
OT Security


OT Security Is Becoming a Board-Level Issue

Operational technology risk has crossed the threshold from an engineering concern to a board-level business risk. The organizations that have not made that transition in their governance model are carrying exposure that their boards do not fully understand.

CISO2CISO Editorial | 8 min | 2026-05-22


Executive Summary

Operational technology security was, for most of its history, an engineering discipline. The people who understood it were process engineers, control system specialists, and plant operators. Security, where it existed at all, was largely a function of physical isolation — air gaps between industrial control systems and the broader network that meant cyber threats could not easily reach the processes they controlled.

That isolation is gone. The efficiency imperative of the past two decades has driven IT-OT convergence at every level: remote monitoring of industrial systems, predictive maintenance platforms, cloud-connected operational data, vendor remote access for support and maintenance, and enterprise integration for production reporting. Each of these connections has delivered genuine operational value. Each has also eliminated a segment of the isolation that made OT environments relatively resistant to cyber threats.

The result is that the industrial attack surface has become genuinely material to business continuity, safety, and financial performance in ways that most boards have not fully internalized. The incidents that demonstrate this — ransomware attacks that shut down production lines, intrusions that disrupted pipeline operations, attacks on water treatment infrastructure — are no longer hypothetical. They are documented, recurring, and increasingly targeted at the specific systems that control the most consequential industrial processes.

Why This Matters Now

The threat landscape for OT environments has matured significantly. A decade ago, industrial control system attacks were predominantly the domain of nation-state actors with specific strategic objectives — the kind of attacks that Stuxnet represented. The target set was narrow, the capabilities required were substantial, and most industrial organizations were not primary targets.

That calculus has changed. Criminal ransomware groups have developed specific capabilities for industrial environments, understanding that organizations with operational downtime costs measured in millions of dollars per hour have strong incentives to pay quickly. The Colonial Pipeline attack — which shut down fuel delivery across a significant portion of the US eastern seaboard because of a ransomware attack on the IT network, not the OT systems — demonstrated the business impact that operational disruption can produce even without directly compromising control systems. It also demonstrated that the boundary between IT and OT risk is porous in ways that most organizations had not fully modeled.

The regulatory environment has intensified in parallel. Critical infrastructure sectors — energy, water, transportation, manufacturing, healthcare — face increasing regulatory requirements for OT security across multiple jurisdictions. The EU's NIS2 directive significantly expanded the scope of covered entities and strengthened requirements. US CISA guidance and sector-specific regulations have created accountability frameworks that were previously absent. Board members at organizations in these sectors face a regulatory environment that is actively scrutinizing OT security governance.

CISO2CISO Insight

The OT security conversation becomes a board conversation the moment someone asks "what happens to production — and to safety — if our most critical control systems are unavailable for 72 hours?" Most organizations have not honestly answered that question. The boards that should be asking it often do not know to ask it.

The Four Dimensions That Make OT Security Different

Legacy architecture at scale. Industrial control systems were designed with a primary objective of reliability and availability — not security. Many of the PLCs, SCADA systems, DCS platforms, and HMIs in production environments today were designed in an era when network connectivity was not a design assumption, and security was not a design criterion. These systems often run on operating systems with no patch support, have no authentication mechanisms, and communicate on protocols designed for efficiency rather than security. The challenge is not merely that these systems are old — it is that they are deeply integrated into physical processes that cannot be stopped for the weeks or months a comprehensive modernization would require.

Safety-availability-security tension. In IT environments, security and availability are sometimes in tension, but the resolution is usually clear: security controls that create some operational friction are worth implementing because the alternative risk is worse. In OT environments, the tension is three-way — and safety is the non-negotiable constraint. Any security control that introduces even a small risk of disrupting a safety-critical process must be evaluated against a consequence set that includes not just business continuity but physical safety. This constraint makes many standard security approaches inapplicable or requires their careful adaptation.

IT-OT convergence governance gap. The convergence of IT and OT networks has created a governance gap that most organizations have not yet closed. IT security teams typically do not have the engineering knowledge to assess control system risk. OT engineering teams typically do not have the security expertise to evaluate cyber threats or implement security controls. The organizational model that worked when these were separate domains — IT security managing IT, engineering managing OT — does not work in an environment where the connections between them create shared risk. Building the joint governance model is a structural challenge that requires both organizational change and new competency development.

Vendor and remote access exposure. Industrial control system vendors, integrators, and maintenance contractors represent a significant and often underappreciated attack surface in OT environments. Vendor remote access — essential for support and maintenance of specialized systems — creates persistent connectivity to production environments that is often governed with less rigor than equivalent IT access. The understanding that supply chain attacks can reach OT environments through trusted vendor relationships is well-established in threat intelligence. The governance of vendor access in most OT environments does not reflect that understanding.

Executive Framework

OT risk dimension      | Business consequence                       | Governance requirement
Legacy system exposure | Production disruption, safety risk         | Risk-prioritized segmentation and monitoring
IT-OT convergence      | Expanded attack paths from IT to OT        | Joint governance model and network architecture review
Vendor remote access   | Supply chain attack paths                  | Scoped access, monitoring, and regular review
Recovery readiness     | Extended downtime for complex restoration  | OT-specific DR planning and tested recovery procedures
Regulatory compliance  | Sector-specific liability                  | Compliance mapping and evidence architecture

What CISOs Should Do Next

  • Commission an OT asset inventory if one does not exist — the most fundamental requirement for OT security governance is knowing what is in the environment, and the gap between documented and actual assets is consistently significant.
  • Model the business impact of OT disruption scenarios for your most critical systems: what are the safety, production, financial, and regulatory consequences of specific system unavailability, and over what time horizons?
  • Assess your IT-OT network connectivity: map the actual paths between corporate IT and industrial control environments, including vendor access paths, and evaluate each connection for necessity and governance quality.
  • Establish a joint IT-OT security governance function: the organizational separation that made sense before convergence is now a governance gap — building the joint model requires executive sponsorship.
  • Develop OT-specific incident response and recovery plans: IT incident response procedures are not applicable to industrial environments without significant adaptation, and the differences matter in a crisis.
  • Present OT risk to the board as a business continuity and safety governance issue — not as a technical security matter — with specific scenarios, consequence estimates, and investment options.
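As an added example that is not part of the CISO2CISO article, the Python script below shows one concrete way to turn three of the steps above (the asset inventory, the IT-OT connectivity map, and the disruption-impact model at the 24/72/168-hour horizons) into something a security team can actually run and hand to the board. Every asset, connection, hourly cost and governance attribute is constructed sample data; the zone names, the 180-day review policy and the "entry zone" definition are assumptions for illustration.

```python
from collections import deque

# Constructed sample inventory: each asset with its zone, whether it is
# safety-relevant, and an assumed production cost per hour of unavailability.
ASSETS = {
    "erp-01":     {"zone": "corporate-it",   "safety": False, "cost_per_hour": 0},
    "jump-host":  {"zone": "dmz",            "safety": False, "cost_per_hour": 0},
    "historian":  {"zone": "ot-supervisory", "safety": False, "cost_per_hour": 20_000},
    "scada-01":   {"zone": "ot-supervisory", "safety": False, "cost_per_hour": 150_000},
    "plc-line-a": {"zone": "ot-control",     "safety": True,  "cost_per_hour": 250_000},
    "vendor-vpn": {"zone": "external",       "safety": False, "cost_per_hour": 0},
}

# Constructed connectivity map: directed links carrying the governance
# attributes a reviewer wants for every path into the control environment.
CONNECTIONS = [
    {"src": "erp-01", "dst": "historian", "purpose": "production reporting",
     "authenticated": True, "monitored": True, "last_reviewed_days": 40},
    {"src": "historian", "dst": "scada-01", "purpose": "data collection",
     "authenticated": True, "monitored": True, "last_reviewed_days": 40},
    {"src": "scada-01", "dst": "plc-line-a", "purpose": "process control",
     "authenticated": False, "monitored": False, "last_reviewed_days": 400},
    {"src": "vendor-vpn", "dst": "jump-host", "purpose": "vendor support",
     "authenticated": True, "monitored": True, "last_reviewed_days": 30},
    {"src": "jump-host", "dst": "plc-line-a", "purpose": "vendor maintenance",
     "authenticated": False, "monitored": False, "last_reviewed_days": 400},
]

# Assumptions: paths that matter start in corporate IT or outside the company,
# and every OT-facing link must be reviewed at least twice a year.
ENTRY_ZONES = {"corporate-it", "external"}
REVIEW_MAX_DAYS = 180


def find_paths(assets, connections, target_zone="ot-control"):
    """Breadth-first search for every path from an entry zone to an asset in target_zone.

    Each path is returned as the list of connection records it traverses.
    """
    adjacency = {}
    for conn in connections:
        adjacency.setdefault(conn["src"], []).append(conn)
    paths = []
    for start, meta in assets.items():
        if meta["zone"] not in ENTRY_ZONES:
            continue
        queue = deque([(start, [])])
        while queue:
            node, hops = queue.popleft()
            if hops and assets[node]["zone"] == target_zone:
                paths.append(hops)
                continue  # stop at the first control-zone asset on this route
            visited = {h["dst"] for h in hops} | {start}
            for conn in adjacency.get(node, []):
                if conn["dst"] not in visited:  # avoid cycles
                    queue.append((conn["dst"], hops + [conn]))
    return paths


def governance_findings(path):
    """List the governance gaps on one path; an empty list means it meets the assumed baseline."""
    findings = []
    for hop in path:
        label = f"{hop['src']}->{hop['dst']}"
        if not hop["authenticated"]:
            findings.append(f"{label}: unauthenticated")
        if not hop["monitored"]:
            findings.append(f"{label}: not monitored")
        if hop["last_reviewed_days"] > REVIEW_MAX_DAYS:
            findings.append(f"{label}: access review overdue")
    return findings


def disruption_impact(assets, horizons_hours=(24, 72, 168)):
    """Model the production cost of each asset being unavailable at the board's 24/72/168-hour horizons."""
    impact = {}
    for name, meta in assets.items():
        if meta["cost_per_hour"] == 0:
            continue  # IT and access assets carry no direct production cost in this model
        impact[name] = {
            "safety_relevant": meta["safety"],
            "cost_by_horizon": {h: meta["cost_per_hour"] * h for h in horizons_hours},
        }
    return impact


if __name__ == "__main__":
    for path in find_paths(ASSETS, CONNECTIONS):
        route = " -> ".join([path[0]["src"]] + [h["dst"] for h in path])
        gaps = governance_findings(path)
        print(route, "OK" if not gaps else gaps)
    for name, entry in disruption_impact(ASSETS).items():
        print(name, entry)
```

On the sample data the script surfaces the two things the board questions below ask about: both routes into the control zone (the enterprise reporting chain and the vendor maintenance chain) end in an unauthenticated, unmonitored, overdue link to the safety-relevant PLC, and that PLC's 72-hour unavailability cost dominates the impact model. In a real environment the inventory and connection records would come from discovery tooling and the access-review register rather than being hand-written.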

Board-Level Questions

  • Do we have a clear understanding of what happens to our critical operations — and to safety — if specific control systems are unavailable for 24, 72, or 168 hours?
  • Are we governing vendor and contractor remote access to our OT environments with the rigor that the access level warrants?
  • Have we mapped the actual connectivity between our IT and OT environments — and assessed the security implications of each connection?
  • Does our board cyber governance explicitly include OT risk, or does our reporting focus primarily on IT and data security?

Final Executive Takeaway

OT security has become a board-level issue not because the risk is new — the risk has been building for years — but because the consequences have become too large and too direct to treat as an engineering matter. Production disruption, safety incidents, regulatory liability, and the reputational consequences of a significant OT incident are all board-level outcomes that require board-level visibility and governance.

The organizations that are ahead of this issue have made a structural decision: they have integrated OT security into enterprise cyber governance rather than leaving it in the operational technology domain where it has traditionally lived. That integration is harder than it sounds — it requires new competencies, new governance structures, and new ways of modeling and communicating risk. But the alternative is a significant exposure that the board cannot govern because it has not been made visible.

The board question that should be asked in every organization with significant OT exposure is simple: if our most critical industrial systems were disrupted by a cyber incident today, do we know what would happen, and are we satisfied with our readiness to respond?