
Mature OT cybersecurity programs extend beyond perimeter defenses, with an emphasis on deep visibility, continuous risk assessment, and strong governance that reflects the unique conditions and needs of OT (operational technology) environments. The roadmap accounts for legacy systems, scattered industrial installations, multilayer network segmentation, secure remote access to the plant, and asset inventories that are kept up to date even as critical equipment ages. But most industrial companies are still stuck using legacy risk models designed for the way their systems used to be, rather than the way they are today. The problem, however, is that most, if not all, of the installed base is not hardened for modern threats, including ransomware, nation-state attacks, and supply chain compromise, which leaves critical industrial environments at risk.

As cyber threats and attacks increasingly become physically and geographically charged, the responsibility for OT cybersecurity is being redrawn. Formerly the responsibility of control engineers and plant managers, OT security is now the responsibility of CISOs and enterprise security teams. This is not a smooth transition. In environments that are intolerant of downtime, where production outages are not only cost-prohibitive but physically dangerous, the disruption that IT-centric ‘patch and reboot’ playbooks take for granted is anathema, and traditional security teams weaned on those playbooks struggle to adjust. Worse, these environments are not simple to secure while they continue to service production workloads; doing so requires expertise, patience, and coordination.

Building OT cybersecurity programs also means dealing with the cultural gap between IT security practitioners and OT teams. Engineers may see security controls as impediments to safety or productivity, just as security teams may not recognize how arcane industrial systems are. These disconnects can throw even the most well-considered programs off track, leaving unguarded paths for attackers to exploit.

The CISOs now charged with protecting OT are often ill-prepared to make this cross-cultural and technical leap. Policy updates alone will not ensure organizational success. Success requires OT cybersecurity programs that recognize the operational significance of cyber investments, invest in developing the required skills, and have leadership that understands the mission to keep production running while recognizing the need for stronger protection as the threat environment continues to change. Anything less risks leaving industrial cybersecurity mired in the past.

What makes a mature OT cybersecurity program?

Industrial Cyber reached out to industrial cybersecurity experts to explore what defines a mature OT cybersecurity program today. The experts also examine why so many industrial organizations still fall short of that standard.

Jeff Johnson, OT cyber program lead at MorganFranklin Cyber

Jeff Johnson, OT cyber program lead at MorganFranklin Cyber, told Industrial Cyber that a mature program should have holistic cybersecurity management that defines governance, roles, and process life cycles. It should follow a risk-based architecture using ISA/IEC 62443-3-2 for risk assessment and set security-level targets, with zoning and segmentation based on the Purdue Model or operational needs. Secure-by-design principles should be built into future architecture as a standard. 

He also identified that throughout the ICS/OT lifecycle, product-level controls should enforce defense-in-depth, least privilege, and availability requirements, with security by design integrated into any new infrastructure from the outset. Finally, continual improvement through regular assessments, patching, monitoring, and incident readiness is essential.

On why most industrial organizations lag, Johnson pointed to legacy ecosystems dominated by proprietary protocols and limited patching capabilities. OT teams are wary of changes that risk availability or safety: ‘This is the way we’ve always done it.’ He also cited complexity and cost, as formalizing cybersecurity management systems, asset inventories, segmentation, and secure procurement gets pushed to the back burner. Additionally, addressing these older devices is expensive and, in most cases, seen by OT teams as unnecessary from a productivity perspective.

Dino Busalachi, director for OT cybersecurity at Barry-Wehmiller Design Group

Dino Busalachi, director for OT cybersecurity at Barry-Wehmiller Design Group, told Industrial Cyber that mature programs share several key characteristics. Mature organizations typically adopt a security framework, such as NIST, IEC 62443, or NERC CIP, and integrate it across their operations.

He added that a critical gap often emerges when organizations fail to communicate their OT cyber strategy to key suppliers. CIO and CISO leadership need to build stronger relationships with original equipment manufacturers and system integrators, since these suppliers serve as the primary delivery teams responsible for bringing OT assets into manufacturing environments. Beyond designing and building these OT systems, they also handle ongoing support and maintenance, making their involvement essential.

Busalachi added that many IT departments have chosen their cybersecurity path without incorporating the broader OT ecosystem, both internally and externally. “This siloed approach prevents organizations from reaching the maturity level required to improve their cybersecurity programs effectively.”

Jason Rivera, co-founder and CEO, Cabreza

“A mature program is one with clear expectations, executive support, defined governance, collaborative culture, smart resourcing, dedicated OT security policies, controls and procedures, fit-for-purpose tools, measurable outcomes, a roadmap, and repeatability,” Jason Rivera, co-founder and CEO at Cabreza, told Industrial Cyber. “Any organization can get wrapped around the axle of one of those topics, but if they’re willing to collaborate, communicate, and compromise, maturity gains can be achieved.”

Kevin Kumpf, OT/ICS Strategist, Hard Hat Cybersecurity Services LLC

“What defines a mature OT cybersecurity program is having a grasp on the people, process, and technologies (including third parties) that make a business function in a safe and secure manner,” Kevin Kumpf, OT/ICS Strategist at Hard Hat Cybersecurity Services, told Industrial Cyber. “It includes C-Level leadership, IT, OT, change management, and third parties all working together and truly understanding the safety, availability, integrity, and confidentiality of their systems and their physical infrastructure.”

Kumpf said that most organizations have not achieved this because it is costly, and many organizations are outsourcing, using contractors to maintain systems and physical plants. “Outsourcing not only task-driven menial roles but also expertise-focused roles as well. While this produces cost savings on the bottom line, it sacrifices safety and security overall.”

Outdated risk models continue to weaken OT cybersecurity defenses

The executives address whether today’s OT cybersecurity programs are truly prepared to defend against modern threats like ransomware and nation-state attacks, or if they’re still relying on outdated risk models that can no longer keep up.

Johnson said that most organizations are still in the process of rationalizing what OT means to their risk, business, and bottom line. While ‘traditional OT verticals’ (utilities, etc.) tend to have more experience than most, the real challenge is creating space for a different kind of security within non-traditional verticals (healthcare, fintech, telecom, etc.).

“This assumes that there is an OT cybersecurity program in place in the first place, focusing mainly on safety, downtime, and compliance, and underestimating cyber-physical attack vectors,” according to Johnson. “Modern threats have evolved fast: ransomware now includes extortion, disruption, and kinetic consequences. Gaps remain: until ISA/IEC 62443 frameworks are fully applied, especially zones, monitoring, and SL-T enforcement, many OT programs remain vulnerable.”

Busalachi sees a technology readiness vs. implementation issue, as cybersecurity technologies continue to advance and mature, but the problem lies with end users (asset owners) who are not moving the needle on implementation. 

He added that proven frameworks remain valid. The SANS 5 OT Cybersecurity Critical Controls are not outdated and provide solid foundations, including defensible architecture, incident response, secure remote access, continuous monitoring, and vulnerability and risk management. 

When it comes to critical visibility gaps, Busalachi identified that too many organizations fall short on OT asset discovery. “Many claim they want 100% visibility without understanding what this process truly means. There’s more to a plant than capturing only North-South traffic. The East-West traffic controls are equally critical for comprehensive security.”

Rivera said, “Unfortunately, probably not. A small manufacturer may be better equipped through a few smart, tactical decisions than a global distributor with politics, risk aversion, or special interests prevailing over site defense and resilience measures. This is what happens in the absence of meaningful, sector-specific standardization and benchmarking, apart from maybe the energy sector, with NERC-CIP.”

“That said, one issue with all the risk models is when they end up suggesting untenable efforts focused in one direction, causing the classic front door closed, back door wide open scenario,” he added. “That’s why I advocate for capability-based prioritization: Determining what can be done now, to get to next, and what can be done later, by when. The best equipped OT security programs are also built with achievability in mind, as well as risk reduction, and an unwavering tether to business and security resilience.”

Kumpf said that while the programs and regulatory standards themselves are attempting to align with cyber threats and risks, the organizations themselves lack a true understanding of what their risks really are.

“As an example, while many organizations know what systems control OT resources, they do not have the depth of understanding on the interconnection of that system to others or how it impacts both upstream and downstream people, process, technologies, supply chain, etc.,” according to Kumpf. “Without clearly defined baselines, interconnectivity models, business risk quantifications, etc., there is no way to truly define a proper risk model.”

Industrial cybersecurity sees changing lines of responsibility

The executives examine who traditionally owns OT cybersecurity within industrial organizations, and how that ownership is shifting as cyber risks grow more physically and geopolitically charged.

“OT security historically has sat with plant engineering or operations teams—aligned to safety/process reliability. And from what I’m seeing, the majority still do,” Johnson said. “However, I do see a shift underway where CISOs, or embedded OT security leads, are now increasingly leading programs supported by cross-functional governance boards (OT Centers of Excellence in some cases).” 

He added that cyber risk is rapidly merging with physical and geopolitically driven threats. Centralized cyber oversight ensures a coherent risk posture spanning IT, OT, supply chain, and geopolitical contingencies.

Busalachi said that ownership varies by sector. In critical infrastructure organizations, OT teams usually take responsibility for OT cybersecurity. However, they face significant challenges with limited resources and budget, especially in smaller organizations and municipalities.

He also identified an authority vs. responsibility disconnect. “IT departments may have cybersecurity responsibility, but they lack authority in OT environments. Ultimately, OT teams own the OT assets, not the other way around.”

From an engagement imperative, Busalachi said that IT leadership must decide whether to engage the OEMs and system integrators who are the primary deliverers of OT assets on the plant floor. “If these groups aren’t providing a clear path forward for their clients (OT asset owners), there’s a critical gap. IT is not currently engaging them effectively.”

“The CISO or CSO usually ‘owns’ programs, but that’s not to say they call every shot, or should. The most accountable and responsible parties need to listen, ask questions, and collaborate to prevent their program from dying on the vine,” Rivera said. “So, the evolved successful model of ownership is distributed between global security and the local, more operational teams.”

Kumpf said that cybersecurity risk is owned at the Board and C-suite level. “The C suite is responsible for the execution of the program, and in most organizations, this aligns to a CISO of IT. While some high areas of critical infrastructure (oil and gas, power, air and rail, etc) have an OT CISO, it is not the norm.”

“Implementation of the program resides with the plant manager or operational management of an OT area. There is a disconnect between this level and the levels above in nearly every organization I have worked with,” according to Kumpf. “There is no two-way communication, and this inhibits the true flow of information regarding physical and geopolitical risks. A CISO does not know where things are produced at the intimate level of a plant manager. A CISO does not understand the physical consequences of not having redundancy in core systems and why, in many instances, you cannot (digital twins are attempting to become a solution to this).”

Coping with cyber risk in downtime-averse OT environments

The executives explore how organizations are managing visibility and risk in legacy-heavy OT environments where downtime is intolerable and many assets remain difficult to identify.

Johnson said that organizations often start with asset inventory, using agentless discovery and network traffic analysis to map devices without disrupting operations. Risk-prioritized segmentation is then enforced through zoning and conduits to limit lateral movement. 

In cases where patching is impossible, Johnson leaned towards hybrid compensating controls being deployed, including DMZs for devices that require both OT and IT access, along with firewall rules and other network-based protections. Finally, continuous monitoring and incident response provide situational awareness through network detection and response, anomaly detection, and response plans aligned with service-level agreements.
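The approach Johnson describes here (agentless discovery from network traffic, then zones and conduits enforced and monitored) and Busalachi's point above about East-West traffic mattering as much as North-South can be shown concretely. The following is an added example, not code from the article or from any of the experts or firms quoted: it builds a passive asset inventory from a handful of constructed NetFlow-style records, labels each flow North-South or East-West, and checks every flow against a hypothetical ISA/IEC 62443-style conduit policy. The subnets, zone names, ports, and policy are all assumptions for illustration; a real deployment would take its zone map from the site's 62443-3-2 risk assessment.

```python
"""Passive OT asset inventory and conduit check over constructed flow records.

Added example (not from the article or any vendor). It demonstrates the
agentless, traffic-analysis approach to asset discovery and the zone/conduit
model using only hand-written flow lines. Subnets, zone names, ports and the
conduit policy are hypothetical.
"""
import ipaddress

# Hypothetical Purdue-style zone map: subnet -> zone name.
ZONES = [
    (ipaddress.ip_network("10.1.0.0/16"), "L1 control"),
    (ipaddress.ip_network("10.2.0.0/16"), "L2 supervisory"),
    (ipaddress.ip_network("10.3.0.0/16"), "L3 site ops"),
    (ipaddress.ip_network("172.16.0.0/16"), "DMZ"),
    (ipaddress.ip_network("192.168.0.0/16"), "enterprise"),
]
OT_ZONES = {"L1 control", "L2 supervisory", "L3 site ops"}

# Hypothetical conduit policy: (src zone, dst zone) -> permitted destination ports.
# Anything not listed here is, by design, not allowed.
CONDUITS = {
    ("L3 site ops", "L2 supervisory"): {4840},   # OPC UA
    ("L2 supervisory", "L1 control"): {502},     # Modbus/TCP
    ("L1 control", "L1 control"): {502},         # controller peer traffic inside the zone
    ("DMZ", "L3 site ops"): {443},               # historian replication via the DMZ
}

# Constructed flow records (timestamp,src,dst,dst_port,proto), as a passive
# sensor or a flow exporter on a SPAN port might produce them.
SAMPLE_FLOWS = """\
2024-05-01T08:00:01Z,10.2.0.5,10.1.0.10,502,tcp
2024-05-01T08:00:02Z,10.3.0.20,10.2.0.5,4840,tcp
2024-05-01T08:00:03Z,172.16.0.4,10.3.0.20,443,tcp
2024-05-01T08:00:04Z,192.168.1.50,10.1.0.10,502,tcp
2024-05-01T08:00:05Z,10.1.0.10,10.1.0.11,502,tcp
2024-05-01T08:00:06Z,10.2.0.5,10.1.0.11,3389,tcp
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the zone map is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES:
        if addr in net:
            return name
    return "unknown"


def parse_flows(text: str) -> list[dict]:
    """Parse the CSV-style flow lines into dicts annotated with zones."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                      "proto": proto, "src_zone": zone_of(src),
                      "dst_zone": zone_of(dst)})
    return flows


def direction(flow: dict) -> str:
    """North-South crosses the OT/enterprise boundary; everything else is East-West."""
    src_ot = flow["src_zone"] in OT_ZONES
    dst_ot = flow["dst_zone"] in OT_ZONES
    return "north-south" if src_ot != dst_ot else "east-west"


def passive_inventory(flows: list[dict]) -> dict[str, dict]:
    """Build an asset list purely from observed traffic: no scanning, no agents."""
    inv: dict[str, dict] = {}
    for f in flows:
        for ip in (f["src"], f["dst"]):
            asset = inv.setdefault(ip, {"zone": zone_of(ip), "first_seen": f["ts"],
                                        "last_seen": f["ts"], "served_ports": set(),
                                        "peers": set()})
            asset["last_seen"] = max(asset["last_seen"], f["ts"])  # ISO-8601 sorts as text
        inv[f["dst"]]["served_ports"].add(f["port"])
        inv[f["src"]]["peers"].add(f["dst"])
        inv[f["dst"]]["peers"].add(f["src"])
    return inv


def conduit_violations(flows: list[dict]) -> list[dict]:
    """Flows whose zone pair or destination port is absent from the conduit policy."""
    return [f for f in flows
            if f["port"] not in CONDUITS.get((f["src_zone"], f["dst_zone"]), set())]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip, a in sorted(passive_inventory(flows).items()):
        print(f"{ip:14} {a['zone']:15} serves={sorted(a['served_ports'])} peers={len(a['peers'])}")
    for f in conduit_violations(flows):
        print(f"VIOLATION {direction(f):11} {f['src_zone']} -> {f['dst_zone']} "
              f"{f['src']} -> {f['dst']}:{f['port']}")
```

Two of the six constructed flows violate the policy: an enterprise workstation talking Modbus straight to a controller (a North-South flow that should have terminated in the DMZ) and an HMI opening RDP to a controller (an East-West flow on a port the L2 to L1 conduit never permitted). The first would be caught by most perimeter-focused monitoring; the second only shows up if East-West traffic inside the OT zones is visible, which is the gap Busalachi describes.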

Busalachi said that maturity levels vary significantly, as less than 80% of organizations are mature enough to have developed comprehensive metrics. “Some sophisticated clients use Overall Equipment Effectiveness (OEE) to benchmark and improve manufacturing productivity.”

He added that the OT cybersecurity value proposition is that many organizations fail to realize these technologies actually help prevent events that cause unplanned and unscheduled downtime, improving OEE and overall operational efficiency.

“Well, organizations with programs should have control (and compensating control) criteria and requirements established for asset, detection/monitoring, and risk management,” Rivera said. “They’re entity-level exercises with outcomes that can be iterated on as people and technologies change. But for the organizations that just passed ‘Go’ and grabbed a tool off the shelf, they’re probably not managing well.”

“The only absolute way you can resolve this is to walk the plant floor and take a physical inventory. Once that inventory is collected, you need to ensure it is given to an owner (not an outside third party) who will continually update, maintain, and control its existence,” according to Kumpf. “You need to understand the who, what, when, where, and why of the asset. Who owns it, what it does for the organization, when it is used (nonstop running, once a week, etc.), where it is located and how it is connected/accessed, and why the organization needs it (can another device already in place do the same function or task). Lastly, you need to understand its BIA/BCP if that device has an event/issue.”

Misaligned cultures threaten industrial security programs

The executives look into the cultural disconnects that exist between operations and cybersecurity teams, and how these tensions impact the success or failure of security initiatives.

Using the ‘Apples and Oranges’ analogy, Johnson said that OT leaders emphasize uptime and safety; cyber teams emphasize defense and confidentiality. “Both are good on their own, but I don’t want warm orange juice with spices in the fall, or cold apple juice with my cereal in the morning.” 

“OT sees cyber as a threat to physical continuity, especially when misconceived as IT-centric. The cyber side frames standards/tools in IT jargon, while OT values safety, functional continuity, and risk-driven practices,” according to Johnson. “This friction leads to stalled segmentation, delayed patching, and token compliance. Using ISA/IEC 62443’s shared language—zoning, risk scores tied to operational impact, measurable controls—to translate requirements into operational benefits for both sides, you can bridge the gap and provide a win for everyone.”

Highlighting the visibility problem, Busalachi said that too often, “when visiting manufacturing facilities to tour plant floors (OT environments), it’s the first time many IT team members (infosec, networking) have been onsite. In many cases, they haven’t visited the plant in years or have never been on the plant floor to review industrial control system architecture, applications, infrastructure, and networks.”

He added that IT departments have significant blind spots related to OT environments. “The critical question is – what is IT’s relationship with internal OT teams and their third parties (vendors, OEMs, and system integrators)? If these relationships don’t exist, cybersecurity initiatives will inevitably fall short.”

“Disconnects in responsibilities, expectations, decisions, risks, and feedback loops are going to happen. They can become some of the most defining moments of an organization’s OT security journey,” Rivera said. “But they’re also where the juiciest work is, which pays off greatly for any organization serious about doing OT security the right way. It’s important to learn from them and continuously strengthen relationships. On that note, incentivization models go a long way.”

Noting that there is a disconnect between plant-level operations and the C-suite, Kumpf said that “They do not have a true voice or advocate at the table. People at the C-level are dollar and risk-driven. Can we do it cheaper (put things in the cloud, outsource, etc.) and by the need to automate security through instant patching, AI-driven threat mitigation, shutting down systems that are outdated?”

“I equate this to the vision of the smartphone in today’s world. Why do you need a phone, camera, computer, desk calendar, etc., when you can do it all in one device (IT thinking)? OT is not built like that,” Kumpf added. “You would not expect a photographer you hired at a special event to show up with a cell phone and begin to take pictures or a person you paid to build you a custom cabinet to just go to a home improvement store and buy one, and just add hardware you selected.”

He also mentioned that OT is driven by many unique processes and situations. “There is always room to improve and streamline, but every plant and OT operation is unique and with its own challenges. It is not a ‘one size fits all.’”

CISOs struggle to bridge IT-OT cyber divide

The executives assess whether CISOs are well-positioned to lead OT cybersecurity efforts or whether a cultural and technical divide between IT and OT still hinders effective leadership. 

“CISO leadership is increasingly essential as they bring board-level visibility, governance expertise, and a holistic risk mindset,” Johnson said. “However, many CISOs lack deep OT fluency; without operational credibility, OT teams resist their guidance.” He added that CISOs with dedicated OT deputies or cross-functional steering committees bridge domain knowledge gaps. “CISOs must speak OT’s language—connecting cyber measures to safety, reliability, and business continuity.”

Identifying that the clear answer is ‘no,’ Busalachi said that CISOs are not well-positioned to lead OT cybersecurity efforts if they’re not engaging the external OT ecosystem operating in their manufacturing facilities. “This engagement gap represents a fundamental barrier to effective OT cybersecurity leadership. The technical and cultural divide between IT and OT continues to hinder progress until leadership bridges these gaps through meaningful engagement with all stakeholders in the OT ecosystem,” he added.

Rivera said that barring a substantial rise in CSO surpassing CISO roles within industrial organizations, “the CISO is the best positioned to lead, even despite being classically trained in IT security first. If there is some great divide, that’s the CISO allowing that kind of culture to exist, and they need to address it.” 

He concluded that every moment of division is really just a moment for collaboration that’s lost its way.