Who is Responsible for OT Data?

Key Insights to Understand Ownership and Management in Industrial Environments

Digital transformation in industry has brought multiple benefits: greater operational efficiency, improved traceability, predictive maintenance, smart automation, and smoother integration between IT (Information Technology) and OT (Operational Technology) environments. However, it has also sparked a growing debate: who is really responsible for the data generated by OT systems?

This question, which may seem merely technical or administrative, carries deep implications in terms of security, regulatory compliance, legal liability, industrial privacy, and business continuity. Unlike the IT environment, where data governance policies are more mature, in OT this discussion remains open—especially in critical industrial sectors such as energy, water, pharmaceutical manufacturing, automotive, and food production.


What Do We Mean by OT Data?

OT (Operational Technology) data includes all information generated by devices, sensors, control systems, PLCs, SCADA, HMI, and other technologies that operate, automate, and monitor physical processes in real time. This data includes:

  • Sensor readings (temperature, pressure, flow, vibration, etc.)
  • Machine statuses (on/off, cycles, alarms)
  • Control instructions (PLC commands to actuators)
  • Event logs and process histories
  • Information on downtime, efficiency, and maintenance

This data is essential not only for daily plant operations but also for productivity analysis, energy management, business decisions, and increasingly, to feed artificial intelligence, machine learning, and predictive maintenance systems.


The Responsibility Dilemma: Whose Data Is It?

In theory, data generated in an industrial plant belongs to the organization that owns the plant. In practice, the situation is more complex. With the growth of industrial digital ecosystems, multiple actors access, hold custody of, or process this data:

  • Machinery or PLC manufacturers
  • System integrators
  • Cloud or industrial software providers (IIoT, MES, SCADA)
  • Internal IT or engineering departments
  • External maintenance companies
  • Data analytics or AI providers

This raises key questions:

  • Who has authority to access, modify, or share the data?
  • What happens if data is lost, altered, or stolen?
  • Who is accountable if a cyberattack compromises OT data integrity?

A Key Difference: IT vs. OT

In IT environments, the role of the Data Owner is usually well defined. Data governance policies are backed by standards and regulations like ISO/IEC 27001, GDPR, or NIS2. However, in OT, this role is not always clearly assigned. Reasons include:

  • OT data is generated and used in real time to control physical processes, and is not always stored or managed like IT data.
  • OT systems are designed primarily for availability and physical security, not for data privacy or ownership.
  • Roles between IT and OT are often misaligned, leading to responsibility conflicts over control of systems and data.

The result is a governance gray area, where decisions about who can access, move, or analyze data may lack clear policies or appropriate security measures.


OT Cybersecurity: Protecting Data Means Protecting Operations

One major risk of not defining responsibility over OT data is increased exposure to cyberattacks. Unlike IT environments—where data is the primary target (information theft, privacy breaches, espionage)—in OT the goal is often to disrupt physical processes, but data remains a key attack vector.

For example:

  • Ransomware can lock access to SCADA, blocking supervision of critical processes.
  • An attacker can alter historical logs, compromising traceability of batches in regulated industries.
  • Data synchronization errors can cause unplanned shutdowns or wrong production decisions.

This shows that the integrity, availability, and authenticity of OT data are as important as its confidentiality—and responsible parties must be clearly designated to guarantee these properties.


Regulatory Framework and Relevant Standards

As awareness of OT cybersecurity and industrial data protection grows, various regulatory frameworks are beginning to demand clear responsibilities over industrial data:

  1. IEC 62443
    • Defines roles such as Asset Owner and Service Provider.
    • Requires access control, data traceability, and network segmentation.
    • Recommends identity management, authentication, and access authorization policies.
  2. NIS2 (European Directive)
    • Applies to essential industrial sectors.
    • Requires organizations to implement measures ensuring operational data protection.
    • Includes incident notification obligations impacting information security.
  3. ISO/IEC 27001 and 27019
    • Traditionally IT-focused, but applicable and recommended for OT systems.
    • Includes controls on data ownership, classification, encryption, backup, and recovery.
  4. Sector-specific regulations
    • Pharmaceuticals: GMP, GAMP5, FDA 21 CFR Part 11.
    • Food: IFS, BRCGS, ISO 22000.
    • Energy: NERC CIP, ENTSO-E.

Who Should Be Responsible for OT Data?

While there is no one-size-fits-all answer, good practices can help define a clear and functional governance model:

  1. The OT Data Owner Role
    Designate a person or department responsible for governing OT data, with authority to define policies for access, integrity, use, and storage.
  2. IT/OT Convergence: Collaboration, Not Replacement
    IT brings data protection expertise, OT understands process criticality. Hybrid teams or industrial security committees should be formed with shared responsibilities.
  3. Contracts and Agreements with Providers
    Contracts must clearly define:
    • Who can access data
    • Where and for how long data is stored
    • How protection, encryption, and secure deletion are ensured
    • Procedures in case of security breaches
  4. Data Classification and Labeling
    Not all OT data has the same value or sensitivity level. Industrial data classification policies help prioritize protection resources based on impact.
  5. Audit and Traceability
    Implement logging systems for data access and changes, integrated with control systems (SCADA, DCS, historians) to ensure any manipulation is detectable and traceable.
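
One way to make manipulation of access and change records detectable, as item 5 asks (an added example, not code from the original article): each audit entry carries an HMAC that also covers the previous entry's MAC, so editing or deleting a record breaks the chain at that position. The key, field names and sample events are constructed assumptions.

```python
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-demo-key"  # assumption: held by the logging service only
GENESIS = "0" * 64


def _mac(prev_mac, event):
    """HMAC-SHA256 over the previous entry's MAC plus this event's canonical JSON."""
    payload = prev_mac.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log, event):
    """Append an event, chaining it to the entry before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "mac": _mac(prev, event)})


def verify_chain(log, expected_head=None):
    """Return (ok, index of the first altered or missing entry, or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["mac"], _mac(prev, entry["event"])):
            return False, i
        prev = entry["mac"]
    # The chain alone cannot show that the newest entries were cut off, so the
    # latest MAC is also compared with a copy kept outside the log store.
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed sample: two setpoint writes and one data export."""
    log = []
    for event in (
        {"ts": "2024-05-02T08:00:00Z", "user": "operator1", "system": "SCADA",
         "action": "setpoint_write", "tag": "TIC-101.SP", "old": 72.0, "new": 75.0},
        {"ts": "2024-05-02T08:05:00Z", "user": "vendor_svc", "system": "historian",
         "action": "export", "tag": "batch-0001", "old": None, "new": None},
        {"ts": "2024-05-02T08:09:00Z", "user": "engineer2", "system": "DCS",
         "action": "setpoint_write", "tag": "FIC-204.SP", "old": 10.0, "new": 12.5},
    ):
        append_entry(log, event)
    return log
```

The verification key and the stored head MAC belong with whoever is designated OT Data Owner, separate from the accounts that can write to the historian or the export channel.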

Practical Case: A Plant Without a Responsible OT Data Owner

Imagine an industrial plant where SCADA data is exported to a cloud analytics system managed by an external provider. A communication channel failure corrupts some data, causing a product quality deviation.

Without clear responsibility:

  • OT blames the cloud provider.
  • IT claims no control over those systems.
  • Production requests corrective actions without understanding the root cause.

This increasingly common scenario highlights the need to designate clear owners for the OT data lifecycle to avoid internal conflicts, financial losses, and reputational damage.


Conclusion: OT Data Is a Strategic Asset

In today’s connected and digital industry, OT data is not just a byproduct of processes—it is a strategic asset. Its value goes beyond daily operations: it supports business decisions, regulatory compliance, operational efficiency, and process integrity.

The question “Who is responsible for OT data?” cannot remain unanswered. Every organization must define a governance model, assign roles, establish clear policies, and integrate OT data management into its industrial cybersecurity and digital transformation strategy.


Need help defining an OT data governance strategy?

At Kollaborative Work, we help industrial companies design OT data management policies, implement frameworks like IEC 62443, strengthen cybersecurity for critical infrastructure, and foster a culture of operational information protection. Visit us to discover how we can help you turn your data into a competitive—and secure—advantage.
