
    As industrial systems modernize, adaptive OT cybersecurity replaces patchwork defense

    The OT (operational technology) cybersecurity landscape is shifting toward adaptive defenses for interconnected industrial systems that traditional, perimeter-bound controls have often left exposed. The latest OT security capabilities combine AI-assisted anomaly detection, fine-grained network micro-segmentation, and encryption applied where legacy protocols and devices permit it, to secure industrial connectivity more effectively. These advances form the foundation of adaptive OT cybersecurity: closing previously invisible gaps without operational disruption, and enabling continuous verification and adaptive defenses tailored to legacy environments that were never designed with modern cybersecurity in mind.

    Another significant shift is the adoption of evidence-based risk models that change how OT cyber risk is evaluated. Moving beyond purely qualitative assessments, these models quantify both operational and financial impact, giving executives and boards the concrete figures they need to prioritize investment and manage risk holistically. Such quantification aims to put OT cyber risk on the same footing as the rest of the business resilience framework and to ease compliance with evolving regulations and standards such as NIS2 and ISA/IEC 62443.

    As supply chains become a vulnerable part of the attack surface, OT defense must move beyond the traditional facility boundary to remain effective. Present-day security strategies take in plant facilities as well as suppliers, third-party vendors, and partner ecosystems. To mitigate the risk of external dependencies while retaining operational agility, organizations must invest in supply chain telemetry, real-time risk monitoring, and diligent vendor risk management.

    Closing the innovation gap depends on transforming the OT cybersecurity function from a reactive visibility tool into an adaptive, autonomous defense capability. Signals of such a shift include the rise of AI-driven threat response, the incorporation of cyber-by-design principles into new industrial builds, and the integration of cyber risk quantification with corporate governance. Together these elements strengthen resilience, allowing industrial operators to out-adapt attackers and to secure their digital transformation sustainably.

    The next wave is expected to reconcile security with operational flexibility, reshaping OT cybersecurity into a strategic business enabler that protects core infrastructure from growing and ever-changing threats.

    Newer OT defenses set to tackle industrial blind spots 

    Industrial Cyber reached out to executives to discuss the lingering blind spots in defending increasingly interconnected industrial systems. They also address how new approaches to adaptive OT cybersecurity aim to close those gaps without introducing operational risk.

    Sreenivas Gukal, co-founder and chief product officer at Acalvio

    “ICS protocols are unencrypted, creating risks for remote protocol exploits. The FrostyGoop malware was reported in 2024 as a first-of-its-kind malware that performed remote exploits targeting the Modbus protocol,” Sreenivas Gukal, co-founder and chief product officer at Acalvio, told Industrial Cyber. “Similar remote protocol exploits targeting ICS protocols (Modbus, BACnet, Ethernet/IP) represent an important blind spot.”

    Identity is a huge blind spot in OT environments, Gukal mentioned, adding that these “OT environments typically have their own Active Directory to ensure attacks cannot move from IT to OT through shared AD. OT security rarely includes monitoring AD and identity exploits. Usage of old, unsupported, and vulnerable versions of software is still an issue. For example, SMBv1 (Server Message Block 1.0) persists in many OT networks. SMBv1, originally from the 1980s, has severe security vulnerabilities, including susceptibility to ransomware like WannaCry.”

    He pointed out that with AI-assisted and increasingly agentic AI-driven attacks, the only approach that will help OT environments is preemptive cyberdefense.

    Joseph M. Saunders, founder and CEO of RunSafe Security

    Joseph M. Saunders, founder and CEO of RunSafe Security, told Industrial Cyber that the biggest blind spots for connected industrial systems are vulnerabilities in the software supply chain and patching challenges, where suppliers are either unaware that a patch is available or a patch is not readily available at all. “Operators of industrial systems can get greater visibility into device vulnerabilities by asking for build-time SBOMs from vendors, so both parties have complete transparency into the security risks in the network.”

    Tony Turner, vice president of product at Frenos

    “The gaps are real – ungoverned remote access, transient/vendor devices, segmentation drift, cellular backdoors, and untracked PLC changes without configuration backups, especially at ‘non-critical’ remote sites that don’t have visibility sensor deployments,” Tony Turner, vice president of product at Frenos, told Industrial Cyber. “Additionally, we’ve heard a lot about supply chain transparency, but even when we get it, it’s challenging to map this to operational risk. The lack of mapping of cyber risk to operational impacts may be the biggest blind spot of all.”

    Turner identified that “We need to understand dependency relationships, but today’s quant platforms are still missing ICS-specific insights. Simulation modeling is helping to advance the craft, but we still have more work to achieve the necessary understanding.” 

    Jori VanAntwerp, founder and CEO of EmberOT

    The majority of industrial environments are interconnected (converged) today, Jori VanAntwerp, founder and CEO of EmberOT, said. “Purdue Levels 1 and 2 are where operations happen and are rarely monitored, leaving huge blind spots where adversaries can move undetected. The challenge is multifaceted and can’t be solved by one magic control.” 

    VanAntwerp told Industrial Cyber that the new approaches must leave no trace by being passive or having very low interaction, enabling true east-west traffic monitoring and analysis that includes dynamic, contextual, and deterministic detection. “Understanding how devices interact, quantifying the actual risk of those interactions, and prioritizing what matters most.”

    Evidence-based models redefine OT cyber risk

    Cyber risk in OT is often evaluated qualitatively. The executives look into how emerging solutions are shifting toward quantifiable, evidence-based assessments that measure both operational and financial impact and what this shift means for boards and regulators.

    Gukal observes that emerging solutions, such as automated red team testing and increasingly AI-driven red teaming (for example, the open-source Cybersecurity AI (CAI) framework), “can be used to assess quantitatively the operational impact of not just historical attacks but also emerging threats. This, in turn, can drive the financial risk quantification based on the potential revenue and reputational damage.”

    He mentioned that MITRE has published an open-source OT attack framework, known as Caldera for OT, that performs OT protocol-specific exploits as a measure of quantifying OT risk.

    “One solution that provides a quantifiable, evidence-based assessment of cyber risk in OT devices is build-time SBOMs paired with vulnerability identification,” Saunders said. “Build-time SBOMs that are 100% complete and correct allow providers to accurately quantify vulnerability management status and avoid false positives and negatives. With build-time SBOMs, you can find transitive dependencies lurking within systems that could yield risk not previously identified.” 

    Even more importantly, Saunders noted that the tools to analyze deployed binaries are now able to quantify the underlying potential zero-day risk in OT device software. “When companies can quantify potential risk, they can better assess their risk priorities and make strategic decisions to reduce that risk with business goals in mind. For example, identifying and upgrading the most risky devices.”
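    To show what “transitive dependencies lurking within systems” look like in practice, here is an added example, not RunSafe’s or any other vendor’s tooling, that walks the dependency graph of a small CycloneDX SBOM, reports which vulnerable components are direct versus transitive and via which path they arrive, and flags components the SBOM lists but never connects to the product root, as a completeness check. The SBOM, the component names and versions, and the EXAMPLE-* identifiers are constructed placeholders, not real components or CVEs.

```python
"""Dependency-graph walk over a build-time CycloneDX SBOM: which vulnerable
components are direct vs transitive, via which path they arrive, and which
listed components are unreachable from the product root.

Added illustrative example, not RunSafe's or any vendor's tooling. The SBOM,
component names, versions and EXAMPLE-* identifiers are constructed.
"""
import json
from collections import deque

# Constructed CycloneDX 1.5 document for a hypothetical RTU firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "firmware", "name": "rtu-firmware", "version": "4.2.0"}},
  "components": [
    {"bom-ref": "modbus-stack", "name": "modbus-stack", "version": "2.1.0"},
    {"bom-ref": "tls-lib",      "name": "tls-lib",      "version": "1.0.2"},
    {"bom-ref": "libc",         "name": "libc",         "version": "2.28"},
    {"bom-ref": "log-fmt",      "name": "log-fmt",      "version": "0.9.1"},
    {"bom-ref": "debug-shell",  "name": "debug-shell",  "version": "0.3.0"}
  ],
  "dependencies": [
    {"ref": "firmware",     "dependsOn": ["modbus-stack", "tls-lib"]},
    {"ref": "modbus-stack", "dependsOn": ["libc", "log-fmt"]},
    {"ref": "tls-lib",      "dependsOn": ["libc"]},
    {"ref": "libc",         "dependsOn": []},
    {"ref": "log-fmt",      "dependsOn": []}
  ]
}
"""

# Constructed advisory feed keyed by (name, version). Not real CVE identifiers.
KNOWN_VULNS = {
    ("log-fmt", "0.9.1"): "EXAMPLE-2024-0001",
    ("tls-lib", "1.0.2"): "EXAMPLE-2024-0002",
}


def load_sbom(text: str):
    """Return (root_ref, components by bom-ref, adjacency list)."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    components[root["bom-ref"]] = root
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def walk(root: str, graph: dict):
    """BFS from the root. Returns depth per reachable ref (1 = direct dependency,
    >1 = transitive) and the parent through which each ref was first reached."""
    depth, parent = {root: 0}, {root: None}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                parent[child] = ref
                queue.append(child)
    return depth, parent


def path_to(parent: dict, ref: str) -> list:
    """Reconstruct root -> ... -> ref from the BFS parent map."""
    out = []
    while ref is not None:
        out.append(ref)
        ref = parent[ref]
    return out[::-1]


def find_vulnerable(sbom_text: str, vulns: dict) -> list:
    """Match reachable components against the advisory feed, nearest-first."""
    root, components, graph = load_sbom(sbom_text)
    depth, parent = walk(root, graph)
    findings = []
    for ref, d in depth.items():
        if ref == root:
            continue
        c = components.get(ref)
        if c is None:  # dangling edge: dependency names a component the SBOM never lists
            continue
        vuln_id = vulns.get((c["name"], c["version"]))
        if vuln_id:
            findings.append({"ref": ref, "id": vuln_id, "depth": d,
                             "transitive": d > 1, "path": path_to(parent, ref)})
    return sorted(findings, key=lambda f: f["depth"])


def unreachable_components(sbom_text: str) -> list:
    """Components the SBOM lists but that no dependency edge connects to the root:
    either the dependency section is incomplete or the component is dead weight."""
    root, components, graph = load_sbom(sbom_text)
    depth, _ = walk(root, graph)
    return sorted(ref for ref in components if ref not in depth)


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, KNOWN_VULNS):
        kind = "transitive" if f["transitive"] else "direct"
        print(f"{f['id']}: {f['ref']} ({kind}, depth {f['depth']}) via {' -> '.join(f['path'])}")
    print("listed but unreachable:", unreachable_components(SBOM_JSON))
```

    On this input the walk reports `tls-lib` as a direct dependency and `log-fmt` as a transitive one pulled in through `modbus-stack`, which is the relationship a flat component list hides. The `debug-shell` entry, listed but reachable from nothing, is the kind of inconsistency that makes an SBOM less than “100% complete and correct” and should be raised with the supplier rather than silently ignored.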

    “OT cyber risk is shifting from color charts to quantified, evidence-backed estimates. But overreliance on quant scores without context can be inaccurate, and misguides spending,” Turner said. “Augmenting quantification (useful shorthand) with threat-informed risk modeling to test exploitability conditions, map likely attack paths to adversary objectives, and estimate downtime/loss via Monte Carlo.”

    He also called for prioritizing what’s actually targetable, not just high-scoring. “This approach gives boards defensible ranges and trade-offs while avoiding the false confidence that creates blind spots and wasteful security toil, proving which controls truly reduce risk before touching production.”

    “In OT, we need to capture physical and operational context. At some point, an operator or defender (expert) must still be in the loop,” VanAntwerp said. “The way forward isn’t about replacing one model with the other. It’s about melding them together to get a more honest, actionable view of risk. A hybrid model: qualitative ‘red/yellow/green’ combined with quantitative ‘X hours of downtime, Y dollars of impact.’” 

    For boards, he observed that the challenge is translating the familiar qualitative language into something that maps to compliance and financial impact. “For regulators, a one-sided push could actually harm defense by funneling funds and attention into the wrong buckets.”
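    The quantitative half of the hybrid model described above, Turner’s Monte Carlo estimate of downtime and loss and VanAntwerp’s “X hours of downtime, Y dollars of impact”, can be shown with a small simulation that also produces the loss-exceedance curve Turner returns to later in the article. This is an added example, not a tool from any company quoted here. The scenario parameters (incident frequency, downtime distribution, hourly loss, fixed response cost) are constructed for illustration and stand in for the evidence an organization would gather about its own plants.

```python
"""Monte Carlo estimate of annual downtime-driven loss for one OT scenario,
before and after a mitigation, summarized as a loss-exceedance curve.

Added illustrative example, not a vendor tool. All parameters below are
constructed placeholders, not measured data.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float    # Poisson rate of qualifying incidents
    median_downtime_h: float  # lognormal median of outage duration, hours
    downtime_sigma: float     # lognormal shape; larger = heavier tail
    loss_per_hour: float      # production loss while the process is down
    fixed_cost: float         # response, recovery and reporting cost per event


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small annual rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def annual_loss(rng: random.Random, s: Scenario) -> float:
    """One simulated year: sum of per-event losses over a Poisson number of events."""
    total = 0.0
    for _ in range(poisson(rng, s.events_per_year)):
        downtime_h = rng.lognormvariate(math.log(s.median_downtime_h), s.downtime_sigma)
        total += downtime_h * s.loss_per_hour + s.fixed_cost
    return total


def simulate(s: Scenario, years: int, seed: int = 1) -> list:
    """Simulate `years` independent years with a fixed seed so runs are reproducible."""
    rng = random.Random(seed)
    return [annual_loss(rng, s) for _ in range(years)]


def exceedance_curve(losses: list, thresholds: list) -> dict:
    """P(annual loss >= x) for each threshold x: the loss-exceedance curve."""
    n = len(losses)
    return {x: sum(1 for v in losses if v >= x) / n for x in thresholds}


def percentile(losses: list, p: float) -> float:
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[idx]


# Constructed scenarios: vendor remote access abuse leading to a plant outage,
# before and after brokered JIT access plus tested PLC configuration backups.
BASELINE = Scenario("ungoverned vendor remote access", 0.6, 48.0, 0.8, 40_000.0, 250_000.0)
MITIGATED = Scenario("brokered JIT access + PLC backups", 0.2, 12.0, 0.6, 40_000.0, 250_000.0)
THRESHOLDS = [250_000, 500_000, 1_000_000, 2_000_000, 5_000_000, 10_000_000]


def compare(years: int = 50_000, seed: int = 1) -> dict:
    """Return summary statistics and exceedance curves for both scenarios."""
    out = {}
    for s in (BASELINE, MITIGATED):
        losses = simulate(s, years, seed)
        out[s.name] = {
            "mean": mean(losses),
            "p50": percentile(losses, 0.50),
            "p90": percentile(losses, 0.90),
            "p99": percentile(losses, 0.99),
            "curve": exceedance_curve(losses, THRESHOLDS),
        }
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: mean={r['mean']:,.0f} p50={r['p50']:,.0f} "
              f"p90={r['p90']:,.0f} p99={r['p99']:,.0f}")
        for x, prob in r["curve"].items():
            print(f"  P(loss >= {x:>11,}) = {prob:.3f}")
```

    The output is a range, not a single number: the p50/p90/p99 annual losses and the probability of exceeding each threshold, for the current state and for the state after the mitigation. That is the form boards can weigh against the mitigation’s cost, and the gap between the two curves is the evidence that a control “truly reduces risk” rather than a color change on a heat map. The qualitative red/yellow/green label still belongs next to it, because the downtime distribution and frequency are themselves expert judgments about physical and operational context.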

    Modern security strategies meet legacy industrial reality

    Legacy systems remain at the core of critical infrastructure. The executives examine which strategies are proving most effective in extending concepts like zero trust and continuous verification into environments that were never designed to support them.

    “Patching or making changes to legacy systems is often challenging for critical infrastructure. Micro segmentation and Identity and Access Management (IAM) have proved most effective for zero trust in critical infrastructure as a preventative control,” Gukal said. “For threat detection, cyber deception, introducing decoys representing legacy infrastructure, represents an effective strategy to detect and divert OT attacks without impacting legacy systems.”

    Turner called for applying zero trust to legacy OT by controlling paths, not retrofitting devices. “Put identity-aware zones at conduit boundaries, use brokered JIT remote access with MFA and session recording, and wrap fragile assets with segmentation controls and DPI-informed policies.”

    He also suggests enforcing allow-lists per protocol and function code. “Use advanced simulation capabilities to model attack paths continuously and test policies offline. Start read-only, prove stability, utilize what-if style simulation, and then ratchet to enforcement to shrink blast radius without process risk.”
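    The per-protocol, per-function-code allow-listing Turner describes, and the monitor-first, enforce-later rollout, can be made concrete for Modbus/TCP, the protocol Gukal cited earlier as a remote-exploit blind spot. The following is an added example written for this page, not code from Frenos, Acalvio or any other vendor quoted here; the hosts, unit ids, rules and frames are constructed, not captured traffic.

```python
"""Per-protocol / per-function-code allow-listing for Modbus/TCP, with a
monitor-only stage before enforcement.

Added illustrative example, not code from any vendor quoted in the article.
The Modbus frames below are constructed, not captured traffic; the hosts,
unit ids and rules are hypothetical.
"""
import struct
from dataclasses import dataclass, field

# Modbus public function codes grouped by their effect on the process.
READ_FUNCTIONS = frozenset({1, 2, 3, 4, 7, 43})
WRITE_FUNCTIONS = frozenset({5, 6, 15, 16, 22, 23})


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP request (used here only to fabricate sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


@dataclass(frozen=True)
class Rule:
    src: str               # client address allowed to talk to this unit
    unit_id: int
    functions: frozenset   # function codes this client may issue


@dataclass
class Policy:
    rules: list
    enforce: bool = False           # False = monitor only, True = drop violations
    violations: list = field(default_factory=list)

    def decide(self, src: str, frame: bytes) -> str:
        req = parse_modbus_tcp(frame)
        if any(r.src == src and r.unit_id == req.unit_id
               and req.function_code in r.functions for r in self.rules):
            return "allow"
        # A write changes process state, so it is the high-severity case.
        severity = "high" if req.function_code in WRITE_FUNCTIONS else "low"
        self.violations.append((src, req.unit_id, req.function_code, severity))
        return "drop" if self.enforce else "alert"


def learn_baseline(traffic) -> set:
    """Monitor-only stage: record every (src, unit, fc) seen so an engineer can
    confirm which tuples belong in the allow-list before enforcement is enabled."""
    seen = set()
    for src, frame in traffic:
        req = parse_modbus_tcp(frame)
        seen.add((src, req.unit_id, req.function_code))
    return seen


# Constructed sample: an HMI and a historian talking to PLC unit 1, plus one
# unknown host issuing a register write, the pattern Modbus-abusing malware relies on.
SAMPLE_TRAFFIC = [
    ("10.1.2.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),    # HMI: read holding registers
    ("10.1.2.10", build_request(2, 1, 6, struct.pack(">HH", 5, 1))),     # HMI: write single register (setpoint)
    ("10.1.2.20", build_request(3, 1, 4, struct.pack(">HH", 0, 4))),     # historian: read input registers
    ("10.1.2.20", build_request(4, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),  # historian: write (unexpected)
    ("10.1.9.99", build_request(5, 1, 6, struct.pack(">HH", 0, 0x1234))),  # unknown host: write single register
]

RULES = [
    Rule("10.1.2.10", 1, frozenset({3, 6, 16})),   # HMI may read and write
    Rule("10.1.2.20", 1, READ_FUNCTIONS),          # historian is read-only
]


def run_policy(enforce: bool):
    """Apply RULES to SAMPLE_TRAFFIC; returns (decisions, violations)."""
    policy = Policy(RULES, enforce=enforce)
    decisions = [policy.decide(src, frame) for src, frame in SAMPLE_TRAFFIC]
    return decisions, policy.violations


if __name__ == "__main__":
    print("baseline:", sorted(learn_baseline(SAMPLE_TRAFFIC)))
    for mode in (False, True):
        decisions, violations = run_policy(mode)
        print("enforce" if mode else "monitor", decisions, violations)
```

    In monitor mode the policy only records violations, and together with `learn_baseline` that gives the engineer the evidence to decide whether an unexpected tuple (here, the historian writing registers) is a missing rule or a real problem before setting `enforce=True`. The unknown host’s write is classified high severity in either mode, because a Modbus write is what changes process state; the same structure applies to BACnet or EtherNet/IP once a parser for that protocol replaces `parse_modbus_tcp`.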

    “We tend to throw around the word ‘legacy’ when, in reality, these are purpose-built, resilient, and efficient devices used for complex and robust operations, designed to run for 20-40 years,” VanAntwerp said. “That’s not legacy, it’s a practical design choice. Because of this, traditional ‘zero trust’ doesn’t fit. You can’t force these systems to authenticate and revalidate every single operation without breaking what makes them work. We must apply the elements of zero trust that translate in a way that doesn’t interfere with operations.” 

    He added that the task is to protect environments as they are today while laying the groundwork for the arrival of the next generation of equipment. “Implement identity and access management and data protection where applicable. Combine this with micro/segmentation, contextual monitoring, logging, and data verification, and we can support ‘legacy’ systems while still enhancing security and accountability.”

    As supply chains become attack vectors, OT defense must redefine boundaries

    With attackers increasingly exploiting supply chains and partner ecosystems, the executives focus on how OT security must evolve beyond the plant or facility boundary to manage risks tied to external dependencies. 

    Gukal said that defense-in-depth is required to manage risks, whether due to external dependencies, supply chain risks, insider threats, or AI attacks. “OT Security must deploy preventive measures, such as requiring SBOMs (Software Bill of Materials) and compliance certifications from all software suppliers and partners.”

    “ZTNA (Zero Trust Network Access), micro-segmentation, IDMZ, and IAM are necessary perimeter security components for reducing risks from external dependencies,” according to Gukal. “Continuous network monitoring and cyber deception are required for further risk reduction to detect threats that have bypassed preventative security controls.”

    Saunders identified that operators and suppliers need to work together to understand the full scope of risk introduced throughout the software supply chain, whether through first-party proprietary code, third-party code, or open source software. “These risks must be understood from the operating system to the application. Operators also must take into consideration any devices connected to internal enterprise IT systems or cloud networks, looking for additional entry points and indicators of potential compromise.”

    “We must treat suppliers and partners as untrusted. Put connectivity through identity-aware zones with brokered, just-in-time vendor access, device posture checks, and full session recording. Isolate vendor networks in untrusted or semi-trusted zones,” Turner said. “Require signed builds, evidence of software assurance and secure SDLC, and quarantine updates for offline verification before promotion. Implement robust change management. Monitor and rate-limit data backhauls to cloud services, and enforce protocol allow-lists or data diodes at boundaries.” 

    He also called for modeling partner pathways to test exploitation and adversary-based scenarios. “Bake obligations into contracts to include vulnerability and breach notification SLAs, evidence logging, and remediation timelines. Continuously re-verify trust and access, and revoke stale integrations.”

    VanAntwerp said that individual organizations can’t secure every external dependency. “This isn’t so much about evolving beyond the plant boundary as it is about hardening what comes in and out of it. At the end of the day, segmentation and contextual monitoring within your environment remain some of your most effective tools.” 

    He added, “You can’t control the entire ecosystem, but you can control how ‘external’ interacts with your operations. This means verification and acceptance testing, limiting external devices, enforcing least privilege, and strict remote access that is heavily limited, closely monitored, and thoroughly logged.”

    Closing innovation gap by shifting balance in OT cyber defense

    Innovation in OT cybersecurity often lags behind attacker agility. The executives go into what signals will indicate that the next generation of tools and frameworks is genuinely shifting the balance of power, rather than simply adding another layer of visibility. 

    “Attacks have moved by a leap, leveraging advances in Gen AI. Recent CTF (Capture the Flag) results show that AI Agents rival top hackers. All this power is now available to even script kiddies,” Gukal said. “Gen AI requires a paradigm change in cybersecurity. As Gartner has recently highlighted ‘The age of reactive cybersecurity is over. As AI-powered threats proliferate, only AI-driven preemptive cybersecurity offers a viable defense.’”

    He added that the next generation of tools in OT are evolving from reactive approaches that needed a priori knowledge of threats to proactive and preemptive approaches that anticipate threats and are not dependent on specific known threat TTPs. “Preemptive security based on the three D’s (Deceive, Detect, Delay) has been widely accepted as the only effective approach to combat modern AI-assisted attacks.”

    Saunders said that to move from visibility to actual prevention of attacks, cybersecurity needs to be built into OT devices from the very beginning. “OT devices have long lifespans and often go unpatched, even when patches are available, because of the difficulty of updating systems and devices. This leaves OT devices vulnerable, even when the risk is known.” 

    To shift the balance of power, he added that product manufacturers and suppliers must build security into devices from the start, with one example being memory safety techniques that prevent exploitation at runtime, protecting devices even when a patch is not available.

    “Look for indicators that defenses change attacker economics, not just dashboards. Closed attack paths verified in red-team scenarios and validated through SOC metrics. Measurable blast-radius reduction and fewer reachable conduits in assessments,” Turner said. “Faster, safer change management means network and policy updates can be validated offline with high predictive accuracy and no unplanned outages.” 

    He added that vendor access is ephemeral and recorded, and time-to-isolate remote sessions shrinks. “Detection quality improves with fewer false positives and earlier catches at the protocol/function-code level. Loss-exceedance curves tighten after mitigations, and incidents stay contained rather than plantwide. Most telling, adversaries retool because yesterday’s TTPs stop working; that’s power shifting, not more visibility. Clearly, this retooling will require continuous adjustment for defensive tooling and strategies as well.” 

    “It’s less that defenders are ‘behind’ and more that defenders and attackers trade the upper hand,” VanAntwerp mentioned. “A major catalyst for shifting the balance will be meeting organizations where they are today and providing intelligence that leads to operationally relevant action. That’s how attackers lose the advantage.” 

    He concluded that “We’ll know the balance has shifted when operators and defenders have a complete view of their assets and how they interact, contextually. Giving them immediate, actionable insights with less noise, faster detection, and true context that drives decisions.”

    The next wave will harmonize security and flexibility, establishing adaptive OT cybersecurity as a strategic enabler of industrial resilience

     
