Episode 21 — Apply Modern OT Patterns: Virtual Machines, Hypervisors, Switching, and Virtual PLCs

In this episode, we’re going to take a calm, practical look at how modern Operational Technology (O T) environments are starting to resemble parts of traditional I T, and why that matters for security. For a long time, many people pictured O T as racks of specialized hardware running the same way for decades, and sometimes that is still true. But more and more, industrial environments are adopting patterns like virtual machines, hypervisors, and virtualization-friendly networking, because those patterns can solve real operational problems. The twist is that these improvements can also change how risk shows up, how failures spread, and how defenders should think about visibility and control. By the end, you should be able to explain what virtualization is doing inside O T, what virtual P L C s are trying to accomplish, and why switching behavior in a virtualized environment becomes a security topic even when no one feels like they are doing anything “cyber.”

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A helpful starting point is to separate the idea of a workload from the physical box it runs on, because that mental split is the foundation of most modern patterns. In older setups, one application often lived on one physical server, and if that server failed, the application failed with it. Virtualization changes that by letting a single physical host run multiple virtual machines, each behaving like its own computer with its own operating system, memory, and storage. In O T, these workloads might be historian services, engineering workstations, H M I servers, patch management tools, or even vendor-provided monitoring components that used to require dedicated hardware. The reason this is attractive is not only cost, but also manageability, faster recovery, and the ability to standardize. The security consequence is that a compromise or a misconfiguration can now have a blast radius that includes many systems sharing one physical host, and understanding that shared foundation becomes just as important as understanding the individual virtual machines.

The component that makes virtualization possible is the hypervisor, which is the layer that creates and manages the virtual machines and controls how they share the physical host’s resources. Think of the hypervisor as the traffic cop and landlord at the same time, deciding who gets time on the processor, how memory is separated, and how virtual storage and virtual networking are presented. In industrial settings, the hypervisor might be part of a cluster designed for high availability, where if one host goes down another host automatically takes over running the virtual machines. That can be great for resilience, but it also means the hypervisor is now a high-value target because it sits below many important systems. If an attacker gains control of the hypervisor, they may be able to observe, influence, or disrupt multiple workloads at once, even if each virtual machine looks healthy from the inside. A common beginner misunderstanding is to assume that because a virtual machine looks like a normal computer, it is isolated in the same way a separate physical computer would be, and that assumption can quietly create security gaps.

Virtual machines also introduce a new kind of “who can touch what” question that matters a lot in O T, where roles and access are often tightly tied to safety and uptime. In a physical setup, someone might need to be in the control room or at the cabinet to interact with certain systems, which naturally limits exposure. With virtualization, administrative access might be available from an operations network management station, or through a dedicated management interface, or even through remote vendor support paths if not carefully controlled. That administrative access is powerful, because it can create, clone, snapshot, pause, or move a virtual machine, and those actions can be operationally useful but also security sensitive. For example, snapshots can help with recovery, but they can also capture secrets and sensitive configuration data in a recoverable form. Cloning can speed deployment, but it can accidentally duplicate credentials or identifiers that are supposed to be unique, causing confusion and unexpected trust relationships. When you hear virtualization discussed as an “efficiency” improvement, it is worth remembering that efficiency usually means more power is concentrated into fewer control points, and defenders need to treat those control points as critical infrastructure.

Now let’s connect virtualization to switching, because in many virtual environments the network is no longer just cables and physical switches. Traditional switching is the process of moving traffic inside a network based on M A C addresses, which are essentially hardware-like identifiers used to deliver frames on local networks. In virtualized systems, a virtual switch often exists inside the hypervisor, connecting virtual machines to each other and to the physical network interface cards that reach the rest of the environment. This can be surprising for beginners, because it means some traffic between two systems might never touch a physical switch at all, even though it looks like network communication. That has direct consequences for monitoring and segmentation, because if you place a sensor on a physical cable expecting to see all traffic, you may miss the “east-west” movement that happens inside the host. In O T, where segmentation is a primary safety and resilience strategy, virtual switching can either strengthen segmentation when designed well or undermine it when assumptions are carried over from older physical layouts.

