
The move toward sustainable industrial cyber risk management reflects a growing recognition of how fragile and interdependent critical manufacturing systems are. Treating cybersecurity as a one-time expense, or as an IT problem that the plant floor can leave to someone else, is no longer sufficient. Two things are driving the shift: the sophistication and precision of contemporary threats, and the fact that digital systems now directly control physical infrastructure, where even a brief malfunction can endanger lives, halt production, or ripple through supply chains.

Increasingly, organizations are moving beyond simply responding to cybersecurity crises. They are realizing that cyber resilience must be a living part of their operations: continuously evolving, grounded in governance, and backed by leadership. The question is no longer whether a disruption will occur but how ready the organization is for it, which above all means building security into operations rather than bolting it on afterwards. A business's ability to absorb a shock, adapt, and keep operating under pressure is becoming a performance metric in its own right, measured alongside uptime and safety statistics rather than apart from them. It is not a technical checkbox; it is a strategic commitment that is becoming the new baseline for industrial trust and continuity.

At the heart of this change lies security by design. Organizations are working to build security into OT (operational technology) environments from the start, from system architecture through vendor procurement to lifecycle management, rather than adding protections piecemeal after deployment. That requires legacy procedures to be reconsidered and a cultural change across the engineering, IT, and security teams.

The path is made harder by an acute shortage of OT cyber skills. Organizations are addressing it by hiring specialists and, for the longer term, by building pipelines through internal reskilling, structured knowledge transfer, and partnerships with universities.

The ISA/IEC 62443 series of industrial cybersecurity standards gives sustainable industrial cyber risk management a structured footing. These widely recognized models let industries tie risk mitigation to real industrial processes, support system interoperability, and measure progress against common benchmarks, which helps turn cyber defense from an after-the-fact response into a continuous, sustainable discipline.

Developed by practitioners, for practitioners, the inaugural ‘Industrial Cyber Days Manufacturing’ conference, focused on the APAC region, will address these issues. 

What’s driving sustainable cyber risk management? 

Industrial Cyber consulted experts on how specific operational pressures in their industries, such as regulatory requirements, safety concerns, or uptime demands, shape the way organizations approach sustainable cyber risk management.

Shiv Kataria, a senior key expert for R&D at Siemens India

“These factors necessitate a customized approach, wherein risk management must be integrated into operational priorities,” Shiv Kataria, a senior key expert for R&D at Siemens India, told Industrial Cyber. “For instance, in highly regulated sectors such as energy or pharmaceuticals, compliance with frameworks like NIS 2 or NERC CIP necessitates investment in fundamental cybersecurity capabilities. Safety concerns further influence the requirement for cybersecurity programs, especially post an incident. Downtime is not merely a financial risk; it is a systemic one. Therefore, security strategies must harmoniously integrate with availability objectives, not impede them.”

Ravindra S Gotavade, senior domain architect for external OT security at Tetra Pak

Ravindra S Gotavade, senior domain architect for external OT security at Tetra Pak, noted that the food and beverage sector in which he works is heavily regulated to ensure product safety and quality, so cybersecurity measures must align with those stringent regulations.

“Safety concerns are paramount, given the potential health implications of any cyber-related disruptions, leading to robust and proactive cybersecurity strategies,” Gotavade told Industrial Cyber. “Additionally, the industry’s reliance on continuous production processes means that uptime demands are critical, requiring resilient cyber defences to minimize downtime and maintain operational efficiency.”

Mini TT, a software security architect at Celestica

“I would consider the perspective of a product development organization and component security. The product development organizations navigate stringent security certifications like FIPS 140-3 and Common Criteria to meet government and enterprise security requirements,” Mini TT, a software security architect at Celestica, told Industrial Cyber.

Turning to FIPS 140 validation (FIPS 140-3 has replaced FIPS 140-2 for new CMVP submissions), Mini said that vendors developing cryptographic modules must ensure compliance with the Federal Information Processing Standards (FIPS). “This involves rigorous testing of encryption algorithms, key management, and physical security to obtain validation from the Cryptographic Module Validation Program (CMVP).”

She added that vendors seeking global recognition for security assurance must undergo Common Criteria evaluations, which assess security functionality based on predefined Protection Profiles. “This certification is crucial for selling security products to government agencies and regulated industries. Both certifications require extensive documentation, testing, and collaboration with accredited labs to achieve compliance, ensuring products meet high-security standards.”

Mini mentioned that the selection of the underlying chipset and the design play a crucial role in achieving these goals. “Hardware security modules, trusted platform modules, and hardware roots of trust are extensively used to achieve the security goals.”

Nrusingha Padhy, senior manager for IACS/OT cybersecurity at Viatris

Nrusingha Padhy, senior manager for IACS/OT cybersecurity at Viatris, told Industrial Cyber that operational integrity as per approved SOPs is a non-negotiable practice in the pharmaceutical industry. “Penalty could mean zero bottom line. So, intertwining cyber risk postulates in existing mandates efficiently is the key to achieving the desired risk level.”

Turning cyber resilience into ongoing commitment

Drawing on their experience, the executives explore what a sustainable cyber resilience strategy truly entails for industrial organizations and how companies can ensure it is an ongoing, evolving effort rather than a one-time initiative.

“In my experience across the Asia Pacific region, a sustainable cyber resilience strategy is predicated on three fundamental pillars: governance, operational integration, and iterative improvement,” Kataria said. “Organizations that achieve success typically establish a cybersecurity governance framework that aligns seamlessly with their business objectives, underpinned by clear and accountable leadership. Operationally, they integrate threat modeling, asset visibility, and incident response exercises into their daily workflows, thereby transforming security from a periodic audit exercise into a dynamic and ongoing operational discipline.” 

He added that sustainability also entails adapting to the evolving threat landscape. “I have observed leading firms establish internal cyber task forces and community threat-sharing groups to maintain their adaptability, particularly in the face of increasingly sophisticated threat actors targeting operational technology (OT) environments.”

Gotavade said that where he currently works, a sustainable cyber resilience strategy for industrial organizations involves a comprehensive, multi-layered approach that includes continuous monitoring, regular updates, employee training, and adaptive measures. 

“Companies today ensure it evolves by investing in ongoing risk assessments, staying informed about emerging threats, and adopting advanced technologies to bolster their defenses. Organizations must view cyber resilience as an ongoing commitment rather than a one-time effort; embedding it into the culture and operations of any organization, to keep up with the ever-changing threat landscape, is critical to staying ahead of cyber threats.”

“To achieve a sustainable strategy, adaptive security measures and continuous innovation are key elements,” Mini said. “I see that the internal compliance requirements for secure product development are designed for evolution. While the secure development compliance requirements are designed to take care of the state-of-the-art practices, they are also designed for evolution. Processes are put in place to evolve the baseline security requirements as the industry and compliance requirements evolve. For example, we have seen the focus on hardware supply chain security as well as software supply chain security in recent years, promoting transparency using SBOM.” 

She added that the capability to adapt the internal processes and lead the adoption by developing capabilities, employing tools, and processes is what makes processes sustainable. “Product development companies embed resilience into their design by prioritizing secure-by-design principles, ensuring SDL practices, and fostering a culture of continuous improvement.”

Padhy said that, in practice, cyber resilience is still being upheld largely by the cybersecurity department alone. “Mainstream acceptance and routine application of cybersecurity requirements ask for a paradigm cultural shift, and it is happening at a much slower pace compared to the rise of cyber threats.”

Focus on integrating security by design across OT environments

As digital transformation accelerates in the APAC region, executives explore how organizations are effectively balancing the adoption of advanced technologies with the integration of security by design into OT and control systems.

Kataria noted that organizations that strike the right balance are those that embrace the risk-based ‘security by design’ principle in their OT and control systems. “This is evident in the procurement stage, where security baselines are integrated into request for proposals (RFPs), and in system integration, where network segmentation, secure remote access, and asset-hardening practices are being adopted proactively. Consequently, progressive organizations are now conducting security architecture reviews before the implementation of digital initiatives.”

“Not only for APAC, it applies to every region in the world,” according to Gotavade. “This involves incorporating security protocols during the development and implementation phases, ensuring that new technologies are secure by default. Regular risk assessments, employee training, and continuous monitoring are key components in maintaining this balance, allowing organizations to innovate while safeguarding their operations.”

Mini does not perceive advanced technologies and security as being in conflict; instead, she sees them as complementary. “For instance, AI-driven threat detection and machine learning-based models for component attestation are the advances happening in ensuring the security of hardware components. While technological advancements are progressing rapidly, the risk of inadequate security assessments and controls continues to grow.”

Padhy observed that security by design is still the next level for many organizations. “Now, typically, most of them are still trying to make OT cyber defense an adjunct to the mainstream business operation.”

Applying ISA/IEC 62443 standards to strengthen industrial cyber defense

The executives highlight how frameworks like ISA/IEC 62443 can be applied in real-world scenarios to help industrial organizations move from reactive to proactive risk management, especially in the context of supply chain and ecosystem-wide security. 

Kataria said that frameworks such as ISA/IEC 62443 provide a structured path from reactive to proactive risk management. “In practice, applying the 62443-3-3 security levels to segment assets and prioritize controls establishes a robust foundation.”

He added that organizations are utilizing 62443-2-1 to develop cybersecurity management systems that span their supply chain, encompassing original equipment manufacturers (OEMs) to system integrators. “By adopting these standards not merely as checklists but as strategic tools, companies establish repeatable, auditable, and ecosystem-aware risk management programs that can be scaled effectively.”

“Frameworks like ISA/IEC 62443 can be applied in real-world scenarios to help industrial organizations move from reactive to proactive risk management, which is the need of the day, particularly in the context of supply chain and ecosystem-wide security,” according to Gotavade. “By implementing these frameworks, organizations can establish standardized security practices, enhance collaboration among key stakeholders, and ensure that cybersecurity measures are integrated throughout the entire supply chain.” 

He recognizes that this proactive approach helps identify vulnerabilities early, mitigate risks, and maintain a resilient and secure operational environment.

“ISA/IEC 62443-4-1 and 4-2 help industrial organizations transition from reactive to proactive risk management by embedding security into product development and system components,” Mini said. “IEC 62443-4-1 focuses on secure development practices, ensuring that manufacturers integrate cybersecurity from the design stage, reducing vulnerabilities before deployment. IEC 62443-4-2 establishes technical security requirements for industrial components, ensuring they meet robust protection standards. 62443-4-1 is usually used for deriving SDL process requirements, including handling product vulnerabilities and patch management.” 

“An exhaustive gap assessment based on ISA 62443, followed by a well-researched set of mitigating controls, both technical and procedural, is necessary to build up the CSMS (Cybersecurity Management System),” Padhy said. “Time-tracked routine review is key to ensure that the momentum stays sustained.”
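Kataria's point about using the 62443-3-3 security levels to segment assets and prioritize controls, and Padhy's point about a gap assessment driving the CSMS, come down to the same mechanic: each zone gets a target security level (SL-T) expressed as a vector over the seven foundational requirements (FR 1 to FR 7, levels 0 to 4), the deployed controls are assessed for the achieved level (SL-A), and the per-FR shortfall tells you where to spend next. The script below is an added example, written for this page rather than taken from the article or from any speaker's organization. The FR names and the 0 to 4 level scale are those of the standard; the three zones, their assets and their SL vectors are constructed for illustration, and the ordering rule in `prioritize` (largest shortfall first, then highest target) is an assumption of this example, not something the standard prescribes.

```python
"""Zone-level ISA/IEC 62443-3-3 security-level gap assessment (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# The seven foundational requirements over which 62443-3-3 expresses a
# security level; an SL is a 7-element vector with one value 0..4 per FR.
FRS = (
    "FR1 IAC",  # identification and authentication control
    "FR2 UC",   # use control
    "FR3 SI",   # system integrity
    "FR4 DC",   # data confidentiality
    "FR5 RDF",  # restricted data flow
    "FR6 TRE",  # timely response to events
    "FR7 RA",   # resource availability
)
MAX_SL = 4


def sl_vector(*levels: int) -> tuple[int, ...]:
    """Validate a security-level vector: exactly one level per FR, each 0..4."""
    if len(levels) != len(FRS):
        raise ValueError(f"expected {len(FRS)} levels, got {len(levels)}")
    for v in levels:
        if not 0 <= v <= MAX_SL:
            raise ValueError(f"security level {v} outside 0..{MAX_SL}")
    return tuple(levels)


@dataclass(frozen=True)
class Zone:
    name: str
    assets: tuple[str, ...]
    sl_target: tuple[int, ...]    # SL-T: level the risk assessment requires
    sl_achieved: tuple[int, ...]  # SL-A: level the deployed controls deliver


def gap(zone: Zone) -> dict[str, int]:
    """Per-FR shortfall of achieved versus target level (0 where the target is met)."""
    return {fr: max(0, t - a)
            for fr, t, a in zip(FRS, zone.sl_target, zone.sl_achieved)}


def meets_target(zone: Zone) -> bool:
    return all(v == 0 for v in gap(zone).values())


def prioritize(zones: tuple[Zone, ...]) -> list[tuple[str, str, int, int]]:
    """Rank (zone, FR, gap, SL-T): largest shortfall first, then highest target,
    then zone and FR name so the order is stable and auditable. This ordering
    rule is an assumption of the example, not a requirement of the standard."""
    rows = [(z.name, fr, g, z.sl_target[FRS.index(fr)])
            for z in zones for fr, g in gap(z).items() if g]
    return sorted(rows, key=lambda r: (-r[2], -r[3], r[0], r[1]))


# Constructed inventory for a hypothetical plant (not from the article).
ZONES = (
    Zone("Safety instrumented system", ("SIS-01", "SIS-02"),
         sl_vector(3, 3, 3, 2, 3, 3, 3), sl_vector(3, 2, 2, 2, 3, 1, 3)),
    Zone("Basic process control", ("PLC-01", "PLC-02", "HMI-01"),
         sl_vector(2, 2, 2, 1, 2, 2, 2), sl_vector(2, 2, 1, 1, 1, 1, 2)),
    Zone("Industrial DMZ", ("HIST-01", "JUMP-01"),
         sl_vector(2, 2, 2, 2, 2, 2, 1), sl_vector(2, 2, 2, 2, 2, 2, 1)),
)


def report(zones: tuple[Zone, ...] = ZONES) -> list[str]:
    """Human-readable gap report: one status line per zone, then the ranked backlog."""
    lines = []
    for z in zones:
        status = "meets SL-T" if meets_target(z) else "below SL-T"
        lines.append(f"{z.name}: {status} (assets: {', '.join(z.assets)})")
    for name, fr, g, t in prioritize(zones):
        lines.append(f"  {name} / {fr}: raise by {g} to reach SL {t}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as-is, the constructed data puts the safety zone's two-level shortfall in FR 6 (timely response to events) at the top of the backlog, ahead of the one-level gaps, while the DMZ zone reports no gap at all. Replacing `ZONES` with a real zone-and-conduit model, and re-running after each control is deployed, is the "time-tracked routine review" Padhy describes: the report either shrinks or it does not, and the diff is the evidence.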

OT cyber talent shortage demands long-term solutions

Looking at talent as a recurring challenge, the executives identify practical steps that help build up local OT cybersecurity expertise and leadership for the long haul.

Recognizing talent as a significant constraint, Kataria said that several practical initiatives are gaining momentum in India and Southeast Asia. “Firstly, industry-academia collaboration is promoting domain-specific curricula, particularly in electrical, instrumentation, and automation programs. Secondly, companies are investing in internal OT cyber labs for practical learning and red-teaming exercises. Additionally, mentorship-driven communities, such as the OT Security Huddle, BesidesICS, etc., have gained popularity, effectively bridging knowledge gaps through practitioner-led dialogue and case study sharing.”

“OT Cybersecurity Awareness is the ‘Key to the kingdom,’” Gotavade said. “A lot of small OT Security forums/communities have come up in the last 2 years, like OT Security Professionals, ISA active sections across India in regions like Pune, Bangalore, Delhi, Gujarat, are increasing the overall awareness across sectors and developing the future leaders who know both IT and OT.”

Mini recognizes that talent development in security is evolving rapidly, with communities playing a crucial role. “These communities foster growth through expert-led webinars, knowledge-sharing sessions, and collaborative learning opportunities. OT Security Professionals is one of the active communities highly focused on OT security. There is a growing interest in security certifications, as professionals seek to validate their expertise.” 

She highlighted that organizations actively support talent development by offering structured certification programs and progressive learning pathways. “By bridging skill gaps and encouraging continuous education, both industry groups and businesses are helping build a robust cybersecurity workforce. These collective efforts ensure security professionals stay ahead of emerging threats and technological advancements, strengthening the overall security landscape.”

Padhy identified that a group of diverse but contextual skills is sought to stitch together to form an OT cybersecurity team. “I’ve seen, at least one member each from – ICS/OT, networking, apps, IT infrastructure, and IT security. Typically, IT and OT security meet at common leadership even now, in most places. But, the best repertoire for an industrial CISO is a balanced mix of IACS, IT security, and IT infrastructure with stakeholder management skills,” he concluded.