financial cost of an OT incident measured per hour is usually an order of magnitude larger than an IT incident at the same business.
This article is a plain-language walkthrough of OT cybersecurity for northern Alberta SMBs — sawmills, ag operations, oilpatch shops, and the building systems that sit alongside them.
What counts as OT for a northern Alberta SMB
The line between IT and OT is fuzzier than the textbooks suggest, especially at SMB scale. For a typical 30-person operation in Mackenzie County or the broader Peace River region, OT usually includes some combination of:
- Programmable logic controllers (PLCs) on sawmill lines, edgers, planers, and material-handling equipment
- Telemetry and SCADA-adjacent systems on ag equipment, grain handling, water systems, fuel monitoring
- Building automation: HVAC, refrigeration, cold storage, lighting controls, access control panels
- Networked CCTV and video management systems
- Generator and UPS controllers with network management cards
- Vendor-installed remote-access systems on capital equipment (often unmanaged and undocumented)
- Older Windows PCs running line-of-business or controller software that the vendor will not let you patch
If you are reading that list and thinking "we have most of those, but I am not sure exactly which network they are on" — that is the normal starting position. The first job of OT security is asset visibility. The second is segmentation.
The four most common OT attack vectors
Industry data and incident-response reports converge on a small set of attack paths that account for most OT incidents at SMB scale.
1. The engineer laptop bridge. A maintenance technician or controls engineer carries a laptop between the office network and the shop floor. The laptop has email, browsing, and USB ports. It also has the controller programming software and a direct connection to PLCs when on-site. A single phishing compromise of that laptop opens a path from email to controllers. This is the most common OT entry vector at SMBs.
2. Weak remote-access VPNs. Almost every piece of modern industrial equipment ships with vendor-installed remote access — VPN, cellular modem, vendor cloud portal. Often deployed by the equipment installer with default credentials, no MFA, and no inventory record. The owner does not know it exists. It is exposed to the internet.
3. Flat networks. A single VLAN — or no VLANs at all — covering both the office and the shop floor. Once an attacker compromises any office endpoint, the PLCs, HMIs, and historians on the production network are reachable. No additional defence in depth.
4. Unpatched legacy controllers and HMI PCs. OT equipment runs for decades. The Windows XP and Windows 7 PCs running controller software are still on production floors. The PLCs themselves run firmware that has not been updated since installation. Vendor support contracts often prohibit unauthorized patching. The result is a population of vulnerable, internet-adjacent, unsegmented systems.
Why traditional IT controls do not translate
Several IT security practices that are baseline-good on the office side become actively harmful on the OT side.
- Do not install EDR agents on a PLC. The PLC operating systems do not support them. Even where a PLC-adjacent Windows HMI can technically host an agent, vendor warranties frequently prohibit it. Misconfigured EDR has been documented to crash control systems.
- Do not enable automatic patching on controllers. Patches to controller firmware are tested in lab environments by the equipment vendor for a reason. An auto-patch in the middle of a shift can stop the line.
- Do not deploy network scanning tools on production networks without explicit allowlists. Nmap-style discovery against legacy PLCs has crashed controllers in field-documented incidents.
- Do not assume Windows update policies that work in the office apply to HMI PCs. Those machines often need exception lists and manual patch cycles aligned with planned downtime.
OT security trades some of the IT-style defences for compensating controls — primarily segmentation, monitoring, and access discipline.
A sensible approach for a 30-person operation
The right OT security posture for an SMB is not "industrial-grade SOC with passive monitoring sensors on every switch port." That is enterprise spend. The right approach is segmentation, asset visibility, vendor-access discipline, and a documented jump-host pattern.
Network segmentation. Separate the office LAN from the OT network at the firewall. A capable small-business firewall — a Fortinet 40F, a Sophos XGS 107, or even a properly-configured pfSense box on appropriate hardware — handles this comfortably in the $400 to $1,200 range for hardware. The firewall rules permit only specific traffic from office to OT (a defined jump host, specific monitoring tools) and deny everything else.
A stylized example. A sawmill might run a VLAN scheme like:
- VLAN 10 — Office workstations, printers, M365
- VLAN 20 — Office servers
- VLAN 30 — Wireless office and guest
- VLAN 100 — OT / production: PLCs, HMIs, controllers
- VLAN 110 — OT engineering workstations (controls programming PCs)
- VLAN 120 — CCTV and physical-security systems
- VLAN 130 — Vendor remote-access jump host
Default-deny between VLANs. Specific allow rules between VLAN 110 (engineering) and VLAN 100 (production) for the controller-programming protocols. A single jump host in VLAN 130 is the only path for outside vendor access. The jump host runs a session-recorded remote-access tool with MFA on every login.
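The VLAN scheme above, modelled as a default-deny inter-VLAN policy so the rules can be checked before they go on the firewall. This is an added example, not code from the original article or from any firewall vendor; the subnets, the jump-host address and the port numbers standing in for "controller-programming protocols" (502 Modbus/TCP, 44818 EtherNet/IP, 3389 RDP to the jump host) are assumptions.

```python
import ipaddress

# Constructed VLAN-to-subnet mapping (assumption; the article names VLAN IDs only).
VLANS = {
    10:  ipaddress.ip_network("10.0.10.0/24"),   # office workstations, printers, M365
    20:  ipaddress.ip_network("10.0.20.0/24"),   # office servers
    30:  ipaddress.ip_network("10.0.30.0/24"),   # wireless office and guest
    100: ipaddress.ip_network("10.0.100.0/24"),  # OT / production: PLCs, HMIs
    110: ipaddress.ip_network("10.0.110.0/24"),  # OT engineering workstations
    120: ipaddress.ip_network("10.0.120.0/24"),  # CCTV and physical security
    130: ipaddress.ip_network("10.0.130.0/24"),  # vendor remote-access jump host
}
JUMP_HOST = ipaddress.ip_address("10.0.130.10")  # constructed address of the single jump host

# Inter-VLAN allow rules as (src_vlan, dst_vlan, permitted TCP ports). Everything
# not listed here is denied. Port numbers are assumptions for this example.
ALLOW = [
    (110, 100, {502, 44818}),        # engineering -> production: programming protocols only
    (10,  130, {3389}),              # office -> jump host: remote-access session
    (130, 100, {502, 44818, 3389}),  # jump host -> production
]

def vlan_of(ip):
    """Return the VLAN ID whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None

def is_allowed(src, dst, port):
    """Evaluate one TCP flow (src -> dst:port) against the default-deny policy."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None or d is None:
        return False               # address not in any known VLAN: deny
    if s == d:
        return True                # intra-VLAN traffic never crosses the firewall
    for src_vlan, dst_vlan, ports in ALLOW:
        if s == src_vlan and d == dst_vlan and port in ports:
            # Only the named jump host may originate vendor traffic from VLAN 130
            if src_vlan == 130 and ipaddress.ip_address(src) != JUMP_HOST:
                return False
            return True
    return False                   # default deny

def reachable(src, targets, port, segmented=True):
    """Targets src can reach on port; segmented=False models the flat network of vector 3."""
    if not segmented:
        return list(targets)
    return [t for t in targets if is_allowed(src, t, port)]
```

Running `reachable("10.0.10.5", plcs, 502, segmented=False)` against a list of PLC addresses returns all of them, which is exactly the flat-network exposure the article warns about; with segmentation on, the same office workstation reaches none.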
Asset inventory on the OT side. A spreadsheet is acceptable to start. Better is a small passive-discovery tool inside the OT VLAN, but at SMB scale a documented inventory updated quarterly meets the standard for both cyber-insurance and a typical OT audit. Every device: vendor, model, firmware version, IP, last-touched date, vendor contact.
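A quarterly review of that spreadsheet can be scripted. The following is an added example, not the article's own tooling: it reads an inventory CSV with the columns the article lists (plus an expected VLAN) and flags entries that have gone stale against the 90-day cadence, have no vendor contact, sit on an IP outside their declared VLAN, or share an IP with another asset. The sample rows, subnets and contact addresses are constructed.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample inventory (not a real site). Columns follow the article's list:
# vendor, model, firmware version, IP, last-touched date, vendor contact, plus VLAN.
SAMPLE_CSV = """name,vendor,model,firmware,ip,vlan,last_touched,vendor_contact
edger-plc,ExampleCo,PLC-1000,2.1.4,10.0.100.11,100,2024-03-02,support@example.invalid
planer-hmi,ExampleCo,HMI-7,1.0.0,10.0.100.12,100,2023-09-15,
eng-laptop-1,ExampleCo,Workstation,n/a,10.0.10.40,110,2024-04-01,support@example.invalid
chiller-bms,OtherCo,BMS-3,5.2,10.0.100.11,100,2024-02-20,bms@example.invalid
"""

# Assumed subnets for the OT-side VLANs named in the article.
VLAN_SUBNETS = {
    100: ipaddress.ip_network("10.0.100.0/24"),
    110: ipaddress.ip_network("10.0.110.0/24"),
    120: ipaddress.ip_network("10.0.120.0/24"),
    130: ipaddress.ip_network("10.0.130.0/24"),
}
STALE_DAYS = 90  # quarterly update cadence from the article

def review_inventory(csv_text, today):
    """Return a list of (asset name, finding) tuples for an OT inventory CSV."""
    findings = []
    seen_ips = {}  # ip -> first asset name seen with that ip
    for r in csv.DictReader(io.StringIO(csv_text)):
        name = r["name"]
        # 1. Stale entry: not touched within the quarterly review window
        touched = date.fromisoformat(r["last_touched"])
        if (today - touched).days > STALE_DAYS:
            findings.append((name, "stale: last touched %s" % r["last_touched"]))
        # 2. No vendor contact recorded: nobody to call when the line stops
        if not r["vendor_contact"].strip():
            findings.append((name, "no vendor contact"))
        # 3. IP does not sit inside the subnet of its declared VLAN
        ip = ipaddress.ip_address(r["ip"])
        net = VLAN_SUBNETS.get(int(r["vlan"]))
        if net is None or ip not in net:
            findings.append((name, "ip %s outside VLAN %s" % (r["ip"], r["vlan"])))
        # 4. Duplicate IP: two inventory rows claim the same address
        if r["ip"] in seen_ips:
            findings.append((name, "duplicate ip %s (also %s)" % (r["ip"], seen_ips[r["ip"]])))
        seen_ips.setdefault(r["ip"], name)
    return findings
```

Pass the review date in explicitly (for example `review_inventory(SAMPLE_CSV, date.today())`) so the same inventory file produces repeatable results in an audit trail.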
Vendor remote-access discipline. Every vendor that has ever connected to your OT environment gets documented. Access goes through the jump host with named credentials and MFA. Standing always-on connections (vendor-installed cellular modems, vendor cloud bridges) are inventoried, justified, and either replaced with on-demand access or isolated behind their own firewall rules. This single control alone closes most SMB OT incidents.
Documented downtime windows for patching. HMI PCs and supported controllers get patched on a defined cadence aligned with planned production downtime. Patches are tested on a non-production HMI first when possible. Unsupported legacy systems are documented as risk-accepted with a documented end-of-life plan, even if that plan is "five years out."
What this costs at SMB scale
For a 30-person northern Alberta operation with a mix of sawmill, ag, or oilpatch OT, a defensible OT security baseline usually costs:
- Firewall and segmentation work: $400 to $1,200 hardware plus 8 to 16 hours of configuration
- Jump host with session recording: a $30 to $80 per month managed service or a documented internal pattern
- Asset inventory and vendor-access policy: 4 to 8 hours of documentation work
- Annual review and tabletop: 4 to 6 hours
Plus the ongoing operational discipline of actually following the policy. The hardware spend is small. The discipline is most of the work.
When to bring in help
OT security is a different specialty from IT security. Most northern Alberta SMBs do not need a full-time OT specialist on retainer. They do need someone who can walk the floor, draw the network diagram, write the policy, and configure the firewall correctly. That is the engagement model that fits — a structured one-time assessment followed by an annual review.
If you are looking at a sawmill, ag operation, or shop with PLCs, controllers, or vendor remote access, and you have never had OT specifically reviewed, that is the right place to start. The first question is always the same: what is connected, who can reach it, and what would happen if it stopped?
Peace Country Cyber offers OT security assessments alongside our standard cyber-insurance and managed services work.