The second field is the security of operational technology, the computers that run physical processes: the controllers, sensors, and actuators of a refinery, a grid, a water plant. It is the exemplar domain for this work, and it is where the abstract concern of the previous entries, whether a claim's basis is sufficient to act on, acquires a body. Supply-chain security, examined just before, is the discipline of trusting an artefact by attesting its integrity. Operational technology is the domain where a wrongly-trusted artefact stops being a data problem and becomes a physical one. The two are the same argument from opposite ends, and this entry follows them to the point where they meet.
A field with inverted priorities
Operational technology security inverts the usual ordering of information security. Conventional IT security ranks confidentiality first. Operational technology ranks safety and availability first, and it does so because the consequence model is different in kind. An IT breach typically means data is lost or exposed. An operational-technology breach can mean equipment failure, environmental release, or loss of life. The field maps its systems onto the Purdue reference model, a hierarchy running from the physical process and its controllers at the lowest levels, up through supervisory and operations layers, to enterprise and external networks, and it defends them by segmentation, isolating the operational levels from the enterprise ones. The dominant industrial standard builds its architecture of zones and conduits directly on that model (Cyber Security of OT Networks, 2025).
The property that matters most is irreversibility. An action taken in an operational-technology system manifests immediately and physically: a valve opens, a pump stops, a breaker closes. Unlike an IT system, where a compromise can often be detected and rolled back, an operational-technology system frequently cannot safely reverse an action once it is taken. This is the ground beneath the whole of this work. When the next owner of a claim is a controller about to actuate, the distance between a claim that is merely asserted and one that is demonstrated is the distance between a safe action and one that cannot be undone by correcting the record afterwards.
Where the two fields fuse
The two fields meet in the operational-technology supply chain, and the meeting is not hypothetical. The canonical case is the Triton malware, also called Trisis, discovered in 2017 at a Saudi petrochemical facility. It is the first known malware built to interact with a Safety Instrumented System, the controller whose sole purpose is to bring a physical process to a safe state when something goes wrong (MITRE, n.d.). The attackers reached the plant's information-technology network months in advance, moved into the operational environment, and ultimately reached six safety controllers, with the capability, in the assessment of the analysts who later studied it, to have caused major physical damage and loss of life (INL/DOE CyOTE, 2022).
Within that case sits a smaller event that states the thesis of this work more plainly than any argument could. Before the intruders were discovered, their malware accidentally tripped one of the safety controllers, and the plant shut down. The engineers investigated, concluded the shutdown was a mechanical fault, and restarted the refinery (INL/DOE CyOTE, 2022). It was not a mechanical fault. It was an adversary in the safety system, and the misdiagnosis handed the attackers two further months of undisturbed access. A piece of carried-forward state, the shutdown was a mechanical error, reached the people deciding whether to resume operations, and it arrived carrying no representation of how firmly it was known. It was an inference, made under uncertainty from incomplete information, and it was promoted to a fact and acted upon. The action was physical and consequential. This is the failure this work names, occurring at a real safety boundary, in a real plant, its worst outcome averted by luck rather than by discipline.
One boundary must be stated honestly. The way the attackers first entered is documented as an intrusion into the information-technology network, not as a software supply-chain compromise, and this work does not claim otherwise. Two narrower things are claimed, and both are supported. Triton is the canonical instance of a trust failure reaching a physical-safety controller, which is the consequence side of the fusion. And the engineers' misdiagnosis is a documented case of unverified state being promoted to fact and acted upon at a safety boundary. The defensive response to threats of this kind, the extension of supply-chain practices such as bills of materials and component attestation into critical-infrastructure operational technology, is the other half of the fusion, and it is now visible in national policy.
The recurring principle
Across the three fields this review has now touched, one principle recurs, arrived at independently in each. The supply-chain field reaches it as separation. Network security reaches it as the demilitarized zone. Operational technology reaches it as zones and conduits. In each, safe design attaches trust deliberately and prevents its unfounded propagation, rather than inferring trust from how a thing appears. That three separate disciplines converged on the same move is a strong sign that it is the right one, and that a claim's basis is something to be carried and checked at a boundary, not assumed from the confident surface of what crosses it. Where those fields attach the basis of an artefact or a network segment, this work asks the same question of a claim, and asks it at the moment the claim is about to become a physical act.
References
Cyber Security of OT Networks: A Tutorial and Overview (2025). arXiv preprint arXiv:2502.14017. arxiv.org/abs/2502.14017
Idaho National Laboratory / U.S. Department of Energy CyOTE (2022). Case Study: TRITON Malware Attack Against Petro Rabigh. INL/RPT-22-67981. cyote.inl.gov
MITRE (n.d.). Triton (S1009), ATT&CK for ICS. attack.mitre.org/software/S1009