Why OT security governance can no longer wait: A CISO's call to action

Prayukth KV

November 4, 2025

Legacy governance approaches and frameworks are leaving your critical infrastructure exposed. In today's OT security blog post, we look at why OT security governance is essential for resilience and how to build your own framework.

Why OT security needs a governance upgrade

For decades, the world of Operational Technology (OT), the systems controlling manufacturing lines, power grids and water treatment plants, was protected by the mythical air gap and by security through obscurity, tied to the belief that if a system is older than the employee managing it, it doesn't need any additional security measures (this is one of the lines I heard on the shop floor of a power plant a few years ago).

That era is as alive as the Iron Curtain.

Beyond the IT-OT convergence we have seen over the last few years, there is the added challenge of poor OT asset and process visibility. On top of that, ownership of OT security, in parts and as a whole, is often treated as a grey area.

Malware attacks no longer just encrypt spreadsheets or laptops; they shut down pipelines, modify process settings and halt production lines. The problem isn't a lack of new firewalls or those fabled data diodes. It is a governance gap. The old rules simply don't apply anymore, and applying IT security rules directly to an OT environment can be ineffective or, worse, dangerous.

Here’s why your OT security strategy is likely failing and how to fix it with a top-down governance upgrade.

The "why": Key drivers for enhancing OT governance

Simply buying more piecemeal security "tools" won't solve the problem. The core issue is a mismatch between the new, converged reality and the outdated governance frameworks (or lack thereof) used to manage it. That mismatch is a hindrance across:

  • Managing employee security awareness needs

  • Ensuring an integrated approach to security

  • Ensuring holistic compliance

  • Operating with the right levels of security visibility

The IT vs. OT mindset

This appears to be the most fundamental challenge. IT and OT are governed by different, often conflicting, priorities:

  • IT Security: Prioritizes the "CIA Triad" - Confidentiality, Integrity, Availability. Protecting data is paramount.

  • OT Security: Prioritizes Availability and Safety. An unexpected system reboot to apply a patch isn't an inconvenience; it could cause a production-halting or life-threatening incident.

Superimposing IT-centric governance ("patch all systems within 45 days") directly onto OT leads to confusion and chaos. OT governance must instead be built from the ground up, with safety and operational continuity as its non-negotiable foundation, while keeping operational and compliance realities on the radar.

Soaring attack surface

Your OT network was never an island. At best it is a peninsula, surrounded on most sides by some form of connectivity. Consider:

  • Remote vendor access for maintenance.

  • IIoT sensors sending data to a cloud platform.

  • Production data feeding into the corporate ERP system.

  • Employees walking around with USB drives.

  • Intrusive security tooling that itself adds attack surface.

Each connection point is a potential gateway for an attacker. Without a governance framework that defines who can connect, what they can access, and how that access is monitored, you are operating on a model of trust without verification.

Legacy systems were never built for this

OT environments are full of "legacy" assets: systems running Windows XP, 20-year-old PLCs, and devices with hard-coded passwords. These systems were designed to run for decades, not to be patched weekly. I in fact know someone who knows a vendor who is actually selling Windows XP and Windows 7 licenses to OT operators. That should drive home the challenge of securing such systems.

You cannot "patch" your way out of this problem. Governance provides the solution through compensating controls. If you can't patch a system, your governance model should dictate that it must be isolated via network segmentation, have its access strictly controlled, and be placed under continuous monitoring for anomalous behavior.

Ambiguous ownership equates to zero accountability

When a security incident happens, who is responsible?

  • The CISO, whose team may not understand the engineering processes?

  • The Plant Manager, who is responsible for uptime but not cybersecurity?

  • The Engineering team, which "owns" the equipment but not the network?

This confusion leads to inaction. A strong OT governance model explicitly defines roles and responsibilities. It creates a committee or task force with clear authority, drawing stakeholders from IT, OT, engineering, and executive leadership to collaboratively own and manage the risk.

Further, there is often no cohesive, tested incident response plan in place, which means that when an incident happens everyone is free to improvise.

What is OT security governance?

Governance isn't a single product; it's the formal framework of rules, policies, standards, and processes that dictates how OT security is managed, measured, and maintained.

A mature OT governance framework includes:

  • An unambiguous charter and policy: A high-level document, signed by executive leadership, stating the organization's commitment to securing OT systems, with a clear focus on safety and resilience.

  • Well-defined roles and responsibilities: A RACI (Responsible, Accountable, Consulted, Informed) chart that specifies who is accountable for OT risk, who implements controls, and who responds to incidents, with each named individual or role owner having acknowledged that responsibility.

  • A risk management program with risk ownership: A process to identify, analyze, and evaluate OT-specific risks (e.g., "What is the impact of a ransomware attack on Plant A's primary controller?"). This must involve OT asset owners, not just IT security. Risk owners should also be identified and documented.

  • OT-specific security policies: These are the "how-to" guides based on the main charter. Examples include:

    • Network Segmentation Policy

    • Remote Access Policy (for vendors and employees)

    • System Hardening Standards (for new OT assets)

    • Incident Response Plan (that includes physical-world scenarios)

    • Removable Media Policy (no more random USB drives)

  • A compliance framework: A roadmap for implementation, often based on industry standards like IEC 62443 or the NIST Cybersecurity Framework (CSF).

Actionable steps: How to build your OT governance framework

Ready to move from chaos to control? Here are the actionable steps to upgrade your OT governance.

Start with the governance committee

You cannot do this in a silo. Your first step is to create a cross-functional steering committee. This group must include:

  • Executive Sponsor (e.g., COO, CIO, or CISO)

  • OT/Operations Leaders (Plant Managers, Operations Directors)

  • Engineering Leaders

  • IT/Security Leaders (CISO, IT Director)

  • Physical Safety Officer

This group's first task is to draft the high-level charter that gives them the authority to act.

Build your crown jewel inventory and monitor it

You cannot protect what you do not know you have. Traditional IT asset management tools often fail in OT environments. You must initiate a project to identify, classify, and categorize all OT assets. This should include details like:

  • What is it? (PLC, HMI, Engineering Workstation)

  • Where is it? (Network location, physical location)

  • What does it do? (The physical process it controls)

  • What is its "criticality"? (How bad is it if this fails?)

An OT security tool with OT-specific asset inventory capabilities such as Shieldworkz will help in this goal.

Conduct an OT-Specific Risk Assessment

Using your new asset inventory, conduct an IEC 62443-based risk assessment through an OT lens. Don't just run a vulnerability scan. Ask the right questions:

  • Instead of asking "Does this server have unpatched vulnerabilities?"

  • Ask: "What is the operational impact if this server is compromised? Can it cause a physical safety event? Can it halt our main production line? What is the financial cost per hour of downtime?"

Adopt a standard and build your OT security roadmap

Don't reinvent the wheel. Use an established framework like IEC 62443 (the leading international standard for industrial security) or the NIST CSF as your guide, with NIS2 obligations as an additional driver if you are in scope of the EU directive. Perform a gap analysis to see where you are today versus where the standard says you should be. This gap analysis becomes your multi-year strategic roadmap.

Evolve, deploy and enforce OT-specific security policies

Start with the highest-risk areas identified in your assessment. The policies to tackle first are almost always:

  • Network segmentation: Create rules to stop an attack from spreading from IT to OT, and between different OT zones.

  • Remote access: Enforce multi-factor authentication (MFA) and "jump hosts" for all vendor and remote employee access. Log everything.

  • Patch and vulnerability management: Create a risk-based policy. Not "patch everything," but "patch critical systems during planned downtime, and apply compensating controls to everything else."

  • Removable media control: Scan every USB device before it touches an OT system, so that malware is not walked onto the shop floor by accident.
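As an added illustration (this is not Shieldworkz code, nor a method the post prescribes), the snippet below ties the crown-jewel inventory fields from the earlier step (what it is, where it sits, what it controls, how bad it is if it fails) to the risk-based patch policy just described. It scores operational impact and exposure separately, then maps each asset to "patch during planned downtime", "patch on the regular cycle" or "compensating controls", and never schedules a safety-relevant asset outside a planned outage whatever its score. All field names, weights, thresholds and the sample inventory are assumptions constructed for the example.

```python
"""Risk-based OT patch triage over a crown-jewel inventory (added example).

Not Shieldworkz code. Field names, weights, thresholds and the sample
inventory are assumptions for illustration, not real plant data.
"""
from dataclasses import dataclass


@dataclass
class OTAsset:
    name: str
    kind: str                    # PLC, HMI, EWS, historian ...
    zone: str                    # IEC 62443-style zone the asset lives in
    process: str                 # physical process it controls
    safety_impact: bool          # can compromise cause a physical safety event?
    halts_production: bool       # does failure stop the main line?
    downtime_cost_per_hour: float
    reachable_from_it: bool      # any route from the corporate network?
    vendor_remote_access: bool   # maintained remotely by a third party?
    patchable: bool              # supported OS/firmware with a vendor-approved patch path
    unpatched_critical_cves: int


def impact_score(a: OTAsset) -> int:
    """Operational impact, 0..10: the 'how bad is it if this fails' question."""
    score = 5 if a.safety_impact else 0
    score += 3 if a.halts_production else 0
    if a.downtime_cost_per_hour >= 50_000:
        score += 2
    elif a.downtime_cost_per_hour >= 10_000:
        score += 1
    return score


def exposure_score(a: OTAsset) -> int:
    """How reachable and how vulnerable the asset is, 0..7."""
    score = 2 if a.reachable_from_it else 0
    score += 2 if a.vendor_remote_access else 0
    score += min(a.unpatched_critical_cves, 3)
    return score


def risk_score(a: OTAsset) -> int:
    """Impact times exposure; +1 on each axis so a zero on one does not hide the other."""
    return (1 + impact_score(a)) * (1 + exposure_score(a))


def triage(a: OTAsset) -> dict:
    """Map an asset to the action the patch policy prescribes plus compensating controls."""
    score = risk_score(a)
    level = "high" if score >= 30 else "medium" if score >= 10 else "low"
    controls = []

    # Exposure-driven controls apply whether or not a patch exists.
    if a.vendor_remote_access:
        controls.append("vendor access only via MFA-protected jump host; log every session")
    if a.reachable_from_it and level != "low":
        controls.append("restrict the IT->OT conduit to the specific flows the process needs")

    if not a.patchable:
        action = "no supported patch: isolate, restrict access and monitor"
        controls.append("place in a dedicated zone with deny-by-default conduits")
        controls.append("continuous monitoring for anomalous process and network behaviour")
    elif a.safety_impact:
        # Never reboot a safety-relevant asset outside a planned outage, whatever the score.
        action = "patch only during a planned outage, after testing on a staging unit"
    elif level == "high":
        action = "patch in the next planned maintenance window"
    elif level == "medium":
        action = "patch on the regular OT cycle, staged through a test system"
    else:
        action = "patch on the regular OT cycle"

    return {"asset": a.name, "score": score, "level": level,
            "action": action, "controls": controls}


def prioritize(assets):
    """Highest risk first, so the roadmap starts where the assessment says it should."""
    return sorted((triage(a) for a in assets), key=lambda t: t["score"], reverse=True)


# Constructed sample inventory for one plant (not real assets).
SAMPLE_INVENTORY = [
    OTAsset("PLC-A1", "PLC", "PlantA-L1", "boiler feedwater control",
            True, True, 80_000, False, True, False, 2),
    OTAsset("HMI-A1", "HMI (Windows XP)", "PlantA-L2", "line A operator station",
            False, True, 80_000, True, False, False, 4),
    OTAsset("HIST-01", "historian", "DMZ", "process data to ERP",
            False, False, 5_000, True, False, True, 1),
    OTAsset("EWS-A2", "engineering workstation", "PlantA-L2", "PLC programming",
            False, False, 0, False, True, True, 0),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_INVENTORY):
        print(f"{t['asset']:8} score={t['score']:3} {t['level']:6} -> {t['action']}")
        for c in t["controls"]:
            print(f"           + {c}")
```

The point of separating impact from exposure is that an unpatchable Windows XP HMI reachable from IT lands in the compensating-controls bucket with isolation and monitoring attached, while a low-exposure engineering workstation with a vendor-supported OS just follows the regular cycle. A risk owner from operations, not IT, should be the one setting the impact fields.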

You can also talk to a neutral vendor like Shieldworkz for help with developing and implementing your OT security governance model.

Governance is the foundation for resilience

Tools are important, but governance is what makes them effective. An advanced OT monitoring tool is useless if no one is defined as "accountable" for responding to its alerts.

Upgrading your OT security governance isn't just an IT project; it's a core business function. It is the framework that enables operational resilience, protects your workforce, and secures your revenue. The threats are real, and the stakes (physical safety, regulatory fines and major financial loss) are too high to ignore. Start the conversation between your IT, engineering, and leadership teams today.

Talk to a Shieldworkz OT security governance expert.

 
