Amid escalating cyber threats and regulatory demands, outdated OT cybersecurity reporting lines, often routed through IT leadership with little operational insight, are proving to be a critical vulnerability across the industrial sector. With regulatory pressure mounting from NIS2, TSA, and the SEC, organizations are beginning to rethink reporting lines, exploring hybrid models that blend centralized oversight with local control. But without giving OT (operational technology) security clear authority and a direct line to leadership, critical infrastructure remains exposed, and executive teams remain uninformed.

Industrial Cyber had an opportunity to discuss these issues with Sarah Freeman, chief engineer for intelligence, modeling, and simulation at MITRE’s Cyber Infrastructure Protection Innovation Center, where she focused on common reporting structures for OT cybersecurity and how these models typically fall short when it comes to addressing real-world threats and operational risks. 

“Most incident reporting structures can be grouped into two categories: internal and external schemas. The first is focused on ensuring key stakeholders and decision makers are informed of any adverse events that have occurred or may have occurred,” Freeman said. “The second category, external notification, is often the result of legal or contractual obligations to inform other parties that an adverse event or incident has occurred, with Securities and Exchange Commission filings as one well-known example. Other examples of sharing with external parties involve informing insurers, cyber insurers, or reinsurers that an adverse event has occurred, or a supplier disclosing a breach to its customers.”

She noted that in both cases, one of the consistent challenges is ensuring that the right people get the right data quickly. Unfortunately, many reporting methods rely on a manual approach, which introduces delays in sharing information, and those delays can in turn result in additional damage or impact.

“Manual and inconsistent processes often lead to vague or incomplete reports on cyber incidents, weakening the value of shared threat intelligence,” according to Freeman. “Considering cyber campaigns, where similar organizations are hit with the same tools, delays or poor-quality data can leave others exposed and more likely to be compromised.”

Addressing the gaps exposed by recent OT-targeted attacks and the lessons learned, Freeman pointed to internal reporting delays that cost valuable time during breach detection and response. “This, in turn, can increase the severity, scope, or scale of the event. A quintessential example of this occurred during the infamous Target breach in 2013, with slow responses from Target enabling exposure of millions of consumers’ financial information.”

Another commonly cited example is the first cyber-attack in Ukraine, in December 2015. “During that attack, one operator opted to record the event on a personal cell phone rather than intervene or report it. While this may be a mischaracterization of those events in 2015, those December attacks highlight the speed at which an adversary can manipulate an operational technology environment, and those attacks emphasize the need for decisive defender action.”

More recently, Freeman referenced the SolarWinds breach in 2020, which also demonstrated the need for quick identification and remediation of cyber incidents. “Although the initial compromise occurred in March 2020, the breach was not identified until December 2020. During that time, the adversary was able to seed malicious Orion versions in thousands of end-user environments.”

Examining the role of regional and site-level OT security within centralized governance models, and whether hybrid approaches strike the right balance between local autonomy and centralized control, Freeman said that reporting procedures should never slow down the remediation of a potential or confirmed breach. “Site staff must have the authority to act decisively to protect processes, cyber-physical systems, and other equipment. At the same time, efficient information flow is essential. This is best achieved by designating a primary point of contact (POC) for communications, separate from the site lead, and identifying this individual in advance.” 

She also mentioned that doing so ensures that critical activities are carried out effectively during a cyber incident.

Regulatory frameworks like NIS2, TSA security directives, and the SEC cyber disclosure rule are forcing structural change in how cybersecurity incidents are reported and escalated. These regulations broaden accountability, bringing supply chain and third-party stakeholders into the reporting ecosystem. While many organizations are playing catch-up, compliance-driven reforms offer a unique opportunity to improve long-overdue reporting systems.

Freeman notes that reporting structures in critical infrastructure often remain reactive and are struggling to keep pace with the demands of emerging regulatory frameworks. “However, these regulations have significantly expanded the scope of who is accountable for security, bringing new stakeholders, such as supply chain partners, into the conversation. Importantly, these frameworks also have elevated discussions around effective security measures and communication practices, which is a positive development for the industry.”

Another essential component across critical infrastructure installations is the need for clear reporting lines. Remarking that preparation is key, Freeman added that “During an incident (or when one is suspected), it’s critical that staff and leadership understand the organization’s reporting requirements. This starts with designing clear communication pathways and practicing them annually.” 

She added that a communication framework built in advance is far easier and faster to deploy than creating one on the fly. “For example, organizations can pre-establish notification systems for adverse cyber events so that points of contact are already identified. This also helps to ensure communication lines between IT and OT teams stay open, since the systems are in place beforehand. Additionally, drafting and distributing policies and procedures ahead of time – both digitally and in hard copy – positions organizations to respond quickly and effectively when an incident occurs.”

OT cybersecurity is often sidelined in strategic conversations because it lacks budgetary control or visibility at the board level, and these teams struggle for influence. MITRE suggests aligning OT with enterprise risk by emphasizing operational impact, safety, and threat-informed models, instead of just probabilistic risk assessments. High-profile incidents like Colonial Pipeline have shown that OT threats carry immediate financial and reputational costs. 

“There are many strategies to strengthen the position of OT security teams within organizations. One of the most effective is framing OT security as a critical component of overall organizational and business risk,” Freeman said. “A key aspect of this, especially within the industrial security community, is ensuring that threats to safety are fully integrated into risk assessments. Often, this requires advocating for the use of threat intelligence and other threat-informed approaches, since traditional probabilistic risk models alone cannot account for determined, intelligent, and malicious cyber adversaries.”

Clearly, the challenge of OT cybersecurity reporting has been diagnosed; now it’s time for organizations to modernize. MITRE’s perspective makes it clear that preparation, clarity, and decisiveness are the building blocks of effective incident response, thus improving the foundation of resilience in critical infrastructure.