
Shifting Perspectives in OT Cybersecurity: From External Threats to Holistic Risk Management

In my last blog, I discussed the evolving landscape of OT cybersecurity, where the focus has moved from competition between vendors to collaboration. Previously, many conferences were centered around "bake-offs," where vendors competed to identify the most assets or threats. These tests, however, often failed to reflect the complexity of real-world industrial environments. Today, the conversation has shifted towards integrating solutions to strengthen overall risk management. 

I also highlighted the rise of strategic partnerships between Deep Packet Inspection (DPI) vendors, which provide real-time network visibility, and ICS configuration management solutions, which document system design and reveal deeper insights into lower levels of the technology stack. Organizations are beginning to recognize that no single technology is sufficient on its own. Instead, the focus is on how these solutions can work together to enhance both security and operational efficiency. This integrated approach is gaining traction among Global System Integrators (GSIs) who are adopting technology integration over technology replacement. These trends point to a maturing industry—one that prioritizes risk reduction over competition. 

At the end, I hinted at another significant shift—one that focuses on identifying where the biggest threats truly exist within industrial environments. I left that thought hanging, but now, let’s dive deeper into this shift and explore how the industry is rethinking the concept of threats. Understanding this change will drive the next phase of OT cybersecurity maturity. By refining our risk assessment processes, we can better align our security strategies with the challenges we face in the real world—ultimately strengthening defenses and advancing the industry.


Rethinking Risk: It’s Not Just About Probability 

The simplest, and perhaps most effective, risk formula is risk = probability × consequence. 

There are numerous factors that can influence both sides of this equation, either increasing or decreasing the probability or consequence. 

For the longest time, the industry has been primarily focused on probability. Risk has often been framed around the likelihood of a malicious outsider attempting to breach an industrial control system. However, I’m seeing a shift in the conversation. More attention is now being given to a broader range of impact factors affecting probability. Just as important, we’re also seeing an increased emphasis on incorporating consequence into the equation. This shift toward a more comprehensive approach marks a significant step forward in OT cybersecurity maturity. 

Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), shared a LinkedIn post titled "Ode to an Outage" that reflects on the CrowdStrike event. In the post, she quotes Bob Lord, Senior Technical Advisor at CISA, who stated, "We don’t have a cybersecurity problem, we have a software quality problem." Jen emphasizes that disruptions—whether caused by faulty code or cyberattacks—are inevitable: “Whether it’s a technology outage caused by faulty code or a cyber-attack (...) we must expect there to be disruption.” 

What stands out to me here is that the discussion isn’t solely about a malicious cyberattack but rather a software change that had a widespread impact. This is a crucial reality: disruptions are not just possible; they are inevitable. We cannot reduce the probability of failure to zero. Our ability to respond and recover effectively is what ultimately determines business resilience during periods of disruption. 


The Silent Threat: Internal Changes and Configuration Management 

If we revisit the risk formula risk = probability × consequence, and break down the factors influencing the probability variable, we typically think about things like connectivity, vendor conformance, known vulnerabilities and access control. However, what is often overlooked are factors like running configuration documentation, interoperability insights and configuration validation. 

These factors are often the most critical, and if we are serious about reducing risk, we must acknowledge that changes to industrial control systems (ICS) happen frequently—many of them without the proper running configuration information that maps dependencies across vendors and technology stacks. The fact is, unintentional or unknown consequences caused during standard system configuration changes—rather than malicious cyberattacks—have historically caused more widespread failures in ICS environments. 

This is a matter of simple probability. We modify ICS environments to ensure continued operation, but over time, unplanned consequences are inevitable. The likelihood of disruptions increases when we lack visibility into the intricate relationships between internal and external system configurations. 

Here’s an interesting thought: Nowhere in the risk equation does intent appear, yet market analysts, system owners and even practitioners often cannot move past the assumption that most disruptions come from external malicious actors. It's much easier to focus on threats from outside than to acknowledge that the greatest probability of disruptions arises from within the system—through changes that are unintentional and unknown in terms of consequence. 


Addressing Consequence: Backup and Recovery as Key Risk Factors 

On the other side of the risk formula, when we examine the factors influencing consequence, we typically focus on financial impact, safety, environmental risks and intellectual property loss. Backup and testing procedures are also common discussion points in this context. 

One of the core components of Hexagon’s OT Integrity platform is system backups. Over my nearly 30 years of experience with this software, I’ve had countless conversations with customers about backups—spanning the entire lifecycle of the asset, from initial purchase decisions to deployment, maintenance, recovery and even decommissioning or migration of ICS. 

A common issue that arises in these conversations is the overestimation of the effectiveness of backup processes. In reality, when we visit sites, we often find that backups are outdated—or sometimes, non-existent at all. Across the ICS asset lifecycle, having well-documented and easily accessible configuration data, typically sourced from control system backups, plays a crucial role in quickly understanding the impact of changes. This approach helps minimize the risk of errors by facilitating efficient changes and documenting them properly. 

In terms of recovery, it’s vital to have multiple trusted restore points. I emphasize multiple because, time and again, when we are involved in recovery efforts, it’s due to a failure in the disaster recovery process. Whether the primary backup is corrupted, outdated, or simply wasn’t created as planned, having multiple, reliable backups is essential for resilience. Over the years, I’ve been part of several minor recovery activities and three major ones—none of which were caused by a malicious event. In each case, the primary backup had issues, and recovery was only possible using data stored in Hexagon’s system. 
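The three ways a restore point fails in the post (never created, corrupted, or outdated) can be checked mechanically before an incident, and the check should refuse to call a site "ready" on the strength of a single copy. The following is an added example written for this post, not Hexagon's or the author's code; the restore-point records, the 30-day freshness policy and the minimum of two trusted copies are all constructed assumptions.

```python
# Added example (not Hexagon's or the author's code): triage restore points
# into the failure modes the post names (missing, corrupt, outdated) and
# require more than one trusted copy before calling recovery "ready".
import hashlib
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # constructed reference time
MAX_AGE = timedelta(days=30)                        # assumed site policy

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed restore points: 'content' stands in for a controller config
# export; 'recorded_sha256' is the digest the backup job logged when it ran.
GOOD = b"plc01 config rev 42"
SAMPLE_RESTORE_POINTS = [
    {"id": "primary-weekly", "taken": NOW - timedelta(days=3),
     "content": GOOD, "recorded_sha256": sha256_hex(GOOD)},
    {"id": "secondary-daily", "taken": NOW - timedelta(days=1),
     "content": None, "recorded_sha256": None},          # job never ran
    {"id": "offsite-monthly", "taken": NOW - timedelta(days=10),
     "content": b"plc01 config rev 4", "recorded_sha256": sha256_hex(GOOD)},
    {"id": "golden-image", "taken": NOW - timedelta(days=200),
     "content": GOOD, "recorded_sha256": sha256_hex(GOOD)},
]

def classify(rp: dict, now: datetime = NOW, max_age: timedelta = MAX_AGE) -> str:
    """Return 'missing', 'corrupt', 'outdated' or 'trusted' for one restore point."""
    if rp["content"] is None or rp["recorded_sha256"] is None:
        return "missing"            # backup was never created as planned
    if sha256_hex(rp["content"]) != rp["recorded_sha256"]:
        return "corrupt"            # stored copy no longer matches its digest
    if now - rp["taken"] > max_age:
        return "outdated"           # exists and intact, but stale
    return "trusted"

def recovery_readiness(restore_points, min_trusted: int = 2) -> dict:
    """Classify every restore point; 'ready' needs at least min_trusted good ones."""
    status = {rp["id"]: classify(rp) for rp in restore_points}
    trusted = [rid for rid, s in status.items() if s == "trusted"]
    return {"status": status, "trusted": trusted, "ready": len(trusted) >= min_trusted}

if __name__ == "__main__":
    print(recovery_readiness(SAMPLE_RESTORE_POINTS))
```

With the sample data only the primary copy is trusted, so the site is reported as not ready even though four backups nominally exist.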


Conclusion 

The OT cybersecurity landscape is undergoing a fundamental shift. We are moving from an emphasis on external threats and probability reduction to a more holistic approach that accounts for the inevitability of disruptions. 

Key takeaways: 

  • Collaboration Over Competition: The industry is moving away from vendor “bake-offs” and towards strategic partnerships that integrate solutions to strengthen risk management.
  • Beyond Malicious Threats: While traditional cybersecurity has focused on external attacks, unintentional system changes have historically caused more widespread failures. A mature approach must account for both.
  • A More Comprehensive Risk Perspective: Instead of solely reducing probability, organizations must also address the consequence by improving visibility, documentation and response readiness.
  • Backup and Recovery as Critical Factors: Many organizations overestimate their backup and restore capabilities. Having multiple, trusted restore points is essential for business resilience, as primary backups often fail when needed most. 

Ultimately, risk reduction is not just about preventing failure but about preparing for and recovering from inevitable disruptions. By taking a more integrated, informed and proactive approach to managing ICS environments, we will drive the next phase of OT cybersecurity maturity. 

About the Author

Nick Cappi is Vice President, Portfolio Strategy and Enablement for OT Cybersecurity in Hexagon's Asset Lifecycle Intelligence division. Nick joined PAS in 1995, which was acquired by Hexagon in 2020. In his role, Nick oversees the commercial success of the business, formulates and prioritizes the strategic themes, and works with product owners to set strategic product direction. During his tenure at PAS, Nick has held a variety of positions including Vice President of Product Management and Technical Support, Director of Technical Consulting, Director of Technology, Managing Director for the Asia Pacific Region, and Director of Product Management. Nick brings over 26 years of industrial control system and cybersecurity experience within the processing industries.
