The Biggest Risk In OT Cybersecurity

Why it's not ransomware, phishing or supply chain attacks.


When people talk about cybersecurity in industrial environments, the conversation usually jumps straight to threats: ransomware, phishing, supply chain attacks. But after spending years working with manufacturers on OT security, I think the biggest risk isn’t an external one. It’s internal – and it’s alignment.

Or more accurately, the lack of it.

Too often, OT security projects get stuck or backfire because the people involved aren’t working from the same map. You’ve got IT teams focused on frameworks and firewalls. You’ve got OT teams focused on uptime and availability. Then you have leadership chasing certifications or reacting to regulations. Everyone wants better security, but they’re rarely aligned on what that actually means – or how to get there.

I was recently working with a large manufacturer that had just launched a security initiative for its production sites. Great leadership buy-in, a substantial budget, and even a dedicated cross-functional team. But right out of the gate, things got rocky. The IT folks were pushing for full network segmentation and centralized visibility. The OT engineers were concerned about disrupting established processes. Operations didn’t understand the sudden push for change.

Six months later, nothing had been implemented. The result? Missed deadlines, wasted budget, and a lot of frustration.

The problem wasn’t the tech. It wasn’t even the strategy. It was misalignment. And in OT security, that’s more dangerous than any zero-day exploit.

So, how do you fix it?

Shared Understanding, Not Technology

It’s tempting to start with tools – firewalls, monitoring platforms, segmentation plans. But those things fall flat fast if the people involved aren’t aligned. Before jumping into tools or frameworks, gather everyone in a room (yes, even if it’s virtual) and discuss what matters. 

IT security, OT engineers, site managers, and ideally someone from operations and leadership – they should all be there to answer critical questions:

  • What are the most business-critical processes?
  • What’s the worst-case scenario from a production point of view?
  • What are the biggest fears from a cybersecurity perspective? 

The goal isn’t agreement on every detail – it’s visibility into each other’s priorities. You’re looking for a clear picture of what matters to each stakeholder – what they’re worried about, what they rely on, what they need to keep the lights on. I once sat in on a security planning call where IT was pushing hard for full network segmentation. It sounded great – until a control engineer spoke up and explained that two of their machines rely on hard-coded IPs and crash if traffic is rerouted. That one comment saved weeks of rework and a potential shutdown. When IT teams hear what’s actually at stake on the shop floor, they’re more willing to adapt their approach.

Define What “Secure” Actually Means

For one plant, it might mean preventing unsupervised remote access. For another, it might be about isolating legacy systems that can’t be patched. Your security priority for a specific site might be minimizing exposure during a maintenance window, or making sure vendors can’t touch anything outside their scope. 

The point is: “secure” looks different depending on your architecture, legacy constraints, and risk tolerance. The key is grounding “security” in how your operations actually run. Ask: what are the systems we absolutely cannot afford to lose? What kind of incident would cause real-world disruption? If the definition of security isn’t clearly tied to how the operation runs, it becomes a vague goal that no one owns.

Make Trade-Offs Visible 

In OT, you’ll never be able to eliminate all risk without affecting availability. Every security control introduces some level of operational friction – that’s just the nature of the environment. That doesn’t mean you abandon the control. It means you weigh the impact and make a conscious call. 

The important thing is to surface those trade-offs early and openly. If a certain security control could delay production by 10 minutes or trigger a false alarm during startup, everyone should know that upfront – and agree on whether it’s worth it. If patching a system means introducing potential downtime, that should be a conscious decision, not an accidental one. 

When trade-offs are identified, discussed by all parties, and documented, they lead to smarter, shared decisions that avoid future conflicts. When they’re hidden, they turn into friction and blame. Someone will work around it quietly. And that’s when things go sideways.

Progress, Not Perfection 

Many OT security programs stall because people try to tackle too much at once. They try to build the perfect security program from day one, and the ideal future state feels too far away. Chasing perfection can lead to analysis paralysis. 

Instead of aiming for 100 percent compliance with some ideal-state model – where everything is mapped, documented, and funded – pick a few realistic wins that reduce risk now and build momentum. Start with one site, one known risk you can reduce. Maybe you focus on your top five most exposed assets. Or maybe you fix the one thing that keeps coming up in audits – like shared credentials or outdated firmware. Whatever it is, make it achievable. 

I worked with a packaging facility that couldn’t afford full segmentation, so they started with one subnet and got MFA rolled out for third parties. That single change reduced their exposure dramatically and gave them a template to expand. Those small wins help you build confidence and show value, and they are often what earn you the trust and alignment needed for the harder stuff later on. One well-executed change does more than ten unstarted initiatives.

Misalignment isn’t just a project risk – it’s a security risk. Because while teams argue over ownership, responsibility, and tools, attackers don’t wait. They don’t care if your OT and IT teams are on the same page. But you should.

The more cross-functional alignment you build up front, the less friction you’ll have when it comes time to deploy real controls – whether that’s segmentation, monitoring, or anything else. Because when people are aligned on the why, they’ll figure out the how together.
