The industrial security community has gone by various names over the years - industrial automation control systems, process control networks, industrial control systems - but the term that resonated most was operational technology, or OT. It always represented the control loop and the connection between digital systems and the physical world. It was about physics, not an operating system.
Over the past few years, what the community has thought of as OT has expanded as the digital world has expanded. OT now relates to a carbon cracker at an oil and gas facility or to an ERP system that sends production orders directly to the manufacturing floor. It is building automation, cloud-connected analytics, and AI-driven optimization systems. The context around these systems drives their designation as OT, not the device category. If those systems go down, operations stop.
Some companies and firms think about xIoT as if IoT and IT are simply extending and converging with OT, or treat all technology as just the “T” in IT. But that approach fails to account for context — which, as the OT community knows, can translate into lives.
Today, Dragos is announcing Extended Operational Technology, or xOT, not as a rebrand of the OT mission, but as a new standard for how the industry defines and defends the full operational environment, so the OT community can continue protecting what matters most without diluting that mission.
Extended operational technology (xOT) defines the full scope of the operational environment - every system, regardless of classification, ownership, or protocol, that can influence a control loop or physical process.
Protecting operations means protecting what influences the physical world. The question is whether the systems within your security program align with the full scope of factors that now influence your operations. For years, we sorted devices by type: OT here, IT there, IoT somewhere in between. Those categories describe what systems are. The control loop test asks what they do.
For example, a printer in an OT network printing non-critical reports is an IT device that happens to be there. That same printer, producing labels that stop a manufacturing line if it goes down, is an xOT device. The difference isn’t the device. It’s the context.
That context problem runs deeper than most organizations realize. A Windows-based human-machine interface - the operator screen that directly controls a physical process - is inventoried as an IT asset because it runs a familiar operating system. It gets patched on an IT schedule, monitored by IT tools, and managed by an IT team. But that device is controlling a physical process. It is xOT. The mislabeling is the gap. And it is exactly the kind of gap adversaries are trained to find.
In this context, every one of these systems can influence a physical process. In many organizations, most of them sit outside the security perimeter that was built to protect “OT.”
In our experience working across critical infrastructure sectors, organizations consistently find systems they did not know were influencing their operations - environmental sensors feeding data to control systems, IIoT devices embedded in production processes, building automation platforms sharing network infrastructure with industrial controllers. The gap is significant enough to materially change how they think about risk.
Most OT security programs were designed around the traditional definition. They cover the control devices well. They often cover engineering workstations and historians. The further you move from the traditional OT core - into analytics platforms, building automation, and remote access infrastructure - the less likely those systems are to be included in the asset inventory, actively monitored, or considered when assessing what could actually disrupt operations.
The HMI, mislabeled as an IT asset, is exactly the kind of system most organizations would not flag as an OT security priority, yet it directly controls a physical process. The gap between how organizations classify their environment and what is actually influencing operations is the xOT problem in practice.
Securing the xOT environment requires more than extending visibility. It requires rethinking the scope entirely. Which systems are in scope, which teams own them, and how they factor into operational risk decisions. Most organizations find the organizational problem harder than the technical one.
Organizations need to conduct an honest accounting of their actual operational environment. Not the definition they inherited. Not the inventory they built five years ago. Every system that touches the control loop, every dependency that could be exploited to disrupt operations, every team that owns a piece of the environment that influences physical outcomes. That accounting will surface gaps. The point is to find them before an adversary does.
This also reinforces something the community has known but has not acted on enough: prevention alone is not sufficient. Firewalls, segmentation, and patching are necessary. But when an AI-assisted adversary can map an internal environment, identify OT-adjacent infrastructure, and develop a targeted access path in hours rather than days, the organizations that fare best are those with visibility into their full operational environment, the ability to detect threats within it, and the capability to respond before physical processes are affected.
That is what Dragos has always been building toward - the visibility, context, and protection required to defend the full scope of the xOT environment, wherever it now extends.
Operational environments are more connected than ever, and that connectivity is accelerating. AI is being integrated into industrial decision-making in ways that will expand the xOT environment further over the next several years. AI is also being integrated into adversary operations in ways that compress the time between IT compromise and OT targeting, reducing the expertise required and accelerating the identification of the very systems that fall into the gap between the traditional OT definition and the real operational environment. Regulatory frameworks are beginning to catch up, but regulation follows incidents, and the incidents are already happening.
The organizations that get ahead of this are the ones willing to ask an uncomfortable question: Does our security program reflect the environment we are actually running, or the one we think we are running? Dragos is built to answer it by protecting the control loop and the systems that influence it, without losing sight of the mission that has always driven this community.
That is why we are excited about the acquisition of Phosphorus and what it enables for our customers. Together, we are building the xOT platform the industrial community needs, delivering the visibility, context, and protection required to keep the control loop and physical operations running safely.
