I often hear questions about risk reduction in OT cybersecurity. It is a reasonable question: is the next security control worth its cost, and is the risk it reduces high enough to matter? The question gets harder when we do not fully understand the risks. People often ask: if we don't have reliable data showing how many real threats exist in OT networks, why invest heavily in detection? Why not focus on prevention and keep adversaries out in the first place?
That question is fundamentally flawed, especially for organizations that have historically underinvested in OT cybersecurity relative to their IT cybersecurity. In my experience it is also badly misaligned with the expectations of CEOs and non-security executives. Understanding why requires stepping back from the cyber risk debate entirely and looking at what industrial organizations are actually being asked to accomplish, especially as businesses evolve with more automation, AI, and complexity.
Asking “how many incidents are we really seeing” assumes we have enough visibility into OT environments to make a reliable assessment. We don’t. Fewer than one in ten OT networks worldwide has network monitoring in place. The incidents we know about come from that fraction. The threats in the other 90 percent are largely invisible, but invisible is not the same as absent. And what we are seeing in the monitored fraction is already alarming.
Asking for census-level data on OT incidents before committing to investments sounds reasonable. But the absence of recorded incidents is not evidence of safety. In most cases it is evidence of a monitoring gap. More importantly, regardless of the number of incidents, and regardless of whether anyone cares about state and non-state cyber actors, there is a related problem that gets far less attention.
When organizations are not monitoring their OT environments, they also tend to have a false sense of how effective their prevention is. You cannot confirm that adversaries are being kept out if you have no visibility into whether they are getting in, and preventive controls atrophy over time through changes, misconfigurations, and human interaction: a firewall rule added for a one-off vendor session, a remote access path that was never removed, a segmentation boundary quietly bridged during an upgrade. Without visibility to reinforce them, that atrophy leaves most organizations believing they have more prevention capability than they actually do. Prevention and detection are not competing investments. You need both, and without the monitoring foundation you cannot adequately assess how well either is working.
Regardless of anyone’s view on prevention versus detection, or of the level of risk they face, all of it sits on top of a much larger problem that needs to be addressed. Most organizations do not have the fundamentals in place that business operations require. At some levels this is not a risk conversation at all; it is a business capability discussion.
Most of the community has not caught up on the foundational investment needed to operate modern OT environments in a way that satisfies the requirements of the business or, in some cases, the requirements of the law.
An easy way to visualize and think through this is a pyramid of investments in an OT cybersecurity program, with three tiers.
The tiers are not a strict sequence. You should be thinking about all three at once when designing a program, because the investments overlap substantially and a program built in silos will cost more and deliver less. The pyramid also reflects maturity: understanding where an organization actually stands in each tier clarifies the right investment level for each.
The base of the pyramid is legal and regulatory requirements. NERC CIP, NIS2, SEC disclosure requirements, regional standards, and health and safety regulations are things organizations must invest in regardless of the threat calculus and regardless of any desire to reduce risk. There is no debate about whether the dollar goes to compliance, because the law requires it. The electric sector has built the strongest security posture of any industrial sector largely because NERC CIP has driven sustained investment over many years. Compliance drove capability, even when the motivation was obligation rather than threat response. That said, the base tier is never finished. Regulations are expanding faster than most organizations can keep up, with newer requirements like NIS2 and emerging regional standards continuously raising the floor. The base is the most developed tier in most organizations, but it is still a moving target.
The middle tier is business capability. These are the things executives, boards, investors, and operations leaders expect an organization to be able to do, regardless of whether a cyberattack is involved. Root cause analysis when something goes wrong. Visibility into what is happening across operations. Recovery within defined time windows. The ability to determine whether an outage was caused by a cyber event, a contractor mistake, a configuration change, or equipment failure. These are not cybersecurity investments in the narrow sense. They are operational and business investments. This tier is significantly underdeveloped at most organizations, partly because the fast-changing nature of automation environments, including AI, digitization, and systems of systems, means that simply maintaining the same level of capability requires ongoing investment. The expectations placed on operations leaders are rising faster than most programs are keeping pace. In a significant number of the incidents I am involved in, I feel I play therapist to the CEO and board, explaining that they cannot do what they thought they could do. Green dashboards and KPIs focused on IT cybersecurity misrepresented the state of maturity of OT security and business capability. There are fundamental business expectations that a “prevent the bad” strategy cannot meet when root cause analysis cannot be done effectively.
