Abstract

Operational Technology (OT) environments are increasingly vulnerable to cyber risks as connectivity, automation, and digitalization expand across industries. Yet traditional OT cyber risk assessments are often complex, resource-intensive, and disconnected from real-world threat scenarios and business priorities. This article presents a practical, business-focused approach to OT cyber risk assessments, grounded in a structured Business Impact Assessment (BIA) aligned with Confidentiality, Integrity, and Availability (CIA). By emphasizing business impact over speculative probability, organizations can develop proportionate, actionable security controls and prioritize risks effectively across diverse OT environments. A practical example shows how this approach supports informed decision-making, targeted investments, and better alignment among cybersecurity, operational resilience, and governance goals.

1. Introduction: Evolving Operational Technology

Operational Technology is receiving increased attention from cybersecurity and risk professionals due to a growing threat landscape, high-profile nation-state activity, expanding IT and OT integration, and wider adoption across industries. OT includes systems that monitor, control, or influence physical processes, and its relevance now extends far beyond the traditional manufacturing, energy, and chemical sectors.

In large, asset-intensive organizations, OT environments typically consist of many sites distributed across regions and countries, built up over decades. These environments are often highly heterogeneous, with plants of different ages, technologies, and levels of automation operating side by side. As a result, OT landscapes vary significantly in maturity, criticality, and operational practices, making consistent oversight and risk decision-making inherently difficult.

At the same time, modern OT environments increasingly incorporate industrial IoT sensors, automated warehouse vehicles, electric vehicle charging infrastructure, and renewable energy assets. As these technologies become more interconnected and essential to business operations, the impact and frequency of cyber incidents affecting OT environments continue to rise. Recent findings from the Dragos Year in Review highlight a shift from adversary prepositioning toward attempts at operational disruption[1], alongside significant growth in ransomware activity that extends into OT networks. Separately, a Waterfall Security report indicates a year-over-year increase of 146 percent in the number of sites impacted by attacks with physical consequences[2]. The scale of potential impact is illustrated by the 2025 cyberattack on Jaguar Land Rover, which is considered the most financially damaging cyber event in UK history and is estimated to have cost the UK economy approximately 1.9 billion pounds due to prolonged production outages and cascading supply chain effects [3].

Against this backdrop, organizations are under pressure to better understand and manage OT cyber risk. However, the core challenge is not a lack of frameworks or assessment techniques but the growing complexity of applying them consistently and meaningfully across diverse operational environments.

2. The Challenge with Traditional OT Risk Assessments

Traditional OT cyber risk assessments aim to account for multiple risk dimensions simultaneously, including safety, availability, integrity, regulatory compliance, environmental impact, people, community, financial loss, reputational damage, and shareholder value. While each dimension is relevant, addressing them all in a single assessment often leads to excessive complexity. These assessments typically require multidisciplinary teams, lengthy workshops spanning several weeks, and extended timelines, as reflected in standards such as NIST SP 800-30 and ISA/IEC 62443-3-2.

In practice, these assessments tend to produce extensive documentation but offer limited support for clear prioritization or decision making. The complexity makes it difficult for both risk managers and plant managers to understand which risks truly matter most, which controls are proportionate, and how cyber risk relates to credible attack paths and operational reality.

Assessing inherent risk in OT environments is generally feasible. However, determining residual risk is extremely difficult. OT environments are large, heterogeneous, and closely interconnected, and they often contain legacy or obsolete systems that cannot be upgraded, patched, or equipped with modern security controls. As a result, it is nearly impossible to quantify how combinations of technical and procedural controls reduce risk in practice.

Although detailed assessments can provide value, they do not scale effectively, particularly for multinational organizations that operate many sites across different business types, regions, and legal entities, where these challenges are further amplified. Estimating cyber likelihood is inherently uncertain, reputational impact is difficult to measure, and many threat scenarios are hypothetical rather than based on credible threats. Well-known frameworks, including the IEC standards and the MITRE ATT&CK framework for Industrial Control Systems, offer useful structure, but their use must be proportional to the actual level of risk, the business context, and the resources available. In such circumstances, ruthless prioritization and a business-focused view of risk are essential to ensure that effort is directed toward the areas that matter most.

3. A Streamlined, Business-Driven Alternative

This article proposes a simplified, high-impact approach to OT cyber risk assessment that begins with a BIA tailored to OT environments. The objective is to help risk and plant managers accelerate their work by producing actionable, proportionate security controls directly linked to business outcomes, governance priorities, and the day-to-day realities of plant operations. By grounding the assessment in business impact and operational context, the approach is designed to make OT risk assessment more intuitive and easier to apply in practice.

The approach is not intended to replace detailed, hazard-focused risk assessments required in high-risk environments, nor does it aim to deliver absolute precision. Instead, it offers a practical way to identify which OT environments are genuinely critical to the business and to apply consistent risk profiling across different OT archetypes.

4. OT Business Impact Assessment

This approach is informed by the authors’ individual experience of more than ten years each translating risk management theory into practice across asset-rich OT environments.

The OT BIA evaluates five impact dimensions aligned with the Confidentiality, Integrity, and Availability (CIA) triad. All responses are classified as Low, Medium, or High using organization-specific thresholds and consequence criteria. Although the assessment is qualitative, these thresholds help ensure consistency and comparability across sites.

The BIA then extends the familiar IT CIA concepts by adding factors essential in OT environments. These include Health, Safety, Security, and Environment (HSSE), operational consequences, and regulatory exposure, which are not fully addressed by the confidentiality, integrity, and availability model alone. The approach aligns with ISO/TS 22317:2021 for Business Impact Analysis, broadens impact considerations in line with NIST IR 8286D by extending them to confidentiality and integrity impacts, and reflects the consequence categories found in ISA/IEC 62443.

Step 1 – Assessment Questionnaire

Availability
  Operational Impact
  • A1 – What is the estimated business loss per day if critical OT systems are unavailable and manual workarounds are required?
  • A2 – How long would it take to restore or rebuild the critical OT systems required to operate the site?
  Strategic & Market Relevance
  • A3 – Would downtime significantly impact the supply chain, market or region, considering fallback or Business Continuity Planning (BCP) measures?

Integrity
  HSSE & Cyber-Physical Risk
  • I1 – Are there safety-critical components or functions that could be compromised through a cyberattack, potentially leading to hazardous outcomes?
  Legal, Regulatory & Contractual Exposure
  • I2 – Are there legal, regulatory, or contractual obligations that could be affected by a cyber incident?

Confidentiality
  Commercial Sensitivity
  • C1 – Do OT systems store commercially sensitive information, such as formulas or proprietary processes, that, if exposed, could realistically harm competitiveness or reputation?

Step 2 – Tailored Security Controls Based on Impact Tiering

Security controls are prioritized based on which CIA dimensions are rated Medium or High.

Availability (A) – Driven by potential business loss and continuity impact. Controls focus on:

  • Network availability and segmentation
  • Redundancy and failover
  • Business continuity planning
  • System dependencies and recovery processes

Integrity (I) – Driven by HSSE and regulatory obligations. Controls focus on:

  • Protection of safety-critical logic solvers and barriers
  • Hardening against credible attack paths
  • Compliance with applicable regulations (e.g., NIS2)

Confidentiality (C) – Driven by commercial sensitivity. Controls focus on:

  • Access control
  • Encryption
  • Data loss prevention mechanisms

When several CIA dimensions are rated as Medium or High, a multidimensional control strategy is implemented.

Step 3 – Business Modifiers Influencing Security Controls

Recognizing that not all relevant information can be captured through standardized questions, business modifiers are used to refine Security Controls. These modifiers reflect informed management judgment and may include strategic importance, customer criticality, or technical complexity.

This step ensures that risk decisions reflect more than technical factors and supports transparent, consistent prioritization, avoiding both under- and over-engineering of controls.

Step 4 – Focused Threat Modeling

For OT environments rated Medium or High impact, a focused threat-modeling exercise is performed to:

  • Identify relevant threat actors and realistic attack paths
  • Validate control priorities against credible scenarios
  • Ensure mitigations remain context-aware and risk-relevant

This prevents teams from spending effort on theoretical threats that have little operational relevance, since these should already be addressed by foundational security framework controls.

Threat-modelling exercises should typically be performed using credible attack scenarios observed in the industry, supported by pen testers or red-teamers who can test these scenarios together with the business.

5. Practical Example: Applying the OT BIA

A fictional manufacturing company applied the BIA to its storage warehouses, which serve as critical nodes for receiving, storing, and dispatching customer products. Defining impact thresholds in advance ensures consistency and comparable outcomes across sites. Even when assessing a single site, completing the OT BIA provides valuable insight into business-contextualized risk areas that require attention. For organizations with multiple sites, this approach is particularly effective because it scales naturally and supports clear prioritization across the enterprise.

When ranking responses in the OT BIA, organizations may choose to reuse existing IT impact thresholds to align with senior leadership’s risk appetite, or to define OT-specific thresholds when operational characteristics differ. Financial figures in the example are illustrative and should be calibrated by each organization based on its own context.

To ensure that impact ratings are meaningful and aligned with business reality, the Low, Medium, and High impact categories were developed in collaboration with business stakeholders. Rather than relying on abstract or generic definitions, the thresholds were derived from key business characteristics, including production or throughput volume, the criticality of the product or service, the presence of hazardous goods, and potential safety or regulatory consequences. This approach makes the impact classification intuitive for both risk and plant managers and ensures that assessments reflect how the business actually operates.

Consequence matrix

Severity (score)   People   Operational   Financial
Very Low (1)                              >10
Low (2)                                   <10
Medium (3)                                <100
High (4)                                  <500
Very High (5)                             >500

Taking financial impact as an example, the realistic estimated effect across the assessment dimensions is compared with the defined consequence criteria. Financial loss can result from a loss of confidentiality, integrity, or availability. The answers to the six questions should then be placed on the consequence matrix to determine their severity rating.

Cyber risk management is more of an art than a binary process, and the approach acknowledges that judgment is necessary. It fundamentally depends on using common sense, rooted in the business context, to guide effective decision-making. The challenge is to avoid getting lost in technical details and instead focus on business goals, keeping the bigger picture in view.

Date      Region    Location   C  I      A      Modifier  Rating
Nov 2025  Europe    Berlin     L  M      M      ⭤         Medium
Dec 2025  Europe    Barcelona  L  L / M  L      ⭤         Low
Dec 2025  Asia      Bangkok    L  L      H      ▲         High
Jan 2026  Asia      Bangalore  L  L      M / H  ▲         High
Jan 2026  Americas  New York   L  M      M      ⭤         Medium
Feb 2026  Americas  Detroit    L  L / M  L      ▼         Low
Feb 2026  Americas  Santiago   L  L / M  L      ⭤         Low

The resulting impact ratings enabled consistent risk profiling across regions and warehouse archetypes. Leadership can clearly identify which sites are business-critical, where downtime would significantly affect customers or operations, and where redundancy, Business Continuity Planning, or contractual changes are most important. Conversely, they can also identify low-risk assets where only minimal controls are justified.
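Steps 1 to 3 worked as code, as an added example that is not part of the article: the six questionnaire answers are rolled up to one tier per CIA dimension, the Step 3 business modifier shifts the overall site rating, and the Step 2 control focus areas are listed for every dimension rated Medium or High. The borderline-answer rule (lower tier wins) and the one-tier modifier shift are assumptions chosen so that the rows of the example table come out as shown; the Bangalore answers are constructed.

```python
from typing import Dict, List
TIERS = ["L", "M", "H"]  # Low, Medium, High impact tiers used in the OT BIA
MODIFIER_SHIFT = {"up": 1, "down": -1, "neutral": 0}  # the table's ▲, ▼ and ⭤

# Step 1: which questionnaire item feeds which CIA dimension
QUESTION_DIMENSION = {"A1": "A", "A2": "A", "A3": "A", "I1": "I", "I2": "I", "C1": "C"}

# Step 2: control focus areas, selected only for dimensions rated Medium or High
CONTROL_FOCUS = {
    "A": ["network availability and segmentation", "redundancy and failover",
          "business continuity planning", "system dependencies and recovery processes"],
    "I": ["protection of safety-critical logic solvers and barriers",
          "hardening against credible attack paths", "compliance with regulations (e.g. NIS2)"],
    "C": ["access control", "encryption", "data loss prevention mechanisms"],
}

def parse_tier(answer: str) -> str:
    """Normalise an answer such as 'L', 'M / H' or 'l/m' to one tier.
    Assumption (not stated in the article): a borderline answer like 'M / H'
    resolves to the lower tier; the business modifier is what bumps it up."""
    parts = [p.strip().upper() for p in answer.split("/")]
    if any(p not in TIERS for p in parts):
        raise ValueError(f"unknown tier in answer {answer!r}")
    return min(parts, key=TIERS.index)

def dimension_ratings(answers: Dict[str, str]) -> Dict[str, str]:
    """Roll the six answers up to one tier per CIA dimension (worst answer wins)."""
    ratings = {"C": "L", "I": "L", "A": "L"}
    for question, answer in answers.items():
        dim = QUESTION_DIMENSION[question]  # KeyError for an unknown question id
        ratings[dim] = max(ratings[dim], parse_tier(answer), key=TIERS.index)
    return ratings

def site_rating(ratings: Dict[str, str], modifier: str = "neutral") -> str:
    """Overall site rating: highest CIA tier, shifted one tier by the Step 3 business
    modifier. Assumed rule; it reproduces the example table (Bangalore: A=M/H, up -> High)."""
    idx = TIERS.index(max(ratings.values(), key=TIERS.index)) + MODIFIER_SHIFT[modifier]
    idx = min(max(idx, 0), len(TIERS) - 1)  # clamp: 'down' on a Low site stays Low
    return {"L": "Low", "M": "Medium", "H": "High"}[TIERS[idx]]

def control_focus(ratings: Dict[str, str]) -> List[str]:
    """Step 2: control focus areas for every dimension rated Medium or High."""
    return [c for dim in "AIC" if ratings[dim] != "L" for c in CONTROL_FOCUS[dim]]

# Constructed answers modelled on the Bangalore row of the example table (not from the article)
BANGALORE = {"A1": "M / H", "A2": "M", "A3": "L", "I1": "L", "I2": "L", "C1": "L"}

if __name__ == "__main__":
    rated = dimension_ratings(BANGALORE)
    print(rated, site_rating(rated, "up"), control_focus(rated))
```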

Interpreting Results and Driving Decisions

Based on the assessment, the organization in this example should prioritize risk management efforts in Asia, where several warehouses demonstrated High availability impact. Investments should be focused on:

  • Redundancy for key OT systems
  • Improved spare-parts strategies
  • Focused threat modelling

Lessons learned can be shared with medium-impact sites in other regions. Although global OT security standards are often set centrally, the effort to implement them can vary depending on the specific business impact of each site. The assessment shows that effective OT risk management relies as much on business factors (like contracts and stock levels) as on technical measures (such as redundancy and threat modelling).

Conclusion

A pragmatic approach to OT cyber risk assessment bases decisions on business impact rather than on speculative likelihood. By focusing on what truly matters, such as safety, continuity, regulatory compliance, and commercial value, organizations can size controls appropriately and further refine them using credible, realistic threat scenarios.

A one-size-fits-all approach fails to account for the unique operational and business context of each site. By asking the right business-focused questions, organizations can shift from compliance-driven OT security to mature, business-driven cyber risk management.

Disclaimer authors

The views and opinions expressed are those of the authors and do not necessarily reflect the views, policies, or positions of our company or any of its affiliates.

Disclaimer ISACA Netherlands Chapter

The authors alone are responsible for the views expressed in this article and they do not necessarily represent the views, decisions or policies of the ISACA NL Chapter. The views expressed herein can in no way be taken to reflect the official opinion of the board of ISACA NL Chapter. All reasonable precautions have been taken by the authors to verify the information contained in this publication. However, the published material is being distributed without warranty of any kind, either expressed or implied. The responsibility for the interpretation and use of the material lies with the reader. In no event shall the authors or the board of ISACA NL Chapter be liable for damages arising from its use. 

References

  1. https://www.dragos.com/ot-cybersecurity-year-in-review
  2. https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/2025-threat-report-ot-cyberattacks-with-physical-consequences/
  3. https://www.bbc.com/news/articles/cy9pdld4y81o
  4. https://csrc.nist.gov/pubs/sp/800/30/r1/final
  5. https://csrc.nist.gov/pubs/sp/800/82/r3/final
  6. https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
  7. https://attack.mitre.org/matrices/ics/
  8. https://www.iso.org/standard/79000.html
  9. https://csrc.nist.gov/pubs/ir/8286/d/upd1/final
  10. https://www.isa.org/products/ansi-isa-62443-3-2-2020-security-for-industrial-a