Virtual switching also changes how certain controls are implemented, especially controls that depend on network boundaries. In a physical environment, you might rely on a specific switch port, a specific cable path, or a specific physical zone to enforce separation. With a virtual switch, separation is enforced by configuration inside the hypervisor and by the way virtual network interfaces are attached to virtual networks. That can be very effective, but it means configuration integrity becomes a security requirement, not just an I T preference. A misconfigured virtual port group, an overly permissive virtual network, or a forgotten test network can create unexpected pathways between systems that were supposed to be isolated. Another operational reality is that changes can happen quickly, sometimes with a few clicks, which is convenient but also risky if change control is informal. For beginners, the key lesson is that networking rules still apply, but where those rules live and how they are enforced may have shifted into software-managed components that require different visibility and governance.

It also helps to understand how virtualization affects redundancy, because redundancy is often the heart of O T reliability planning. Virtual environments often support features like live migration, where a running virtual machine can be moved from one host to another with minimal interruption. They also support high-availability clusters, where workloads restart automatically if a host fails. These are powerful capabilities, but they can hide failure conditions in a way that changes how operators experience incidents. Instead of one obvious server outage, you might see a series of brief hiccups as workloads relocate, storage paths renegotiate, or virtual networks re-converge. From a security perspective, that dynamic behavior can also create more log events, more configuration state, and more dependency on shared storage and management networks. If the shared storage system is disrupted, many virtual machines can fail together, which is different from the old world where each server had its own disks. When you’re thinking about resilience in a virtualized O T environment, you are often protecting fewer physical components, but each component matters more, and that is a tradeoff worth naming plainly.

Now we can talk about Virtual P L C s in a way that makes sense without getting trapped in vendor specifics. A Programmable Logic Controller (P L C) is traditionally a rugged industrial computer designed to interact with sensors and actuators and execute control logic with predictable timing. A virtual P L C takes the control logic and runs it as software on a general-purpose compute platform, sometimes inside a virtual machine, sometimes under a real-time layer, and sometimes as part of a broader distributed system. The motivation is usually flexibility and lifecycle benefits, such as easier updates, easier scaling, and less dependence on specialized hardware that may be hard to source or maintain. This can also make it easier to standardize across multiple sites, because you can deploy control logic like you deploy other software, using templates and managed images. The security implication is that the control function is now closer to the same kinds of vulnerabilities and management challenges as other software systems, and the line between “control equipment” and “server infrastructure” becomes blurrier.

Timing and determinism are especially important in control, and virtualization can complicate them in subtle ways. Determinism means that the system behaves predictably, especially with respect to time, because in industrial processes the order and timing of actions can directly affect safety and product quality. Virtual environments share resources, so a virtual machine’s access to the processor might be scheduled alongside other workloads, and that can introduce jitter, which is small variations in timing. In many business applications, jitter is annoying but not catastrophic, while in some control contexts, jitter can cause incorrect behavior or unstable process control. Modern platforms can address this with reserved resources, real-time scheduling features, and careful design, but the point for a beginner is that virtualization is not automatically safe for every control task. When organizations adopt virtual P L C patterns, they are often making a careful decision about which control functions can be virtualized without creating unacceptable risk. Security teams need to respect that reality and avoid pushing patterns that increase unpredictability just to match a corporate standard.

Virtualization also influences how we think about segmentation and safety zones in an industrial environment. A traditional model might separate the enterprise network from the industrial network, and then further separate production zones from each other, and then isolate safety-related systems even more. When many systems run on one virtualization platform, a big question becomes how to keep those zones meaningfully separated even though they share physical resources. This is not a reason to avoid virtualization, but it is a reason to design it thoughtfully, especially around management networks and administrative access. The management plane, which is the network and tooling used to control the hypervisor and virtual infrastructure, often needs stronger protection than people expect. If an attacker can reach the management plane, they can potentially change network attachments, alter virtual machine configurations, or disrupt availability in ways that bypass the protections inside each workload. For beginners, it is useful to remember that the management plane is like the master key to an entire building, and you do not want that key hanging on a public hook even if each apartment has a lock.

