
Risk assessment across industrial cybersecurity environments is no longer a procedural formality. It is increasingly becoming an operational discipline that demands fluency in both system interdependencies and adversarial behavior. For industrial firms, this means moving beyond abstract threat modeling toward assessments that are specific, consequence-driven, and deeply tied to how physical processes function under stress.

What’s changing across these industrial environments isn’t just the tooling, but the mindset. Frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and IEC 62443 still serve as scaffolding, but the real work happens in interpretation. In practice, risk isn’t measured in general controls; it’s revealed in pressure valves, remote I/O units, and proprietary logic long forgotten by central IT. Impact becomes meaningful when it’s tied to throughput loss, safety system disruption, or cascading downtime across interlinked assets.

Executive leadership is beginning to understand this. Risk is not merely a technical issue; it is also a business risk that directly links to operational safety, continuity, and trust. The conversation is shifting from ‘are we compliant’ to ‘how exposed are we, and what would it take to recover?’ The push is coming from the top, and it’s causing cross-functional conversations that would not have happened five years ago. The shift is also driving closer alignment between engineering, operations, IT, and cybersecurity environments, leading to a long overdue convergence. 

Newer technologies are also starting to shift the balance. AI (artificial intelligence), behavioral analytics, and scenario modeling are empowering businesses to transition from static evaluations to dynamic, adaptive strategies. Digital twins and AI-facilitated detection assist, but the heavy lifting remains a matter of human judgment and the unblinking recognition of complexity. 

How industrial firms are prioritizing OT cyber risks

Industrial Cyber reached out to experts to break down what makes a risk assessment process effective in industrial cybersecurity, including how organizations can identify and prioritize critical assets across operational technology (OT) environments. The experts also explored how these practices adapt based on an organization’s size and operational complexity.

Kyle Miller, vice president for infrastructure cybersecurity at Booz Allen Hamilton

Kyle Miller, vice president for infrastructure cybersecurity at Booz Allen Hamilton, told Industrial Cyber that his company has conducted more than 500 OT cybersecurity risk assessments. Each assessment typically includes an operational overview; an evaluation of threats, vulnerabilities, and existing controls; a risk analysis with prioritization; and the development of a roadmap for recommendations and implementation.

“While paper- and interview-based assessments can be effective, to really understand the ‘ground truth,’ we recommend site visits and technical evaluations,” according to Miller. “Each of these begins with an operational overview where we look to gain an understanding and appreciation of what the site produces, its importance to the organization’s bottom line, how it fits into the supply chain, etc. From there, we prioritize what assets at the site are most critical to its operations.” 

As part of an assessment, he added, “We will also frequently utilize OT-focused tools to collect data on network behaviors, assets, and vulnerabilities, to help aid in identifying any unknown single point of failure. These methodologies are fairly similar for mid to large organizations, with the largest only assessing a sample of sites. Some smaller organizations we see rely more heavily on checklist-based approaches.”

Rich Springer, director of OT solutions marketing at Fortinet

“Visibility of OT devices is essential to understanding the risks they pose to both local and remote sites,” Richard Springer, director of OT solutions marketing at Fortinet, told Industrial Cyber. “While various solutions exist to compile accurate inventories, effective prioritization requires collaboration between security and operations teams, balancing the critical knowledge of the cyber risk involved with potential impacts on the most vital production and critical infrastructure systems.”

Grant Geyer, chief strategy officer at Claroty

Grant Geyer, Claroty’s chief strategy officer, told Industrial Cyber that a common approach is to conduct an assessment by cataloging every asset, communication, and vulnerability, only to unsurprisingly discover a mountain of obsolete, risky assets. “It’s too much noise and not exactly actionable. Even worse: you’ve moved from ignorance to negligence without a clear game plan of what matters most. We need to rethink this paradigm.” 

Effective risk assessments begin with identifying core mission-critical processes and the assets that enable them, Geyer said. “This helps teams focus protection where a cyberattack would have real operational, safety, or financial impact. Purposeful visibility that can get the details that matter earns credibility with the business and buy-in from engineering. From there, understanding potential attack paths, accounting for segmentation and compensating controls, shifts the focus to what’s truly exploitable. This enables remediation plans that reduce risks that matter, not just theoretical ones.”

Ted Gutierrez, CEO and co-founder of SecurityGate

“To run and scale an effective industrial cyber risk assessment program, the best enterprises focus on two key areas,” Ted Gutierrez, CEO and co-founder of SecurityGate.io, told Industrial Cyber. “First, they’re looking across the full scope of sites—not just their ‘air-gapped’ or revenue-driving sites. Second, they conduct control-based assessments regularly to identify gaps across the organization from the perspective of control families. Too often, especially in early maturity enterprises, teams attempt to perform deep-dive risk assessments without the prerequisite data like threat, controlled state, and business outcomes.”

OT risk assessments increasingly shaped by cyber frameworks

The executives discuss how industry frameworks and standards, such as the NIST Cybersecurity Framework, IEC 62443, and other ISA/IEC guidelines, shape the way industrial organizations assess and mitigate cybersecurity risks.

Miller said that these industry frameworks and standards provide organizations with a structured approach to assess and mitigate cybersecurity risks in OT environments and allow them to align with industry best practices to do so. “Following a trusted framework can also greatly aid in communicating risks up to organization executives (both OT and IT).”

“Industry frameworks and standards vary from wide-ranging to highly prescriptive, with preferences shaped by an OT vertical’s maturity, budget, and adoption history,” Springer observed. “Regardless of the choice, most of OT still operates without a framework. To reduce risk, organizations must quantify it and baseline their OT security posture against a standard. Once established, it’s critical that they continuously measure and update that posture to track progress and illustrate ROI.”

Geyer mentioned that frameworks like NIST CSF and IEC 62443 give industrial organizations a common foundation to evaluate and manage cyber risk, but their value depends on how they’re applied. 

“In OT environments, prevention is paramount—so most focus should be on the Identify and Protect functions. Incidents are less frequent but often more disruptive, making early safeguards critical,” he added. “That said, the Recover pillar is often overlooked. If production goes down, due to ransomware or any other event, rapid restoration is essential to resume critical services. These frameworks work best when tailored to operational context, not treated as one-size-fits-all compliance checklists.”

Gutierrez said that “regardless of which framework or standard you choose—whether it’s NIST CSF, ISA/IEC 62443, or another option—configuring them to match your business process is the unlock button. To ensure ongoing progress, programs should move away from static, one-time assessments that end up buried in Excel files and collecting dust in someone’s inbox.”

He added that “frameworks matter because they give you structure, but real impact comes from using them in repeatable, scalable ways. Think workflows, not whitepapers. A continual, data-driven approach turns frameworks into action, helping teams mature their programs over time without getting stuck in analysis paralysis.”

Quantifying impact and likelihood in OT cyber risk

The executives examine how ‘likelihood’ and ‘impact’ are quantified differently in industrial environments compared to corporate IT settings, and which methodologies have proven most effective for assessing cyber risk across OT and safety systems.

“The biggest difference between our IT and OT risk analysis is on the ‘impact’ side of the equation,” Miller noted. “In an OT environment, we need to look at specific impacts such as those to production, safety, the environment, and regulatory impacts, but also broad impacts such as those to the organization’s operations, customers, or society at large if production were to be impacted.” 

He added that events such as power grid outages, pipeline shutdowns, and disruptions to pharmaceutical supply can all have consequences that reach well beyond the organization itself. Conducting risk-based assessments combined with business context is an effective methodology.

Springer indicated that in OT environments, the likelihood of a cyber event has traditionally been lower than in IT, while the impact is significantly higher. “However, as OT networks become increasingly connected to IT and the cloud, the attack surface expands, raising the likelihood of cyberattacks.” 

He added that the impact of an OT cybersecurity incident extends beyond downtime, encompassing production loss, interruptions, material waste, recovery costs, and brand damage, all consequences of a production floor event. Tabletop exercises involving operations and security teams are a key tool to understand network and production contingencies.

“In industrial environments, ‘likelihood’ is difficult to quantify—events are rare, but consequences could be significant,” Geyer said. “Unlike IT, which often relies on data-driven probabilities, OT risk assessments emphasize exposure and impact to mission-critical functions. Impact isn’t just data loss—it’s production shutdowns, safety events, or environmental harm.” 

He added that frameworks like consequence-driven cyber-informed engineering (CCE) from Idaho National Laboratory shift the focus from abstract threats to real-world consequences by mapping what an attacker would need to do to cause mission failure. This approach, combined with asset criticality and attack path analysis, helps prioritize inherent risks and design controls where they matter most.
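The prioritization Geyer describes above (start from the mission-critical process, rate the consequence of losing it, then account for segmentation and compensating controls to see what is actually reachable) is easy to state and surprisingly easy to get wrong in a spreadsheet, where a high vulnerability count on an exposed historian can outrank a safety system, or the reverse. The following is an added example, written for this page and not code from the article or from any of the vendors quoted in it. The zone/conduit graph, the five-asset inventory, the 1..5 impact ratings and the residual-likelihood factor assigned to each compensating control are all constructed, illustrative assumptions rather than a published methodology; the point is the structure (worst consequence dimension dominates, reachability and controls shape likelihood, and a what-if lets you see what a single control is buying).

```python
"""Consequence-driven prioritisation of OT assets (added example).

Everything below is constructed: the zone/conduit model, the inventory,
the impact ratings and the discount each compensating control earns are
illustrative assumptions, not a vendor methodology.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    zone: str                  # IEC 62443-style zone the asset sits in
    impact: dict               # dimension -> 1 (negligible) .. 5 (catastrophic)
    known_weaknesses: int      # exploitable findings from the assessment
    controls: list = field(default_factory=list)  # compensating controls


# Directed conduits between zones (constructed). "enterprise" is the zone an
# external actor is assumed to reach first; anything not listed is undocumented.
CONDUITS = {
    "enterprise": {"dmz"},
    "dmz": {"supervisory"},
    "supervisory": {"control"},
    "control": {"safety"},
}

# Assumed fraction of likelihood that remains once a control is in place.
CONTROL_RESIDUAL = {
    "unidirectional_gateway": 0.2,
    "allowlist_firewall": 0.6,
    "mfa_remote_access": 0.7,
    "sis_key_switch_locked": 0.4,
}

# No documented path is "low", never zero: undocumented remote access exists.
UNREACHABLE_FLOOR = 0.05


def exposure_hops(start, target, conduits):
    """Shortest number of zone crossings from start to target, or None."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == target:
            return hops
        for nxt in conduits.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None


def consequence(asset):
    """Worst single dimension dominates: a safety event is not averaged
    away by low production or regulatory impact."""
    return max(asset.impact.values())


def likelihood(asset, conduits, entry_zone="enterprise"):
    """Relative (not probabilistic) likelihood: reachability first, then
    compensating controls, then the weakness count found on the asset."""
    hops = exposure_hops(entry_zone, asset.zone, conduits)
    score = UNREACHABLE_FLOOR if hops is None else 1.0 / (1 + hops)
    for ctl in asset.controls:
        score *= CONTROL_RESIDUAL.get(ctl, 1.0)
    # An asset with no findings still carries risk (abuse of legitimate
    # engineering functions), so the weakness factor has a floor of 0.4.
    score *= min(1.0, 0.4 + 0.2 * asset.known_weaknesses)
    return score


def prioritize(assets, conduits):
    """Return [(name, consequence, likelihood, risk)] sorted by risk, highest first."""
    rows = []
    for a in assets:
        lik = likelihood(a, conduits)
        rows.append((a.name, consequence(a), round(lik, 4), round(consequence(a) * lik, 4)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def without_control(asset, control):
    """What-if: the same asset with one compensating control removed."""
    return Asset(asset.name, asset.zone, asset.impact, asset.known_weaknesses,
                 [c for c in asset.controls if c != control])


# Constructed inventory for one site.
SITE = [
    Asset("Historian", "dmz",
          {"production": 2, "safety": 1, "environment": 1, "regulatory": 3}, 4, ["mfa_remote_access"]),
    Asset("HMI-01", "supervisory",
          {"production": 4, "safety": 2, "environment": 1, "regulatory": 2}, 2, ["allowlist_firewall"]),
    Asset("PLC-Line3", "control",
          {"production": 5, "safety": 3, "environment": 2, "regulatory": 2}, 3),
    Asset("SIS-Boiler", "safety",
          {"production": 4, "safety": 5, "environment": 5, "regulatory": 5}, 1,
          ["sis_key_switch_locked", "unidirectional_gateway"]),
    Asset("Legacy-RTU", "remote_site",  # no conduit documented: floor applies
          {"production": 3, "safety": 2, "environment": 2, "regulatory": 1}, 5),
]

if __name__ == "__main__":
    for row in prioritize(SITE, CONDUITS):
        print("%-12s consequence=%d likelihood=%.4f risk=%.4f" % row)
```

Two things worth noticing in the output. The safety system has the highest consequence on the site but lands at the bottom of the list, because the key switch and the unidirectional gateway leave it almost unreachable; running `likelihood(without_control(SITE[3], "unidirectional_gateway"), CONDUITS)` shows that removing the gateway alone multiplies its risk fivefold, which is exactly the kind of statement an engineer can check and an executive can fund. And the legacy RTU with five findings ranks low only because the conduit model records no path to it; in a real assessment that "unreachable" result is a prompt to go and verify that no undocumented cellular or vendor access exists, not a reason to stop looking.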

Qualitative vs Quantitative: OT risk in a shifting world

The executives look into how organizations are balancing qualitative and quantitative approaches to risk assessment in OT systems, and how rising geopolitical tensions are shaping these evaluations.

“Precise risk quantification is difficult in OT environments where the impacts can be broad-reaching and societal, particularly in light of today’s geopolitical environment,” Miller said. “Integrating both types of data can provide the most comprehensive understanding of the organization’s risk profile by combining data-driven analytics with expert judgment. For example, organizations leverage qualitative insights for operational context, while using quantitative models for quantifiable risk measurement.”

Springer identified that qualitative assessments are quickly being replaced by quantitative methods as OT risk is moving up the corporate risk register. “As OT risk now ranks among the ‘Top 5’ concerns for many organizations, boards and executives are demanding measurable, data-driven insights. Risk must be quantified, assigned, and aligned with budget, and clear expectations must be established for measurable risk reduction. If not, the effectiveness of the investment, the plan, and future funding come into question. As a result, qualitative approaches are quickly evolving into quantifiable models,” he added.

“Many industrial organizations still lean on qualitative methods for OT risk, driven by limited data, complex system interdependencies, and the difficulty of modeling physical consequences,” Geyer observed. “We encourage organizations to leverage the Business Impact Analysis and engineering knowledge of the process to make this more concrete. There’s also a growing shift toward quantitative approaches using consequence modeling, attack path analysis, and frameworks like CCE to better prioritize risk.” 

He added that geopolitical tensions—particularly state-aligned threats targeting critical infrastructure—have accelerated this shift. “The result is a blended approach: qualitative context from operators and engineers, paired with quantitative tools to model exposure, consequence, and mission impact in high-stakes threat scenarios.”

“Qualitative insights are valuable—as long as they’re grounded in quantitative, control-based data,” Gutierrez said. “Too many teams rely on technical vulnerability data alone, while overlooking the bigger picture: process gaps, human behavior, and untested procedures. The most mature organizations blend structured frameworks with real-world context, scoring control effectiveness, then layering SME input to refine priorities.” 

He added that it’s not about guessing better—it’s about measuring smarter. “When you build your program around people, process, and controls—not just exploits—you get risk insights that actually drive action. The industry has a lot of work to do in this arena.” 

Executive leadership key to OT cyber risk strategy

The executives focus on the role of executive leadership in supporting robust industrial cybersecurity risk assessments and emphasize the importance of cross-functional collaboration between operations, engineering, IT, and security teams.

Miller highlighted that executive leadership plays a critical role by setting the strategic direction, allocating the appropriate resources, and fostering buy-in. “OT leaders have a lot of competing priorities, and without executive sponsorship, OT risk assessments frequently don’t get the attention they need to be successful.”

“As OT risk rises on the corporate risk register, executive leadership is becoming increasingly involved,” Springer said. “According to the Fortinet 2024 State of OT and Cybersecurity Report, the responsibility of OT risk is increasingly being assigned to CISOs and other C-suite members. This shift reflects the broad impact an OT cyber event can have, not only through direct disruptions, but also indirect business processes that may not be fully understood.” 

He added that bringing diverse operational and security teams together is essential to identifying and addressing both the direct and the indirect risks to production and infrastructure.

Geyer recognizes that mitigating OT cyber risk is a people problem, not just a technology problem. “That’s why executive leadership is essential: they set the tone, prioritize cybersecurity as a business risk, and ensure resources and accountability. But success also depends on breaking down silos.” 

“A cross-functional steering committee—with representatives from operations, engineering, IT, and security—creates a structured forum for clear communication, aligned decision-making, and trust-building,” he added. “Each group brings unique insights: engineers understand process impact, IT knows architecture, and security connects threat models to risk. It ensures everyone is working from the same playbook, focused on business impact, not turf protection. With strong leadership and a steering committee in place, organizations can drive assessments that lead to real risk reduction.”

Gutierrez observed that executive leadership sets the tone. “If risk assessments are seen as checkbox exercises, that mindset cascades. But when leadership backs cybersecurity as a core business function, it gets the budget, the people, and the cross-functional attention it deserves. The best programs aren’t built in silos—they’re built by bringing OT, IT, engineering, and security to the same table, working from a shared playbook.” 

He added that collaboration isn’t optional; it’s the only way to assess real-world risk across complex, hybrid environments that don’t respect organizational charts.

How emerging tech is transforming OT risk strategy

Lastly, the executives address how emerging technologies such as AI and machine learning are transforming the risk assessment process in industrial environments, and what steps organizations are taking to future-proof their strategies.

Miller said that, while still in the early stages, “we are seeing a multitude of use cases for AI and ML to help support our OT risk assessments. From simple use cases of AI parsing documentation to prioritize review, to more advanced use cases of utilizing AI and ML to review network traffic and logs, build a baseline of ‘normal’ and identify anomalies for our assessors to dig into.”

Springer said that AI and ML have been central to threat analysis for more than a decade, but with advancements in generative and agentic AI, they now enable faster, more focused responses to high-priority threats and elevate security specialists to focus on the highest-priority cyber events. “In OT environments, where traditional systems rely on static, signature-based detection, AI and ML deliver real-time visibility, anomaly detection, and predictive threat analysis.”
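Both Miller and Springer describe the same assessor workflow: learn what "normal" traffic looks like on a flat OT network, then surface the conversations that do not fit for a human to investigate. In OT that baseline is far more tractable than in IT because the set of who-talks-to-whom is small and stable, and the deviations that matter are well known: a new host speaking a control protocol to a PLC, a known pair suddenly using an engineering or programming port, or a device that only ever answered requests starting to initiate connections. The following is an added example, written for this page and not code from the article, Booz Allen Hamilton or Fortinet. The flow-record format (`epoch src dst dst_port proto`, one per line) and the two windows of records are constructed for the example; no ML is involved, just a learned allowlist with three deviation classes, which is where most OT baselining starts before anything adaptive is layered on top.

```python
"""Baseline-and-deviate over OT flow records (added example).

Input format (constructed for this example, one flow per line, '#' comments):
    <epoch> <src_ip> <dst_ip> <dst_port> <proto>
The learning window teaches the allowlist; the assessment window is checked
against it and each unknown conversation is classified once, with a count.
"""
import re
from collections import defaultdict

RECORD = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")


def parse(text):
    """Parse flow lines into (ts, src, dst, port, proto) tuples."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            raise ValueError("unparseable flow record: %r" % raw)
        ts, src, dst, port, proto = m.groups()
        flows.append((int(ts), src, dst, int(port), proto.lower()))
    return flows


class Baseline:
    def __init__(self):
        self.conversations = set()        # (src, dst, port, proto)
        self.pairs = defaultdict(set)     # (src, dst) -> {(port, proto)}
        self.clients = set()              # hosts that initiated anything
        self.servers = set()              # hosts that received anything

    def learn(self, flows):
        """Record everything seen in a clean learning window as normal."""
        for _ts, src, dst, port, proto in flows:
            self.conversations.add((src, dst, port, proto))
            self.pairs[(src, dst)].add((port, proto))
            self.clients.add(src)
            self.servers.add(dst)

    def assess(self, flows):
        """Classify every conversation not in the baseline, once per tuple."""
        findings = {}
        for ts, src, dst, port, proto in sorted(flows):
            conv = (src, dst, port, proto)
            if conv in self.conversations:
                continue
            if (src, dst) in self.pairs:
                kind = "new_service_on_known_pair"   # e.g. programming port
            elif src in self.servers and src not in self.clients:
                kind = "role_inversion"              # a PLC reaching out
            else:
                kind = "new_conversation"
            entry = findings.setdefault(
                conv, {"kind": kind, "conversation": conv, "first_seen": ts, "count": 0})
            entry["count"] += 1
        return sorted(findings.values(), key=lambda f: f["first_seen"])


# Constructed learning window: HMI and SCADA server polling two PLCs over
# Modbus/TCP, SCADA writing to the historian database.
LEARNING_WINDOW = """
1700000000 10.10.20.11 10.10.30.5 502  tcp   # HMI -> PLC-A
1700000010 10.10.20.11 10.10.30.5 502  tcp
1700000020 10.10.20.12 10.10.30.5 502  tcp   # SCADA -> PLC-A
1700000030 10.10.20.11 10.10.30.6 502  tcp   # HMI -> PLC-B
1700000040 10.10.20.12 10.10.10.8 1433 tcp   # SCADA -> historian DB
1700000050 10.10.20.11 10.10.30.5 502  tcp
"""

# Constructed assessment window with one benign record and three deviations.
ASSESSMENT_WINDOW = """
1700100000 10.10.20.11 10.10.30.5 502   tcp  # baseline, ignored
1700100010 10.10.20.13 10.10.30.5 502   tcp  # unknown host polling PLC-A
1700100020 10.10.20.11 10.10.30.5 44818 tcp  # HMI using a new port to PLC-A
1700100030 10.10.30.5  10.10.99.7 443   tcp  # PLC-A initiating outbound
"""

if __name__ == "__main__":
    base = Baseline()
    base.learn(parse(LEARNING_WINDOW))
    for f in base.assess(parse(ASSESSMENT_WINDOW)):
        print("%-26s x%d  %s" % (f["kind"], f["count"], f["conversation"]))
```

The design choice that matters for an assessment is what goes into the learning window: it has to be long enough to cover legitimate periodic activity (shift-change logons, scheduled backups, vendor maintenance windows) or those become findings, and it has to be reviewed with operations before it is trusted, because anything already compromised during learning is baked into "normal". Each finding is a prompt for the assessor to ask the plant who owns the host and why it is talking, which is the step Miller describes as the assessors digging in.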

“AI and machine learning are transforming industrial risk assessments by automating asset discovery, determining core business processes, and understanding attack path vectors,” according to Geyer. “Paired with human experts, Human-Machine Teaming enhances organizations’ shift from inventories to actions with context on the business: from reactive to predictive security, enabling faster, more informed decisions. However, some of the most important tasks AI can be used for involve addressing the mundane yet critical work of improving data quality.”

He concluded that without an accurate and trustworthy asset inventory, the OT team won’t find the data trustworthy, and the security team can be chasing phantom risks that don’t really exist.