Commentary | OT / ICS | Critical Infrastructure

The OT/ICS Blind Spot: Why Your Cyber Risk Picture Is Missing Half the Picture

Ask a CISO at a utilities company to describe their cyber risk. You’ll likely hear about phishing resistance, patch cadence, endpoint detection coverage, and the results of the most recent penetration test. These are the right questions for an IT estate.

Ask the same CISO about their operational technology — the SCADA systems managing water pressure, the distributed control systems regulating power distribution, the historian servers logging plant data — and the answer will often change character. Coverage will be described in terms of physical security and vendor support contracts. Detection will be described as “the engineers would notice if something was wrong.” The patch cadence question will reveal systems running Windows XP Embedded, unsupported PLCs, and software stacks that haven’t seen a security update in a decade because updating them requires recertifying the process they control.

This is not a failure of individual CISOs. It is a structural feature of how industrial environments have been built and governed — and it is now one of the most significant security exposures in the Western economy.

The Air Gap That Isn’t

The traditional justification for lighter security controls in OT environments was the air gap: industrial systems were physically separated from corporate networks and the internet, so the attack vectors that threatened IT systems simply didn’t apply.

This was approximately true in the 1990s. It has been progressively less true ever since.

The pressure to connect OT systems to corporate networks came from legitimate business needs: real-time production monitoring, remote maintenance by vendor engineers, supply chain integration, and the data analytics initiatives that promised to optimise industrial processes. Each connection made sound commercial sense in isolation. Collectively, they demolished the air gap.

Today, a typical manufacturing plant or utility operator has dozens of pathways between its OT environment and the outside world — some well-documented, many not. Remote access for vendor support. Corporate historian servers pulling data from plant systems. Engineering laptops that move between the corporate WiFi and the OT network. Industrial IoT sensors with direct internet connectivity. Jump servers with weak authentication sitting at the IT/OT boundary.

The air gap is a comfort blanket that most OT environments shed years ago. The security model built on it remains.

What Attackers Know That Boards Don’t

State-sponsored threat actors, and increasingly sophisticated criminal groups, have been studying OT environments for over a decade. The Stuxnet operation, which destroyed Iranian uranium centrifuges in 2010, demonstrated that physical destruction through software was possible. The attacks on Ukraine’s power grid in 2015 and 2016 demonstrated that a determined adversary could cause real-world outages. The Triton/TRISIS attack on a Saudi petrochemical facility in 2017 targeted safety instrumented systems — the last line of defence against catastrophic physical failure.

The techniques have been documented, published, and incorporated into the toolkits of multiple state actors. What was once the domain of specialist nation-state capability is now understood broadly enough that sophisticated criminal groups have begun exploring OT targets.

The attackers have a detailed picture of your OT vulnerabilities. Most boards do not.

A Framework for Boardroom Questions

If you are a board member, NED, or senior executive at an organisation that operates industrial processes, utilities, transport systems, or physical infrastructure, these are the questions you should be asking — and expecting substantive, evidence-based answers to:

Inventory: Can you show me a complete inventory of OT assets, their network connectivity, and their patch status? (If the answer takes weeks to compile, that is itself an answer.)

Segmentation: How are our OT and IT networks separated? Has that separation been tested by an independent party in the last 12 months?

Detection: Do we have the capability to detect anomalous behaviour on our OT network? Who monitors it, and what is the response process?

Vendor access: Who has remote access into our OT environment, under what controls, and when was that access last reviewed?

Resilience: If our OT systems were disrupted or unavailable for 72 hours, what is the operational impact and what is our recovery plan?

The organisations that have answered these questions honestly have, without exception, identified gaps. The ones that haven’t asked are the ones you read about in incident reports.
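The detection question above is easy to ask and hard to evidence. The following is an added example, not code from the article or from any vendor product, showing the minimum capability the question is really asking for: learn which hosts normally talk to which controllers, and with which Modbus function codes, then flag anything outside that baseline. All IP addresses and records are constructed, and the engineering-host allowlist (ENGINEERING_HOSTS) is an assumption standing in for the site's change-control register.

```python
from dataclasses import dataclass

# Constructed sample telemetry (not from any real plant): one record per observed
# Modbus/TCP request as "source_ip,destination_ip,function_code".
# Common Modbus function codes: 3 = Read Holding Registers, 6 = Write Single Register,
# 8 = Diagnostics, 16 = Write Multiple Registers.
BASELINE_RECORDS = [
    "10.10.1.5,10.10.2.20,3",   # HMI polling PLC-A
    "10.10.1.5,10.10.2.20,3",
    "10.10.1.5,10.10.2.21,3",   # HMI polling PLC-B
    "10.10.1.9,10.10.2.20,16",  # engineering workstation writing setpoints to PLC-A
    "10.10.1.9,10.10.2.20,3",
    "10.10.1.7,10.10.2.20,3",   # historian reading PLC-A
]

LIVE_RECORDS = [
    "10.10.1.5,10.10.2.20,3",      # normal HMI poll
    "10.10.1.9,10.10.2.20,16",     # normal engineering write
    "10.10.1.7,10.10.2.20,6",      # historian starts writing: unseen, and not an engineering host
    "192.168.50.4,10.10.2.21,16",  # host from the corporate range writes to PLC-B: unseen pair
    "10.10.1.5,10.10.2.20,8",      # HMI issues a diagnostics request it has never issued before
]

# Assumed allowlist of hosts permitted to issue writes (in practice, taken from the
# site's engineering change-control register).
ENGINEERING_HOSTS = {"10.10.1.9"}

# Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    function_code: int
    reasons: tuple


def parse(records):
    """Yield (src, dst, function_code) tuples from the CSV-style records."""
    for record in records:
        src, dst, fc = (field.strip() for field in record.split(","))
        yield src, dst, int(fc)


def learn_baseline(records):
    """Map each (src, dst) pair to the set of function codes seen during the baseline window."""
    baseline = {}
    for src, dst, fc in parse(records):
        baseline.setdefault((src, dst), set()).add(fc)
    return baseline


def detect(baseline, records, engineering_hosts=ENGINEERING_HOSTS):
    """Return one Alert per live record that deviates from the baseline or the write allowlist."""
    alerts = []
    for src, dst, fc in parse(records):
        reasons = []
        seen_codes = baseline.get((src, dst))
        if seen_codes is None:
            reasons.append("source/destination pair not in baseline")
        elif fc not in seen_codes:
            reasons.append(f"function code {fc} not in baseline for this pair")
        if fc in WRITE_FUNCTION_CODES and src not in engineering_hosts:
            reasons.append("write from host outside engineering allowlist")
        if reasons:
            alerts.append(Alert(src, dst, fc, tuple(reasons)))
    return alerts


def run_detection():
    """Learn from the constructed baseline and evaluate the constructed live records."""
    return detect(learn_baseline(BASELINE_RECORDS), LIVE_RECORDS)


if __name__ == "__main__":
    for alert in run_detection():
        print(f"{alert.src} -> {alert.dst} fc={alert.function_code}: {'; '.join(alert.reasons)}")
```

Two of the three alerts this produces (a historian that begins writing, and a corporate-range host writing to a controller) are exactly the events that “the engineers would notice” only once the process misbehaves. The baseline also doubles as evidence for the inventory and segmentation questions: every pair it contains is a connection someone should be able to account for.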

The Governance Question

The deeper issue is that OT security tends to fall between organisational ownership structures. IT security teams don’t own OT systems and often lack the engineering knowledge to assess them. OT engineers understand the systems but don’t think in terms of cyber threat. The CISO’s remit may formally include OT but their team has neither access nor tools configured for industrial environments.

Resolving this requires a deliberate governance decision — usually one that only a board or CEO can make — to assign clear accountability, fund a baseline assessment, and integrate OT risk into the enterprise risk picture alongside IT risk.

This is not a technology problem. It is a governance problem. And it is one with a narrowing window for action.