ICS/OT Cybersecurity Leadership: The Mission is Safety and Fundamentals First

In my recent field work leading ICS/OT incident response tabletop exercises with ICS Defense Force, and also in supporting real-world ICS/OT responses, one of the most consistent and dangerous gaps we see isn’t a gap in tools or technology, but a gap in leadership. Specifically, clearly defined roles and responsibilities are missing when incidents actually unfold.

Kinetic Consequences: Safety First Principle

In organizations that operate ICS/OT environments, those ICS/OT systems are the business. The systems run critical infrastructure, drive production, and directly impact public safety and economic stability. A cyber incident in OT is not a data event; it is a physical event with potential consequences that include operational disruption, environmental impact, and loss of life.

This requires a shift in mindset for cybersecurity leaders coming from traditional IT security, as the mission and response model are fundamentally different. In ICS/OT, cybersecurity exists to ensure safe and reliable operation of physical processes, such as maintaining pipeline pressure, stabilizing grid voltage, controlling chemical dosing, and preventing equipment damage on production lines.

Every decision — whether considering an adversary’s action or a defender’s response — must be evaluated against one question: Does this action introduce risk to safety?

Applying traditional IT controls or response actions without ICS context can disrupt control systems and create unsafe conditions. This is why mature ICS/OT cybersecurity programs treat risk as a safety-driven operational function, grounded in engineering-led response and ICS-specific controls, such as the Five ICS Cybersecurity Critical Controls.

Evaluating Risk in ICS/OT Environments

Evaluating risk in ICS/OT may begin with traditional vulnerability scoring, but it must be grounded in engineering context to be meaningful.

The critical question is not “Is this system vulnerable?” but:

“If this system is compromised, what is the impact on the physical process, and what are the safety consequences for people, equipment, and the environment?” From there, risk evaluation must focus on operational impact: whether ICS-specific controls can detect abnormal engineering or protocol-level behavior, whether the architecture limits spread from IT into OT, and how exposed the asset is based on its role and connectivity.

Just as important is how adversaries operate in ICS environments. Many do not rely on exploiting vulnerabilities. Instead, they use valid credentials, native engineering tools, and trusted pathways to blend into normal operations where traditional controls such as anti-virus have lower threat detection value than expected. In this context, the greatest risk often comes not from a CVE, but from what the environment natively provides once adversaries gain access.

As outlined in the SANS strategy guide, Fortify Your ICS Security Program and Safeguard Operations, the most concerning OT incidents are high-impact, low-frequency events — attacks that may be less common but can lead to more severe operational disruption and safety consequences. This is why ICS/OT cybersecurity leaders must assess OT risk through the lens of engineering process impact and adversary behavior, not just traditional technical weaknesses

The Role of a True ICS/OT Risk Register

Leadership must ensure the ICS/OT risk register reflects how the control system can fail under cyberattack conditions. Each risk should be tied to a specific process impact: loss of control (PLC logic manipulation), loss of view (HMI, OPC protocol, or historian loss), or degradation of safety functions (safety instrumented systems, alarm servers etc.). Risks should be structured around OT-specific threat-driven attack paths and operational dependencies, such as IT-to-OT pivot through remote access, misuse of engineering workstations with valid credentials, or lateral movement across flat network segments.

For governance purposes, leaders may wish to maintain a separate ICS/OT risk register aligned to the enterprise risk framework. The impact model — safety, process integrity, and physical consequences — requires different evaluation than IT data-driven risk. Leaders for ICS/OT cybersecurity programs must ensure ownership of the ICS/OT risk register includes engineering staff and leaders to validate process impact and safe operating limits.

At a minimum, every ICS/OT risk entry should answer:

• What is the impact to the physical process?
• What safety functions are affected or degraded?
• How would this manifest operationally (loss of control, visibility, integrity)?
• What detection and containment capabilities exist today?
• What is the realistic attack path and likelihood in this environment?

A mature ICS/OT risk register can enable defensible, safety-aligned decision making for leadership, as it clearly communicates the modern cyber risk in our critical infrastructure.

High-ROI Opportunities: OT Tabletop Exercises

Dedicated ICS/OT tabletop exercises are one of the highest return-on-investment activities that leaders responsible for ICS/OT risk management can run to start understanding OT risk. When designed with engineering-driven scenarios, these exercises quickly align IT, OT, and operational teams around the realities of an OT cyber incident. Exercises should be grounded in the actual environment — focusing on OT assets, safety constraints, and real operating conditions — with participation from engineering staff, operators, physical safety, OT security, and IT security teams from the design phase. Tabletops can reveal how decisions are made under pressure, can clarify roles and responsibilities, and can determine whether safe operations can be maintained during an incident.

From Strategy to Execution

Leaders can look into SANS ICS418: ICS Cybersecurity for Leaders to drive effective ICS/OT security strategy at the executive level. Technical teams can check out SANS ICS515: ICS Visibility, Detection, and Response to build the hands-on capabilities required to defend industrial environments.

To take the next step, join ICS515 at SANS Security West 2026 (May 11–16) or SANS Network Security 2026 (September 21–26) and gain the practical experience needed to defend real-world industrial environments.