Another shift is how images, templates, and snapshots affect trust and lifecycle management in O T systems. When you deploy a new virtual machine from a template, you are relying on the template to be clean, correctly configured, and appropriate for its purpose. If the template has outdated software, unnecessary services, or hardcoded credentials, those problems can spread rapidly because templates multiply. Snapshots can preserve a system state that includes old vulnerabilities, and rolling back can unintentionally undo security improvements, which is a real concern when uptime pressure is high and people reach for the fastest recovery method. In O T, where maintenance windows can be rare and changes are carefully controlled, these features can be extremely valuable, but they must be paired with disciplined governance so that convenience does not turn into hidden risk. A practical way to think about it is that virtualization makes it easier to create copies of systems, and security must make it equally easy to ensure those copies are safe and consistent.

Monitoring and visibility are also different in virtualized O T, and the difference often surprises teams that are used to watching traffic on physical links. Because virtual switching can keep traffic inside the host, you may need monitoring that understands the virtual network layer, not just the physical network. Logs from the hypervisor, the management platform, and the virtual switches can reveal configuration changes, administrative actions, and unexpected movements of workloads between hosts. Those are not “extra” logs in a virtual environment, they are often the most important signals you have. At the same time, you want to avoid overwhelming operators and beginners with the idea that more logs automatically means better security. The goal is to capture evidence that helps explain what changed, who changed it, and how that change affected operational behavior. In O T, the best monitoring is often the monitoring that can quickly answer whether a process change was caused by the physical process, a control logic change, a network path change, or a platform-level event like a migration or resource contention.

It is also worth talking about failure modes, because modern patterns can create surprising chains of dependency. In a traditional design, if one server fails, a handful of functions fail, and the rest of the environment may continue. In a virtualized design, if one hypervisor host fails, many workloads might restart elsewhere, which is fine if the cluster is healthy, but it depends on shared storage, healthy networking, and correct cluster configuration. If the shared storage is degraded, many workloads can become slow at the same time, and slow can be worse than down in O T because it can create subtle timing errors. If the management platform fails or is misconfigured, you may still have running workloads but lose the ability to control, recover, or diagnose them quickly. These are not reasons to panic, they are reasons to map dependencies clearly and to treat the virtualization platform as a critical system with its own security and resilience requirements. Beginners should come away with the idea that modern patterns shift risk from many separate boxes into fewer shared foundations, so the foundations deserve more attention.

Finally, we should address a common misconception that virtual equals less real, which can lead to underestimating the operational impact of security decisions. A virtual machine can host a control system component that is just as critical as any physical device, and a virtual P L C can influence real-world equipment with real safety consequences. That means patching decisions, access decisions, and segmentation decisions should be made with the same respect for uptime and safety as any other O T change. It also means that cybersecurity conversations need to include the people who understand process risk, because the right answer is not always the most “secure” in the abstract, but the most secure that still supports stable operations. When teams do this well, virtualization can improve both security and reliability by making recovery faster and making configurations more consistent. When teams do it poorly, the same features can magnify mistakes, spread weak configurations, and create invisible pathways across zones.

Bringing it all together, modern O T patterns like virtual machines, hypervisors, virtual switching, and virtual P L C s are best understood as a shift in where control and risk live, not as a simple upgrade from old to new. Virtualization can consolidate hardware, improve recovery options, and make deployments more consistent, which is why it keeps showing up in industrial environments. At the same time, it concentrates power into the management plane and the hypervisor layer, and it can move network behavior into places that traditional monitoring might not see unless you plan for it. Virtual P L C s can increase flexibility and reduce hardware dependency, but they also require careful attention to timing, determinism, and the reality that software control still controls physical outcomes. For a brand-new learner, the most important mindset is to treat these platforms as part of the O T environment, not as an I T add-on, and to assume that anything that improves convenience can also improve an attacker’s options if it is not governed carefully. If you can explain how shared foundations, virtual switching, and control logic virtualization change both resilience and exposure, you will be thinking in the way modern O T security expects, which is to protect operations by understanding how the environment is actually built today.

Episode 21 — Apply Modern OT Patterns: Virtual Machines, Hypervisors, Switching, and Virtual PLCs
Broadcast by