The top of the pyramid is cyber risk reduction: investments made specifically to reduce the probability and impact of adversary action, above and beyond what compliance and business capability require. This is where an intelligence-driven approach, knowing what adversaries are actually targeting in your sector and building controls around that picture rather than gold-plating every possible risk, is the right guide to prioritization. The Five ICS Cybersecurity Critical Controls, which Tim Conway and I developed at the SANS Institute, provide a guide. Many of the IT security controls that provide detection, such as endpoint detection and response (EDR), work in an IT world but do not detect the types of OT attacks we are seeing, such as mis-operation of equipment: a controller, RTU, or protective relay cannot host an endpoint agent, and a malicious setpoint change or mode switch arrives as a legitimate, correctly formed industrial protocol command that only network-level monitoring with process context can flag. So many organizations think they have a prevention/detection/response strategy when they actually have a prevention/policy-level-response strategy. It is fine to execute any strategy you want, but you must be honest with yourself, and with your executives, about what you can and cannot do, or you end up misaligned. The problem relative to the pyramid is that most organizations are still struggling to fully build the first two tiers, yet the debate keeps centering on the top, as if the lower tiers were complete. You cannot have a productive conversation about optimizing the top of the pyramid if the foundation underneath it has not been adequately addressed.
When the conversation focuses on “how many incidents justify detection investment,” it treats OT security as if it were purely a cyber risk problem. But a significant portion of the investment case for visibility and monitoring has nothing to do with adversaries. It has to do with understanding your operations: root cause analysis for a plant trip, knowing what changed when something breaks, meeting disclosure obligations, and demonstrating operational resilience to regulators and investors. People can die in operations environments. Debating whether we have covered a risk to human life based on our limited understanding of cyber threat activity is naïve at best and malicious at worst.
This matters whether you are a CISO building a security program or a CEO or board member trying to understand what your organization actually needs. The question is not just “are we protected from attackers” but “do we have the operational insight to run the business, meet our legal obligations, and recover when something goes wrong?”
When you design a program with all three tiers in mind at the same time, the investments overlap substantially. This is where the Five ICS Cybersecurity Critical Controls reveal their full value; they were designed around exactly this logic. An incident response plan that is tested and maintained satisfies a compliance requirement, prepares the organization for operational disruption of any cause, and builds the muscle memory for a cyber incident response. Network visibility and monitoring gives operations the situational awareness it needs day to day and gives security the detection foundation it needs when an adversary appears. These are not purely cyber controls. They are operational resilience controls that are also effective cyber defenses. If you think about all three tiers up front, you will find that much of what you need at the top you are already building at the lower tiers. Organizations that build these capabilities for operational and business reasons get cyber defense as part of the return.
The question of where to put the next dollar is real, and resources are finite. But the framing that asks “are there enough incidents to justify detection investment” is the wrong frame. The right questions are: Have we fully met our legal and regulatory requirements, including the ones that are still expanding? Have we built the operational and business capability our leadership requires, in an environment that grows more complex every year? Are we giving our security teams the tools and intelligence they need to do their jobs?
For the vast majority of organizations, the answer to at least one of those questions is no. The broad community is not at risk of overinvesting in OT security. We are at risk of continuing to debate the marginal value of the next dollar while the foundation remains incomplete, treating cyber risk as if it were isolated from the operational and business needs it is inseparable from.
Design the program as a system, assess where your organization actually stands across all three tiers, and the right investments become much clearer.